2. 1. Computer Security THREATS
a. Computer Security Concepts
b. Threats, Attacks and Assets
c.
d.
Intruders
Malicious Software Overview
SECURITY
e. Viruses, Worms and Bots
f. Rootkits
2. Computer Security TECHNIQUES
a. Authentication
b. Access Control
c. Intrusion Detection
d. Malware Defense
e. Dealing with Buffer Overflow Attacks

5. Computer Security
The protection afforded to an
automated information system in
order to attain the applicable
objectives of preserving the
integrity, availability and
confidentiality of information system
resources.

6. THREE KEY OBJECTIVES
that are at the of computer security:
1. Confidentiality: Preserving authorized
restrictions on information access and
disclosure, including means for protecting
personal privacy and proprietary information.
• Data confidentiality: Assures that private or
confidential information is not made available
or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or
influence what information related to them
may be collected and stored and by whom and
to whom that information may be disclosed.

7. THREE KEY OBJECTIVES
that are at the of computer security:
2. Integrity: Guarding against improper
information modification or destruction,
including ensuring information non-repudiation
and authenticity.
• Data integrity: Assures that information and
programs are changed only in a specified and
authorized manner.
• System integrity: Assures that a system performs
its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized
manipulation of the system.

8. THREE KEY OBJECTIVES
that are at the of computer security:
3. Availability
— Ensuring timely and reliable access to and
use of information.

9. THE SECURITY REQUIREMENTS TRIAD

10. ADDITIONAL CONCEPTS
Authenticity:
The property of being genuine and being
able to be verified and trusted; confidence in
the validity of a transmission, a message, or
message originator.
Accountability:
The security goal that generates the
requirement for actions of an entity to be
traced uniquely to that entity.
BACK

12. FOUR KINDS OF THREAT CONSEQUENCES
1. Unauthorized Disclosure
A circumstance or event whereby an entity
gains access to data for which the entity is
not authorized.
2. Deception
A circumstance or event that may result in
an authorized entity receiving false data and
believing it to be true.

13. FOUR KINDS OF THREAT CONSEQUENCES
3. Disruption
A circumstance or event that interrupts or
prevents the correct operation of system
services and functions.
4. Usurpation
A circumstance or event that results in
control of system services or functions by an
unauthorized entity.

14. KINDS OF ATTACKS
(Unauthorized disclosure)
1. Exposure: Sensitive data are directly
released to an unauthorized entity.
2. Interception: An unauthorized entity
directly accesses sensitive data travelling
between authorized sources and
destinations.

15. KINDS OF ATTACKS
3. Inference: A threat action whereby an
unauthorized entity indirectly accesses
sensitive data by reasoning from
characteristics or byproducts of
communications.
4. Intrusion: An unauthorized entity gains
access to sensitive data

16. KINDS OF ATTACKS
(Deception)
1. Masquerade: An unauthorized entity
gains access to a system or performs a
malicious act by posing as an authorized
entity.
2. Falsification: False data deceive an
authorized entity.
3. Repudiation: An entity deceives another
by falsely denying responsibility for an act.

17. KINDS OF ATTACKS
(Disruption)
1. Incapacitation: Prevents or interrupts
system operation by disabling a system
component.
2. Corruption: Undesirably alters system
operation by adversely modifying system
functions or data.
3. Obstruction: A threat action that
interrupts delivery of system services by
hindering system operation.

18. KINDS OF ATTACKS
Usurpation
1. Misappropriation: An entity assumes
unauthorized logical or physical control of a
system resource.
2. Misuse: Causes a system component to
perform a function or service that is
detrimental to system security.

19. THREATS AND ASSETS
Assets of a computer can be categorized as:
• Hardware
• Software
• Data
• Communication Lines and Networks
BACK

21. THREE CLASSES OF NTRUDERS
1. Masquerader: An individual who is not
authorized to use the computer and who
penetrates a system’s access controls to
exploit a legitimate user’s account.
2. Misfeasor: A legitimate user who accesses
data, programs, or resources for which such
access is not authorized, or who is
authorized for such access but misuses his or
her privileges.

22. THREE CLASSES OF NTRUDERS
3. Clandestine user: An individual who seizes
supervisory control of the system and uses
this control to evade auditing and access
controls or to suppress audit collection.

23. EXAMPLES OF INTRUSION
• Performing a remote root compromise of an
e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card
numbers

24. EXAMPLES OF INTRUSION
• Viewing sensitive data, including payroll
records and medical information, without
authorization
• Running a packet sniffer on a workstation to
capture usernames and passwords
• Using a permission error on an anonymous
FTP server to distribute pirated software and
music files
• Dialing into an unsecured modem and
gaining internal network access

25. EXAMPLES OF INTRUSION
• Posing as an executive, calling the help desk,
resetting the executive’s e-mail password,
and learning the new password
• Using an unattended, logged-in workstation
without permission

26. INTRUDER BEHAVOR PATTERNS
• Hackers
• Criminals
• Insider Attacks

27. INTRUDER BEHAVOR PATTERNS - HACKERS

28. INTRUDER BEHAVOR PATTERNS - CRIMINALS

29. INTRUDER BEHAVOR PATTERNS – INSIDER ATTACKS
BACK

31. TERMINOLOGY OF MALICIOUS PROGRAMS
Virus
Malware that, when executed, tries to
replicate itself into other executable code;
when it succeeds the code is said to be
infected. When the infected code is
executed, the virus also executes.
Worm
A computer program that can run independently
and can propagate a complete working version
of itself onto other hosts on a network.

32. TERMINOLOGY OF MALICIOUS PROGRAMS
Logic Bomb
A program inserted into software by an
intruder. A logic bomb lies dormant until a
predefined condition is met; the program
then triggers an unauthorized act.
Backdoor (trapdoor)
Any mechanisms that bypasses a normal security
check; it may allow unauthorized access to
functionality.

33. TERMINOLOGY OF MALICIOUS PROGRAMS
Trojan Horse
A computer program that appears to have a
useful function, but also has a hidden and
potentially malicious function that evades
security mechanisms, sometimes by
exploiting legitimate authorizations of a
system entity that invokes the Trojan horse
program.

34. TERMINOLOGY OF MALICIOUS PROGRAMS
Mobile Code
Software (e.g., script, macro, or other portable
instruction) that can be shipped unchanged
to a heterogeneous collection of platforms
and execute with identical semantics.
Exploits
Code specific to a single vulnerability or set of
vulnerabilities.

35. TERMINOLOGY OF MALICIOUS PROGRAMS
Downloaders
Program that installs other items on a machine
that is under attack. Usually, a downloader is
sent in an e-mail.
Auto-rooter
Malicious hacker tools used to break into new
machines remotely.
Kit (virus generator)
Set of tools for generating new viruses
automatically.

36. TERMINOLOGY OF MALICIOUS PROGRAMS
Spammer programs
Used to send large volumes of unwanted e-
mail.
Flooders
Used to attack networked computer systems
with a large volume of traffic to carry out a
denial-of-service (DoS) attack.
Keyloggers
Captures keystrokes on a compromised system

37. TERMINOLOGY OF MALICIOUS PROGRAMS
Rootkit
Set of hacker tools used after attacker has
broken into a computer system and gained
root-level access.
Zombie, bot
Program activated on an infected machine that
is activated to launch attacks on other
machines.

38. TERMINOLOGY OF MALICIOUS PROGRAMS
Spyware
Software that collects information from a
computer and transmits it to another
system.
Adware
Advertising that is integrated into software. It
can result in pop-up ads or redirection of a
browser to a commercial site.

39. MULTIPLE-THREAT MALWARE
A multipartite virus infects in multiple ways.
Typically, the multipartite virus is capable of
infecting multiple types of files, so that virus
eradication must deal with all of the possible
sites of infection.
A blended attack uses multiple methods of
infection or transmission, to maximize the
speed of contagion and the severity of the
attack. Some writers characterize a blended
attack as a package that includes multiple
types of malware. BACK

41. Viruses
A computer virus is a piece of
software that can “infect”
other programs by modifying
them
Nature of Viruses
A virus can do anything that other
programs do. The only difference is
that it attaches itself to another
program and executes secretly when
the host program is running.

42. THREE PARTS OF COMPUTER VIRUS
Infection Mechanism – the means by
which a virus spreads, enabling it to
replicate.
Trigger – event or condition that determines
when the payload is activated or delivered.
Payload – what the virus does, besides
spreading

43. FOUR PHASES OF VIRUS
Dormant Phase – the virus idle
Propagation Phase – the virus places an
identical copy of itself into other programs or
into certain system areas on the disk
Triggering Phase – the virus is activated to
perform the function for which it was intended.
Execution Phase – the functioned is performed.

44. Virus Structure - A virus can be prepended or
postpended to an executable program, or it
can be embedded in some other fashion.
Initial Infection - Once a virus has gained
entry to a system by infecting a single
program, it is in a position to potentially
infect some or all other executable files on
that system when the infected program
executes.

46. VIRUS CLASSIFICATION by target
Boot sector infector – infects a master boot
record
File Infector – infects files that the OS or shell
consider to be executable
Macro Virus – infects files with macro code that
is interpreted by an application.

47. VIRUS CLASSIFICATION by concealment strategy
Encrypted virus – a typical approach is as
follows. A portion of the virus creates a random
encryption key and encrypts the remainder of the
virus.
Stealth virus – a form of virus explicity designed
to hide itself from by antivirus software.
Polymorphic virus – a virus that mutates with
every infection, making detection by the
“signature” of the virus impossible.
Metamorphic virus – a virus mutates with
every infection. The difference is that it rewrites
completely at each iteration, increasing the
difficulty of detection.

48. Virus Kits
– another weapon in the virus writers’
armory is the virus-creation toolkit
Macro Viruses
– is platform independent
– infect Microsoft Word documents or other
Microsoft Office documents.
– infect documents, not executable portions
of code
– are easily spread. A very common method
is by electronic mail.

49. E-Mail Viruses – a more recent development
in malicious software is the email virus
If the recipient opens the email attachment,
the Word macro is activated. Then
1. The e-mail virus sends itself to everyone on
the mailing list in the user’s e-mail package.
2. The virus does local damage on the user’s
system.

50. WORMS
It is a program that can replicate itself
and send copies from computer to
computer across network connections.

51. BOTS
A bot (robot), also known as a zombie or
drone, is a program that secretly takes over
another Internet-attached computer and then
uses that computer to launch attacks that are
difficult to trace to the bot’s creator.

52. USES OF BOTS
Distributed denial-of-service attacks: a DDoS
attack is an attack on a computer system or
network that causes a loss of service to users.
Spamming: with the help of a botnet and
thousands of bots, an attacker is able to send
massive amounts of bulk e-mail (spam).
Sniffing traffic: bots can also use a packet sniffer
to watch for interesting cleartext data passing by
a compromised machine.

53. USES OF BOTS
Keylogging: if the compromised machine uses
encrypted communication channels, then just
sniffing the network packets on the victim’s
computer is useless because the appropriate key
to decrypt the packets is missing.
Spreading new malware: botnets are used to
spread new bots.
Installing advertisement add-ons and browser
helper objects (BHOs): botnets can also be used
to gain financial advantages.

54. USES OF BOTS
Installing advertisement add-ons and
browser helper objects (BHOs): botnets can
also be used to gain financial advantages.
Attacking IRC chat networks: Botnets are
also used for attacks against Internet relay
chat (IRC) networks.
Manipulating online polls/games: online
polls/games are getting more and more
attention and it is rather easy to manipulate
them with botnets. BACK

56. Rootkit
- a set of programs installed on a system
to maintain administrator (or root) access
to that system.

57. Rootkits can be classified based on whether they
can survive a reboot and execution mode.
A rootkit may be:
1. Persistent: Activates each time the system
boots. The rootkit must store code in a
persistent store, such as the registry or file
system, and configure a method by which the
code executes without user intervention.
2. Memory based: Has no persistent code and
therefore cannot survive a reboot.

58. 3. User mode: Intercepts calls to APIs (application
program interfaces) and modifies returned
results. For example, when an application
performs a directory listing, the return results
don’t include entries identifying the files
associated with the rootkit.
4. Kernel mode: Can intercept calls to native APIs
in kernel mode. The rootkit can also hide the
presence of a malware process by removing it
from the kernel’s list of active processes.

59. Rootkit Installation - unlike worms or bots,
rootkits do not directly rely on vulnerabilities or
exploits to get on a computer.
The following sequence is representative of a
hacker attack to install a rootkit.
1. The attacker uses a utility to identify open ports
or other vulnerabilities.
2. The attacker uses password cracking, malware,
or a system vulnerability to gain initial access
and, eventually, root access.

60. 3. The attacker uploads the rootkit to the victim’s
machine.
4. The attacker can add a virus, denial of service, or
other type of attack to the rootkit’s payload.
5. The attacker then runs the rootkit’s installation
script.
6. The rootkit replaces binaries, files, commands,
or system utilities to hide its presence.
7. The rootkit listens at a port in the target server,
installs sniffers or keyloggers, activates a
malicious payload, or takes other steps to
compromise the victim. BACK

63. User Authentication
- is the fundamental building block and
the primary line of defense in most computer
security environments. It is the basis for most
types of access control and for user
accountability.
(RFC 2828 definition)
- the process of verifying an identity
claimed by or for a system entity.

64. An authentication process consists of two
steps:
• Identification step:
Presenting an identifier to the security
system.
• Verification step:
Presenting or generating authentication
information that validates the binding
between the entity and the identifier.

65. IDENTIFICATION (example)
User User Identifier Password
Sara Bucayu SJGSBUCAYU 12345
• The password is kept secret (known only to
Sara and to the system).
• Sara’s user ID and password enables
administrators to set up Sara’s access
permissions and review or check her activity.

66. AUTHENTICATION
Identification
is the means by which a user provides a
claimed identity to the system.
User authentication
is the means of establishing the validity
of the claim.

67. MEANS OF AUTHENTICATION
4 General means of authenticating a user’s identity, which
can be used alone or in combination:
1. Something the individual knows:
Examples: password,
personal identification number (PIN),
or answers to a prearranged set of
questions
2. Something the individual possesses:
Examples: electronic keycards,
smart cards, and physical keys.

68. MEANS OF AUTHENTICATION
3. Something the individual is
(static biometrics):
Examples: recognition by
fingerprint, retina, and face.
4. Something the individual does
(dynamic biometrics):
Examples: recognition by voice
pattern, handwriting characteristics,
and typing rhythm.

69. PASSWORD-BASED AUTHENTICATION
The system compares the password to a
previously stored password for that user ID,
maintained in a system password file. The
password serves to authenticate the User ID of
the individual logging on to the system.
USER ID Stored Password Password Input
Sara ●●●●●● ●●●●●●

70. PASSWORD-BASED AUTHENTICATION
The User ID provides security in the following ways:
• The ID determines whether the user is authorized
to gain access to a system.
• The ID determines the privileges accorded to the
user.
• The ID is used in what is referred to as
discretionary access control.

71. THE USE OF HASHED PASSWORDS
A widely used password security technique
is the use of hashed passwords and a salt
value. This scheme is found on virtually all
UNIX variants as well as on a number of other
operating systems.

72. UNIX PASSWORD SCHEME
Password
Salt Value
ae08wi930ks… Hash
Slow
Function
sjgbucayu 0219

73. UNIX PASSWORD SCHEME

74. THE USE OF HASHED PASSWORDS
The salt serves three purposes:
User ID Salt Value Password Hashed Password
• It prevents duplicate passwords from being
Sara 3982 12345 ae02thd403odk..
Ricavisible in the password12345
3210 file. jd893sjs1qjz63j..
• It greatly increases the difficulty of offline
dictionary attacks.
• It becomes nearly impossible to find out
whether a person with passwords on two or
more systems has used the same password
on all of them.

75. UNIX IMPLEMENTATIONS
Since the original development of UNIX, most
implementations have relied on the following
password scheme:
Scheme Max Password length No. of Encryptions Salt Value Hash Value
(Length) (Length)
DES Algorithm 8 characters 25 12 bits 64 bits
MD5 Secure No limitation 1000 48 bits 128 bits
Hash Algorithm
Blowfish 55 characters 128 bits 192 bits
symmetric
block cipher
*The most secure version of the UNIX hash/salt scheme was developed
for OpenBSD, another widely used open source UNIX. This scheme uses a
hash function based on the Blowfish symmetric block cipher.

76. TOKEN-BASED AUTHENTICATION
Tokens - Objects that a user possesses for the purpose
of user authentication.
1. Memory Cards
Memory cards can store but not process data.
The most common such card is the bank card with a
magnetic stripe on the back. A magnetic stripe can
store only a simple security code, which can be read
by an inexpensive card reader.

77. TOKEN-BASED AUTHENTICATION
Potential drawbacks for memory cards:
• Requires special reader - This increases the
cost of using the token and creates the
requirement to maintain the security of the
reader’s hardware and software.
• Token loss - A lost token temporarily prevents
its owner from gaining system access.
• User dissatisfaction - Although users may
have no difficulty in accepting the use of a
memory card for ATM access, its use for
computer access may be deemed
inconvenient.

78. TOKEN-BASED AUTHENTICATION
2. Smart Cards
• Physical characteristics
Smart tokens include an embedded microprocessor. A
smart token that looks like a bank card is called a smart
card. Other smart tokens can look like calculators, keys, or
other small portable objects.
• Interface
Manual interfaces include a keypad and display for
human/token interaction.
• Authentication protocol
The purpose of a smart token is to provide a means
for user authentication.

79. TOKEN-BASED AUTHENTICATION
Three categories of authentication protocols used
with smart tokens :
1. Static
With a static protocol, the user authenticates
himself or herself to the token and then the
token authenticates the user to the computer.

80. TOKEN-BASED AUTHENTICATION
2. Dynamic password generator
The token generates a unique password
periodically. This password is then entered into
the computer system for authentication, either
manually by the user or electronically via the
token.
3. Challenge-response
In this case, the computer system generates
a challenge, such as a random string of numbers.
The smart token generates a response based on
the challenge.

81. BIOMETRIC AUTHENTICATION (STATIC)
A biometric authentication system
attempts to authenticate an individual based
on his or her unique physical characteristics
Different types of physical characteristics for
users authentication:
1. Facial characteristics
Facial characteristics are the most
common means of human-to-human
identification.

82. BIOMETRIC AUTHENTICATION (STATIC)
2. Fingerprints
Fingerprints have been used as a means
of identification for centuries, and the
process has been systematized and
automated particularly for law enforcement
purposes.
3. Hand geometry
Hand geometry systems identify features
of the hand, including shape, and lengths
and widths of fingers.

83. BIOMETRIC AUTHENTICATION (STATIC)
4. Retinal pattern
The pattern formed by veins
beneath the retinal surface is
unique and therefore suitable for
identification.
5. Iris
Another unique physical
characteristic is the detailed
structure of the iris.

84. BIOMETRIC AUTHENTICATION (DYNAMIC)
6. Signature
Each individual has a unique style of
handwriting, and this is reflected especially in
the signature, which is typically a frequently
written sequence.
7. Voice
Voice patterns are more closely tied to the
physical and anatomical characteristics of the
speaker.
BACK

86. An Access Control Policy dictates what types of access
are permitted, under what circumstances, and by
whom.
Access control policies are generally grouped into the
following categories:
• Discretionary access control (DAC)
Controls access based on the identity of the
requestor and on access rules (authorizations) stating
what requestors are (or are not) allowed to do.
- Implemented using Access Control List (ACL).
- Default access control mechanism for most desktop
operating systems

87. Windows ACL

88. • Mandatory access control (MAC)
Controls access based on comparing security
label with security clearances. This policy is termed
mandatory because an entity that has clearance to
access a resource may not, just by its own volition,
enable another entity to access that resource.
• Role-based access control (RBAC)
Controls access based on the roles that users
have within the system and on rules stating what
accesses are allowed to users in given roles.

89. • Mandatory access control (MAC)
Controls access based on comparing security
label with security clearances. This policy is termed
mandatory because an entity that has clearance to
access a resource may not, just by its own volition,
enable another entity to access that resource.
• Role-based access control (RBAC)
Controls access based on the roles that users
have within the system and on rules stating what
accesses are allowed to users in given roles.

90. ROLE-BASED ACCESS CONTROL
Users, Roles, and Resources

91. ACCESS CONTROL POLICIES
BACK

93. Security intrusion
A security event, or a combination of
multiple security events, that constitutes a
security incident in which an intruder gains,
or attempts to gain, access to a system
without having authorization to do so.
Intrusion detection
A security service that monitors and
analyzes system events for the purpose of
finding, and providing real-time or near real-
time warning of, attempts to access system
resources in an unauthorized manner.

94. INTRUSION DETECTION SYSTEM
IDSs can be classified as follows:
• Host-based IDS
Monitors the characteristics of a single host
and the events occurring within that host for
suspicious activity
• Network-based IDS:
Monitors network traffic for particular
network segments or devices and analyzes
network, transport, and application
protocols to identify suspicious activity

95. INTRUSION DETECTION SYSTEM
An IDS comprises three logical components:
• Sensors
– responsible for collecting data
• Analyzers
– receive input from one or more sensors
or from another analyzer
• User Interface
– enables a user to view output from the
system or control the behavior of the system.

