“Unix. The world's first computer virus.”
title of Chapter 1 of
‘The Unix Haters Handbook’,
written by serious computer scientists ISBN: 1-56884-203-1
Classification of Threats
Threats may exploit weaknesses in
1. operating system (W32,W95, Linux, etc),
2. applications they infect (W97M, WordPro, X97M,
3. language (HTML, VBS, JS, etc).
Delivery of malicious codes to a users machine:
1. the most popular early methods of passing viruses
by floppy disk.
2. Internet borne worms, that require no human
intervention, once started.
Malware, security tools and toolkits:
• Malware : any piece of malicious software.
• Security tools and toolkits : are designed to
be used by security professionals to protect
their sites. These can also be used by
unauthorized individuals to probe for
weaknesses. The purposes, not the approach,
makes a program malicious.
• Many of the programs that fall in the malware
categories have benevolent uses also.
Benevolent Uses:
Worms can be used to distribute computation on idle
Trap doors/ back doors are useful for debugging
A trapdoor: a code that recognizes some
special (unlikely) sequence of inputs or is
triggered by being run from a special ID.
Some programs require special privileges and
authentication to access it. Or they may require long
setup (providing many initial values of variables) and
Benevolent Uses of Trap doors and Viruses:
While debugging one may want to be able to
open the program without going through
these procedures.
A trapdoor allows one to activate the
program even if something be wrong
with the authentication procedure.
Viruses can be written to update source
code and patch bugs.
Classification of Malicious programs:
First Method
Malicious programs
Need Host programs
Trap doors Logic Bombs Trojan Horse Viruses
A Logic Bomb or a Trojan Horse may be part of a Virus or
Classification of malicious programs:
Programs that do not replicate: consist of
fragments of programs that are activated,
when the host program is invoked or
when in the host program, a specific function is
Programs that replicate: consist of
a program fragment (Example : Viruses) Or
an independent program (Example: Worm or bacterium)
that, when executed, may produce one or more
copies of itself on the same system or some other
Classification of Malicious Program:
The Second Method
Malicious Programs
Those that won’t replicate
Trap Doors Logic Bombs Trojan Horses
Those that replicate themselves
*Ref: Fig 19.1 pp.599, Stallings [2003]
Malicious Software
Malicious software: runs under the user’s
authority (without his knowledge and
hence can do all that a user can himself do.
TYPES: Back doors/ trap doors : allow
unauthorized access to your system.
• Logic bombs: programmed threats that lie
dormant for an extended period of time until
they are triggered; at this point, they perform
a function that is not the intended function of
the program in which they are contained .
Triggers for logic Bombs:
Logic bombs usually are embedded in
programs by software developers who have
legitimate access to the system.
Triggers for Logic Bombs:
Presence or absence of certain files.
Particular day of the week or data.
Particular user running the application
Trojan horses:
• Trojan horses: programs that appear to have
one function but actually perform another
• The modern – day Trojan horses resemble a
program that the user wishes to run – a
game, a spreadsheet, or an editor.
• While the program appears to be doing what
the user wants, it is also doing something
else unrelated to its advertised purpose, and
without the user’s knowledge.
Examples of Trojan horse attacks:
Examples of Trojan horse attacks:
A compiler was modified to insert additional
code into certain programs as these are
The code creates a trapdoor in the login
program that permits the author to log on
to the system using a special word. Difficult
to discover, by reading the source code of
the program.
Ref : THOM 84 from Stallings[2003]
Examples of Trojan horse attacks
Attach a program to the regular program for
listing the user’s files in a particular format.
The attached program may change the file
permissions to make them readable by any
user. After the program is executed, any
one can read the files.
• Viruses: “programs” that modify other programs on a
computer, inserting copies of themselves.
Viruses:* not distinct programs
*need to have some host program, of which they are a
part, executed to activate them
*executes secretly, when the host program is run.
