Computer Security Threats

Computer Security

Computer Security Triad

Three key objectives are at the heart of computer security:


Confidentiality

  • Assures that private or confidential information is not made available or disclosed to unauthorised individuals


Integrity

  • Assures that information and programs are changed only in a specified and authorised manner


Availability

  • Assures that systems work promptly and service is not denied to authorised users

Two further concepts are often added to the core of computer security:


Authenticity

  • The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.


Accountability

  • The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Threats

Unauthorised Disclosure

  • A circumstance or event whereby an entity gains access to data for which the entity is not authorised.


Deception

  • A circumstance or event that may result in an authorised entity receiving false data and believing it to be true.


Disruption

  • A circumstance or event that interrupts or prevents the correct operation of system services and functions.


Usurpation

  • A circumstance or event that results in control of system services or functions by an unauthorised entity.

Attacks resulting in Unauthorised Disclosure

Unauthorised Disclosure is a threat to confidentiality.


Attacks include:

Exposure (deliberate or through error)

  • This can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider.
  • It can also be the result of a human, hardware, or software error that leads to an entity gaining unauthorised knowledge of sensitive data.


Interception

  • On a shared local area network (LAN), such as a wireless LAN or a broadcast Ethernet, any device attached to the LAN can receive a copy of packets intended for another device.
  • On the Internet, a determined hacker can gain access to e-mail traffic and other data transfers.


Inference

  • An adversary is able to gain information from observing the pattern of traffic on a network, such as the amount of traffic between particular pairs of hosts on the network.
  • Another example is the inference of detailed information from a database by a user who has only limited access.
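
The database inference case above is easiest to see with a concrete control. The following is an added example, not part of the lecture notes: it uses a constructed employee table (hypothetical names, departments and salaries) and shows why "aggregate-only" access still leaks individual records, alongside a query-set-size control (a hypothetical policy threshold k) that refuses aggregates over too few rows, or over too many rows, since the complement of a tiny set isolates the same individual.

```python
import sqlite3

# Constructed sample data (not from the notes): an HR table that a user with
# "limited access" may query only through aggregate statistics.
SAMPLE_ROWS = [
    ("alice", "engineering", 120000),
    ("bob", "engineering", 110000),
    ("carol", "engineering", 130000),
    ("dave", "engineering", 100000),
    ("erin", "engineering", 140000),
    ("frank", "sales", 90000),
    ("grace", "sales", 95000),
    ("heidi", "sales", 85000),
    ("ivan", "sales", 100000),
    ("judy", "legal", 150000),   # sole member of the legal department
]

MIN_QUERY_SET_SIZE = 3  # hypothetical policy threshold k


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_avg_salary(conn, dept):
    """Unrestricted aggregate. An average over a one-person department is that
    person's exact salary, so 'aggregate only' access still leaks individual data."""
    return conn.execute(
        "SELECT AVG(salary) FROM employee WHERE dept = ?", (dept,)
    ).fetchone()[0]


def guarded_avg_salary(conn, dept, exclude=False, k=MIN_QUERY_SET_SIZE):
    """Query-set-size control: answer only if the rows matching the query number
    at least k AND at most N - k. The upper bound matters because the complement
    of a tiny set ("everyone except legal") would isolate the same individual.
    Returns None when the query is refused."""
    total = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    op = "!=" if exclude else "="          # operator chosen from a fixed pair, value is bound
    n, avg = conn.execute(
        f"SELECT COUNT(*), AVG(salary) FROM employee WHERE dept {op} ?", (dept,)
    ).fetchone()
    if n < k or n > total - k:
        return None
    return avg


if __name__ == "__main__":
    db = build_db()
    print("naive legal avg   :", naive_avg_salary(db, "legal"))                 # leaks judy's salary
    print("guarded legal avg :", guarded_avg_salary(db, "legal"))               # refused -> None
    print("guarded not-legal :", guarded_avg_salary(db, "legal", exclude=True)) # refused -> None
    print("guarded eng avg   :", guarded_avg_salary(db, "engineering"))         # answered
```

A minimum query-set size on its own is a weak control: two permitted queries whose result sets overlap can be subtracted to recover a single row, so real statistical databases combine it with query auditing, limits on overlap between answered queries, or added noise (differential privacy).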


Intrusion

  • An adversary gaining unauthorised access to sensitive data by overcoming the system’s access control protections.

Attacks resulting in Deception

Deception is a threat to either system integrity or data integrity.


Attacks include:

Masquerade

  • An attempt by an unauthorised user to gain access to a system by posing as an authorised user; this could happen if the unauthorised user has learned another user’s logon ID and password.


Falsification

  • This refers to the altering or replacing of valid data or the introduction of false data into a file or database. For example, a student may alter his or her grades on a school database.


Repudiation

  • A user either denies sending data, or denies receiving or possessing the data.

Attacks resulting in Disruption

Disruption is a threat to availability or system integrity.


Attacks include:

Incapacitation

  • This is an attack on system availability.


Corruption

  • This is an attack on system integrity.


Obstruction

  • One way to obstruct system operation is to interfere with communications by disabling communication links or altering communication control information.
  • Another way is to overload the system by placing excess burden on communication traffic or processing resources.

Attacks resulting in Usurpation

Usurpation is a threat to system integrity.


Attacks include:

Misappropriation

  • This can include theft of service.


Misuse

  • Misuse can occur either by means of malicious logic or by a hacker who has gained unauthorised access to a system.

Intruders

Three main classes of intruders:


1. Masquerader (Typically an outsider)

  • An individual who is not authorised to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account


2. Misfeasor (Often an insider and legitimate user)

  • A legitimate user who accesses data, programs, or resources for which such access is not authorised, or who is authorised for such access but misuses his or her privileges


3. Clandestine user

  • An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

Malware

General term for any malicious software:

  • Software designed to cause damage
  • Or to use up the resources of a target computer.

Some malware is parasitic

  • Contained within other software


Some malware is self-replicating; other malware requires some other means to propagate.

Backdoor

A trapdoor (secret entry point) that is useful to programmers for debugging

  • But it allows unscrupulous programmers to gain unauthorised access.

Logic Bomb

Code that “explodes” when certain conditions are met, such as:

  • Presence or absence of certain files
  • Particular day of the week
  • Particular user running application

Trojan Horse

A useful program that contains hidden code which, when invoked, performs some unwanted or harmful function.

Can be used to accomplish indirectly functions that an unauthorised user could not accomplish directly.

  • For example, the hidden code may change the victim’s file permissions so that everyone has access.

Mobile Code

Transmitted from a remote system to a local system and executed on the local system without the user’s explicit instruction.

  • Common examples are cross-site scripting attacks.

Multiple-Threat Malware

A multipartite virus infects in multiple ways; a blended attack uses multiple methods of infection or propagation.

e.g. Nimda has worm, virus, and mobile code characteristics.

Virus

Software that “infects” other software by modifying it.


A virus has three parts:

  • An infection mechanism – The means by which a virus spreads, enabling it to replicate.
  • Trigger – The event or condition that determines when the payload is activated or delivered.
  • Payload – What the virus does, besides spreading (may involve damage).


Virus Stages

During its lifetime, a typical virus goes through the following four phases:

  • Dormant phase
  • Propagation phase
  • Triggering phase
  • Execution phase


Virus Structure

  • May be prepended, appended, or embedded in an executable

  • When the executable runs, it first executes the virus, then calls the original code of the program
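
Because a file-infecting virus works by modifying executables (the Integrity objective above is exactly what it violates), the standard defender's check is a hash baseline of the executables taken while the system is known-good, re-checked later. The following is an added example and not code from the notes; it builds the baseline for a constructed temporary directory, then simulates a prepending infection by writing constructed bytes in front of a stand-in “program” and dropping a new file, and reports what the check finds.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in fixed-size chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (by relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def check_baseline(root, baseline):
    """Re-hash the tree and report (modified, missing, added) relative paths."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added


def demo():
    """Constructed scenario: baseline a directory, then simulate a prepending
    infection (extra bytes placed before the original code) and a dropped file.
    Returns what the integrity check reports."""
    with tempfile.TemporaryDirectory() as root:
        program = os.path.join(root, "program.bin")
        with open(program, "wb") as fh:
            fh.write(b"ORIGINAL PROGRAM CODE")       # constructed stand-in for an executable
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("left untouched")

        baseline = build_baseline(root)              # taken while the tree is known-good

        with open(program, "rb") as fh:
            original = fh.read()
        with open(program, "wb") as fh:
            fh.write(b"<constructed prefix>" + original)   # original code still follows
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"new file not in baseline")

        return check_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())   # (['program.bin'], [], ['dropped.bin'])
```

The baseline is only as trustworthy as where it is kept: store it off the host or sign it, otherwise an attacker who can rewrite the executable can rewrite the recorded hash too. A stealth virus or kernel-mode rootkit that intercepts file reads can also feed the checker the original bytes, which is why checks run from a clean boot medium are preferred for incident response.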


Virus Classification

There is no simple or universally agreed upon classification scheme for viruses.


It is possible to classify a virus by a number of means including:


By target

Boot sector infector

  • Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus


File infector

  • Infects files that the operating system or shell consider to be executable


Macro virus

  • Infects files with macro code that is interpreted by an application


By Concealment strategy

Encrypted virus

  • A random encryption key encrypts the remainder of the virus


Stealth virus

  • Hides itself from detection by antivirus software


Polymorphic virus

  • Mutates with every infection


Metamorphic virus

  • Mutates with every infection
  • Rewrites itself completely after every iteration


Macro Viruses

Platform independent

  • Most infect Microsoft Word documents

Infect documents, not executable portions of code

Easily spread, as file system access controls are of limited use in preventing the spread


E-Mail Viruses

May make use of MS Word macros

If someone opens the attachment, it accesses the local address book and sends copies of itself to contacts

It can also perform local damage.

Worms

Replicates itself and uses network connections to spread from system to system.

An e-mail virus has elements of a worm (it is self-replicating) but normally requires some user intervention to run, so it is classed as a virus rather than a worm.


Worm Propagation

Electronic mail facility

  • A worm mails a copy of itself to other systems


Remote execution capability

  • A worm executes a copy of itself on another system


Remote log-in capability

  • A worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other

Bots

A program that secretly takes over another Internet-attached computer

  • Used to launch attacks that are difficult to trace to the bot’s creator
  • A collection of bots is a botnet.

Rootkit

Set of programs installed on a system to maintain administrator (or root) access to that system

  • Hides its existence
  • Attacker has complete control of the system.


Rootkit classification

Rootkits can be classified based on whether they can survive a reboot and execution mode.

  • Persistent – Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention.
  • Memory based – Has no persistent code and therefore cannot survive a reboot.
  • User mode – Intercepts calls to APIs (application programming interfaces) and modifies returned results.
  • Kernel mode – Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel’s list of active processes.


Rootkit installation

  • Often installed as a Trojan horse
  • Commonly attached to pirated software
  • Installed manually after a hacker has gained root access


System Call Table Modification by Rootkit

  • Programs operating at the user level interact with the kernel through system calls.
  • Thus, system calls are a primary target of kernel-level rootkits to achieve concealment.
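
Since a rootkit that filters the system-call results seen by user-level programs (or unlinks a process from the kernel’s process list) lies to tools such as ps, a defender compares two independent views of the same fact. The following is an added example, not from the notes: it takes the list of PIDs visible in /proc (the view a hooked listing would filter) and compares it with the PIDs that answer an individual existence probe (signal 0), reporting only PIDs that stay hidden across several rounds so that processes exiting between the two views are not mistaken for hidden ones. The live functions assume a Linux host; the comparison logic itself runs anywhere on constructed input.

```python
import os
import sys


def pids_from_listing():
    """View 1: the /proc directory listing, which ps/top-style tools rely on.
    A user-mode rootkit hooking the directory-reading APIs, or a kernel-mode
    rootkit that removes a process from the kernel's list, filters this view.
    Linux only."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def max_pid():
    """Upper bound for probing, from the kernel's configured pid_max (Linux)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def pids_by_probing(upper=None):
    """View 2: ask the kernel about each PID individually with signal 0, which
    delivers nothing but reports whether the process exists; EPERM means it
    exists but belongs to another user. Guarded to Linux: on Windows os.kill()
    with 0 would terminate processes rather than probe them."""
    if not sys.platform.startswith("linux"):
        raise RuntimeError("PID probing with signal 0 is only safe on Linux")
    found = set()
    for pid in range(1, (upper or max_pid()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def cross_view_diff(listed, probed):
    """PIDs that answer a probe but do not appear in the listing are suspicious."""
    return sorted(set(probed) - set(listed))


def stable_hidden(rounds):
    """Processes start and exit between the two views, so a single difference may
    be a race. Report only PIDs hidden in every round, where rounds is a sequence
    of (listed, probed) pairs."""
    hidden = None
    for listed, probed in rounds:
        diff = set(cross_view_diff(listed, probed))
        hidden = diff if hidden is None else hidden & diff
    return sorted(hidden or ())


if __name__ == "__main__":
    # Live use on a Linux host: two rounds a moment apart.
    rounds = [(pids_from_listing(), pids_by_probing()) for _ in range(2)]
    print("consistently hidden PIDs:", stable_hidden(rounds))
```

A kernel-mode rootkit that also hooks the kill system call can hide from this probe too, so the cross-view idea is strongest when one of the views comes from outside the suspect kernel, for example from the hypervisor or from an offline memory image; the constructed rounds in the test show the logic on data where PID 7 is a transient race and PID 9 is consistently hidden.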