CSE 127: Lecture 25

Today's lecture covered database security, viruses, worms, and Trojan horses, and virus detection software. Next lecture (the last one) will be an overview, with questions.

Database security

Suppose that you have a database full of sensitive information. For example, suppose you are in charge of the US Census data for 2000. The income of each person in the database is private data, and you should not allow queries that reveal this. However, you may want to allow queries that reveal aggregate information, such as the average income of all people in a given zip code. Then the question is, is it safe to allow any query about aggregate statistics, as long as it comes from a large enough population?

Consider the following example: suppose we have a database of the height of everyone in our class, and that the height of each individual is supposed to be kept a secret. Also, let's assume we have one basketball player in the class, and the height of the basketball player is key information for opposing teams. What if we were to allow the following two queries:

ah1 = select avg(height) from class;
ah2 = select avg(height) from class where basketball_player = false;

Assuming we know the number of people in the class n and that there is only one basketball player in the class, we can determine the height of the basketball player:

basketball player height = n * ah1 - (n-1) * ah2

Viruses, Worms, and Trojan Horses

Trojan horses
The name comes from the Iliad, by Homer. An explanation from http://darter.ocps.k12.fl.us/classroom/who/darter1/trhorse.htm:
For ten years , the Greeks had lain siege to the city of Troy without success of getting into the city, or with getting Helen back. The layout and build of the city walls made the ancient metropolis impenetrable. After Achilles left the war, the Greeks' progress slowed to almost a dead stop. Troy was not going to be taken by sheer numbers.

The Trojans, led by Hector, began to repel the Greeks. Eventually the Greeks were driven back to their own ships. Achilles rejoined the battle, and killed Hector to avenge a good friend's death. Greek morale shot through the roof!

The Greeks needed a war machine. The siege machines of the time weren't getting the Greeks anywhere. They needed something new. So the Greeks devised a plan and put it to work.

The Greeks built a giant, wooden horse with a hollow belly. A handful of armed Greeks climbed into the hollow opening, and sealed it up. Meanwhile, the rest of the Greek army piled into their ships and sailed away. Due to a convincing Greek spy , the Trojans came out of Troy to recive the huge horse as an offering of peace. The Trojans rejoiced at the thought of the Greek army running away like dogs!

The Trojans then decided to celebrate. By nightfall the whole city was in a drunken uproar. They celebrated far into the night. In the small hours of the morning, while everyone was drunk or asleep, the Greeks unsealed the belly of the horse, and climbed down from it. Silently, they killed the Trojan sentries at all the city gates. The gates were then opened to the bulk of the Greek army. In their drunkeness, the Trojans did not see the Greek fleet return to their shores.

Now, the Greeks were finally inside the city after ten years of useless battle. The Greeks finally had their chance at capturing victory. They slaughtered men and boys alike. The women, and girls were kept and later sold as slaves. By daylight, everyone in Troy was either dead, or in bondage.

In computer security, a Trojan horse is a program that appears innocuous, but has malicious code which executes when a user accepts and runs the program. An example would be Christmas greeting cards which are executable programs, which may hide malicious code.

A virus is a piece of code which attaches itself to larger executable programs. Often it operates by appending itself to the end of an executable (e.g. Microsoft Word), and inserting a jump command at the place where the program normally starts execution. The jump command will cause the program to actually start execution at the virus code, and then when the virus has finished executing, it will jump back to start executing the real application.

          / | jump to virus code    | <--- entry point
          | |                       | <--- first real instruction
 original | |                       |
 code    -+ |                       |
          | |                       |
          | |                       |
          | |                       |
          \ |                       |
 virus    / | malicious code        |
 code    -+ |                       |
          \ | jump to original code |

The primary purpose of a virus is to propagate itself, much like a biological virus. However, it may also contain malicious code. A virus may be introduced by a Trojan horse.

A worm is a program that also replicates itself, but instead of attaching itself to existing programs, a worm operates on its own. It often propagates by exploiting holes in network servers. This page http://world.std.com/~franl/worm.html describes the first severe Internet-based worm. Many of the recent "email viruses" are actually classified as worms, because they propagate by emailing themselves to people in the infected user's address book.

Virus detection

Virus detection software usually operates by scanning executing programs or files on the hard drive and looking for signatures. Virus detection companies keep large databases of viruses and try to determine unique patterns of instructions that identify the virus (called its signature). Of course, these databases must be kept up-to-date to identify new viruses. If the software labels a file as infected when it is not, that is a false positive. If it misses identifying an infected file, that is called a false negative. The goal of virus detection software is to minimize both false positives and false negatives.

Virus detectors can work by scanning all the files on a hard drive at one time, or each time a program is run. It can place hooks into the operating system so that whenever an application is run, the virus detection software is invoked to check the program before it is run.

One problem with the signature-based approach is that sophisticated viruses may be polymorphic, and may change its instructions by randomly replacing instruction sequences with different sequences that have the same effect. Another way to identify viruses is to keep a database of hashes on each executable program, and each time a program is run or periodically, to check that the hash is the same. Programs such as tripwire implement this sort of policy.

[ search CSE | CSE | bsy's home page | links | webster | MRQE | google | yahoo | citeseer | certserver ]
picture of bsy

bsy+cse127w02@cs.ucsd.edu, last updated Mon Mar 25 15:22:10 PST 2002. Copyright 2002 Bennet Yee.
email bsy.

Don't make me hand over my privacy keys!