A typical virus, in a computer, takes control of its Disk
Operating System. Whenever it comes in contact with
any uninfected piece of software, a fresh copy of the
virus is attached to the new program.
Reference: A malicious program was called a Virus by Cohen.
Cohen F.,’Computer Viruses’, Computer Security: A Global
Challenge, Elsevier Press, 1984, p143-158
• Worms: programs that propagate from computer to
computer on a network, without necessarily
modifying other programs on the target machines.
• Worms
• can run independently;
• travel from machine to machine across network connections;
• may have portions of themselves running on many different
• Worms do not change other programs, although they
may carry other code that does (for example, a true
virus or a Trojan horse may be implanted by a
Worms (continued)
To replicate itself, a worm uses some network
vehicle. Examples:
Electronic mail: A worm may mail a copy of itself to
another system.
Remote execution capability: A worm may execute
a copy of itself on another system.
Remote log-in capability: A worm logs on another
system as a user and then uses commands to copy
itself to the remote system.
In a multiprogramming system, a worm
may hide itself by naming itself as a system
Worms (continued)
A Worm may determine whether a host has
been infected before copying itself.
 It may examine the routing tables to locate
the addresses of remote machines, to which
it may connect, without any information to
the owner of the local host.
Examples of Worms:
Morris 1998 for unix systems,
Code Red (July 2001), Code Red II,
NIMDA (late 2001)
Phases of a virus and a worm:
A worm as well as a virus have the
following phases:
Dormant phase:
on some Date or
by presence of some file or program or
some action like the data on disc
exceeding certain limit.
Some viruses may not have this stage.
Phases of a virus and a worm (continued)
2. Propagation phase: Both a worm and a virus
check whether the file/system is already
infected. If not, they do the job.
3. Triggering phase: may be caused by some
system event.
4. Execution phase: Performs a function
Benign function: like showing a message on
Non-benign: to damage/destroy certain files.
Viruses are designed to take advantage of the
weaknesses of the OS and/or a hardware platform.
Spreading Malware via the Internet
Trojan Horse vs Virus:
• Whereas a Trojan horse is delivered pre-built, a virus
Propagation of Virus: Malicious programs arrived via
tapes and disks, and the spread of a virus around the
world took many months.
Today, Trojan horses, and viruses are network
deliverable as
*E-mail, *java applets, *ActiveX controls,
*javaScripted pages, *CGI-BIN scripts, or as *selfextracting packages.
They could arrive as a part of a game or a useful
utility, copied from some electronic bulletin board
Mobile program Systems
Mobile-program system:
Ex.: java and ActiveX.
This technology became popular with Web
servers and browsers, but it is now integrated
(e,g, java into Lotus Notes, and ActiveX into
Outlook) mail systems.
• Security Bugs in both java and ActiveX
A mobile program may act as the carrier of a
Any mechanism for sharing of files – of
programs, data, documents or images – can
transfer a virus
Structure of Viruses:
In the infected binary, at a known byte location in the
file, a virus inserts a signature byte, used to
determine if a potential carrier program has been
previously infected.
• On invoking an infected program, it first transfers
control to the virus part.
• The virus part infects uninfected executable files.
• Secondly it may damage the system in some way.
Or like a logic bomb, the damaging action may
take place in response to some trigger.
• Finally it transfers control to the original program.
Usually the first two steps may take so little time, that
one may fail to notice any difference.
Normal .COM vs. Infected .COM
Structure of a virus program:
If (triggered()){
Do Damage();
Jump to main of infected program;
Structure of a virus program (continued):
Void infectExecutable()
file = choose an uninfected executable file;
Prepend V to file;
Void doDamage(){
int triggered(){
Return (some test? 1:0);
Types of Viruses:
Types of viruses:
Parasitic Viruses:
It attaches itself to executable files and replicates,
when the infected program is executed, by
finding other files to infect.
