Lecture 14: Program Flaws
CS 450/650 Fundamentals of Integrated Computer Security
Slides are modified from Csilla Farkas and Brandon Phillips
Dec 17, 2015
Program Flaws
• Taxonomy of flaws, classified by
  – how (genesis)
  – when (time)
  – where (location)
  the flaw was introduced into the system
CS 450/650 Lecture 14: Program Flaws (slide 2)
Security Flaws by Genesis
• Genesis
  – Intentional
    • Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
    • Non-malicious
  – Inadvertent
    • Validation error
    • Domain error
    • Serialization error
    • Identification/authentication error
    • Other error
Flaws by Time
• Time of introduction
  – During development
    • Requirement/specification/design
    • Source code
    • Object code
  – During maintenance
  – During operation
Flaws by Location
• Location
  – Software
    • Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
    • Support tools: privileged utilities, unprivileged utilities
    • Application
  – Hardware
Malware?
Malware Evolution
• 1980s
  – Malware for entertainment (pranks)
  – 1983: the term "virus" is coined
  – 1988: Internet Worm
• 1990s
  – Malware for social status / experiments
  – 1990: antivirus software
• Early 2000s
  – Malware used for spam
• Mid 2000s
  – Criminal malware
Malware Targets
Platform                          Share of malware
*nix (Linux, BSD)                 0.052%
Mac (OS X primarily)              0.005%
Mobile (Symbian, WinCE)           0.020%
Other (MySQL, IIS, DOS)           0.012%
Windows (XP SP2, SP3, Vista, 7)   99.91%
Browser-based Exploits
• 10% Adobe Flash
• 8% RealPlayer
• 8% Microsoft
(Source: Microsoft Security Intelligence Report 6)
Bank Logons
• A Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).
• It may appear to be less dangerous to resell access to a bank account rather than to use it directly.
(Source: McAfee ©2008)