3rd homework on Password Cracking is posted at http://www.cse.unr.edu/~mgunes/cs450/HW3.htm.
The deadline is Thursday, Apr 8 at 11:00 am.
Wednesday, March 31, 2010
Lecture 16: Targeted Malware (Mar 29)
Lecture #16 started with Alex Rudd's presentation which gave us an overview about a history of Digital rights management. Digital rights management is a technological way of limiting access to copyrighted material. Then Dr. Gunes, gave us a overview of Lecture # 15 during which he talked about what a virus is, how it propagates, what a worm is and also about the difference between the worm and a virus. He also talked about Rabbit/Bacteria and Logic/ Time Bomb, Trojan, Trap Door and a Dropper. The four phases of a virus- Dormant, Propagation, Triggering and Execution phase were also discussed. Different types of viruses and how they append to the programs were talked about. Different virus signatures that help identify the virus, like the storage pattern, execution pattern and Transmission pattern are mentioned. Polymorphic viruses and the approaches that Anti virus software’s take in protecting against viruses are mentioned. Also, the prevention of virus attacks and damage limiting is also talked about.
Then, Dr. Gunes moved on to Targeted Malware. Trapdoors, Salami attacks, rootkit programs, privilege escalation, interface illusion and keystroke logging, Timing attack were mentioned. Covert channels that secretly leak information and provide unauthorized access were taught. Two different kinds of Covert channels exist- Storage Channels and Timing channels. Storage channels pass information by using the presence or absence of an object. An example of storage covert channel is File lock. Timing channels pass information by considering the speed at which things happen. Covert channels can be identified by the presence of shared resources, correctness of program code and analyzing the flow of information also slowing down the rate at which the information is transferred. Different methods for controlling program threats were discussed. Operating systems controls on use of programs were mentioned.
Then, Dr. Gunes moved on to Targeted Malware. Trapdoors, Salami attacks, rootkit programs, privilege escalation, interface illusion and keystroke logging, Timing attack were mentioned. Covert channels that secretly leak information and provide unauthorized access were taught. Two different kinds of Covert channels exist- Storage Channels and Timing channels. Storage channels pass information by using the presence or absence of an object. An example of storage covert channel is File lock. Timing channels pass information by considering the speed at which things happen. Covert channels can be identified by the presence of shared resources, correctness of program code and analyzing the flow of information also slowing down the rate at which the information is transferred. Different methods for controlling program threats were discussed. Operating systems controls on use of programs were mentioned.
Thursday, March 25, 2010
Lecture 15: Malicious Codes (Mar 24)
For Lecture 15, we began with Mike's presentation on Blue Pill malicious software. A Blue Pill attack is essentially malicious software code that runs in a virtualized environment, making it dangerous and difficult to detect. As virtualization becomes more popular, it is expected that such attacks will become much more common. The most vulnerable systems to these types of attack include the modern line of processors with built-in virtualization support. The defense against Blue Pill is called Red Pill, but it is not yet very reliable. This presentation was very interesting and contained a lot of great info.
After Mike’s presentation, Professor Gunes continued with lecture 15 on Malicious Codes. He began by discussing different kinds of malicious code, including virus, worm, rabbit/bacteria, logic/time bomb, Trojan horse, backdoor, and dropper. He noted that sometimes it is difficult to specify between different types of malicious codes. The lecture outlined why Trojans are hard to detect and showed that they are also the most popular type of malicious code. We were reminded that even if you create a legitimate trapdoor for yourself, someone else can find it. We were introduced to the “4 Virus Lifecycles,” which are the dormant phase, the propagation phase, the triggering phase, and the execution phase.
The lecture also included methods for preventing malicious code attacks. We learned about how viruses can be detected according to certain patterns, characteristics, and other signature traits of virus code. The easiest way to prevent a malicious code attack is to be sure that your trust the source of the files that you download.
After Mike’s presentation, Professor Gunes continued with lecture 15 on Malicious Codes. He began by discussing different kinds of malicious code, including virus, worm, rabbit/bacteria, logic/time bomb, Trojan horse, backdoor, and dropper. He noted that sometimes it is difficult to specify between different types of malicious codes. The lecture outlined why Trojans are hard to detect and showed that they are also the most popular type of malicious code. We were reminded that even if you create a legitimate trapdoor for yourself, someone else can find it. We were introduced to the “4 Virus Lifecycles,” which are the dormant phase, the propagation phase, the triggering phase, and the execution phase.
The lecture also included methods for preventing malicious code attacks. We learned about how viruses can be detected according to certain patterns, characteristics, and other signature traits of virus code. The easiest way to prevent a malicious code attack is to be sure that your trust the source of the files that you download.
Monday, March 8, 2010
Lecture 13: Program Security (Mar 8th)
Lecture 13 began with a presentation by Joshua about Encrypted Viruses. His presentation covered what encrypted viruses were and how they are used. Essentially, the presentation explained that an encrypted virus is one that the virus code is either encrypted so that it is not easily detected by the system, or is a virus that encrypts files on one’s computer so they cannot be accessed. His presentation shows that encryption can also be used for malicious reasons.