Memory – resident virus:
stays in main memory as a part of a system
program. Then it infects every program that
executes. (Like Terminate and Stay Resident –
TSR- programs )
Types of viruses (continued)
Boot sector virus:
It infects a boot record and spreads when a
system is booted from the disk containing the
Boot sector contains crucial files. Hence it is made
invisible by the OS.  boot-sector virus files will not show
up in a normal listing of files.
Polymorphic virus:
Creates copies that are functionally equivalent
but have distinctly different bit patterns. Thus
signature of each copy will vary and a virus
scanner will find it difficult to locate it.
Methods used by Polymorphic Viruses
for variation in signature
Random insertion of superfluous instructions
 To interchange the order of independent
 Use of encryption: The virus has a mutation
engine which generates a random key and
then the engine is altered; the key is stored
with the rest of the virus, which is encrypted.
When this virus infects another host, the altered
mutation engine would generate a different
Thus every host would carry a different
signature for the virus.
The Stealth Virus
There are two other types: The Stealth
virus and the Macro virus.
A stealth virus has code in it that seeks to
conceal itself from discovery or defends itself
against attempts to analyze or remove it.
• The stealth virus adds itself to a file or boot
sector but, when you examine, it appears
normal and unchanged.
Methods used by Stealth Virus
The stealth virus performs this trickery by staying
in memory after it is executed. From, there, it
monitors and intercepts your system calls.
When the system seeks to open an infected file, the
stealth virus displays the uninfected version, thus
hiding itself.
The four types of viruses, discussed in slides 32 and
33, make an infected file longer than it was, making
it easy to spot.
There are many techniques to leave the file length
and even a check sum unchanged and yet infect.
Stealth technique:
Keeping the file length unchanged
For example, many executable files often
contain long sequences of zero bytes, which
can be replaced by the virus and regenerated.
It is also possible to compress the original
executable code like the typical Zip programs
do, and uncompress before execution and
pad with bytes so that the check sum comes
out to be what it was.
Macro languages are (often) equal in power to
ordinary programming languages such as C.
A program written in a macro language is
interpreted by the application.
Macro languages are conceptually no different
from so-called scripting languages.
Gnu Emacs uses Lisp, most Microsoft applications
use Visual Basic script as macro languages.
The typical use of a macro in applications, such as
MS Word, is to extend the features of the
Macros (continued)
Can be used to define a sequence of key-strokes in a
macro and to set it up so that when a function key is
input, the whole of the sequence is invoked.
Some of these macros, know as auto-execute
macros, are executed in response to some
events, such as…..
closing a file,
opening a file,
starting an application,
invoking a command such as ‘FileSave’ or
pressing a certain key.
Auto-executing Macros in WORD
Three types of auto-executing Macros:
1.Start-up Auto-execute: executed when WORD
is started.
2.Automacro: executes when some event like
opening/closing a document, creating a new
document, quitting WORD
3.Command:executes when a WORD command,
like FileSave) is executed.
MS has developed a Macro Virus Protection
Tool. It detects suspicious files and alerts the
user to the risk of opening them.
Macro Viruses
Macro Viruses form a large majority of the
total number of viruses today.
A macro virus is a piece of self-replicating code
inserted into an auto-execute macro.
• Once a macro is running, the virus copies
itself to other documents.
• Another type of hazardous macro is one
named for an existing command of an
Macro Viruses (continued)
Example: If a macro named FileSave exists in
the “normal.dot” template of MS Word, that
macro is executed whenever you choose the
Save command on the File menu.
Unfortunately, there is often no way to
disable such features.
Such macro viruses may be carried in the command
part of a text file, a database, a slide presentation or
a spreadsheet. The user sees only the data part –
and not the command part. So he would not be able
to see the malicious code.
Ref: For Loveletter virus for OUTLOOK (May 2000)
Spread of Macro Viruses
Macro Viruses spread fast because
• Macro viruses may be platform independent in that
any hardware/software platform that supports the
particular application can be infected.
• Macro viruses affect documents and not executable
portions of code.
