In this lecture, we learnt what is meant by a secure program, about malicious code, and about web application vulnerabilities. Besides that, we also touched on measures to counter malicious code and vulnerabilities by applying software engineering principles and practices, and on protections against program flaws during execution.
From what I understood from the lecture, what counts as a secure program depends on the perspective of whoever is evaluating the software's quality. There are also a number of approaches to judging program security. One of them is fixing faults by patching the software after conducting penetration tests. There is no doubt that such fixes might trigger more faults later, resulting in software failures. There are flaws in the software on the market, but flaws are not the causes of faults followed by failures.
The common flaws that we see in programs are:
validation error
domain error
serialization and aliasing
inadequate identification and authentication
boundary condition violation
other exploitable logic errors
Non-malicious program errors occur because of unintentional mistakes made by software developers, which cause malfunctions. Examples of non-malicious program errors are buffer overflows, incomplete mediation (exposed and uncontrolled data), and time-of-check to time-of-use. These non-malicious program errors may lead to exploitation by malicious programmers, commonly known as hackers. As I've said in the earlier posts, with a small amount of knowledge, a commoner can easily exploit unintentional program errors.
A buffer overflow is almost like attempting to pour two liters of water into a one-liter bottle. Incomplete mediation has to do with manipulating exposed data such as date and time to cause errors (note: exposed and uncontrolled data usually exists in URLs). The time-of-check to time-of-use flaw concerns mediation that is performed with a "bait and switch" in the middle, also known as a serialization or synchronization flaw. It is possible for these three flaws to be combined in a multistep attack to cause harm to a system.
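As an added illustration of the time-of-check to time-of-use flaw (my own C example, not from the lecture), here is the check-then-use pattern beside its hardened form; the temp-file fixture, the symlink and the owner check are assumptions made for the demo:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: the check (access) and the use (open) are two separate
 * lookups of the same path, so what it points to can be switched in between. */
int open_check_then_use(const char *path) {
    if (access(path, R_OK) != 0)
        return -1;                  /* time of check */
    return open(path, O_RDONLY);    /* time of use: a fresh lookup */
}

/* Hardened pattern: open first without following symlinks, then check the
 * descriptor with fstat. Check and use now refer to the object actually opened. */
int open_then_check(const char *path, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                  /* a symlink fails here with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: temp dir with a regular file and a symlink to it. */
int make_fixture(char *file, size_t flen, char *link, size_t llen) {
    char dir[] = "/tmp/toctouXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, flen, "%s/real.txt", dir);
    snprintf(link, llen, "%s/link.txt", dir);
    int fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return symlink(file, link);
}

int main(void) {
    char file[64], link[64];
    if (make_fixture(file, sizeof file, link, sizeof link) != 0) return 1;
    printf("check-then-use on symlink: fd %d (followed it)\n", open_check_then_use(link));
    printf("open-then-check on symlink: fd %d (refused it)\n", open_then_check(link, getuid()));
    return 0;
}
```

The race itself is not replayed here; the point is that the hardened version leaves no window, because every property it checks belongs to the descriptor it then uses.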
This is why malicious programmers create malicious code to cause harm to, or exploit, a particular system. Furthermore, malicious code has the ability to cause a great deal of harm and to persist for a long time, whether it was created by accident or on purpose.
Types of malicious code that exist today are as follows:
Spyware is a newer type of malicious/non-malicious code. It is a term for tracking software deployed without adequate notice, consent, or control for the user. Often the tracking is done by reporting information (anything from browsing history to credit-card or personal details) to a third party.
Below are the effects of viruses and their causes:
Virus Effect | Causes
Attach to executable program | Modify file directory; write to executable program
Attach to data or control file | Modify directory; rewrite data; append to data; append data to itself
Remain in memory | Intercept interrupt by modifying interrupt handler address table; load self in non-transient memory area
Infect disks | Intercept interrupt; intercept operating system
Conceal self | Intercept system calls that would reveal self and falsify result; classify self as "hidden" file
Spread infection | Infect boot sector; infect system program; infect ordinary program; infect data that an ordinary program reads to control its execution
Prevent deactivation | Activate before deactivating program and block deactivation; store copy to reinfect after deactivation
The above notes on malicious code concern anonymous code that is not targeted at a specific system, application or particular purpose. The main forms of targeted malicious code are trapdoors and the salami attack.
A trapdoor is an undocumented entry point to a module. It is usually inserted by software developers during code development and testing. Its initial purpose is to provide "hooks" by which to connect future modifications and enhancements, or simply to allow access if the module should fail in future. Aside from its legitimate use, a trapdoor allows a programmer access to a program once it is placed in production. The main reasons trapdoors remain include the programmer forgetting to remove them, and the programmer intentionally leaving them for testing, for maintenance, or as a later covert means of access.
As for the salami attack, this code merges bits of seemingly inconsequential data to yield powerful results, for instance in programs that disregard small amounts of money in their interest computations.
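An added example (mine, not from the lecture) of why a salami attack on interest fractions survives a totals-only reconciliation but not a per-account recomputation; the ledger model, the 5% rate and the account values are constructed for the demo:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed ledger model: balances in cents, annual rate in basis points. */
typedef struct { const char *id; int64_t balance_cents; int64_t credited_cents; } account_t;
/* Exact monthly interest in hundredths of a cent (balance * bp / 10000 / 12 * 100). */
int64_t monthly_interest_hundredths(int64_t balance_cents, int rate_bp) {
    return balance_cents * rate_bp / 1200;
}

/* What an honest posting credits: whole cents only; the fraction stays unposted. */
int64_t expected_credit_cents(int64_t balance_cents, int rate_bp) {
    return monthly_interest_hundredths(balance_cents, rate_bp) / 100;
}

/* Coarse control: total credited versus total owed, rounded once at the end.
 * Fractions swept into one account still pass this check. */
int totals_balance(const account_t *a, size_t n, int rate_bp) {
    int64_t exact = 0, credited = 0;
    for (size_t i = 0; i < n; i++) {
        exact += monthly_interest_hundredths(a[i].balance_cents, rate_bp);
        credited += a[i].credited_cents;
    }
    return exact / 100 == credited;
}

/* Fine control: recompute each account's credit independently, count mismatches,
 * and report the first offending account id through first_bad. */
size_t audit_accounts(const account_t *a, size_t n, int rate_bp, const char **first_bad) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (a[i].credited_cents != expected_credit_cents(a[i].balance_cents, rate_bp)) {
            if (bad++ == 0 && first_bad) *first_bad = a[i].id;
        }
    }
    return bad;
}

/* Constructed ledger after a tampered posting run at 5% (500 bp): the truncated
 * fractions (40 + 52 + 47 + 33 hundredths) were swept into D as one extra cent. */
const account_t TAMPERED[4] = {
    {"A", 123457, 514}, {"B", 98765, 411}, {"C", 55555, 231}, {"D", 200001, 834}};
int main(void) {
    const char *who = "none";
    size_t bad = audit_accounts(TAMPERED, 4, 500, &who);
    printf("totals balance: %d\n", totals_balance(TAMPERED, 4, 500));
    printf("accounts off on recomputation: %zu (first: %s)\n", bad, who);
    return 0;
}
```

The lesson for the defender is that the control has to operate at the same granularity as the data being skimmed: totals hide what a per-account recomputation exposes.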
The top ten web application vulnerabilities that we normally see in the world today are:
Cross-site scripting
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery
Information leakage and improper error handling
Broken authentication and session management
Insecure crypto storage
Insecure communications
Failure to restrict URL access
There are a few aspects to controlling program threats. We can see some signs that show there are viruses within a system because they leave certain trails; however, sometimes they can be very hard to detect because they can self-modify. A program scanner with a considerably good checksum can be used to detect changes in self-modifying code.
Viruses may be invisible and hide in large programs, compilers, databases or file managers. The popular hiding places for viruses are within email attachments or public download files. A virus goes through phases before it is fully activated: the dormant phase, propagation phase, triggering phase and execution phase.
To prevent virus infection, a system should have a virus detection and identification tool, a.k.a. a scanner. Removal tools are also essential to clean viruses. What I personally think is that a system should have an internet security package with antivirus protection to actively protect files from infection. This protection mechanism should include real-time file system protection, document protection, email client protection and web access protection. Nevertheless, daily updates of virus definitions are necessary.
Other ways of preventing virus infection include using only well-known software, testing software on an isolated PC, and not opening unknown email attachments. Besides that, backups are necessary too.