PROGRAMS AND

PROGRAMMING
 Unintentional (Nonmalicious) Programming
Oversights
Programs and their computer code are the basis of computing.
Without a program to guide its activity, a computer is pretty
useless.
Because the early days of computing offered few programs for
general use, early computer users had to be programmers too-
they wrote the code and then ran it to accomplish some task.
Today’s computer users sometimes write their own code, but
more often they buy programs off the shelf; they even buy or
share code components and then modify them for their own
uses.
And all users gladly run programs all the time: spreadsheets,
music players, word processors, browsers, email handlers,
games, simulators, and more.
 Indeed, code is initiated in myriad ways, from turning on a
mobile phone to pressing “start” on a coffee-maker or
microwave oven.
But as the programs have become more numerous and
complex, users are more frequently unable to know what the
program is really doing or how.
More importantly, users seldom know whether the program
they are using is producing correct results.
If a program stops abruptly, text disappears from a document,
or music suddenly skips passages, code may not be working
properly.
Sometimes these interruptions are intentional, as when a CD
player skips because the disk is damaged or a medical device
program stops in order to prevent an injury.
These flaws, seen and unseen, can be cause for concern in
several ways.
As we all know, programs are written by fallible humans, and
program flaws can range from insignificant to catastrophic.
Despite significant testing, the flaws may appear regularly or
sporadically, perhaps depending on many unknown and
unanticipated conditions.
Program flaws can have two kinds of security implications:
They can cause integrity problems leading to harmful output or
action, and they offer an opportunity for exploitation by a
malicious actor.
A program flaw can be a fault affecting the correctness of the
program’s result —that is, a fault can lead to a failure.
On the other hand, even a flaw from a benign cause can be
exploited by someone malicious.
If an attacker learns of a flaw and can use it to manipulate the
program’s behavior, a simple and nonmalicious flaw can
become part of amalicious attack.
 Buffer Overflow

We start with a particularly well known flaw, the buffer

overflow.
Although the basic problem is easy to describe, locating and
preventing such difficulties is challenging.
Furthermore, the impact of an overflow can be subtle and
disproportionate to the underlying oversight.
Indeed, a buffer overflow is often the initial toehold for
mounting a more damaging strike.
Most buffer overflows are simple programming oversights, but
they can be used for malicious ends.
This outsized effect is due in part to the exploits that people
have achieved using overflows.
Memory Allocation:
Memory is a limited but flexible resource; any memory
location can hold any piece of code or data.
To make managing computer memory efficient, operating
systems jam one data element next to another, without regard
for data type, size, content, or purpose.
Users and programmers seldom know, much less have any
need to know, precisely which memory location a code or data
item occupies.
Computers use a pointer or register known as a program
counter that indicates the next instruction.
As long as program flow is sequential, hardware bumps up the
value in the program counter to point just after the current
instruction as part of performing that instruction.
The malicious programmer thinks deviously: What data values
could I insert to cause mischief or damage, and what planned
instruction codes could I force the system to execute?
There are many possible answers, some of which are more
malevolent than others.
Here are two buffer overflow attacks that are used frequently.
First, the attacker may replace code in the system space.
The operating system’s code and data coexist with a user’s
code and data.
 The heavy line between system and user space is only to
indicate a logical separation between those two areas; in
practice, the distinction is not so solid.
Every program is invoked by an operating system that may run
with higher privileges than those of a regular program.
Thus, if the attacker can gain control by masquerading as the
operating system, the attacker can execute commands in a
powerful role.
Therefore, by replacing a few instructions right after returning
from his or her own procedure, the attacker regains control
from the operating system, possibly with raised privileges.
This technique is called privilege escalation.
If the buffer overflows into system code space, the attacker
merely inserts overflow data that correspond to the machine
code for instructions.
In the other kind of attack, the intruder may wander into an
area called the stack and
heap.
Subprocedure calls are handled with a stack, a data structure in
which the most
recent item inserted is the next one removed (last arrived, first
served).
This structure works well because procedure calls can be
nested, with each return causing control to transfer back to the
immediately preceding routine at its point of execution.
Each time a procedure is called, its parameters, the return
address (the address immediately after its call), and other local
values are pushed onto a stack.
An old stack pointer is also pushed onto the stack, and a stack
pointer register is reloaded with the address of these new
values.
Control is then transferred to the subprocedure.
As the subprocedure executes, it fetches parameters that it
finds by using the address pointed to by the stack pointer.
Typically, the stack pointer is a register in the processor.
Therefore, by causing an overflow into the stack, the attacker
can change either the old stack pointer changing the context or
return address allows the attacker to redirect execution to code
written by the attacker.
Overwriting Memory:
The buffer overflow attack will
Affects Your Own Data
Affects an Instruction of Yours
Affects the Operating System or a Critical Application
 The Stack and the Heap
 The stack is a key data structure necessary for interchange of data between
procedures,
 as we described earlier in this chapter. Executable code resides at one end of
memory,
 which we depict as the low end; above it are constants and data items whose size is
known
 at compile time; above that is the heap for data items whose size can change during
 execution; and finally, the stack.
Stack Overflow
Overflow into system space can redirect execution
immediately or on exit from the current called procedure.
The attacker wants to overwrite stack memory, sometimes
called Stack Smashing, in a purposeful manner: Arbitrary data
in the wrong place causes strange behavior, but particular data
in a predictable location causes a planned impact.
 Here are some ways the attacker can produce effects from an
overflow attack:
 Overwrite the program counter stored in the stack so that
when this routine exits, control transfers to the address pointed
at by the modified program counter address.
 Overwrite part of the code in low memory, substituting the
attacker’s instructions for previous program statements.
 Overwrite the program counter and data in the stack so that the
program counter now points into the stack, causing the data
overwritten into the stack to be executed.
Data driven attacks are directed by specially chosen data the
attacker feeds a program as input.
 Overflow Countermeasures
The most obvious countermeasure to overwriting memory is to
stay within bounds.
Maintaining boundaries is a shared responsibility of the
programmer, operating system, compiler, and hardware.
All should do the following:
• Check lengths before writing.
• Confirm that array subscripts are within limits.
• Double-check boundary condition code to catch possible
off-by-one errors.
• Monitor input and accept only as many characters as can be
handled.
• Use string utilities that transfer only a bounded amount of data.
• Check procedures that might overrun their space.
• Limit programs’ privileges, so if a piece of code is overtaken
maliciously, the violator does not acquire elevated system
privileges as part of the compromise.
 Overflow Countermeasures
Programming Controls
Language Features
Code Analyzers
Separation
Stumbling Blocks
Incomplete Mediation
Validate All Input
Guard Against Users’ Fingers
Complete Mediation
Time-of-Check to Time-of-Use
 Countermeasures
Undocumented Access Point
Backdoor
Protecting Against Unauthorized Entry
Off-by-One Error
Integer Overflow
Unterminated Null-Terminated String
Parameter Length, Type, and Number
Unsafe Utility Program
Race Condition
Unsynchronized Activity
Malware—Viruses, Trojan Horses, and Worms