• Spread easily – by e-mail.
Ex: A virus, called Melissa, used a micro, embedded in a
WORD document attached to an e-mail. …………………….
On opening the WORD attachment of e-mail,
• it damages the local machine and
• it sends itself to all the addresses in the e-mail
address book.
In 1999, new e-mail viruses appeared. These
would be able to infect, as soon as one opens
the carrier e-mail, and not by opening an
Unix/Linux Viruses:
The most famous of the security incidents in the last
decade was the internet Worm incident which began
from a Unix system.
Several Linux viruses have been discovered.
The Staog virus first appeared in 1996 and was
written in assembly language by the VLAD virus
writing group, the same group responsible for
creating the first Windows 95 virus called Boza.
Like the Boza virus, the Staog virus is a proof-ofconcept virus to demonstrate the potential of Linux
virus writing without actually causing any real
Unix/Linux Viruses (continued)
The second known Linux virus is called the
Bliss virus.
Unlike the Staog virus, the Bliss virus can not
only spread in the wild, but also possesses a
potentially dangerous payload that could wipe
out data.
Zombie: A program that takes over a
computer, without any authorization and
without informing the owner of the system.
The program originates from some other host.
It then uses the computer, that has been
taken over, for attacking a victim.
Objectives: To hide the originator of the attack
To attack the victim through a large
number of zombie computers (as in a DDoS
Bacteria or rabbit
• Bacteria, or rabbit program, replicates
without bound to overwhelm a computer
system’s resources.
• Bacteria do not explicitly damage any files.
Their sole purpose is to replicate themselves.
• A typical bacteria program may do nothing
more than execute two copies of itself
simultaneously on multiprogramming
systems, or perhaps create two new files,
each of which is a copy of the original source
file of the bacteria program.
Bacteria continued:
• Both of those programs then may copy
themselves twice, and so on. Bacteria
reproduce exponentially, eventually taking up
all the processor capacity, memory, or disk
space, denying the user access to those
• A dropper: a program that is not a virus, nor
is it infected with a virus, but when the
program is run, it installs a virus into memory,
on to the disk, or into a file.
• Droppers have been written sometimes as a
convenient carrier for a virus, and sometimes
as an act of sabotage.
• Some anti-virus programs try to detect
Virus Detection:
“Virus” is used, (in the following slidesfor- detection-and-removal of viruses,)
to stand for all types of malicious
Virus detection programs analyze a suspect
program for the presence of known viruses.
Fred Cohen has proven mathematically: that
perfect detection of unknown viruses is
impossible: no program can look at other
program and say either “a virus is present” or
“no virus is present”, and always be correct.
Virus Detection (continued):
Most new viruses are sufficiently like old
viruses:  the scanning for old viruses may
find the new ones.
• There are a large number of heuristic tricks
that anti-virus programs use to detect new
viruses, based either on how they look, or
what they do.
• Since brand-new viruses are comparatively
rare, these methods may suffice.
After detection of a virus, its identification and
removal is required.
‘generations’ of virus scanners
The first generation virus scanners: obtained a
virus signature, a bit pattern, to detect a known
They record and check the length of all
The second generation scans executables with
heuristic rules, looking for fragments of code
associated with a typical virus.
They also do integrity checking by calculating a
checksum of a program and storing somewhere
else the encrypted checksum.
‘generations’ of virus scanners
Second generation (continued)….A better method is
storing a hash function rather than a checksum.
The encryption key is stored at a separate place.
The third generation: use a memory resident
program to monitor the execution behavior of
programs to identify a virus by the types of
action that the virus takes.
The fourth generation: combines all the
previous approaches and includes access
control capabilities so that system penetration
and access to files may be denied.
Advanced Anti virus Techniques
1) Generic Decryption (GD) Technology
It uses the following components :
a) CPU Emulator: Consisting of a virtual computer
with software versions of all registers and other
processor hardware.
b) Virus signature scanner
c) Emulator control module
Virus elements are usually activated immediately after a
program starts execution.
