Malicious Logic and Defenses

Upload: aubrie-long

Post on 14-Jan-2016

Page 1: Malicious Logic and Defenses. Malicious Logic Trojan Horse – A Trojan horse is a program with an overt (documented or known) effect and covert (undocumented

Malicious Logic and Defenses

Malicious Logic

• Trojan Horse
– A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unknown) effect.
– A propagating Trojan horse is a Trojan horse that creates a copy of itself.
– An example of a propagating Trojan horse is the game animal, which copied itself into every directory its player could write to.
– A second example is the compiler Trojan horse described by Ken Thompson ("trusting trust"). The central idea is that the Trojan horse modifies the compiler so that it inserts itself into specific programs it compiles, including future versions of the compiler itself, so the back door survives even after the compiler's source code is cleaned.

Malicious Logic

• Computer Viruses
– When a Trojan horse can propagate freely and insert a copy of itself into another file, it becomes a computer virus.
– A computer virus is a program that inserts itself into one or more files and then performs some (possibly null) action.
– The first phase, in which the virus inserts itself into a file, is called the insertion phase; the second phase, in which it performs some action, is called the execution phase.
– A virus need not have a covert purpose. Its defining purpose is overt: to infect other files and execute. Whatever it does in the execution phase may be anything from nothing at all to a destructive payload.

Malicious Logic

• Types of Computer Viruses
– Boot Sector Infectors
• A boot sector infector is a virus that inserts itself into the boot sector of a disk, so it runs whenever the system boots from that disk.
– Executable Infectors
• An executable infector is a virus that infects executable programs.
• Generally .exe and .com files are infected by this kind of virus.
– Multipartite Viruses
• A multipartite virus is one that can infect either boot sectors or applications (executables).

Malicious Logic

– TSR Viruses
• A terminate and stay resident (TSR) virus is one that stays active in memory after the application it arrived with has terminated.
• A TSR virus can be a boot sector infector or an executable infector.
– Stealth Viruses
• Stealth viruses are viruses that conceal the infection of files, for example by returning the original, uninfected contents or file size when an infected file is read.
– Encrypted Viruses
• An encrypted virus is one that enciphers all of the virus code except for a small decryption routine. The enciphered body therefore presents no fixed byte pattern to a scanner; only the decryption routine does.

Malicious Logic

– Polymorphic Viruses
• A polymorphic virus is a virus that changes its form each time it inserts itself into another program. For an encrypted virus this means varying not only the key but the decryption routine itself, so that no fixed byte pattern remains.
– Macro Viruses
• A macro virus is a virus composed of a sequence of instructions that is interpreted, rather than executed directly.
• This type of virus can execute on any system that can interpret the instructions.
• It can infect either executable or data files (for example, a document that carries macros).
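To make the encrypted and polymorphic forms concrete, here is an added example in Python (written for this page; it is not code from the slides or from any real virus). The "virus" is an inert byte string with a constructed signature, the ciphers are toy byte-wise XOR and modular add, and nothing is executed or written to disk. It shows why a signature taken from the virus body stops matching once the body is enciphered, why a signature on the constant decryption routine still works until a polymorphic engine rewrites that routine, and why a scanner that parses and emulates the decryptor regains detection.

```python
"""Toy model of plain, encrypted and polymorphic virus bodies and three scanners.

Constructed example: the "virus" is an inert byte string; nothing is executed.
"""

SIGNATURE = b"INFECT-AND-RUN"                      # constructed body signature
VIRUS_BODY = b"[toy virus body] " + SIGNATURE + b" [end of body]"
STUB_PREFIX = b"DEC|"                               # every toy decryptor stub starts with this marker
STUB_SIGNATURE = b"DEC|xor|"                        # the fixed decryptor of the non-polymorphic encrypted form


def _transform(data: bytes, key: int, method: str, encrypt: bool) -> bytes:
    """Apply (or undo) the toy cipher named in the stub to every byte."""
    if method == "xor":                             # XOR is its own inverse
        return bytes(b ^ key for b in data)
    if method == "add":                             # byte-wise modular add; the inverse is subtract
        delta = key if encrypt else -key
        return bytes((b + delta) & 0xFF for b in data)
    raise ValueError(f"unknown decryptor method {method!r}")


def make_plain() -> bytes:
    """An unencrypted copy: the body signature is visible in the file."""
    return VIRUS_BODY


def make_encrypted(key: int, method: str = "xor", pad: int = 0) -> bytes:
    """Decryptor stub in the clear (method, key, optional NOP-style padding), then the
    enciphered body. Varying `method` and `pad` per copy models a polymorphic engine
    that rewrites the decryptor, not only the key, at each infection."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    stub = STUB_PREFIX + method.encode() + b"|" + f"{key:02x}".encode() + b"|" + b"\x90" * pad + b"|"
    return stub + _transform(VIRUS_BODY, key, method, encrypt=True)


def scan_body(sample: bytes) -> bool:
    """Classic signature scan: look for a fixed string taken from the virus body."""
    return SIGNATURE in sample


def scan_stub(sample: bytes) -> bool:
    """Signature on the constant decryptor, the only fixed bytes of a merely encrypted virus."""
    return sample.startswith(STUB_SIGNATURE)


def scan_emulated(sample: bytes) -> bool:
    """Parse whatever decryptor the sample carries, run the decryption it describes on
    bytes only (never executing them), then apply the body signature to the result."""
    if not sample.startswith(STUB_PREFIX):
        return scan_body(sample)
    try:
        _marker, method, key_hex, _pad, cipher = sample.split(b"|", 4)
        body = _transform(cipher, int(key_hex, 16), method.decode("ascii"), encrypt=False)
    except (ValueError, UnicodeDecodeError):
        return False                                # not a stub layout the emulator understands
    return SIGNATURE in body


def detection_matrix() -> dict:
    """Which scanner catches which form: (body signature, stub signature, emulation)."""
    samples = {
        "plain": make_plain(),
        "encrypted": make_encrypted(key=0x5A),                          # same stub, only the key varies
        "polymorphic": make_encrypted(key=0x21, method="add", pad=3),   # stub rewritten as well
    }
    return {name: (scan_body(s), scan_stub(s), scan_emulated(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (body, stub, emu) in detection_matrix().items():
        print(f"{name:12s} body-signature={body!s:5s} stub-signature={stub!s:5s} emulated={emu}")
```

Real scanners do the last step with a CPU emulator that runs the suspect's entry point for a bounded number of instructions and then scans the decrypted memory image; the toy above replaces that with a parse of the stub, which is enough to show why the body signature alone is not.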

Malicious Logic

• Computer Worms
– A computer worm is a program that copies itself from one computer to another.
• Other Forms of Malicious Logic
– Rabbits and Bacteria
• A bacterium or a rabbit is a program that absorbs all of some class of resource, for example by replicating until no process slots or disk space remain.
• The effect is a denial of service (DoS).
– Logic Bombs
• A logic bomb is a program that performs an action that violates the security policy when some external event occurs, for example when a particular date is reached.

Defenses

• Defending against malicious logic takes advantage of several different characteristics of malicious logic in order to detect it or to block its execution.
• Sandboxing
– Virtual machines implicitly restrict process rights: a program running inside a VM can affect only the resources of that VM.
– A common implementation of this approach is to restrict the program by modifying it.
– Special instructions inserted into the object code cause traps whenever an instruction would violate the security policy.
– If the executable dynamically loads libraries, special libraries with the desired restrictions replace the standard libraries.

Defenses

• Information flow metrics
– This approach limits the distance a virus can spread by bounding how far information, and hence an infected file, can flow from one user or process to another.
• Reducing the rights
– The user can reduce her/his associated protection domain when running a suspect program, so that the program can touch only what the task requires.
– This follows the principle of least privilege.
• Malicious logic altering files
• Proof-carrying code
• Notion of trust
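The two preceding slides describe sandboxing and running a suspect program with reduced rights. The following Python launcher is an added example written for this page (not code from the slides) that does both with nothing more than the POSIX mechanisms Python exposes: resource limits applied in the child between fork() and exec(), a private scratch working directory, an environment that inherits nothing from the caller, and a switch from root to an unprivileged uid/gid when the caller actually is root. The `uid`/`gid` parameters and the two probe programs are constructed for the illustration. It is a coarse sandbox that bounds what the program can consume and write; it does not filter system calls or isolate namespaces, so treat it as the "reduce the protection domain" step, not a complete containment.

```python
"""Run a suspect program in a reduced protection domain (POSIX only).

Added example: rlimits + scratch cwd + minimal env + privilege drop.
Not a full sandbox: no system-call filtering, no namespace isolation.
"""
from __future__ import annotations

import os
import resource
import subprocess
import sys
import tempfile


def _lowered(limit: int, wanted: int) -> tuple[int, int]:
    """Never ask for more than the current hard limit: raising a hard limit needs
    privilege, lowering one never does."""
    _soft, hard = resource.getrlimit(limit)
    value = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    return (value, value)


def make_preexec(cpu_seconds: int, open_files: int, file_bytes: int,
                 uid: int | None, gid: int | None):
    """Build the function subprocess runs in the child after fork() and before exec().
    (preexec_fn is not safe in multi-threaded parents; use it from a single-threaded launcher.)"""
    def _restrict() -> None:
        resource.setrlimit(resource.RLIMIT_CPU, _lowered(resource.RLIMIT_CPU, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_NOFILE, _lowered(resource.RLIMIT_NOFILE, open_files))
        resource.setrlimit(resource.RLIMIT_FSIZE, _lowered(resource.RLIMIT_FSIZE, file_bytes))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))        # no core dumps of the suspect
        if os.geteuid() == 0:                                   # only root can change identity
            if gid is not None:
                os.setgroups([])                                # shed supplementary groups first
                os.setgid(gid)
            if uid is not None:
                os.setuid(uid)                                  # after this, root is gone for good
    return _restrict


def run_restricted(argv: list[str], *, cpu_seconds: int = 2, open_files: int = 32,
                   file_bytes: int = 64 * 1024, uid: int | None = None,
                   gid: int | None = None, timeout: float = 10.0) -> tuple[int, bytes, bytes]:
    """Run argv with reduced rights; return (exit status, stdout, stderr).

    A negative exit status is the signal that killed the child, e.g. SIGXFSZ when it
    tried to write past file_bytes, SIGXCPU when it exceeded cpu_seconds."""
    with tempfile.TemporaryDirectory() as scratch:              # private, disposable cwd
        proc = subprocess.run(
            argv,
            cwd=scratch,
            env={"PATH": "/usr/bin:/bin"},                        # nothing inherited from the caller
            stdin=subprocess.DEVNULL,
            capture_output=True,
            timeout=timeout,
            preexec_fn=make_preexec(cpu_seconds, open_files, file_bytes, uid, gid),
        )
    return proc.returncode, proc.stdout, proc.stderr


# Constructed probe programs, run through the restricted launcher below.
PROBE_COUNT_OPENS = (
    "import os\n"
    "n = 0\n"
    "for i in range(200):\n"
    "    try:\n"
    "        os.open('f%d' % i, os.O_CREAT | os.O_WRONLY, 0o600)\n"
    "        n += 1\n"
    "    except OSError:\n"
    "        break\n"
    "print(n)\n"
)
PROBE_BIG_WRITE = "open('big', 'wb').write(b'x' * (1 << 20))\n"   # 1 MiB, above file_bytes


def opens_allowed() -> int:
    """How many files the probe managed to open under open_files=32 (well under 200)."""
    _rc, out, _err = run_restricted([sys.executable, "-c", PROBE_COUNT_OPENS])
    return int(out.strip() or b"-1")


def big_write_blocked() -> bool:
    """True when the 1 MiB write was stopped by RLIMIT_FSIZE (killed by signal or error exit)."""
    rc, _out, _err = run_restricted([sys.executable, "-c", PROBE_BIG_WRITE])
    return rc != 0


if __name__ == "__main__":
    print("files the probe could open:", opens_allowed())
    print("oversized write blocked:", big_write_blocked())
```

The order inside `_restrict` matters: limits and the group change happen while the process is still root, and `setuid` comes last because once it succeeds the child can no longer undo any of the other restrictions.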

Introduction to Virtual Machine

• Virtual Machine (VM) structure
– A VM runs on a virtual machine monitor.
– The monitor virtualizes the resources of the underlying system and presents to each VM the illusion that it, and it alone, is using the hardware.
• Virtual Machine Monitor (VMM)
– The VMM runs at the highest level of privilege; the VMs run at a lower level.
– It keeps track of the state of each VM, just as an ordinary operating system keeps track of the state of its processes.
– When a VM executes a privileged instruction, the hardware causes a trap to the VMM.
– The monitor services the trap, performing or emulating the operation on the VM's behalf, and then restores the state of the VM that caused it so that the VM resumes.
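The trap-and-emulate cycle on this slide, as an added example in Python written for this page (not code from the slides or from any real hypervisor). The guest instruction set, the choice of which opcodes are privileged, and the three guest programs are all constructed. Guests execute ordinary instructions directly; a privileged one cannot run in the guest and instead raises a trap, which the monitor services against the simulated device (or refuses), after which it advances the guest's saved state past the instruction and lets it resume.

```python
"""Trap-and-emulate in miniature: a VMM that multiplexes several guest VMs.

Added example with a constructed toy instruction set.
"""
from __future__ import annotations

from dataclasses import dataclass

PRIVILEGED = {"OUT", "HALT", "SETMODE"}     # instructions the guest is not allowed to run itself


@dataclass
class VMState:
    """Everything the monitor must save and restore for one guest."""
    name: str
    program: list                            # list of (opcode, operand) tuples
    pc: int = 0
    acc: int = 0
    halted: bool = False
    fault: str | None = None


class Trap(Exception):
    """Raised by the 'hardware' when a guest reaches a privileged instruction."""
    def __init__(self, op: str, arg):
        super().__init__(op)
        self.op, self.arg = op, arg


def execute_unprivileged(vm: VMState) -> None:
    """Run one guest instruction directly. Only privileged ones leave the guest."""
    op, arg = vm.program[vm.pc]
    if op in PRIVILEGED:
        raise Trap(op, arg)                  # control goes to the VMM; vm.pc still points at this instruction
    if op == "LOAD":
        vm.acc = arg
    elif op == "ADD":
        vm.acc += arg
    elif op == "JNZ":                        # jump to arg if acc != 0
        if vm.acc != 0:
            vm.pc = arg
            return
    else:
        raise ValueError(f"{vm.name}: bad opcode {op!r}")
    vm.pc += 1


class VMM:
    """Runs at the highest privilege: owns the simulated device and every guest's state."""

    def __init__(self) -> None:
        self.guests: dict[str, VMState] = {}
        self.device_log: list[tuple[str, int]] = []   # the only path to the 'hardware' output device

    def create(self, name: str, program: list) -> VMState:
        self.guests[name] = VMState(name, program)
        return self.guests[name]

    def service_trap(self, vm: VMState, trap: Trap) -> None:
        """Emulate the privileged instruction for this guest, then restore it to resume after it."""
        if trap.op == "OUT":                       # device access is mediated and tagged per guest
            self.device_log.append((vm.name, vm.acc))
        elif trap.op == "HALT":
            vm.halted = True
        elif trap.op == "SETMODE":                 # a guest may not raise its privilege: refuse and stop it
            vm.fault = "attempted privilege escalation"
            vm.halted = True
        vm.pc += 1                                 # resume at the instruction after the trapping one

    def run(self, quantum: int = 4) -> None:
        """Round-robin: each runnable guest gets `quantum` instructions, then the monitor switches guest."""
        while any(not g.halted for g in self.guests.values()):
            for vm in self.guests.values():
                for _ in range(quantum):
                    if vm.halted:
                        break
                    try:
                        execute_unprivileged(vm)
                    except Trap as trap:
                        self.service_trap(vm, trap)


def demo() -> VMM:
    """Two well-behaved guests plus one that tries a privileged mode switch."""
    vmm = VMM()
    vmm.create("A", [("LOAD", 3), ("OUT", None), ("ADD", -1), ("JNZ", 1), ("HALT", None)])  # emits 3, 2, 1
    vmm.create("B", [("LOAD", 10), ("ADD", 5), ("OUT", None), ("HALT", None)])              # emits 15
    vmm.create("C", [("LOAD", 1), ("SETMODE", "supervisor"), ("OUT", None), ("HALT", None)])
    vmm.run()
    return vmm


if __name__ == "__main__":
    vmm = demo()
    print("device log:", vmm.device_log)
    print("faults:", {n: g.fault for n, g in vmm.guests.items() if g.fault})
```

Guest C never reaches its `OUT`: the monitor refuses the mode switch and halts it, while A and B keep running with their own accumulators and program counters untouched, which is the isolation the slide attributes to the VMM keeping per-VM state.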