Trojan Horse
- A seemingly innocent program contains code to perform an unexpected and undesirable function.
- That function may include:
  - modifying, deleting, or encrypting the user's files
  - copying user files to a place where the cracker can retrieve them later
  - sending the files to the cracker, or to a temporary safe hiding place, via email or FTP
- To run a Trojan horse, the victim must first execute the program (it is often hidden in free games, MP3s, or something else that attracts users' attention).
- Once it starts, the Trojan horse can do anything the user can do, and it does not require the author of the Trojan horse to break into the victim's computer.
- The Unix PATH variable is another way of getting a Trojan horse run on the machine.
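The PATH point above is easiest to see from the defender's side: the shell searches the directories in PATH in order, so an entry naming the current directory (empty or ".") or any relative directory lets a same-named file planted there be found before the real command. The following check is an added example, not part of these notes; it assumes a colon-separated PATH string and treats absolute directories as trustworthy (a full audit would also `stat()` each one and reject world-writable directories).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One PATH entry is unsafe when an unprivileged user could plant a program
 * in it that shadows a real command: an empty entry or "." (both mean the
 * current directory) or any relative directory.  Assumption for this
 * example: absolute directories are treated as trustworthy. */
static bool path_entry_is_unsafe(const char *entry, size_t len)
{
    if (len == 0)
        return true;                          /* "" is the current directory */
    if (len == 1 && entry[0] == '.')
        return true;                          /* "." is the current directory */
    if (entry[0] != '/')
        return true;                          /* relative, resolved against cwd */
    return false;
}

/* Walks a colon-separated PATH string and returns the 0-based index of
 * the first unsafe entry, or -1 when every entry is an absolute path. */
int first_unsafe_path_index(const char *path)
{
    const char *p = path;
    for (int idx = 0; ; idx++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (path_entry_is_unsafe(p, len))
            return idx;
        if (colon == NULL)
            return -1;                        /* last entry checked, all fine */
        p = colon + 1;
    }
}

int main(void)
{
    const char *path = getenv("PATH");
    if (path == NULL) {
        puts("PATH is not set");
        return 0;
    }
    int bad = first_unsafe_path_index(path);
    if (bad < 0)
        printf("PATH looks safe: %s\n", path);
    else
        printf("PATH entry #%d is a current or relative directory: %s\n", bad, path);
    return bad < 0 ? 0 : 1;
}
```

Run it in a login shell; a non-zero exit code flags a PATH that should be fixed (for the trailing-colon case, note that "/usr/bin:" contains an empty final entry, which is the current directory).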
Login Spoofing
- Get usernames and passwords by putting up a fake login screen that tricks users into entering their passwords.
  –> Windows asks users to hit Ctrl+Alt+Del before the login screen for this reason.
Logic Bomb
- A piece of code written by one of a company's (currently employed) programmers and secretly inserted into the production operating system.
- The programmer feeds it a daily password; if the programmer is fired one day, no password is provided to the program and the logic bomb "goes off".
  –> This has happened in payroll systems.
- "Going off" might mean wiping the disk, erasing files at random, or making other hard-to-detect changes to key programs.
- The company can call the police, but will never get the files back.
Trap Door
- Allows a system programmer to bypass the whole authentication check.
  –> e.g. a special login name for which access is granted no matter what password the user types.
- This can be prevented by code review: having programmers periodically explain their code line by line.
Buffer Overflow
- Particular to C programming.
- C compilers do not do array bounds checking, so it is possible to overwrite bytes of memory outside an array.
- Suppose input of dynamic length is copied into a fixed-size array (e.g. a Name buffer).
- If the input has more characters than the array can hold, the name overflows the array and overwrites the address stored beyond it, corrupting it.
- Prevention process:
  - Feed the program an input of a reasonable, known size first and see whether it dumps core.
  - Analyze the core dump to see where the long stream ended up.
  - Figure out which data was overwritten from there.
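The overflow described above comes down to one unchecked copy. This is an added example, not code from the notes: the unsafe copy into a fixed "Name" array sits beside a checked version that measures the input first and refuses anything that would not fit, which is the change that makes the core-dump test above pass. `NAME_LEN`, the function names and the 200-character test input are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the fixed-size "Name" array from the notes (assumed size) */

/* Unsafe copy: strcpy() does not know how big 'name' is, so any input of
 * NAME_LEN or more characters runs past the array and overwrites whatever
 * the compiler placed next to it on the stack.  Shown only to make the
 * defect visible; it must never receive untrusted input. */
void copy_name_unsafe(char name[NAME_LEN], const char *input)
{
    strcpy(name, input);
}

/* Checked copy: measure first and refuse anything that does not fit
 * together with its NUL terminator, so no byte outside 'name' is written.
 * Returns true on success, false when the input was rejected. */
bool copy_name_checked(char name[NAME_LEN], const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_LEN)
        return false;
    memcpy(name, input, len + 1);             /* includes the terminator */
    return true;
}

/* Demonstration wrapper: copies into a static buffer and returns it, or
 * NULL when the checked copy rejected the input. */
const char *checked_copy(const char *input)
{
    static char name[NAME_LEN];
    return copy_name_checked(name, input) ? name : NULL;
}

int main(void)
{
    /* Constructed oversized input, the kind the prevention process feeds
     * to a program to see whether it dumps core. */
    char long_input[200];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    printf("short input : %s\n", checked_copy("alice") ? "accepted" : "rejected");
    printf("200 x 'A'   : %s\n", checked_copy(long_input) ? "accepted" : "rejected");
    /* copy_name_unsafe(name, long_input) would overflow here; not executed. */
    return 0;
}
```

The checked version rejects rather than silently truncates; truncation is also safe for memory but can change the meaning of a name, which is a separate problem.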
Generic Security Attacks
- Tiger/penetration team: a group of experts hired by the company to see if they can break into the system.
- Commonly successful attacks:
  - Request memory pages, disk space, or tapes and just read them.
  - Try illegal system calls, legal calls with illegal parameters, or legal calls with legal but unreasonable parameters.
  - Start logging in and hit break keys (e.g. DEL) to kill the login checking program.
  - Try modifying complex operating system structures kept in user space.
  - Look at the manual and do what it says "Do not do...".
  - Convince a system programmer to add a trap door with your user name.
  - Bribe the secretary.
Design Principles for Security
- The system design should be public.
- The default should be no access.
- Check for current authority (on every access, not only the first).
- Give each process the least privilege possible.
- The protection mechanism should be simple, uniform, and built into the lowest layers of the system.
- The scheme chosen must be psychologically acceptable.
- KEEP THE DESIGN SIMPLE!
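Three of the principles above ("default no access", "check for current authority", "least privilege") can be made concrete in a few lines. The access check below is an added example, not from the notes; it uses a constructed in-memory grant table, where a right exists only if it was explicitly granted, and the table is consulted on every call rather than cached, so a revoked right stops working immediately.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory grant table for the example.  A row exists only for
 * rights that were explicitly given; absence of a row means no access. */
#define MAX_GRANTS 32
typedef struct {
    const char *user;
    const char *object;
    char op;           /* 'r' read, 'w' write, 'x' execute */
    bool active;
} Grant;

static Grant grants[MAX_GRANTS];
static int n_grants;

void reset_grants(void) { n_grants = 0; }

/* Adds an explicit right.  Returns false when the table is full. */
bool grant(const char *user, const char *object, char op)
{
    if (n_grants >= MAX_GRANTS)
        return false;
    grants[n_grants++] = (Grant){ user, object, op, true };
    return true;
}

/* Withdraws a right.  Returns true if a matching active grant was found. */
bool revoke(const char *user, const char *object, char op)
{
    for (int i = 0; i < n_grants; i++) {
        Grant *g = &grants[i];
        if (g->active && g->op == op &&
            strcmp(g->user, user) == 0 && strcmp(g->object, object) == 0) {
            g->active = false;
            return true;
        }
    }
    return false;
}

/* The access decision.  Two principles are visible here:
 *  - default is no access: the only way to get true is an explicit row;
 *  - check for current authority: the table is consulted on every call and
 *    the result is never cached, so a revoked right stops working at once. */
bool check_access(const char *user, const char *object, char op)
{
    for (int i = 0; i < n_grants; i++) {
        const Grant *g = &grants[i];
        if (g->active && g->op == op &&
            strcmp(g->user, user) == 0 && strcmp(g->object, object) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    reset_grants();
    grant("alice", "payroll.db", 'r');   /* least privilege: read only */
    printf("alice read  payroll.db: %s\n",
           check_access("alice", "payroll.db", 'r') ? "allow" : "deny");
    printf("alice write payroll.db: %s\n",
           check_access("alice", "payroll.db", 'w') ? "allow" : "deny");
    revoke("alice", "payroll.db", 'r');
    printf("alice read after revoke: %s\n",
           check_access("alice", "payroll.db", 'r') ? "allow" : "deny");
    return 0;
}
```

Granting only 'r' and not 'w' is the least-privilege part: a process gets exactly the rights its job needs, and anything it was never given is denied without a special rule.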