GD begins execution of an executable file in the CPU
emulator. As each instruction is executed, the signature
scanner tries to expose the virus.
Advanced Anti virus Techniques:
Generic Decryption (GD) Technology
A polymorphic virus would decrypt itself and be
recognized by the signature scanner.
This process does not affect the computer, since
the CPU emulator provides a safe and controlled
How many instruction may be interpreted
through the emulator ? - is a design issue
The user would complain if the GD scanner uses
a great deal of computer resources and these
are not available to the user.
Advanced Anti virus Techniques:
IBM’s Digital Immune System
2) IBM’s Digital Immune System (DIS):
Since the viruses spread through e-mail,
internet and mobile code, IBM has developed
the system for fast response.
When a new virus enters the system of an
organization, DIS captures it, analyzes it, adds
detection and shielding for it, removes it and
informs other systems running IBM anti-virus
about it
Components of DIS
1) Monitoring Program - on each PC - uses
heuristics based on
system behaviour
 changes to programs
 virus signatures
to monitor the presence of a virus in a program.
Such an infected program is sent to an Administrative
Machine in the organization
Components of DIS
2) Administrative Machines : one machines located
at each site
 It encrypts suspect program received for any PC.
 It sends the encrypted suspect program to the
Central Virus Analysis machine.
3) Central Virus Analysis machine :
 It provides a safe environment for running the
suspect program (like the CPU emulator and
Emulation Control module of the GD scanner).
Components of DIS
3) Central Virus Analysis machine :
It generates a prescription for identifying and
removing the virus.
The prescription is sent to all the clients in the
world through their Administrative Machines.
Advanced Anti virus Techniques:
Behavior Blocking Software
3) Behavior Blocking Software: monitors
and blocks malicious actions like
Attempts to open, view, delete or modify files
Attempt to format a disk or other non-recoverable
disk operations.
Modifying logic of executable files or macros
Modification of critical settings like start-up
Initiation of network communication
sending executable content through e-mail or
instant messaging.
Behavior Blocking Software
Irrespective of complexity of a virus, this realtime blocking of malicious request can keep
the system safe.
However even a behavior, which may look
normal, may be problematic, thus shuffling of
files may make them unusable. So if shuffling
of files is not blocked, a virus may still
succeed in making the system unusable.
But can we/ should we block shuffling of
Prevention, Detection & Removal of Viruses
Use software acquired from reliable vendors only
Test all new software on isolated computers
with no hard disk and
not connected to a network and
with boot disk removed
Check for any unexpected behavior.
Scan with an up-to-date virus scanner, which
should have been installed before running the
new software.
Prevention, Detection & Removal of Viruses
Open an attachment only if it is safe.
When the system is known to be virus free,
prepare a recoverable system image and
store it safely in a write-protected medium
Prepare and store safely back-up copies of
executable system files
Use virus scanners and update them
Prevention, Detection & Removal of Viruses
Removal of a virus : possible only if it is
detected and eliminated faster than it
A resident virus may disable system calls,
used for deleting it.
A virus may be hidden in a variety of files even in normally hidden system files.
Example of Viruses:
Brain: It locates itself in the upper part of
Traps interrupt 19 (used in PCs for disk-read) by
resetting the interrupt address table to point to
Uses interrupt 6 (unused in PCs) to point to the
‘former address’ of interrupt 19
Thus it receives all disk read calls and shows
only the original uninfected boot sector to a
user (thus hiding itself.)
Example of Viruses:
It uses the boot sector and 6 other sectors on
the disk.
The brain virus splits itself into 3 parts. The
first part is in the boot sector. The other 2
parts are in the two other sector of the disk.
The 3rd sector of the disk contains the original
boot sector code.
Another copy of the virus is stored in the
remaining 3 sectors on the disk
Example of Viruses:
The virus marks the six disk sectors as faulty,
so that OS may not use them.
