FILESYSTEM

SECURITY
 Malware 6/15/2021

2 GENERAL PRINCIPLES

• Files and folders are managed by the operating system

• Applications access files through an API
• Access control entry (ACE)
• Allow/deny a certain type of access to a file/folder by user/group

• Access control list (ACL)

• Collection of ACEs for a file/folder
 Malware 6/15/2021

ACCESS CONTROL ENTRIES AND

LISTS

• An Access Control List (ACL) for a resource (e.g., a file or folder) is a

sorted list of zero or more Access Control Entries (ACEs)
• An ACE specifies that a certain set of accesses (e.g., read, execute and
write) to the resources is allowed or denied for a user or group
• Examples of ACEs for folder “Bob’s CS167 Grades”
• Bob; Read; Allow
• TAs; Read; Allow
• TWD; Read, Write; Allow
• Bob; Write; Deny
• TAs; Write; Allow

3
 Malware 6/15/2021

4 LINUX VS. WINDOWS

• Linux • Windows
• Allow-only ACEs • Allow and deny ACEs
• Access to file depends on ACL of file and of • Access to file depends only on file’s ACL
all its ancestor folders • ACLs of ancestors ignored when
• Start at root of file system access is requested
• Traverse path of folders • Permissions set on a folder usually
• Each folder must have execute (cd) propagated to descendants (inheritance)
permission • System keeps track of inherited ACE’s
• Different paths to same file not equivalent
 Malware 6/15/2021

5 DISCRETIONARY ACCESS
CONTROL (DAC)
• Users can protect what they own
• The owner may grant access to others
• The owner may define the type of access (read/write/execute) given to
others
• DAC is the standard model used in operating systems

• A file handle provides an identifier for a file/folder

• File operations
• Open file: returns file handle
• Read/write/execute file
• Close file: invalidates file handle
 Malware 6/15/2021

6 CLOSED VS. OPEN POLICY

Closed policy Open Policy

• Also called “default secure” • Deny Tom read access to “foo”
• Give Tom read access to “foo” • Deny Bob r/w access to “bar”
• Give Bob r/w access to “bar” • Tom: I would like to read “foo”
• Tom: I would like to read “foo” • Access denied
• Access allowed • Tom: I would like to read “bar”
• Tom: I would like to read “bar” • Access allowed
• Access denied
 7 Malware 6/15/2021

UNIX PERMISSIONS
• Standard for all UNIXes
• Every file is owned by a user and has an associated group
• Permissions often displayed in compact 10-character notation
• To see permissions, use ls –l
jk@sphere:~/test$ ls –l
total 2
-rw-r----- 1 jk ugrad 0 2005-10-13 07:18 file1
-rwxrwxrwx 1 jk ugrad 0 2005-10-13 07:18 file2
 Malware 6/15/2021

8 FILE PERMISSION EXAMPLES

 9 Malware 6/15/2021

WORKING GRAPHICALLY WITH

PERMISSIONS
• Several Linux GUIs exist for displaying
and changing permissions
• Right-click on a file and choose
Properties, and click on the
Permissions tab:
• Changes can be made here
 SHARING DATA ON A MULTIUSER SYSTEM

• Giving write access on your own directory isn't a safe way to

share data.
• This gives the ability to do anything (accidently or deliberately)
to any of the contents of the directory.
• If you want to share your files, allocate read and execute
permission to the directory and read permission to your files.
• Others can then read them or copy them into their own
directories.
 Malware 6/15/2021

11
ROOT

• “root” account is a super-user account, like Administrator on Windows

• Multiple roots possible

• File permissions do not restrict root

• This is dangerous, but necessary, and OK with good practices

 Malware 6/15/2021

12 FILE DESCRIPTORS

• In order for processes to work with files, they need a shorthand way to refer
to those files.
• other than always going to the filesystem and specifying a path to the files in question

• In order to efficiently read and write files stored on disk, modern operating
systems rely on a mechanism known as file descriptors.
• When a program needs to access a file, a call is made to the open system call,
which results in the kernel creating a new entry in the file descriptor table
which maps to the file’s location on the disk
• when finished, the program should issue the close system call to remove the
open file descriptor
 Malware 6/15/2021

13 FILE DESCRIPTOR LEAKS

• A common programming error that can lead to serious security - a
file descriptor leak
• A dangerous scenario can arise when a program with high
privileges:
• opens a file descriptor to a protected file (ex. Password)
• fails to close it, and then
• creates a process with lower permissions.

