CHAPTER - 2 - Computer Threat
Chapter TWO
Introduction
Malicious code is code inserted in a software system or web script intended to cause undesired effects, security breaches, or damage to a system.
Malicious code takes advantage of common system vulnerabilities; examples include computer viruses, worms, Trojan horses, logic bombs, spyware, adware, and backdoor programs.
Malicious code
files; they can read, write, modify, append, and even delete them. But malicious code can do the same, without the user's permission or even knowledge.
Kinds of Malicious Code
A printed copy of a virus does nothing and threatens no one. Even executable virus code sitting on a disk does nothing.
Appended Viruses
A program virus attaches itself to a program; then, whenever the program is run, the virus is activated.
Viruses That Surround a Program
One-Time Execution
The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution. A virus often arrives as an e-mail attachment, for example as a document virus; it is executed just by being opened.
Boot Sector Viruses
For very frequently used parts of the operating system and for a few specialized user programs, it would take too long to reload the program each time it was needed. Such code remains in memory and is called "resident" code.
Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running. Each time the resident code runs, the virus does too.
• The port in question normally denies traffic, but with redirection the attacker can bypass security measures and open a tunnel for communication.
How to prevent Port Redirection
• The hacker can also take over the session and reformat the packets to send information to either or both communicating
• Data sessions are more vulnerable when the packets are left in clear-text format and can be read without additional decryption by the human eye.
• These attacks are usually carried out by threat actors who are trying to find vulnerabilities they can exploit.
Packet Sniffers
• A packet sniffer may also be called a network analyzer, packet analyzer, or Ethernet sniffer.
• The packet sniffer may be either a software program or a piece of hardware with software installed in it that captures traffic sent over the network, which is then decoded and analyzed by the sniffer.
• Network administrators install monitors on dedicated machines or on their workstations when needed.
• A common software program available today is Wireshark, formerly known as Ethereal.
Ping Sweeps
• Ping enables you to validate that an IP address exists and can accept requests by sending an echo request and then waiting for an echo reply.
• A ping sweep tool can send an echo request to numerous host IP addresses at the same time to see which host(s) respond(s) with an echo reply.
Port Scans
• A port scanner is a software program that surveys a host network for open ports. Because ports are associated with applications, the hacker can use the port and application information to determine a way to attack the network.
• When the attacker discovers active IP addresses, the intruder or attacker uses a port scanner (Nmap or SuperScan, software designed to search a network host for open ports) to determine which network services or ports are active on the active IP addresses.
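The ping-sweep and port-scan slides above describe what the probing looks like on the wire; the defender's counterpart is spotting one source touching many targets. The following is an added example, not code from the lecture notes: a small detector run over constructed log lines of the form "<src> <target>" (an address for an ICMP echo request, address:port for a TCP connection attempt). The line format, addresses and threshold are all invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture notes: a small detector for the ping-sweep
 * and port-scan patterns on these slides, run over constructed log lines of the
 * form "<src> <target>"; target is an address (ICMP echo request) or
 * address:port (TCP connect attempt). The format is invented for the example. */
#define MAX_TARGETS 64
#define FIELD_LEN   24
/* Count how many distinct targets `src` touched in the window. */
int distinct_targets(const char *src, const char *const *lines, int n)
{
    char seen[MAX_TARGETS][FIELD_LEN];
    int  nseen = 0;
    for (int i = 0; i < n; i++) {
        char s[FIELD_LEN], t[FIELD_LEN];
        /* %23s bounds each field, so an overlong line cannot overflow s or t */
        if (sscanf(lines[i], "%23s %23s", s, t) != 2 || strcmp(s, src) != 0)
            continue;
        int dup = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], t) == 0) { dup = 1; break; }
        if (!dup && nseen < MAX_TARGETS)
            strcpy(seen[nseen++], t);
    }
    return nseen;
}
/* A source touching more than `threshold` distinct targets is flagged: a normal host talks to a few peers, a sweep or scan walks many. */
int is_scan(const char *src, const char *const *lines, int n, int threshold)
{
    return distinct_targets(src, lines, n) > threshold;
}
/* Constructed sample: 10.0.0.99 sweeps 10.0.0.1-5, 10.0.0.77 walks six ports on 10.0.0.7, 10.0.0.5 pings its gateway twice. */
static const char *const SAMPLE[] = {
    "10.0.0.99 10.0.0.1", "10.0.0.99 10.0.0.2", "10.0.0.5 10.0.0.1", "10.0.0.99 10.0.0.3",
    "10.0.0.77 10.0.0.7:21", "10.0.0.77 10.0.0.7:22", "10.0.0.99 10.0.0.4", "10.0.0.77 10.0.0.7:23",
    "10.0.0.5 10.0.0.1", "10.0.0.99 10.0.0.5", "10.0.0.77 10.0.0.7:25", "10.0.0.77 10.0.0.7:80",
    "10.0.0.77 10.0.0.7:443",
};
static const int SAMPLE_N = (int)(sizeof SAMPLE / sizeof SAMPLE[0]);
int main(void)
{
    const char *hosts[] = { "10.0.0.99", "10.0.0.77", "10.0.0.5" };
    for (int i = 0; i < 3; i++)
        printf("%-10s distinct=%d flagged=%d\n", hosts[i],
               distinct_targets(hosts[i], SAMPLE, SAMPLE_N), is_scan(hosts[i], SAMPLE, SAMPLE_N, 4));
    return 0;
}
```

A real deployment would key the count on a time window and tune the threshold to the network's normal fan-out, which the constant 4 here only stands in for.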
3. Denial-of-Service (DoS) attack
Non-malicious flaws: introduced by the programmer overlooking something:
• Buffer overflow error
• Incomplete mediation error
• Time-of-check to time-of-use (TOCTTOU) errors
Types of Flaws
Buffers are memory storage regions that temporarily hold data while it is being
A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.
For example, a buffer for log-in credentials may be designed to expect username
Buffer Overflows
Memory is finite
A buffer's capacity is finite.
In many programming languages the programmer must declare the buffer's maximum size so that the compiler can set aside that amount of space.
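The login-credential buffer the slides use as their example, shown in C as an added illustration (not code from the lecture notes): the flawed copy never compares the input against the declared capacity, the corrected copy refuses input that would not fit. USER_MAX is an assumed declared size, and the usernames are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture notes.  USER_MAX is an assumed declared
 * capacity for the login-credential buffer the slide mentions. */
#define USER_MAX 16

/* Flawed version: copies however many bytes the caller supplies.  An input
 * longer than USER_MAX - 1 characters makes strcpy write past the end of buf
 * into adjacent memory: this is the overflow the slide describes. */
void store_username_unchecked(char *buf, const char *input)
{
    strcpy(buf, input);                 /* no comparison against the capacity */
}

/* Corrected version: the input length is checked against the declared capacity
 * (including room for the terminating NUL) before a single byte is written.
 * Returns 0 on success, -1 if the input does not fit; buf is untouched on -1. */
int store_username_checked(char buf[USER_MAX], const char *input)
{
    size_t len = strlen(input);
    if (len >= USER_MAX)                /* would overrun: refuse rather than silently truncate */
        return -1;
    memcpy(buf, input, len + 1);        /* exactly len bytes plus the NUL */
    return 0;
}

int main(void)
{
    char buf[USER_MAX] = "";
    const char *ok = "alice";                                    /* constructed: fits */
    const char *long_name = "this_name_is_far_too_long_to_fit";  /* constructed: 32 chars */

    printf("checked(\"%s\") = %d, buf = \"%s\"\n", ok, store_username_checked(buf, ok), buf);
    printf("checked(\"%s\") = %d, buf = \"%s\"\n", long_name, store_username_checked(buf, long_name), buf);
    /* store_username_unchecked(buf, long_name) would write 17 bytes past buf; deliberately not called. */
    return 0;
}
```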
Incomplete mediation
Concurrency issue
• Successive instructions may not execute serially
• Other processes may be given control
Access control
• Only users with rights can access objects
TOCTTOU: control is given to another process between the access control check and the access operation
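The check-then-use gap described above, as an added C example (not from the lecture notes) on the classic file-open case: the racy function checks a path name and then opens the same name, so a process that gets control in between can swap what the name refers to; the fixed function opens first and checks the object it actually got. The path values are caller-supplied placeholders, not real system files.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not from the lecture notes.  Both functions try to enforce
 * "open only a regular file the caller is allowed to read"; any path is a
 * caller-supplied value, nothing here refers to a real system file. */

/* Racy version: the check is done on the NAME, then the file is opened by the
 * same NAME.  Another process that gets control between the two calls (the
 * concurrency point on the slide) can replace the name with a symbolic link,
 * and open() silently follows it to an object the check never looked at. */
int open_regular_racy(const char *path)
{
    if (access(path, R_OK) != 0)       /* time of check: name resolved once ... */
        return -1;
    return open(path, O_RDONLY);       /* time of use: name resolved again */
}

/* Fixed version: open first, refusing to follow a symlink in the final path
 * component, then inspect the object actually opened through its descriptor.
 * Check and use now refer to the same kernel object, so there is no window. */
int open_regular_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                     /* opened something that is not a plain file */
        return -1;
    }
    return fd;                         /* caller owns the descriptor */
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/hostname";  /* any readable regular file */
    int fd = open_regular_checked(path);
    printf("%s: %s\n", path, fd >= 0 ? "opened and verified as a regular file" : "refused");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The same pattern, check the descriptor rather than the name, is what the slide's "access control check" needs whenever the checked object can be renamed or replaced by another process.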
2.4 Controls Against Program Threats
Three types of controls:
1. Developmental control
2. Operating System Controls
3. Administrative Controls
Developmental Controls
1. The Nature of Software Development
A collaborative effort, involving people with different skill sets who combine their expertise to produce a working product.
Development requires people who can carry out requirements specification, design, implementation, testing, review, documentation, management, and maintenance of the system.
2. Fundamental principles of software engineering
1. Modularity
2. Encapsulation
3. Information hiding
A key principle of software engineering is to create a design or code in small, self-contained units, called components or modules.
If a component is isolated from the effects of other components, then it is easier to trace a problem to the fault that caused it and to limit the damage the fault causes. This isolation is called encapsulation.
Information hiding is another characteristic of modular software.
Modularization is the process of dividing a task into subtasks.
Encapsulation hides a component's implementation details, but it does not necessarily mean complete isolation.
1. Modularity
Modules should be:
• Single-purpose: logically/functionally
• Small: for a human to grasp
• Simple: for a human to grasp
• Independent: high cohesion, low coupling
  • High cohesion: highly focused on a (single) purpose
  • Low coupling: free from interference from other modules
Modularity should improve correctness: fewer flaws => better security
2. Encapsulation
• Minimizing information sharing with other modules => limited interfaces reduce the number of covert channels
• Well-documented interfaces
• "Hiding what should be hidden and showing what should be visible."
3. Information hiding
• Module is a black box
• Well-defined function and I/O
• Easy to know what a module does but not how it does it
• Reduces complexity, interactions, covert channels, ... => better security
Operating System Controls
How an operating system can protect against some of the design and implementation flaws.
Trusted Software
To trust any program, we base our trust on rigorous analysis and testing, looking for certain key characteristics:
Functional correctness
Enforcement of integrity
Limited privilege
Appropriate confidence level
Incident response plans (which will leverage other types of controls); and
Security planning
Security planning considers how security risk management practices are designed, implemented, monitored, reviewed and continually improved.
Entities must develop a security plan that sets out how they will manage their security risks and how security aligns with their priorities and objectives.
Security planning includes controls planned for future implementation, as well as resources planned for future use. Resources include personnel, contractors, equipment, software, and budgetary allocations.
Risk analysis
The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact.