Notes for November 30, 1998
- Greetings and Felicitations!
- Ideal: program to detect malicious logic
- Can be shown: not possible to be precise in most general case
- Can detect all such programs if willing to accept false positives
- Can constrain case enough to locate specific malicious logic
- Can use: writing, structural detection (patterns in code),
common code analyzers, coding style analyzers, instruction analysis
(duplicating OS), dynamic analysis (run it in controlled environment and
watch)
- Best approach: data, instruction typing
- On creation, it's type "data"
- Trusted certifier must move it to type "executable"
- Duff's idea: executable bit is "certified as
executable" and must be set by trusted user
- Practise: blocking writing to communicate information or do damage
- Limit writing (use of MAC if available; show how to arrange
system executables)
- Isolation
- Quarantine
- Practise: Trust
- Untrusted software: what is it, example (USENET)
- Check source, programs (what to look for); C examples
- Limit who has access to what
- Your environment (how do you know what you're executing); UNIX examples
- Least privilege; above with root
- Practise: detecting writing
- Integrity check files à la binaudit, tripwire; go
through signature block
- LOCUS approach: encipher program, decipher as you execute.
- Co-processors: checksum each sequence of instructions, compute
checksum as you go; on difference, complain
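
The integrity-check item above ("à la binaudit, tripwire") as an added example; it is not part of the original notes and is not Tripwire's code or database format. It records attributes and several digests per file, then reports what changed against that baseline. The digest choice, field names and function names are assumptions, and the sample files are constructed.

```python
import hashlib, os, stat, tempfile

DIGESTS = ("sha256", "sha512")  # assumption: which digests the database records

def signature(path):
    """Attributes plus one digest per algorithm for a single file."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()
        for name in DIGESTS:
            entry[name] = hashlib.new(name, data).hexdigest()
    return entry

def baseline(root):
    """Walk root and build {relative path: signature}."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = signature(full)
    return db

def compare(old, new):
    """Report added and removed files, and the fields that differ in changed ones."""
    changed = {}
    for path in sorted(set(old) & set(new)):
        diff = sorted(k for k in old[path].keys() | new[path].keys()
                      if old[path].get(k) != new[path].get(k))
        if diff:
            changed[path] = diff
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}

def demo():
    """Constructed sample: a scratch directory standing in for system executables."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("ls", b"original ls"), ("cat", b"original cat")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), 0o755)
        before = baseline(root)
        with open(os.path.join(root, "ls"), "wb") as fh:  # same size, new content
            fh.write(b"modified ls")
        os.chmod(os.path.join(root, "cat"), 0o777)        # becomes world-writable
        open(os.path.join(root, "sh"), "wb").close()      # file not in the baseline
        return compare(before, baseline(root))
```

The baseline is only as trustworthy as its storage: keep it on read-only or offline media so that whoever can write the executables cannot also rewrite the recorded signatures.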
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 12/2/98