Logic_Bombs by hedongchenchen


Logic Bombs
Douglas Smith
David Palmisano
What is a Logic Bomb?
 A logic bomb is a piece of code intentionally inserted into a software
 system that will set off a malicious function when specified conditions
 are met.
More on Logic Bombs
 Criteria for “Logic Bombs”
   For code to be considered a ‘logic bomb’, the effects of the code should
   be unwanted and unknown to the software operator.
   Trial software that expires after a certain time is generally not
   considered a logic bomb.
 Piggybacking
   Many viruses, worms, and other malicious code carry a logic bomb that
   “detonates” under given conditions. This may help the code on its
   journey as it worms through your system.
A New Age of Crime
 Robbery at gunpoint has become obsolete. Welcome to the new generation
 of crime.
 Logic bombs for profit (monetary or
   Remote
   No getaway car
   Low fatality rate
   Wile E. Coyote syndrome a thing of the past
Emergence of the Logic Bomb
 As technology advances, so does the need for security.
 The home computer was one of the greatest technological advancements
 since the wheel.
   Word Processing
   Pong
   The Virus
Emergence cont’d
 Time Bombs
   Detonates at a given time.
   Most well-known version of the logic bomb.
   Many of the first viruses released were time
   Debuted in the 1980s (Friday the 13th virus).
   Michelangelo virus brought public focus to viruses due to media coverage.
 Most of the time, logic bombs are placed in the system by insiders, such as:
   Disgruntled employees
   Corporate spies
 Also planted by remote users/systems.
Possible Triggers for Logic Bombs
   Lapses in time
   Specific dates
   Specific commands
   Specific actions in programs
   “Still-there” logic bombs
     Remain in the system with compromising effects.
     Will run as instructed by its creator unless the creator deactivates it.
       Payroll example.
Historic Attacks
 In June 1992, Michael Lauffenburger, an employee of the defense contractor
 General Dynamics, was arrested for inserting a logic bomb that would delete
 vital rocket project data. It was alleged that his plan was to return as a
 highly-paid consultant to fix the problem once it triggered. The bomb was
 stumbled on by another employee of the company. Lauffenburger was charged
 with computer tampering and attempted fraud and faced potential fines of
 $500,000 and jail time.
Historic Attacks
 In February 2000, Tony Xiaotong was indicted before a grand jury, accused
 of planting a logic bomb during his employment as a programmer and
 securities trader at Deutsche Morgan Grenfell. The bomb had a trigger date
 of July 2000 and was discovered by other programmers in the company.
 Removing and cleaning up after the bomb allegedly took several months.
Victimization Prevention
 Do not allow any one person universal access to your
   Separation of duties
 Always practice safe computing. Always use protection.
   Antivirus software can significantly reduce the risk of contracting a
   virus which may contain a logic bomb.
   New strains of logic bomb and virus programs are constantly being
 Remember, if you believe your system may be compromised by another entity
 (programmer, software or other system), get tested to prevent the
 transmission of dangerous code operations.
Defenses for Bombs
 Segregate operations from programming and testing.
 Institute a carefully controlled process for moving code into
   Give only operations staff write access to production code.
   Lock down your production code (source and executable), making it close
   to impossible for unauthorized people to modify programs.
   Assign responsibility for specific production programs to named
   positions in operations.
   Develop and maintain a list of authorized programmers who are allowed to
   request implementation of changes to production.
   Require authorization from the authorized quality assurance officer
   before accepting changes to production.
   Keep records of exactly which modifications were installed, when, and at
   whose request.
Defenses for Bombs
 Use hash functions on entire files in the production library.
 Recompute all hashes against a secure table to ensure that no one has
 altered production files without authorization and
 Keep audit trails running at all times so that you can determine exactly
 which user modified which file and when.
 If possible, ensure that audit trails include chained hash functions. That
 is, the checksum on each record (which must include a timestamp) is
 calculated not only from the record itself but also using as input the
 checksum from the previous record. Modifying such an audit trail is much
 more complicated than simply using a disk editor to alter data in one or
 two records.
 Back up your audit files and keep them under high security.
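As an added example (not from the slides, and not code from the newsletter they draw on), the Python below sketches both controls on this slide: a hash table over whole production files that is recomputed to catch unauthorized changes, and an audit trail whose per-record checksum also covers the previous record's checksum. The file names, file contents, user names and the tampering scenario are constructed for the demonstration; the trail shows why forging one record forces an attacker to recompute every later record as well.

```python
"""Added example: whole-file hash baseline plus a hash-chained audit trail.
All file names, contents and user names below are constructed sample data."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def file_hash(data: bytes) -> str:
    """SHA-256 over the entire file, as the slide recommends."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(library: Dict[str, bytes]) -> Dict[str, str]:
    """The 'secure table': file name -> hash, built while the library is known good.
    In practice this table lives on separate, write-protected storage."""
    return {name: file_hash(data) for name, data in library.items()}


def verify_baseline(library: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Recompute every hash and report what no longer matches the table."""
    return {
        "modified": sorted(n for n, d in library.items()
                           if n in baseline and file_hash(d) != baseline[n]),
        "added": sorted(n for n in library if n not in baseline),
        "missing": sorted(n for n in baseline if n not in library),
    }


class ChainedAuditTrail:
    """Each record's checksum = H(previous checksum || canonical record body).
    The body always carries a timestamp, the user and the file touched."""
    GENESIS = "0" * 64  # fixed 'previous checksum' for the first record

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def checksum(body: dict, prev_checksum: str) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(prev_checksum.encode() + canonical).hexdigest()

    def append(self, user: str, path: str, file_digest: str,
               timestamp: Optional[str] = None) -> dict:
        prev = self.records[-1]["checksum"] if self.records else self.GENESIS
        body = {"timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
                "user": user, "path": path, "sha256": file_digest}
        record = dict(body, checksum=self.checksum(body, prev))
        self.records.append(record)
        return record

    def verify(self) -> int:
        """Walk the chain; return the index of the first bad record, or -1 if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "checksum"}
            if self.checksum(body, prev) != rec["checksum"]:
                return i
            prev = rec["checksum"]
        return -1


def demo():
    # Constructed 'production library' and its baseline table.
    library = {"payroll.exe": b"MZ original payroll binary",
               "report.py": b"print('monthly report')\n"}
    baseline = build_baseline(library)

    # Operations staff log each installed file into the chained trail.
    trail = ChainedAuditTrail()
    for name in sorted(library):
        trail.append("ops_admin", name, baseline[name], "2002-08-21T09:00:00+00:00")
    clean = trail.verify()  # -1: the chain is intact

    # An unauthorized change that bypassed the change process: the
    # recomputed hash no longer matches the secure table.
    tampered = dict(library)
    tampered["payroll.exe"] = b"MZ payroll binary with an extra branch"
    report = verify_baseline(tampered, baseline)

    # Someone edits record 0 'with a disk editor' and even recomputes that
    # record's own checksum. Record 1 still embeds the old checksum, so the
    # chain breaks at index 1.
    body0 = {k: v for k, v in trail.records[0].items() if k != "checksum"}
    body0["user"] = "someone_else"
    trail.records[0] = dict(body0, checksum=ChainedAuditTrail.checksum(
        body0, ChainedAuditTrail.GENESIS))
    first_bad = trail.verify()
    return clean, report, first_bad


if __name__ == "__main__":
    print(demo())
```

The baseline check only works if the table itself cannot be rewritten by the same person who can rewrite production files, which is why the slide pairs it with separation of duties; likewise the chained trail is only as trustworthy as the backed-up copy you compare it against.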
References
 Kabay, M. E. Network World Security Newsletter, August 21, 2002.
 Walder, Justin. Press Release, December 17, 2002.
 Answers.com. Logic bombs: Definition and Much More from Answers.com.
 http://www.answers.com/topic/logic-bomb