Malicious code or rogue programs or malware (short for

Malicious Software) is the general name for programs or
program parts planted by an agent with malicious intent to
cause unanticipated or undesired effects.
Malicious code can be directed at a specific user or class of
users, or it can be for anyone
A virus is a program that can replicate itself and pass on
malicious code to other nonmalicious programs by modifying
them.
 The term “virus” was coined because the affected program
acts like a biological virus: It infects other healthy subjects by
attaching itself to the program and either destroying the
program or coexisting with it.
 Because viruses are insidious, we cannot assume that a clean
program yesterday is still clean today.
Moreover, a good program can be modified to include a copy
of the virus program, so the infected good program itself
begins to act as a virus, infecting other programs.
The infection usually spreads at a geometric rate, eventually
overtaking an entire computing system and spreading to other
connected systems.
A virus can be either transient or resident.
A transient virus has a life span that depends on the life of its
host; the virus runs when the program to which it is attached
executes, and it terminates when the attached program ends.
(During its execution, the transient virus may spread its
infection to other programs.)
 A resident virus locates itself in memory; it can then remain
active or be activated as a stand-alone program, even after its
attached program ends.
A worm is a program that spreads copies of itself through a
network.
The primary difference between a worm and a virus is that a
worm operates through networks, and a virus can spread
through any medium (but usually uses a copied program or
data files).
 Additionally, the worm spreads copies of itself as a stand-
alone program, whereas the virus spreads copies of itself as a
program that attaches to or embeds in other programs.
A bot (short for robot), is a kind of worm used in vast numbers
by search engine hosts like Bing and Google. Armies of these
agents run on any computers on which they can install
themselves.
 Their purpose is to scan accessible web content continuously
and report back to their controller any new content they have
found.
In this way, the agents find pages that their controllers then
catalog, enabling the search engines to return these results in
response to individuals’ queries.
Thus, when you post a new web page (or modify an old one)
with results of your research on why people like peanut butter,
a crawler soon notices that page and informs its controller of
the contents and whereabouts of your new page.
A Trojan horse is malicious code that, in addition to its
primary effect, has a second,
nonobvious, malicious effect.
 The name is derived from a reference to the Trojan war.
Legends tell how the Greeks tricked the Trojans by leaving a
great wooden horse outside the Trojans’ defensive wall.
The Trojans, thinking the horse a gift, took it inside and gave it
pride of place. But unknown to the naïve Trojans, the wooden
horse was filled with the bravest of Greek soldiers.
 In the night, the Greek soldiers descended from the horse,
opened the gates, and signaled their troops that the way in was
now clear to capture Troy.
In the same way, Trojan horse malware slips inside a program
undetected and produces unwelcome effects later on.
Zero day attack: Active malware exploiting a product
vulnerability for which the manufacturer has no
countermeasure available.
Malware doesn’t attack just individual users and single
computers. Major applications and industries are also at
risk.
 Transmission and Propagation
A printed copy of code does nothing and threatens no one.
Even executable code sitting on a disk does nothing. What
triggers code to start? For malware to do its malicious work
and spread itself, it must be executed to be activated.
Fortunately for malware writers but unfortunately for the rest
of us, there are many ways to ensure that programs will be
executed on a running computer.
 Attached File
A more common means of virus activation is in a file attached
to an email message or embedded in a file.
In this attack, the virus writer tries to convince the victim (the
recipient of the message or file) to open the object.
Once the viral object is opened (and thereby executed), the
activated virus can do its work.
 Some modern email handlers, in a drive to “help” the receiver
(victim), automatically open attachments as soon as the
receiver opens the body of the email message.
The virus can be executable code embedded in an executable
attachment, but other types of files are equally dangerous.
 For example, objects such as graphics or photo images can
contain code to be executed by an editor, so they can be
transmission agents for viruses.
In general, forcing users to open files on their own rather than
having an application do it automatically is a best practice;
programs should not perform potentially security-relevant
actions without a user’s consent.
However, ease-of-use often trumps security, so programs such
as browsers, email handlers, and viewers often “helpfully”
open files without first asking the user.
 Document Viruses

