System Threats


Lecture 30
Security II
Based on Silberschatz & Galvin’s slides
And Stallings’ slides
30.1
System Threats
• Most operating systems provide a means for processes to spawn other processes.
• In such an environment, it is possible to create a situation where operating-system resources and user files are misused.
• Methods for achieving this misuse:
  – Worms
  – Viruses
  – Bacteria
30.1
System Threats
• Worms
  – Use network connections to spread from system to system
  – Electronic mail facility
    · a worm mails a copy of itself to other systems
  – Remote execution capability
    · a worm executes a copy of itself on another system
  – Remote log-in capability
    · a worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other
30.2
System Threats
• Viruses
  – Program that can infect other programs by modifying them
    · the modification includes a copy of the virus program
    · the infected program can in turn infect other programs
30.3
Virus Stages
• Dormant phase
  – virus is idle
• Propagation phase
  – virus places an identical copy of itself into other programs or into certain system areas on the disk
30.4
Virus Stages
• Triggering phase
  – virus is activated to perform the function for which it was intended
  – caused by a variety of system events
• Execution phase
  – function is performed
30.5
Types of Viruses
• Parasitic
  – attaches itself to executable files and replicates
  – when the infected program is executed, it looks for other executables to infect
• Memory-resident
  – lodges in main memory as part of a resident system program
  – once in memory, it infects every program that executes
30.6
Types of Viruses
• Boot sector
  – infects the boot record
  – spreads when the system is booted from the disk containing the virus
• Stealth
  – designed to hide itself from detection by antivirus software
  – may use compression
30.7
Types of Viruses
• Polymorphic
  – mutates with every infection, making detection by the signature of the virus impossible
  – creates copies of itself that are functionally equivalent but have distinctly different bit patterns
30.8
Antivirus Approaches
• First-generation
  – scanner identifies a virus by its signature
  – virus has the same structure and bit pattern in all copies
  – maintains a record of the length of programs and looks for changes in length
30.9
Antivirus Approaches
• Second-generation
  – uses heuristic rules to search for probable virus infection
  – looks for fragments of code that are often associated with viruses
30.10
Antivirus Approaches
• Third-generation
  – memory-resident programs that identify a virus by its actions rather than its structure
  – intervene when these actions take place
30.11
Antivirus Approaches
• Fourth-generation
  – consists of a variety of antivirus techniques used in conjunction
30.12
System Threats
• Bacteria
  – Purpose is to replicate themselves
  – Reproduce exponentially
    · take up all the processor capacity
    · take up memory
    · take up disk space
    · deny users access to resources
30.13
Threat Monitoring
• Check for suspicious patterns of activity, e.g., several incorrect password attempts may signal password guessing.
• Audit log: records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures.
• Scan the system periodically for security holes; done when the computer is relatively unused.
30.14
Threat Monitoring (Cont.)
• Check for:
  – Short or easy-to-guess passwords
  – Unauthorized set-uid programs
  – Unauthorized programs in system directories
  – Unexpected long-running processes
  – Improper directory protections
  – Improper protections on system data files
  – Dangerous entries in the program search path (Trojan horse)
  – Changes to system programs: monitor checksum values
30.16
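Two of the slides describe the same integrity check from different angles: the first-generation scanner on slide 30.9 keeps "a record of the length of the programs and looks for changes in length", and the last item above says to monitor checksum values of system programs. The following added example (not from the lecture slides) records both a length and a SHA-256 digest for every file under a directory, then compares a later snapshot against that baseline. The demo builds two constructed "programs" in a temporary directory, appends bytes to one and flips a byte in place in the other, to show why the length record alone misses the second change while the checksum catches it.

```python
"""File-integrity baseline: program length plus SHA-256 checksum.

Added example (not from the lecture slides). Implements the length
record of first-generation scanners together with the checksum
monitoring from the threat-monitoring checklist. All files are
constructed in a temporary directory; nothing on the host is touched.
"""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (length_in_bytes, sha256_hex) for one file, streaming in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(directory):
    """Map each regular file under directory (relative path) to its fingerprint."""
    baseline = {}
    for root, _, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            baseline[os.path.relpath(p, directory)] = fingerprint(p)
    return baseline


def compare(baseline, current):
    """Classify drift: length changed, checksum-only change, added, removed."""
    report = {"length_changed": [], "checksum_only": [], "added": [], "removed": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
            continue
        new_size, new_digest = current[rel]
        if new_size != size:
            report["length_changed"].append(rel)       # a length check would see this
        elif new_digest != digest:
            report["checksum_only"].append(rel)        # same length: only the hash sees it
    report["added"] = list(set(current) - set(baseline))
    for k in report:
        report[k] = sorted(report[k])
    return report


def demo():
    """Constructed scenario: one program grows, one is altered without growing."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "prog_a"), "wb") as f:
            f.write(b"\x7fELF" + b"A" * 60)          # constructed stand-in for a binary
        with open(os.path.join(d, "prog_b"), "wb") as f:
            f.write(b"\x7fELF" + b"B" * 60)
        before = build_baseline(d)

        with open(os.path.join(d, "prog_a"), "ab") as f:
            f.write(b"X" * 16)                          # appended bytes: length changes
        with open(os.path.join(d, "prog_b"), "r+b") as f:
            f.seek(10)
            f.write(b"Z")                               # in-place flip: length unchanged
        with open(os.path.join(d, "extra"), "wb") as f:
            f.write(b"unexpected new file")             # e.g. a program dropped into a system directory

        after = build_baseline(d)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where a compromised program cannot rewrite it (read-only media or a separate host), otherwise an attacker who changes a program can simply re-record its checksum; that is the same reason the slides pair checksum monitoring with protections on system data files.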