Signature: in 5th and 6th bytes of the file, it
stores 1234 ( HEX ).
Action : with every disk read, it examines the
file for its signature. If it is not there, it
infects the file.
Name: It changes the label of any disk it
attacks to the word BRAIN.
Morris Worm
Released on Internet in the evening of Nov 2,
1988 by Robert T. Morris Jr., a grad student
of Cornell.
In 1990 he was sentenced to a fine of $10,000,
a suspended 3 year jail and 400 hours of
community service.
Morris exploited three flaws:
1. Unix Password file is stored in encrypted
But any one can read the ciphertext.
Morris Worm: the first flaw
To connect to a remote system, it tries to
crack the local password file by trying
the following:
 the 432 words (like password, guest,
coffee, coke, aaa etc) included in the
 all the words in the dictionary file stored
on the system for spell-check.
Morris Worm: the second flaw
2.) the second flaw- in fingered:
 fingered continuously runs to service requests, from
other computers, about system users.
 Security flaw in fingered : overflow of input buffer
spills in to the return address stack
 when a fingered call terminates, it may execute
instructions, pushed through buffer overflow. This
may cause the worm to connect to a remote shell.
Morris Worm: the third flaw
3) the third flaw --- in sendmail - in debug
mode –
Normally sendmail runs in the background. It
receives a ‘send’ instruction along with dest
However in debug mode the worm can send
a command string, in place of dest address.
Then this command string may be executed.
Assume that the Worm has been able to
enter a host (without its knowledge or
Morris Worm: action
It examines the following lists on the host:
tables giving lists of trusted machines,
mail forwarding lists,
tables stating the access rights of the local host on remote
status of network connections
It selects a suitable target.
Uses - one of the three flaws - to send a
bootstrap program of 99 lines of C code.
Through the host, it sends a command to
execute the program on the target machine.
Then the host logs off.
Morris Worm: action
The bootstraps-on-target now connects to the
host to get the rest of the worm.
The bootstrap authenticates by sending a
password (so that a system admin should not be
able to get the rest of the worm)
The host sends the rest of the worm
Efforts at stealth:
if any transmission error occurs while
transferring, the bootstrap deletes all record,
received till then.
Morris Worm: Efforts at Stealth
After receiving the full code of the worm, it is
encrypted. The original copies are deleted from
the target.
It changes its name and identifier periodically
Because of a flaw in the code of Morris, it
created many copies of the worm on the
same machine, thereby degrading its
performance to normal tasks.
After Morris, a Computer Emergency Response
Team was set up in Carnegie - Mellon
Code Red
Uses a security hole in MS Internet
Information Server (IIS).
On July 12, one in 8 of the 6 million IIS
servers were affected.
The first version shows the following text on
the web :
Welcome to http://www.worm.com !
Hacked by Chinese !
Code Red: Action
Day 1 to 19th, spawns 99 parallel threads & scans
for other computers for infecting them;
day 20-27 it attacked www.whitehouse.gov by
from day 28 to end of month it lies dormant.
It disables the system File Checker in windows.
It uses random IP addresses to spread to other
Code Red: Action
It suspends its activities periodically and then
Code Red II also installs a backdoor to permit a
hacker to be able to use the victim machines.
It would automatically stop after Oct 2002.
Finally it reboots after 24/48 hours, wipes itself
from memory but leaves the Trojan in place.
Code Red: Technique
Vulnerability in IIS: buffer overflow in dynamic
link library called idq.dll
Code red II creates a trapdoor by copying
%windir%\cmd.exe to 4 locations
d :\inetpub\scripts\root.ext
Code Red: Technique
Code red also includes its own copy of explorer.exe on
c: and d: drives.
It modifies system registry to allocate Read, Write and
execute permission in some directories to every one.
The Trojan horse continues to run in the background,
resetting the registry every 10 minutes.
Thus even if a system admin notices the changes in the
registry and removes them, the Trojan will again create
Code red may be beta test for ‘information war fare.’
