Mobile Code Data Base
by Arthur Reloj
Overview:
- What's Mobile Code
- Purpose of a Mobile Code Data Base
- Problems concerning Mobile Code & Basic Design Specifics
What's Mobile Code?
Comes from the term Malicious Mobile Code (MMC).
MMC refers to any software program designed to move from computer to computer, network to network, in order to intentionally modify systems without the consent of the owner/operator.
Includes viruses, Trojan horses, worms, script attacks, and rogue Internet code.
Used to be limited to DOS viruses, Trojans and worms.
Scripting languages have expanded the range and scope of harmful programs: macro viruses, HTML, Java, applets, ActiveX, VBScript, JavaScript, instant messaging...
Not all mobile code has malicious intent:
- Maintenance viruses: to replace an older program with a newer version.
- Data mining worm: to gather/retrieve data for a given period from multiple sources through a distributed database.
- Marketing programs: mobile code to distribute advertisements.
Purpose of a Mobile Code Data Base
- Repository for MMC and non-malicious mobile code
- Data mining tool
- Factual resource
- Developers' resource
Problems concerning Mobile Code & Basic Design Specifics
Storage: keeping live, complete code confined within a system
- Limited Transitivity, Limited Sharing, Limited Function
Transfer/Capture: confining mobile code in the wild & getting mobile code where you want it
- Honey pots, goat files, firewalls, incompatible packaging, multiple packages, encrypted/compressed packages
Naming/Filing
Storage: Limited Transitivity
A may give information to B.
B may give information to C.
But the rules do not allow A to give information to B which B then passes to C.
[Diagram: three nodes A, B, C; A -> B and B -> C are allowed, but the chain A -> B -> C is not]
With this scheme, if A is infected, B could get it.
But if A wrote a virus B received, it could not be passed to C.
Currently no feasible way to implement.
Storage: Limited Sharing
Bell-LaPadula security model.
A given secrecy level can't read more classified data, to prevent a leak to them.
And can't write data to a less classified area, to prevent data from leaking out.
[Diagram, seen from one secrecy level: High: No Read; own level: Read/Write; Low: No Write]
Storage: Limited Sharing
Biba integrity model.
A given integrity level can't read data of a lower level, so it cannot corrupt you.
And can't write data of higher integrity, so you cannot corrupt it.
[Diagram, seen from one integrity level: High: No Write; own level: Read/Write; Low: No Read]
Storage: Limited Sharing
Combining secrecy and integrity eliminates all sharing.
[Diagram: Bell-LaPadula (High: No Read / own level: Read/Write / Low: No Write) + Biba (High: No Write / own level: Read/Write / Low: No Read) = High: No Access / own level: Read/Write / Low: No Access]
Case of limited sharing: a partially ordered set (poset).
[Diagram: a partially ordered set drawn over nodes labelled A through V]
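The three "Limited Sharing" slides above can be checked mechanically. The following is an added example, not part of the original presentation: it encodes the Bell-LaPadula rules (no read up, no write down), the Biba rules (no read down, no write up), and their conjunction, then enumerates every subject/object level pair to confirm the slide's claim that enforcing both on one ordering leaves only same-level access. It assumes, as the slides do, that a single three-level ordering (LOW < MID < HIGH) is used for both secrecy and integrity.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Single ordering used for both secrecy and integrity, as in the slides."""
    LOW = 0
    MID = 1
    HIGH = 2


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (secrecy): no read up, no write down."""
    if op == "read":
        return obj <= subject   # may only read at or below own clearance
    if op == "write":
        return obj >= subject   # may only write at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if op == "read":
        return obj >= subject   # may only read data of equal or higher integrity
    if op == "write":
        return obj <= subject   # may only write data of equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")


def combined_allows(subject: Level, obj: Level, op: str) -> bool:
    """Both models enforced at once on the same level ordering."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def sharing_table(policy):
    """Map every (subject level, object level) pair to the set of allowed operations."""
    return {(s, o): {op for op in ("read", "write") if policy(s, o, op)}
            for s, o in product(Level, Level)}


def cross_level_sharing_exists(policy) -> bool:
    """True if any operation is permitted between two *different* levels."""
    return any(ops for (s, o), ops in sharing_table(policy).items() if s != o)


if __name__ == "__main__":
    for name, policy in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows),
                         ("Combined", combined_allows)):
        print(f"{name}: cross-level sharing = {cross_level_sharing_exists(policy)}")
        for (s, o), ops in sharing_table(policy).items():
            print(f"  subject {s.name:4} -> object {o.name:4}: {sorted(ops) or 'no access'}")
```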
Limited Function
Private functions vs. public functions
Form filing
Limited data entry
Real-world example: EFT (Electronic Funds Transfer)
Any information on the network is treated as a from-account, a to-account, an amount of money, and a check string.
Transfer/Capture: confining mobile code in the wild & moving it
Many of the methods for capture can also be implemented for transfer.
- Firewalls: block network traffic by port number and IP address; can be used to isolate a compromised system.
- Honey pots: assume a system will be compromised; they are "fake" systems designed to mimic legitimate environments and may be corrupted many times without endangering actual systems.
- Goat files: blank .COM and .EXE files; used to capture clean copies of viruses.
- Incompatible packaging: many viruses only function in specific environments; viruses placed in incompatible formats cannot be interpreted and are relatively safe.
  Example: the Lehigh virus, launched in fall of 1987 at Lehigh University, infected over 500 systems by spreading on floppy disks. However, it was designed to infect only 5.25" disks.
- Multiple packages: dividing dangerous code into multiple parts.
- Encryption/Compression: altering the original code in such a way that it is recoverable but not interpretable.
Naming/Filing
CARO naming convention: in 1991 the Computer Antivirus Researchers Organization developed a standard naming scheme:
Family name
Group name
Major variant
Minor variant
Modifier
6 other rules, including:
- No names after locations
- No company or brand names
- Don't invent a new name if there is an existing name
A type prefix has been added to the CARO convention because of the many new ways of infection.
Examples: the Cascade virus variant that plays music is now Cascade.1701.A. Cascade is the family name, 1701 is the group name (because of the different-sized variants), and A because it was the first variant.
The Melissa virus variant becomes WM97.Melissa.AA. The WM97 prefix means this is a Word macro virus, 97-specific.
Conclusion
A Mobile Code Data Base must resolve several unique problems within the DB before it can be implemented:
1. Effectively containing self-replicating/mobile programs.
2. Safely moving/copying programs.
3. Identifying rogue/wild programs within the system.