• Since the new process inherits the file descriptors of its parent,
• it will be able to read or write to the file
• although the child process might not have permission to open that file in other
circumstances.
 Malware 6/15/2021

14 SYMBOLIC LINKS AND SHORTCUTS

• It is often useful for users to be able to create links or shortcuts to

other files on the system, without copying the entire file to a new
location
• To the user, symlinks appear to reside on the disk like any other file
• but they simply point to another file or folder on disk.
• Symlinks can often provide a means by which malicious parties can
trick applications into performing undesired behavior
 Malware 6/15/2021

15 SYMBOLIC LINKS AND

SHORTCUTS
• Suppose that this program is designed specifically to prohibit the reading of one
particular file, say, /home/admin/passwords.
• An unsafe version of this program would simply check that the filename specified
by the user is not /home/admin/passwords.
• However, an attacker could trick this program by creating a symlink to the
passwords file and specifying the path of the symlink instead.
• How do you solve it? Is this attack common in Windows OSs?
 16 Malware 6/15/2021

APPLICATION PROGRAM SECURITY

• Many attacks don’t directly exploit weaknesses in the OS kernel, but rather
attack insecure programs.
• These programs, operating at the applications layer could include program to
change passwords, which runs with higher privileges than those granted to
common users.
• So these programs should be protected against privilege escalation attacks.
 Malware 6/15/2021

17
SIMPLE BUFFER OVERFLOW ATTACKS
• In any situation where a program allocates a fixed-size buffer in memory in which
to store information
• Care must be taken to ensure that copying user-supplied data to this buffer is
done securely and with boundary checks.
• If this is not the case, then it may be possible for an attacker to provide input
that exceeds the length of the buffer,
• which the program will then attempt to copy to the allotted buffer.

• This copying may overwrite data beyond the location of the buffer in memory
• Potentially allow the attacker to gain control of the entire process and execute arbitrary
code on the machine
 18 Malware 6/15/2021

ARITHMETIC OVERFLOW

• The overflow condition is a limitation having to do with the representation of

integers in memory.
• In most 32-bit architectures, signed integers are expressed in what is known as
two’s compliment notation.
• In hex notation, signed integers 0x00000000 to 0x7ffffff are positive numbers,
• and 0x80000000 to 0xffffffff are negative numbers.

• For example, if a program continually adds very large numbers and eventually
exceeds the maximum value for a signed integer, 0x7fffffff, the representation of
the sum overflows and becomes negative rather than positive
 Malware 6/15/2021

19 AN EXAMPLE VULNERABILITY

• Suppose a network service keeps track of the number of connections it

has received since it has started, and only grants access to the first
five users.
• An unsafe implementation can be as below:
Malware
#include <stdio.h> 6/15/2021

20 int main(int argc, char * argv[ ])

{
unsigned int connections = 0;
// Insert network code here
// . . .
// . . .
// Does nothing to check overflow
conditions
connections++;
if(connections < 5)
grant access();
else deny access();
return 1;
}
 Malware 6/15/2021

21 STACK-BASED BOF (COND)

• Read about other BoF attacks and how to secure these

vulnerabilities
 Malware 6/15/2021

22

MALWARE:
MALICIOUS SOFTWARE
 Malware 6/15/2021

23
MALICIOUS SOFTWARE / MALWARE

• This chapter is devoted to the ways that software systems can be attacked
by malicious software, which is also known as malware.
• Malicious software is software whose existence or execution has
negative and unintended consequences.
• We discuss various kinds of malware, including some case studies, and
how systems and networks can be protected from malware
 Malware 6/15/2021

24 VIRUSES, WORMS, TROJANS,

ROOTKITS
• Malware can be classified into several categories, depending on
propagation and concealment
• Propagation
• Virus: human-assisted propagation (e.g., open email attachment)
• Worm: automatic propagation without human assistance
• Concealment
• Rootkit: modifies operating system to hide its existence
• Trojan: provides desirable functionality but hides malicious operation
• Various types of payloads, ranging from annoyance to crime
 Malware 6/15/2021

25 4.1 INSIDER ATTACKS

• An insider attack is a security breach that is caused or

facilitated by:
• someone who is a part of the very organization that controls or builds the
asset that should be protected.