A virus type that used to be quite popular is what we call the

document virus, which is implemented within a formatted
document, such as a written document, a database, a slide
presentation, a picture, or a spreadsheet.
 These documents are highly structured files that contain both
data (words or numbers) and commands (such as formulas,
formatting controls, links).
 The commands are part of a rich programming language,
including macros, variables and procedures, file accesses, and
even system calls.
The writer of a document virus uses any of the features of the
programming language to perform malicious actions.
The ordinary user usually sees only the content of the
document (its text or data), so the virus writer simply includes
the virus in the commands part of the document, as in the
integrated program virus.
 Autorun
Autorun is a feature of operating systems that causes the
automatic execution of code based on name or placement.
An early autorun program was the DOS file autoexec.bat, a
script file located at the highest directory level of a startup
disk.
As the system began execution, it would automatically execute
autoexec.bat, so a goal of early malicious code writers was to
augment or replace autoexec.bat to get the malicious code
executed.
Similarly, in Unix, files such as .cshrc and .profile are
automatically processed at system startup (depending on
version).
 Appended Viruses
A program virus attaches itself to a program; then, whenever
the program is run, the virus is activated.
 This kind of attachment is usually easy to design and
implement.
In the simplest case, a virus inserts a copy of itself into the
executable program file before the first executable instruction.
Then, all the virus instructions execute first; after the last virus
instruction, control flows naturally to what used to be the first
program instruction.
 Viruses That Surround a Program
An alternative to the attachment is a virus that runs the original
program but has control before and after its execution.
For example, a virus writer might want to prevent the virus
from being detected.
If the virus is stored on disk, its presence will be given away
by its file name, or its size will affect the amount of space used
on the disk.
 The virus writer might arrange for the virus to attach itself to
the program that constructs the listing of files on the disk.
 If the virus regains control after the listing program has
generated the listing but before the listing is displayed or
printed, the virus could eliminate its entry from the listing and
falsify space counts so that it appears not to exist.
Integrated Viruses and Replacements
 Boot Sector Viruses
A special case of virus attachment, but formerly a fairly
popular one, is the so-called boot sector virus.
Attackers are interested in creating continuing or repeated
harm, instead
of just a one-time assault.
For continuity the infection needs to stay around and become
an integral part of the operating system.
In such attackers, the easy way to become permanent is to
force the harmful code to be reloaded each time the system is
restarted.
Actually, a similar technique works for most types of malicious
code, so we first describe the process for viruses and then
explain how the technique extends to other types.
 Memory-Resident Viruses
Some parts of the operating system and most user programs
execute, terminate, and disappear, with their space in memory
then being available for anything executed later.
For frequently used parts of the operating system and for a few
specialized user programs, it would take too long to reload the
program each time it is needed.
Instead, such code remains in memory and is called “resident”
code.
Examples of resident code are the routine that interprets keys
pressed on the keyboard, the code that handles error conditions
that arise during a program’s execution, or a program that acts
like an alarm clock, sounding a signal at a time the user
determines.
 Resident routines are sometimes called TSRs or “terminate
and stay resident” routines.
 Polymorphic Viruses
The virus signature may be the most reliable way for a virus
scanner to identify a virus.
If a particular virus always begins with the string
0x47F0F00E08 and has string 0x00113FFF located at word 12,
other programs or data files are not likely to have these exact
characteristics.
For longer signatures, the probability of a correct match
increases.
If the virus scanner will always look for those strings, then the
clever virus writer can cause something other than those strings
to be in those positions.
Certain instructions cause no effect, such as adding 0 to a
number, comparing a number to itself, or jumping to the next
instruction.
These instructions, sometimes called no-ops (for “no
operation”), can be sprinkled into a piece of code to distort any
pattern.
For example, the virus could have two alternative but
equivalent beginning words; after being installed, the virus will
choose one of the two words for its initial word.
 Then, a virus scanner would have to look for both patterns.
 A virus that can change its appearance is called a
Polymorphic virus.