Program Security (Pfleeger Ch. 5) Software Engineering! Programmed Threats Life forms Bugs Trojan Horses Viruses Worms Bacteria/rabbits Exposures Trap doors/back doors Information leaks Logic bombs Time bombs Viruses Properties Detection resistant Robust - hard to destroy/deactivate Infectious - wide-ranging, reinfection Easy to create Machine/OS/Application-independent Dimensions Lifetime Transient Resident Target Boot sector TSR code Library code Application Document Attachment method Prepended or appended Surrounding Integrated Replaced overwrite change pointers Infection route Diskettes/removable media Email/MIME FTPed/HTTPed files Virus Signatures Storage patterns Modification date Size Checksum Execution patterns Virus Defensive Mechanisms Compression Polymorphism Alteration of system utilities Virus Protection Backups - boot diskette, executables, data files COTS S/W Test new code on isolated machine Virus scanner - update often, use on every diskette coming in *or* going out Access control - limit damage to space accessible by user who ran infected program.... H/W-based protection Protected instructions, write protection, base & bounds registgers, VM, tagged memory Audit file signatures Case Studies Brain Boot sector virus Protected itself in high memory (reset upper memory bound to prevent disturbances) Changed interrupt vectors to screen and redirect disk accesses Marked six disk sectors it used as "faulty" to prevent normal access to them On each disk access, checked if disk uninfected- if so, infect it Internet Worm (1988.11.02) Find target hosts /etc/hosts file .rhost hosts.equiv at random Gain access symmetry of trust (.rhost, hosts.equiv) common user accounts/passwords password guessing/cracking fingerd buffer overflow sendmail misconfiguration (DEGUG mode) Launch Grappling Hook (bootstrap loader) 99 lines of C code transferred and compiled on target given one-time password used to authenticate itself to source machine fetch rest of worm from source machine to target - remove traces if any errors compile, link, load and execute Hide use of one-time password for grappling hook encrypt memory-resident copy delete all files once in memory change name of program periodically change PID periodially exit before running for too long (note: this make cracking attempts limited per worm) Targeted Malicious Code Trapdoors Testing (undocumented "features") Maintenance Remote access Intruders Bad code (bounds checking/improper input checking) Undefined machine opcodes Salami Attacks Collect small amounts of money/time/space so as to be undetected - but many drops of water make up the sea Remain because of ... rounding error, poor processes, poor audit Covert Channels Information leakage - esp. in multilevel systems Legitimately authorized process (e.g., service program run by authorized user) accesses sensitive info Program is altered so that it signals unauthorized agent by modulating a medium that this spy can sense, usually in a way that is not readily noticed (noise) Channel Types Storage channels Presence or absence of objects (e.g., lock on shared object, file, port in use, etc.) Availability of exhaustible resource (e.g., disk space, inodes, etc.) In the noise of accessible data object (e.g., in the last bit of seconds field of time stamps, in the low order bit(s) of images, etc.) Timing channels alter usage rates of shared system resources so that another process can tell whether the resource is used heavily or lightly, and interpret these readings as data EX - use of time quanta in timeshared system sender: use whole quantum = 1 give up CPU immediately = 0 receiver: read system clock, interpret bit, then give up CPU on each time quantum - big difference between times = 1 small difference between times = 0 Covert Channel Identification SRM - Shared Resource Matrix Identify all resources that may be read or modified by processes of various classes take transitive closure look for information flows in violation of policy verify flows are real Information flow method Determine data and control flows within program Determine which outputs are affected by which inputs Note: Difficult in face of pointers, recursion Channel Capacity Estimation Quick & Dirty Derive state machine for sending bits (two states, two transitions per state) Determine costs of all four transitions Take reciprocal of average cost (in time) as channel rate Precise Same as above but use information theory result by Shannon as applied by Millen to solve system of linear equations to derive optimal channel rate for symbols with unequal costs Handling Eliminate flows if possible Partitioned system Reduce flow rates Mode-based systems Dither time Introduce noise Audit Look for attempts to modulate resources Controls for Program Threats Development controls - Software Engineering Peer reviews (walk-throughs) design validation code test plans test results Cleanroom development program verification front-loaded but faster in practice design for verifiability Good design practice modularity encapsulation - minimal coupling information hiding code reuse design for testability Independent testing - separation of duty Configuration management change control version control backups shadow copies stable versions - code freezes stable configurations - consistency regression testing immutable versions audit trail Process Improvement TQM/CQI/CPI/SEI Capability Maturity Models/ISO 9000/1, etc. Structured processes so outcomes are predictable and repeatable SEI CMM levels Initial - chaotic Repeatable - Planning, islands of process, CM, etc. Defined - Management support, standardization, documentation, intergroup coordination, peer reviews, training Managed - Quantitative measures, analysis Optimizing - feedback SSE CMM (System Security Engineering) - NSA extends SEI's CMM 3 areas - Engineering (development) SE development, including security analysis vulnerability analysis Project (management) quality, assurance Organizational training, process improvement ISO 9000/9001 ISO 9000/9001 - general development, installation, maintenance there must exist documented, defined processes (not prescriptive in terms of how good they are) ISO 9000-3 - for software development specifically Issues - consistency (precision) reliability (accuracy) how good a measure are CMM levels of quality, productivity, assurance? OS Controls Trusted S/W Functional correctness enforced integrity limited privilege appropriate security level Mutual Suspicion error checking verification of results sanity/integrity checks Confinement isolation/protection Access log audit mechanisms Administrative Controls Standards of program development Design Documentation Programming Coding Testing Configuration management Security audits Separation of duties