• In the case of malware:

• an insider attack refers to a security hole that is created in a
software system by one of its programmers.
 Malware 6/15/2021

26 4.1.1 BACKDOORS

• A backdoor, which is also sometimes called a trapdoor,:

• is a hidden feature or command in a program that allows a user to perform actions he or she
would not normally be allowed to do.

• When used in a normal way, the program performs completely as expected and
advertised.
• But if the hidden feature is activated, the program does something unexpected,
often in violation of security policies, such as performing a privilege
escalation.
• Benign example: Easter Eggs in software and games
 Malware 6/15/2021

27 4.1.1 BACKDOORS INSERTED FOR

DEBUGGING PURPOSE
• A programmer is working on an elaborate biometric authentication
system for a computer login program.
• She may wish to provide a special command or password that can bypass
the biometric system in the event of a failure.
• It is useful during the code development and debugging but become a risk
that may allow an attacker to bypass authentication measures.
 Malware 6/15/2021

28 4.1.1 DELIBERATE BACKDOORS

• Deliberately insert backdoors so programmers can perform malicious

actions later.
• For example, a program may add a backdoor using of a sequence of keystrokes
to access a digital entry system for a bank vault.
• Deliberately introduce a vulnerability to a program such as BoF.
• Introducing an exploitable bug into the code of an open source project, allow
programmers to gain access from other machines.
 Malware 6/15/2021

29 4.1.2 LOGIC BOMBS

• A logic bomb is a program that performs a malicious

action as a result of a certain logic condition.
• The classic example of a logic bomb is a programmer coding
up the software for the payroll system who puts in code
that makes the program crash should it ever process two
consecutive payrolls without paying him.
• Another classic example combines a logic bomb with a
backdoor, where a programmer puts in a logic bomb that
will crash the program on a certain date.
 Malware 6/15/2021

30 4.1.2 THE OMEGA ENGINEERING

LOGIC BOMB
• An example of a logic bomb that was actually triggered and caused damage is
one that programmer Tim Lloyd was convicted of using on his former
employer, Omega Engineering Corporation.
• On July 31, 1996, a logic bomb was triggered on the server for Omega
Engineering’s manufacturing operations, which ultimately cost the company millions
of dollars in damages and led to it laying off many of its employees.
 • The Logic Behind the Omega Engineering Time Bomb
Malware 6/15/2021 included the following strings: 31
• 7/30/96
• Date that triggered the bomb; time bomb
4.1.2 THE • F:
OMEGA • Focused attention to volume F, which had critical
BOMB files

CODE • F:\LOGIN\LOGIN 12345

• Login a fictitious user, 12345 (the back door). The
user had supervisory and destroy permissions
but no password.
• CD \PUBLIC
• Change the current directory to the public folder
• FIX.EXE /Y F:\*.*
• Run a program, called FIX, which actually deletes
everything; /Y means each file should be deleted.
F:\ *.* deletes all files.
• PURGE F:\/ALL
• Prevent recovery of the deleted files
 Malware 6/15/2021

32 4.1.3 DEFENSES AGAINST INSIDER

ATTACKS
• Avoid single points of failure.
• Use code walk-throughs.
• Use archiving and reporting tools.
• Limit authority and permissions.
• Physically secure critical systems.
• Monitor employee behavior.
• Control software installations.
 Malware 6/15/2021

33 4.2 COMPUTER VIRUSES

• A computer virus is computer code that can replicate itself by modifying other
files or programs to insert code that is capable of further replication.
• This self-replication property is what distinguishes computer viruses from
other kinds of malware, such as logic bombs.
• Another distinguishing property of a virus is that replication requires some type of
user assistance, such as clicking on an email attachment or sharing a USB drive.
 Malware 6/15/2021

34 VIRUS PHASES

• Dormant phase. During this phase, the virus just exists—the virus is laying low and
avoiding detection.
• Propagation phase. During this phase, the virus is replicating itself, infecting
new files on new systems.
• Triggering phase. In this phase, some logical condition causes the virus to move
from a propagation phase to perform its intended action.
• Action phase. In this phase, the virus performs the malicious action that it was
designed to perform, called payload.
• This action could include something seemingly innocent, like displaying a silly picture on a
computer’s screen, or something quite malicious, such as deleting all essential files on the hard
drive.
 Malware 6/15/2021

