Program Threats
* There are many familiar threats to modern systems. Only a few are discussed here.
Trojan Horse
* A Trojan Horse is a program that secretly performs some malicious action in addition to its visible actions.
* Some Trojan horses are deliberately written as such, and others are the result of legitimate programs that have become infected with viruses (see below).
* One dangerous opening for Trojan horses is long search paths, and in particular paths which include the current directory (".") as part of the path. If a malicious program having the same name as a legitimate program (or a common misspelling, such as "sl" instead of "ls") is placed anywhere on the path, then an unsuspecting user may be fooled into running the wrong program by mistake.
* Another classic Trojan Horse is a login emulator, which records a user's account name and password, prints a "password incorrect" message, and then logs off the system. The user then tries again (with a proper login prompt), logs in successfully, and doesn't realize that their information has been stolen.
* Two solutions to Trojan Horses are to have the system print usage statistics on logouts, and to require the typing of non-trappable key sequences such as Control-Alt-Delete in order to log in. (This is why modern Windows systems require the Control-Alt-Delete sequence to begin logging in: it cannot be emulated or caught by ordinary programs, i.e. that key sequence always transfers control to the operating system.)
* Spyware is a version of a Trojan Horse that is often included in "free" software downloaded off the Internet. Spyware programs generate pop-up browser windows, and may also accumulate information about the user and deliver it to some central site. (This is an example of a covert channel, in which secret communications occur.) Another common task of spyware is to send out spam e-mail messages, which then purportedly come from the infected user.
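As an added example (not part of the original notes), this C program audits a PATH string for the opening described in the search-path bullet above: entries naming the current directory ("." or an empty entry, which the shell treats the same way), relative entries, and world-writable directories, any of which would let a look-alike binary such as "sl" be picked up ahead of the real one. The function names and the world-writable check are my own additions, not from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* A PATH entry is risky if a look-alike binary ("sl" for "ls") could be
 * planted in it: the current directory ("." or an empty entry, which the
 * shell also treats as "."), a relative directory, or a world-writable one. */
static int risky_entry(const char *entry)
{
    struct stat st;
    if (entry[0] == '\0' || strcmp(entry, ".") == 0)
        return 1;                        /* current directory is searched */
    if (entry[0] != '/')
        return 1;                        /* relative: depends on the cwd */
    if (stat(entry, &st) == 0 && (st.st_mode & S_IWOTH))
        return 1;                        /* anyone can drop a binary here */
    return 0;
}

/* Split a colon-separated PATH string by hand (strtok would silently skip
 * the empty entries we most want to catch) and return the number of risky
 * entries, printing each one. */
int count_risky_entries(const char *path)
{
    int risky = 0;
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char entry[4096];
        if (len >= sizeof entry) len = sizeof entry - 1;   /* keep the copy bounded */
        memcpy(entry, start, len);
        entry[len] = '\0';
        if (risky_entry(entry)) {
            risky++;
            printf("risky PATH entry: '%s'\n", entry);
        }
        if (end == NULL) break;
        start = end + 1;
    }
    return risky;
}

int main(void)
{
    const char *path = getenv("PATH");
    return (path && count_risky_entries(path) == 0) ? 0 : 1;
}
```

Run it from a login script to fail loudly when a "." or empty entry has crept into PATH.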
Trap Door
* A Trap Door is when a designer or a programmer (or hacker) intentionally adds a security hole that they can use later to access the system.
* Because of the possibility of trap doors, once a system has been in an untrustworthy state, that system can never be trusted again. Even the backup tapes may contain a copy of some cleverly hidden back door.
* A clever trap door could be added into a compiler, so that any programs compiled with that compiler would contain a security hole. This is especially dangerous, because inspection of the code being compiled would not reveal any problems.
Logic Bomb
* A Logic Bomb is code that is not designed to cause havoc all the time, but only when a certain set of circumstances occurs, such as when a particular date or time is reached or some other noticeable event happens.
* A classic example is the Dead-Man Switch, which is designed to check whether a certain person (e.g. the author) is logging in every day, and if they don't log in for a long time (presumably because they've been fired), then the logic bomb goes off and either opens up security holes or causes some other problems.
Stack and Buffer Overflow
* This is a classic method of attack, which exploits bugs in system code that allow buffers to overflow. Consider what happens in the following code, for example, if argv[1] exceeds 256 characters:
• The strcpy command will exceed the buffer, overwriting adjacent areas of memory.
• (The problem could be avoided by using strncpy, with a limit of 255 characters copied plus room for the null byte.)
C program with buffer-overflow condition.

#include <string.h>

#define BUFFER_SIZE 256

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];      /* fixed-size buffer on the stack */

    if (argc < 2)
        return -1;
    else {
        strcpy(buffer, argv[1]);   /* no length check: an argument longer than the buffer overflows it */
        return 0;
    }
}
* So how does overflowing the buffer cause a security violation? Well, the first step is to understand the structure of the stack in memory:
• The "bottom" of the stack is literally at a high memory address, and the stack grows towards lower addresses.
• However, the address of an array is the lowest address of the array, and higher array elements lie at higher addresses. (I.e. an array "grows" towards the bottom of the stack.)
• In particular, writing past the top of an array, as occurs when a buffer overflows with too much input data, can eventually overwrite the return address, effectively changing where the program jumps to when it returns.
* Now that we know how to modify where the program returns to by overflowing the buffer, the second step is to insert some nefarious code, and then get the program to jump to our inserted code.
* Our only chance to enter code is via the input into the buffer, which means there isn't room for very much. One of the simplest and most obvious approaches is to insert the code for "exec(/bin/sh)". Doing this requires compiling a program that contains this instruction, and then using an assembler or debugging tool to extract the minimum set of bytes that includes the necessary instructions.
* The bad code is then padded with as many additional bytes as are needed to overflow the buffer to the correct length, and the address of the buffer is inserted into the return address location. (Note, however, that neither the bad code nor the padding can contain null bytes, which would terminate the strcpy.)
* The resulting block of information is given as "input", copied into the buffer by the original program, and then the return statement causes control to jump to the location of the buffer and start executing the code to launch a shell.
* Unfortunately, famous hacks such as the buffer overflow attack are widely published and well known, and it doesn't take a lot of skill to follow the instructions and start attacking lots of systems until the law of averages eventually works out. (Script Kiddies are those hackers with only rudimentary skills of their own but the ability to copy the efforts of others.)
* Fortunately, modern hardware now adds a bit in the page tables to mark certain pages as non-executable. In this case the buffer-overflow attack would work up to a point, but as soon as it "returns" to an address in the data space and tries executing instructions there, an exception would be thrown, crashing the program.
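As an added example (not the page's code), here is the program above rewritten with the bounded copy that the note about strncpy describes, plus a small function showing why strncpy alone is not enough: given a limit equal to the buffer size and a longer source it leaves the buffer unterminated. The names bounded_copy, strncpy_left_unterminated and stored_length are my own.

```c
#include <string.h>

#define BUFFER_SIZE 256

/* Copy src into a fixed-size buffer without overflowing it: at most size-1
 * characters are copied and a terminator is always written (the "255
 * characters plus room for the null byte" rule). Returns 1 if src fit, 0 if
 * it was truncated, so the caller can reject oversized input. */
int bounded_copy(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return 0;
    strncpy(dst, src, size - 1);  /* strncpy does not terminate when src is too long */
    dst[size - 1] = '\0';         /* so the terminator is written explicitly */
    return strlen(src) < size;
}

/* The strncpy pitfall in isolation: with n == sizeof buf and a longer source
 * no terminator is written, so a later strlen() or printf("%s") would read
 * past the end of buf. Returns 1 when the buffer is left unterminated. */
int strncpy_left_unterminated(void)
{
    char buf[16];
    const char *src = "constructed string longer than sixteen bytes";
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Helper for checking the rule: copy a constructed argument of len 'A's and
 * return the length stored, or -1 if bounded_copy reported truncation. */
int stored_length(size_t len)
{
    char src[1024], dst[BUFFER_SIZE];
    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return bounded_copy(dst, sizeof dst, src) ? (int)strlen(dst) : -1;
}

/* The page's program with the copy made safe. */
int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    if (!bounded_copy(buffer, sizeof buffer, argv[1]))
        return -1;  /* reject rather than silently truncate */
    return 0;
}
```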
Viruses
* A virus is a fragment of code embedded in an otherwise legitimate program, designed to replicate itself (by infecting other programs) and eventually wreak havoc.
* Viruses are more likely to infect PCs than UNIX or other multi-user systems, because programs in the latter systems have limited authority to modify other programs or to access critical system structures (such as the boot block).
* Viruses are delivered to systems in a virus dropper, usually some form of a Trojan Horse, and usually via e-mail or unsafe downloads.
* Viruses take many forms (see below). The figure referenced here (not reproduced in this text) shows the typical operation of a boot sector virus.
* Some of the forms of viruses include:
• File - A file virus attaches itself to an executable file, causing it to run the virus code first and then jump to the start of the original program. These viruses are termed parasitic, because they do not leave any new files on the system, and the original program is still fully functional.
• Boot - A boot virus occupies the boot sector, and runs before the OS is loaded. These are also known as memory viruses, because in operation they reside in memory, and do not appear in the file system.
• Macro - These viruses exist as a macro (script) that is run automatically by certain macro-capable programs such as MS Word or Excel. These viruses can exist in word processing documents or spreadsheet files.
• Source code viruses look for source code and infect it in order to spread.
• Polymorphic viruses change every time they spread - not their underlying functionality, but just their signature, by which virus checkers recognize them.
• Encrypted viruses travel in encrypted form to escape detection. In practice they are self-decrypting, which then allows them to infect other files.
• Stealth viruses try to avoid detection by modifying parts of the system that could be used to detect them. For example, the read() system call could be modified so that if an infected file is read the infected part gets skipped and the reader would see the original unadulterated file.
• Tunneling viruses attempt to avoid detection by inserting themselves into the interrupt handler chain, or into device drivers.
• Multipartite viruses attack multiple parts of the system, such as files, boot sector, and memory.
• Armoured viruses are coded to make them hard for anti-virus researchers to decode and understand. In addition many files associated with viruses are hidden, protected, or given innocuous looking names such as "...".
* In 2004 a virus exploited three bugs in Microsoft products to infect hundreds of Windows servers (including many trusted sites) running Microsoft Internet Information Server, which in turn infected any Microsoft Internet Explorer web browser that visited any of the infected server sites. One of the back-door programs it installed was a keystroke logger, which records users' keystrokes, including passwords and other sensitive information.
* There is some debate in the computing community as to whether a monoculture, in which nearly all systems run the same hardware, operating system, and applications, increases the threat of viruses and the potential for harm caused by them.