96. INTRUSION DETECTION SYSTEM
Basic Principles of IDS:

97. False positives – authorized users identified as intruders
False negatives – intruders not identified as intruders

98. HOST-BASED INTRUSION DETECTION TECHNIQUES
Two General Approaches to ID:
• Anomaly detection
- Involves the collection of data relating to the
behavior of legitimate users over a period of
time
 Threshold detection
 Profile based
• Signature detection
- Involves an attempt to define a set of rules or
attack patterns that can be used to decide that
a given behavior is that of an intruder.

99. AUDIT RECORDS
A fundamental tool for intrusion
detection is the audit record. Some record of
ongoing activity by users must be maintained
as input to an IDS.

100. AUDIT RECORDS
Two plans are used in Audit Records:
1. Native audit records
- virtually all multiuser operating systems
include accounting software that collects
information on user activity.
Advantage : no additional collection software is needed
Disadvantage: may not contain the needed information
or may not contain it in a convenient form

101. AUDIT RECORDS
2. Detection-specific audit records
– a collection facility can be implemented that
generates audit records containing only that
information required by the IDS.
Advantage : it could be made vendor independent and
ported to a variety of systems
Disadvantage: extra overhead involved in having, in
effect, two accounting packages running on a machine
BACK

103. ANTIVIRUS APPROACHES
• The ideal solution to the threat of viruses is
prevention.
• The next best approach is to be able to do
the following:
Detection
Identification:
Removal

104. GENERIC DECRYPTION
• GD technology enables the antivirus program
to easily detect even the most complex
polymorphic viruses while maintaining fast
scanning speeds
• GD scanner contains the ff elements:
CPU emulator
Virus signature scanner
Emulation control module

105. DIGITAL IMMUNE SYSTEM
• The digital immune system is a comprehensive
approach to virus protection developed by IBM
and subsequently refined by Symantec.
• The success of the digital immune system
depends on the ability of the virus analysis
machine to detect new and innovative virus
strains. By constantly analyzing and monitoring
the viruses found in the wild, it should be
possible to continually update the digital
immune software to keep up with the threat.

106. DIGITAL IMMUNE SYSTEM
Two major trends in Internet technology have had an
increasing impact on the rate of virus propagation in
recent years:
– Integrated mail systems
Systems such as Lotus Notes and Microsoft
Outlook make it very simple to send anything to
anyone and to work with objects that are
received.
– Mobile-program systems
Capabilities such as Java and ActiveX allow
programs to move on their own from one system
to another.

107. DIGITAL IMMUNE SYSTEM

108. BEHAVIOR-BLOCKING SOFTWARE
• It Integrates with the operating system of a
host computer and monitors program
behavior in real time for malicious actions.
• It blocks potentially malicious actions before
they have a chance to affect the system

109. BEHAVIOR-BLOCKING SOFTWARE
Monitored behaviors can include:
Attempts to open, view, delete, and/or modify
files;
Attempts to format disk drives and other
unrecoverable disk operations;
Modifications to the logic of executable files or
macros;
Modification of critical system settings, such as
start-up settings;
Scripting of e-mail and instant messaging clients to
send executable content; and
Initiation of network communications.

110. BEHAVIOR-BLOCKING SOFTWARE

111. WORM COUNTERMEASURE
Requirements for an effective worm
countermeasure scheme:
Generality
Timeliness
Resiliency
Minimal denial-of-service costs
Transparency
Global and local coverage

112. BOT COUNTERMEASURE
Intrusion Detection System
Digital Immune System
But the primary objective is to try to detect
and disable the botnet during its construction
phase.

113. ROOTKIT COUNTERMEASURE
• Rootkits can be extraordinarily difficult to detect and
neutralize, particularly so for kernel-level rootkits. Many of
the administrative tools that could be used to detect a
rootkit or its traces can be compromised by the rootkit
precisely so that it is undetectable.
• Another approach is to do some sort of file integrity
check. An example of this is RootkitRevealer, a freeware
package from SysInternals
• If a kernel-level rootkit is detected, by any means, the only
secure and reliable way to recover is to
do an entire new OS install on the infected machine.
BACK

115. BUFFER OVERFLOW ATTACK DEFENSE
There is consequently a need to defend
systems against buffer overflow by either
preventing them, or at least detecting and
aborting such attacks.
2 Categories of Implementing Protections:
 Compile-time defenses
 Run-time defenses

116. BUFFER OVERFLOW ATTACK DEFENSE
Compile-time defense
- aims to harden programs to resist
attacks in new programs
Run-time defense
- aims to detect and abort attacks in
existing programs