35 TYPES OF VIRUSES

• Program Virus / file virus:

• infects a program by modifying the file containing its object code.
• Once the infection occurs, a program virus is sure to be run each time the infected program execute

• Macro virus / document virus

• When a document is opened, it searches for other documents to infect.
• It can insert itself into the document template, which makes the newly created document
infected.
• Further propagation occurs when the infected documents are emailed to other users.

• Boot section virus:

• Infects the code in the boot sector of a drive, which is run each time the computer is turned o
or restarted.
 Malware 6/15/2021

36
4.2.2 DEFENCES AGAINST VIRUSES - SIGNATURE

• Scan and compare the analyzed object with a database of signatures

• A signature is a virus fingerprint
– E.g., a string with a sequence of instructions specific for each virus

• A file is infected if there is a signature inside its code

– Fast pattern matching techniques to search for signatures

• All the signatures together create the malware database that usually is
proprietary
• Common Malware Enumeration (CME)
• Digital Immune System (DIS)
 Malware 6/15/2021

37 4.2.2 DEFENCES AGAINST VIRUSES -- QUARANTINE

• A suspicious file can be isolated in a folder called quarantine:

• The suspicious file is not deleted but made harmless: the user can decide when to
remove it or eventually restore for a false positive
– Interacting with a file in quarantine is possible only through the antivirus program

• The file in quarantine is harmless because it is encrypted

• Usually the quarantine technique is proprietary and the details are kept secret
 Malware 6/15/2021

38
4.2.3 ENCRYPTED VIRUSES

• The presence of their virus in a file is more stealthy if the main body of
the program is encrypted, especially the replication code and payload
• The virus code’s new structure: the decryption key, the key and the
encrypted virus code.
• This structure becomes a kind of virus signature
• The arm race continues: Signature based detection  encrypted viruses
 look for encryption code
 39 Malware 6/15/2021

4.2.4 POLYMORPHIC AND METAMORPHIC VIRUSES

• Another technique used by viruses to fight back against signature-based
detection is mutating as they replicate, thereby creating many different varieties
of the same virus
• Polymorphic virus
• Using encryption.
• Each copy of the virus is encrypted using a different key.
• Detect by generic code for an encryption algorithm

• Metamorphic virus
• Non-cryptographic obfuscation techniques, such as instruction reordering, inclusion of useless
instructions.
• Challenging to detect
 Malware

40 4.3 MALWARE ATTACKS --

TROJAN HORSES

• A Trojan horse (or Trojan) is a malware

program that appears to perform some useful
task, but which also does something with
negative consequences (e.g., launches a
keylogger).
• Trojan horses can be installed as part of the
payload of other malware but are often
installed by a user or administrator, either
deliberately or accidentally.
 Malware 6/15/2021

41
4.3 MALWARE ATTACKS -- TROJAN HORSES

• The AIDS Trojan

• It was first distributed by mailing floppy disks in 1989
• it would encrypt the user’s hard drive, Then the Trojan would offer to give the user
the password to decrypt the hard drive, but only after she paid a fee. (similar to
ransomeware)

• Mocmex
• it was discovered that several Chinese made digital photo frames
• malware is copied from the frame to the computer and begins collecting and
transmitting passwords
 Malware 6/15/2021

42 4.3 MALWARE ATTACKS --

COMPUTER WORMS
• A computer worm is a malware program that spreads copies of itself
without the need to inject itself in other programs, and usually without
human interaction.
• Thus, computer worms are technically not computer viruses (since they
don’t infect other programs), but some people nevertheless confuse the
terms, since both spread by self-replication.
• In most cases, a computer worm will carry a malicious payload, such as
deleting files or installing a backdoor.
 Malware 6/15/2021

43
WORM DEVELOPMENT

• Typically spread by exploiting vulnerabilities (e.g. BoF) in application

run by Internet-connected computer systems that have a security
hole.
• A worm then propagates by having each infected computer attempt
to infect other target machines by connecting to them over the
Internet.
• If a target machine is also vulnerable to this attack, then it will be
infected and will try to infect some other machines in turn
 Malware 6/15/2021