Two more well-known viruses
NIMDA: It had multiple spread modes:
 e-mail
 client-to-client through open network
 web-server to client
 client to web-server
 by using backdoor left by Code Red II
It modifies html files and some executable
files. It creates numerous copies under
various names.
The "Slammer" virus
The "Slammer" virus ( also known as the "SQL"
or "Sapphire" worm):
 launched at midnight ET on Saturday in Jan 2003,
shut down MS IIS based web-servers worldwide.
 By Sunday morning, about 150,000 to 200,000
servers had been compromised.
 By quickly copying itself and seeking to spread to
the computers that manage Internet traffic, the
worm overwhelmed networks worldwide,
causing probably the most damaging attack in a year
and a half.
“Malware payloads have been boring……..
Payloads can be malign and I expect that
we’ll see more devious payloads over the
next few years.”
- Bruce Schneier
author of Applied Cryptography
Types of Security Threats: Additions
Denial of service
Illegitimate use
IP spoofing
Sniffing the password
Playback Attack
Bucket-brigade attack
Generic threats: Backdoors, Trojan horses,
viruses etc
Types of Attack
A Revision
Most Internet security problems are
access control or
authentication ones
Denial of service is also popular, but mostly an annoyance
Types of Attack
• A Passive attack can only observe communications or data
• An Active attack can actively modify communications or data
• Often difficult to perform, but very powerful
– Mail forgery/modification
– TCP/IP spoofing/session hijacking
Security Services:
A Revision
Security Services
• From the OSI definition:
• Access control: Protects against unauthorized use.
• Authentication: Provides assurance of someone's identity.
• Confidentiality: Protects against disclosure to unauthorized
• Integrity: Protects from unauthorized data alteration.
• Non-repudiation: Protects against originator of
communications later denying it.
Virus detection and cleaning of the files are additional services,
required in a networked system.
Security Mechanisms:
Security Mechanisms
Three basic building blocks are used:
• Encryption is used to provide confidentiality;
can also provide authentication and integrity protection
• Digital signatures are used to provide authentication,
integrity protection, and non-repudiation
• Checksums/hash algorithms are used to provide integrity
protection, can provide authentication
One or more security mechanisms are combined to provide
a security service
Services, Mechanisms, Algorithms:
Services, Mechanisms, Algorithms
A typical security protocol provides one or more services
Services in a security protocol
SHAI MD5 Algorithms
• Services are built from mechanisms
• Mechanisms are implemented using
Security Protocol Layers:
Security Protocol Layers
E commerce protocols
Higher level
IP Sec
Data Link
Hardware encryption
Higher level
Data Link
Security Protocol Layers (continued):
The further down you go, the more transparent it is; the
further up you go, the easier it is to deploy.
 Link level security: If security is provided at the link level, all
the frames over the link will receive the security services.
 Network layer security: Both TCP segments and UDP
datagrams will benefit from the host to host security
service. (Chapter 13)
 Transport protocol security: All applications that use the
protocol will enjoy the security services of the protocol.
(Chapter 14)
 Application security: The application protocol can be
provided with services like authentication, data integrity etc.
(Example: e-mail security: Chapter 12)
Security at Network Layer only?
Security at network layer
can encrypt all the data, and it
can authenticate the IP addresses.
But it cannot provide user-level security
services like user authentication.
Thus security functions are required to be built
into the higher layer applications, in addition to
the provision of blanket coverage at network
Ease of deployment
It is easy to deploy security functionality
at higher layers.
Thus PGP has come to be used widely for
providing e-mail security, while IPSec is
yet to be rolled out on the Internet.
An effective security system can be built
by carefully choosing an appropriate
combination of protocols and algorithms
Multi-pronged approach
Attacks: from various fronts.
So security has also to be multi-faceted.
Example: A mobile user A, who may be a salesman,
may be allowed to access a company network,
protected by a firewall.
