Program Flaws

Lecture 14
Program Flaws
CS 450/650
Fundamentals of
Integrated Computer Security
Slides are modified from Csilla Farkas and Brandon Phillips
Program Flaws
• Taxonomy of flaws by:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system
CS 450/650 Lecture 14: Program Flaws
2
Security Flaws by Genesis
• Genesis
– Intentional
• Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms,
Virus
• Non-malicious
– Inadvertent
• Validation error
• Domain error
• Serialization error
• Identification/authentication error
• Other error
Flaws by time
• Time of introduction
– During development
• Requirement/specification/design
• Source code
• Object code
– During maintenance
– During operation
Flaws by Location
• Location
– Software
• Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
• Support tools: privileged utilities, unprivileged utilities
• Application
– Hardware
Malware?
Malware Evolution
• 1980s
– Malware for entertainment (pranks)
– 1983: “virus”
– 1988: Internet Worm
• 1990s
– Malware for social status / experiments
– 1990: antivirus software
• Early 2000s
– Malware to spam
• Mid 2000s
– Criminal malware
Malware Targets
Platform                            %
*nix (Linux, BSD)                   0.052%
Mac (OS X primarily)                0.005%
Mobile (Symbian, WinCE)             0.020%
Other (MySQL, IIS, DOS)             0.012%
Windows (XP SP2, SP3, Vista, 7)     99.91%
Browser-based Exploits
• 10% Adobe Flash
• 8% RealPlayer
• 8% Microsoft
(Microsoft Security Intelligence Report 6)
Bank Logons
McAfee ©2008
• A Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).
• It may appear to be less dangerous to resell access to a bank account rather than to use it directly.