The lecture began with a continuation on the discussion of non-malicious security flaws. Dr. Gunes began by discussing string formatting vulnerabilities and how simple printf() functions, if not used properly can cause serious security issues. In addition, he continued with his explanation of Incomplete Mediate. This is where the programmer doesn’t specify exactly the correct data to be accepted from the user and can therefore allow the program to accept unreasonable values, poorly formatted entries, and allows the system to become susceptible to buffer overflow and malicious code injections. Furthermore, the lecture concluded with a discussion on TOCTTOU errors, otherwise known as “race conditions”. In this circumstance, lets say two processes of a program are using the same data in their code. Well the system will check to see if the first process is allowed to use the data, then lets it, and same for the second process. However if something changes in the time it takes for the system to check if the process is allowed to use the data, then many errors can occur. The lecture finished with an overview of what will be on the mid-term.
The lecture began with a continuation on the discussion of non-malicious security flaws. Dr. Gunes began by discussing string formatting vulnerabilities and how simple printf() functions, if not used properly can cause serious security issues. In addition, he continued with his explanation of Incomplete Mediate. This is where the programmer doesn’t specify exactly the correct data to be accepted from the user and can therefore allow the program to accept unreasonable values, poorly formatted entries, and allows the system to become susceptible to buffer overflow and malicious code injections. Furthermore, the lecture concluded with a discussion on TOCTTOU errors, otherwise known as “race conditions”. In this circumstance, lets say two processes of a program are using the same data in their code. Well the system will check to see if the first process is allowed to use the data, then lets it, and same for the second process. However if something changes in the time it takes for the system to check if the process is allowed to use the data, then many errors can occur. The lecture finished with an overview of what will be on the mid-term.
Lecture 12: Program Security (Mar 3rd)
Lecture 12 was split between a presentation from Jeff on trusted computing and program security. Jeff's presentation covered what trusting computing meant with regards to the internet. He also covered the basics of what a null attack was. The lecture on program security covered how to find and fix faults, types of security flaws, and buffer overflows. The section on finding and fixing faults suggested that the best way to find faults is to allow users to test the program and report faults they find. The types of security flaws mentioned were: malicious, non-malicious, and unintentional. Malicious flaws are created in order to attack a particular system. Non-malicious flaws are sometimes features that are intended to be in the program, but when used by a malicious person can cause problems for the program. Finally non-malicious flaws are errors that were not intended by the programs creates. The last topic covered was buffer overflows. Buffer overflows occur when the program gets an input that is longer than the input that it was expecting. When this happens you don't know if the program is going to overwrite code or data with the extra input.
Thursday, March 4, 2010
Homework 2
2nd homework on Cryptographic Systems and Program Security is posted at http://www.cse.unr.edu/~mgunes/cs450/HW2.htm.
The deadline is Friday, Mar 12 at 12:00 pm.
The deadline is Friday, Mar 12 at 12:00 pm.
Wednesday, March 3, 2010
Lecture 11: Digital Certificates (Mar 1st)
The lecture of Monday, March 1st consisted of the description and usage of Digital Certificates. Dr. Gunes began by explained what digital certificates were, and their relationship with Certificate Authorities (CA). CAs can verify someone's identity and issue them a unique certificate. However, there are multiple CAs, and an attacker could pose as his own CA. This leads to cross-verification, in which certificates are verified by a generally-trusted CA, or by a CA closer to a root CA.
Certificates can solve legal disputes since they provide proof of the integrity and origin of data. However, certificates expire, and their keys can be stolen. The certificate is then revoked, and placed on a Certificate Revocation List (CRL). This CRL should be checked every time user uses a public key to access a message. However, these lists are suspect to DOS attacks. Short-lived (1 day) certificates expire quickly.
Certificates are granted when a subscriber generates a public/private key pair and sends the public to a CA. CAs will verify the subscriber identity, then issue and publish a certificate with the public key. To use it, the subscriber signs a message with his private key. The receiver verifies the digital signature with sender's public key and asks for verification of signature from the CA repository.
The X.500 directory service has the X.509 extension for public key certificates. Message recipients are generally responsible for finding the necessary certificate. X.509 has a general certificate format that includes at least the algorithm, the CA, and who owns the key. X.500 requires each entry to have a unique name, so general information about the location/organization is used, as well as a student/employee ID number. X.509 version 3 contains extensions that allow for a set of extra information to be added to a CA's certificates.
Certificates can solve legal disputes since they provide proof of the integrity and origin of data. However, certificates expire, and their keys can be stolen. The certificate is then revoked, and placed on a Certificate Revocation List (CRL). This CRL should be checked every time user uses a public key to access a message. However, these lists are suspect to DOS attacks. Short-lived (1 day) certificates expire quickly.
Certificates are granted when a subscriber generates a public/private key pair and sends the public to a CA. CAs will verify the subscriber identity, then issue and publish a certificate with the public key. To use it, the subscriber signs a message with his private key. The receiver verifies the digital signature with sender's public key and asks for verification of signature from the CA repository.
The X.500 directory service has the X.509 extension for public key certificates. Message recipients are generally responsible for finding the necessary certificate. X.509 has a general certificate format that includes at least the algorithm, the CA, and who owns the key. X.500 requires each entry to have a unique name, so general information about the location/organization is used, as well as a student/employee ID number. X.509 version 3 contains extensions that allow for a set of extra information to be added to a CA's certificates.
Subscribe to:
Posts (Atom)