A may have a wireless network at home, which may get
connected to the company network.
A malicious user, who may be a neighbor or even a
computer, in a parked vehicle near A’s home, could in
turn become a part of the wireless network.
Thus firewall alone may not be able to provide a
protection from such a malicious user.
Multi Pronged Protection Systems
Based on Behavior Blocking Software idea of slide 55
monitor traffic characteristics.
Use anomalies to develop real time warning and
defensive actions.
During an attack, MPPS determines the
characteristics of malicious attack traffic by
tracking various attributes of packets
Source and destination socket addresses
Packet length
Multi Pronged Protection Systems
Characterization of the malicious traffic: by
identifying the highest volume values for each
packet attribute and comparing current
distributions of the attribute values to normal
Two types of Triggers:
 Bandwidth triggers based on packet and
byte rates. They indicate attempts to flood a
network and consume its bandwidth.
 Suspicious traffic triggers based on
packets that target resources on the network,
such as TCP SYN flood attack packets.
Once an attack is detected, there are
two solution approaches:
Black-hole routing allows the
administrator to take all malicious traffic
and route it to a null IP address or drop it.
Sinkhole routing The malicious traffic is
sent to an IP address where it can be
Multi Pronged Protection Systems
Both Black-hole and Sink-hole routing can be
 at the enterprise level. Or
 at the ISP level, who can prevent the
malicious traffic from reaching the
customer's network. (Most ISPs have some level of
DDoS traffic crossing their networks virtually all the time.
This costs them money in terms of bandwidth and annoys
DISADVANTAGE of using Filtering at ISP:
the possibility of catching legitimate traffic as
To end
three news-item on security
one on ticking time-bombs in the
weakest link – the PCs
two on 1st April pranks by security
A honey-pot is added
Bill McCarty, an Associate Professor of Web
and Information Technology at Azusa Pacific
University, Calif., said a Windows 2000 "honey
pot" machine that he runs has been added to
several bot networks, or botnets – reportedly
many hundreds of thousand strong as of
(A honey pot is a machine connected to the Internet
and left defenseless so that security experts can
observe hackers' activities or methods.)
Two pranks of April 1, 2003
A news-item in the Register, a U.K. IT news
Web site: Availability of an Intruder
Retaliation Systems (IRS) by a new (fake)
security company. The first IRS, called the
Payback 1.0: an application that
instantly and dynamically 'traces' the IP source
address—no matter how well masked—of the
network attack/infection and
responds by launching either a Domain Name or
mail server flood attack in the direction of the
The second prank:An advisory posted to BugTraq
(by an Internet security company –
but not on Internet security)
A (fake) company called S.E.L.L.warns that "a DDoS
condition is present in the election system in many
polypartisan democratic countries. A group of
determined but unskilled and not equipped lowincome individuals, usually between 0.05% and 2%
of the overall population of the country, can cause
serious disruptions or even a complete downfall of
the democratic system and its institutions.
The fix for this vulnerability: for affected
parliaments to either "establish a convenient
dictatorship or a monarchy, or [become] the
51st state."
IPSec: IP Sec protocol
SSL: Secure Socket layer
TLS: Transport Level Security
SSH: Secure SHell
Kerberos:Project Athena’s Authentication Service
SHA: Secure Hash Algorithm
DSA: Digital Signature Algorithm
RSA: RSA Laboratories named after its founders: Ron Rivest,
Adi Shamir, Leonard Adelman
DES: Data Encryption Standard
MD: Message Digest
1.To study the details of a scanner
Sandeep Kumar, and Gene Spafford, “A Generic Virus Scanner in
C++,” Proceedings of the 8th Computer Security Applications
Conference, IEEE Press, Piscataway, NJ; pp.210-219, 2-4 Dec
2.For a complete list of known viruses
3.For cryptography
G.C.Kessler, “An Overview of Cryptography”
RSA Laboratories, “RSALabs FAQ,”
4.For MPPS