Spring 2005, Syracuse University                    Lecture Notes for CIS/CSE 785: Computer Security

                                   Malicious Code

(1) Kinds of Malicious Code

     Trojan horse
     Virus
     Logic bomb, time bomb
     Trapdoor, backdoor
     Worm

(2) Trojan Horse

Trojan horse: a piece of malicious code that, in addition to its primary effect, has a second,
non-obvious malicious effect.

 The ls Trojan horse.
   Q: If somebody visits your directory, is it possible to trick that user into running a Trojan horse?
   Yes, if "." is at the beginning of the victim's PATH environment variable: a script named ls placed
   in your directory is then found before /bin/ls.

 %   cp /bin/sh /tmp/.xxsh
 %   chmod 4777 /tmp/.xxsh
 %   rm ./ls
 %   ls $*

 Ken Thompson's Famous Trojan Horses

      "Reflections on Trusting Trust", Turing Award lecture.
      Goal: add a Trojan horse to the login program, so that one can use a special password to log
       into the system. However, the Trojan horse should be difficult to detect and fix.
      Approach 1: Change the login binary.
        This is easy to fix: just recompile it from login.c.
        What if we also change login.c? This is easy to detect if somebody reads the code.
           Q: how to make it more difficult to detect?
      Approach 2: Change compiler.c so that it recognizes login.c, and change login.c back to
       normal. When the compiler compiles login.c, it automatically adds the Trojan horse to the
       login binary.
        What if somebody reads compiler.c? The Trojan horse in compiler.c can be
           detected. They can get another copy of compiler.c, and compile this new (and
           clean) compiler.c.

Wenliang Du                         Malicious Code: Page 1 of 3                            10/4/2011

       Approach 3: Change compiler.c such that a Trojan horse is added to the
        binary whenever compiler.c or login.c is compiled. After we get the compiler
        binary, we change compiler.c back to normal.
         The Trojan horse is already built into the binary of compiler.
         Unless somebody looks at the compiler binary, the Trojan horse is difficult to detect.
            None of the source files contain any Trojan horse; Trojan horses are added by the
         To remove the Trojan horse, one has to change the compiler program.

(3)      Virus
 Must be activated by being executed. There are various ways to get activated:
   Running an infected program
   Email attachment (Melissa and Love Bug: macro viruses)
   Reading email (BubbleBoy virus)
   Appended viruses
   Viruses that surround a program
   Boot sector viruses

 Macro Viruses
   A sequence of instructions that is interpreted, rather than executed directly
   Example: the Melissa virus

 Solutions
   No general cure for viruses
   Virus checkers are effective against known viruses only

 Truths and Misconceptions about Viruses
   Viruses can infect systems other than PCs running MS-DOS/Windows
   Q: why are there not many viruses on Unix?
   Viruses can appear in data files: Microsoft Word macro viruses

(4)      Worms

 History of the Internet Worm
   Nov. 2, 1988, Robert T. Morris Jr.
   His father Robert T. Morris Sr. (at the NSA) and Ken Thompson wrote a paper about network
      security in 1979.
   Flaw in the worm: it failed to check for the existence of another copy of the worm.

 What made the worm a successful attack:

     Difference from a virus: propagates via networks
     Bug in fingerd: buffer overflow
     Backdoor in sendmail: DEBUG mode
     Took advantage of a mechanism used to simplify resource sharing
     Weak passwords: password guessing
      The worm carries a short list of common passwords (432 passwords), e.g. "guest",
         "passwords", "aaa", "help", "coffee", "coke", etc.
      It uses the system dictionary if the short list fails
   Disguise:
      removes all traces of itself from disk
      keeps all its files in memory, encrypted
      changes its process name periodically
 More Malicious Code: Code Red
   Middle of 2001
   Targeted Microsoft's Internet Information Server (IIS)
   Exploited a buffer overflow

(5)       Trapdoors
 Examples of trapdoors
   Special account to avoid the password check
   Special sequence to avoid access control
   Worm: sendmail DEBUG mode allowed running a program

 Another example: what is a fast way to gain somebody's full privileges forever when they
  leave the computer for a short period of time?
   % cp /bin/sh /tmp/.xxsh
   % chmod 4777 /tmp/.xxsh
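As an added example that is not part of the lecture notes, the POSIX shell functions below implement the defender's side of the two tricks above: the ls Trojan horse that relies on "." (or an empty entry) in PATH, and the setuid shell left behind in /tmp. The function names are my own; the PATH strings and files in the comments are constructed.

```shell
# Added example (not part of the lecture notes): three POSIX shell checks a
# defender can run against the ls Trojan horse and the setuid-shell trapdoor.

# Print every PATH entry that lets a file in the current directory shadow a
# system command: "." and an empty entry (both mean the current directory)
# and any other relative path. An empty entry is printed as "(empty)".
# Returns 1 if at least one such entry was found, 0 otherwise.
check_path() {
    rest="${1:-$PATH}:"        # trailing ':' so the last entry is visited too
    bad=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "") echo "(empty)"; bad=1 ;;
            /*) ;;                       # absolute directory: fine
            *)  echo "$entry"; bad=1 ;;  # "." or another relative path
        esac
    done
    return "$bad"
}

# Mimic the shell's command lookup: print the first executable file named $1
# along the PATH string $2 (hypothetical helper). With ".:/bin" in effect and a
# script named ls in the current directory, this prints ./ls, not /bin/ls.
resolve_cmd() {
    name=$1; rest="$2:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        dir="${dir:-.}"                  # empty entry means current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done
    return 1
}

# List regular files with the setuid bit under a directory (default /tmp),
# which is the footprint "chmod 4777 /tmp/.xxsh" leaves. Dotfiles are included.
find_setuid() {
    find "${1:-/tmp}" -xdev -type f -perm -4000 2>/dev/null
}

# When run directly: audit this shell's own PATH and /tmp.
check_path || echo "warning: the PATH entries above let ./ls shadow /bin/ls"
find_setuid /tmp || true
```

Any file reported by find_setuid that is owned by a user other than its directory's owner, or that lives in a world-writable directory, deserves a closer look.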

 Causes of trapdoors:
   Forget to remove
   Intentionally leave them in the program for testing
   Intentionally leave them for maintenance
   Intentionally leave them as a covert means of access to the component