44
WORM DEVELOPMENT
• Once a system is infected, a worm must take steps to ensure that it persists on the victim
machine and survives rebooting.
• On Windows machines, this is commonly achieved by modifying the Windows Registry, a
database used by the operating system that includes entries that tell the operating system
to run certain programs and services or load device drivers on startup.
• One of the most common registry entries for this purpose is called
• HKEY LOCAL MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Run

• Associating with this entry the path to the executable file of the worm will result in Windows
executing the worm on startup.
• Thus, malware detection software always checks this entry (and other registry entries
specifying programs to run at startup) for suspicious executable names.
 Malware 6/15/2021

45
WORM PROPAGATION

• Worms propagate by finding and

infecting vulnerable hosts. initial infection
• They need a way to tell if a host is
vulnerable
• They need a way to tell if a host is
already infected.
 Malware 6/15/2021

46 REAL WORLD WORMS

• ILOVEYOU. This is an email worm (a worm sent as an email attachment)

first observed in 2000.
• LOVE-LETTER-FORYOU.TXT.vbs.
• When executed on a computer running Microsoft Windows, sends itself to
everyone in the user’s address book and then replaces documents and
pictures on the user’s hard drive with copies of itself.
 Malware 6/15/2021

47 REAL WORLD WORMS

• Blaster. This is a computer worm that exploited a previous buffer over

flow vulnerability in computers running Microsoft Windows XP and
Windows 2000 in 2003.
• It spread by sending copies of itself to random computers on the Internet,
hoping to find other machines with the buffer-overflow vulnerability.
• Its payload was designed to launch a denial-of-service attack against
Microsoft’s update web site.
 Malware 6/15/2021

48 DETECTING WORMS

• The detection of worms can be performed with signature-based file

scanning techniques similar to those described for viruses.
• In addition, network-level scanning and filtering, which consists of
analyzing the content of network packets before they are delivered to a
machine, allows to detect and block worms in real time.
 Malware 6/15/2021

49 4.3.3 ROOTKITS

• A rootkit is an especially stealthy type of malware.

• A rootkit alter system utilities or the OS itself to prevent detection
– Infect Windows process monitor utility, which list current running processes
– Infect utilities that allow the user to browse files, such as Windows Explore to hide files on disk
– Rootkits are often used to hide the malicious actions of other types of malware such as Trojan Horse

– User-mode rootkits
• Alter system utilities or libraries on disk
• Insert code to another user-mode process’s address space to alter its behavior, such as DLL injection

• Kernel mode rootkits

• Loaded as device drivers which allows user to easily install drivers for keyboard, audio or video devices.
• Function hooking to achieve stealth. Modify kernel memory to replace OS functions with customized
versions.
 Malware 6/15/2021

50 4.3.3 ROOTKITS

• Detecting Rootkit
• Two scans of file system (counting files)
• High-level scan using the Windows API
• Raw scan using disk access methods
• Discrepancy reveals presence of rootkit
• Could be defeated by rootkit that intercepts and modifies results of raw scan
operations
 Malware 6/15/2021

51 4.3.4 ZERO-DAY ATTACKS

• A zero-day attack is an attack that exploits a vulnerability that was

previously unknown, even to the software designers who create the
system containing this vulnerability.
• Which means a malware attack exploits a vulnerability that the
developers did not know about.
 Malware 6/15/2021

52 4.3.4 ZERO-DAY ATTACKS --

HEURISTIC ANALYSIS
• Useful to identify new and “zero day” malware
• Code analysis
– Based on the instructions, the antivirus can determine whether or not
the program is malicious, i.e., program contains instruction to delete
system files,

• Execution emulation
– Run code in isolated emulation environment
– Monitor actions that target file takes
– If the actions are harmful, mark as virus

• Heuristic methods can trigger false alarms

 Malware 6/15/2021

53
4.3.5 BONTNETS
• Malware can turn a computer in to a zombie, which is a machine that is
controlled externally to perform malicious attacks, usually as a part of a
botnet.

Botnet Controller (Attacker)

Attack Commands

Botnet:

Attack Actions

Victim
Malware 6/15/2021

QUESTIONS?