Software Security

Viruses

History

Name          Description                                  When               Author
Elk Cloner    First virus on a microcomputer (Apple II)    1982               Rich Skrenta
Morris Worm                                                November 2, 1988   Bob Morris, Jr.

The Art of Computer Virus Research and Defense by Peter Szor

Von Neumann machine: no distinction between code and data; both live in the same memory, which is what lets a program read, write and copy itself.

Core War

Instead of writing computer viruses, I strongly recommend playing this harmless and interesting game. In fact, if worms fascinate you, a new version of Core Wars can be created to link battles in different networks and allow warrior programs to jump from one battle to another to fight new enemies on those machines. Evolving the game to be more networked allows for simulating worm-like warrior programs.

Books

Kinematic Self-Replicating Machines by Merkle + Freitas

Games with Computer by Antal Csakany + Ferenc Vajda

“Computer Recreation” column in Scientific American, by Dewdney

Core War

History

Created by Robert Morris Sr. (NSA Chief Scientist), Victor Vyssotsky and Dennis Ritchie (Bell Labs)

Originally called Darwin; it ran on a PDP-1 at Bell Labs

Redcode Assembly Language

10 instructions in original set, 14 in 1999

opcode  desc
DAT     no-op
MOV     move (copy) A to B
ADD     add A to B
SUB     subtract A from B
MUL     multiply B by A
DIV     divide B by A
MOD     remainder of B divided by A
JMP     jump to A
JMZ     jump to A if B is zero
JMN     jump to A if B is non-zero
DJN     decrement B, then jump to A if B is non-zero
CMP     compare A and B; skip the next instruction if equal
SLT     skip the next instruction if A is less than B
SPL     split: start a new process at A

Types of programs

Imp

Moves 1 address forward each cycle
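An added example, not code from the original notes: a toy MARS in Python that models only MOV and DAT with immediate and direct addressing, enough to run the Imp ("MOV 0, 1") and to show that a process which executes DAT (what every empty core cell holds) is removed from the process queue, as the ICWS rules specify. The core size of 8000 and a single shared round-robin process queue are assumptions.

```python
from collections import deque
from dataclasses import dataclass, replace

CORE_SIZE = 8000  # assumed core size (the classic default)

@dataclass
class Instr:
    op: str                 # only "DAT" and "MOV" are modelled here
    a_mode: str = "#"       # "#" immediate, "$" direct (relative to the current cell)
    a: int = 0
    b_mode: str = "#"
    b: int = 0

class Mars:
    def __init__(self):
        self.core = [Instr("DAT") for _ in range(CORE_SIZE)]  # an empty core is all DAT
        self.procs = deque()  # round-robin process queue (one shared queue, simplified)

    def load(self, addr, program):
        for i, ins in enumerate(program):
            self.core[(addr + i) % CORE_SIZE] = replace(ins)
        self.procs.append(addr % CORE_SIZE)

    def resolve(self, pc, mode, val):
        return pc if mode == "#" else (pc + val) % CORE_SIZE  # all addressing is relative

    def step(self):
        pc = self.procs.popleft()
        ins = self.core[pc]
        if ins.op == "DAT":
            return  # executing data kills the process: it is never requeued
        src, dst = self.resolve(pc, ins.a_mode, ins.a), self.resolve(pc, ins.b_mode, ins.b)
        if ins.a_mode == "#":
            self.core[dst].b = ins.a  # MOV #n, x writes n into x's B-field
        else:
            self.core[dst] = replace(self.core[src])  # MOV a, b copies the whole cell
        self.procs.append((pc + 1) % CORE_SIZE)

IMP = [Instr("MOV", "$", 0, "$", 1)]  # "MOV 0, 1": copy myself one cell forward

def run(warriors, cycles):
    """Load (address, program) pairs, run `cycles` steps; return (live process queue, MOV cells)."""
    m = Mars()
    for addr, prog in warriors:
        m.load(addr, prog)
    for _ in range(cycles):
        m.step()
    return list(m.procs), sum(1 for c in m.core if c.op == "MOV")
```

After CORE_SIZE cycles the Imp has filled the whole core with copies of itself and its program counter has wrapped back to 0.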

Sources

Learning how to break software helps you build more robust software.

Confidentiality, Integrity, Availability

Understand the issues, risks

Assess, plan, design/architect

Principle of Least Privilege

When designing a security policy, be it a firewall rule or filesystem permissions, never grant more than the permissions necessary to get the job done. Doing so reduces the attack surface and limits (though does not eliminate) the damage a compromise can do. It’s easier to loosen rules later than to tighten them.

Appropriateness

The appropriateness of a security architecture is that it meets the confidentiality/integrity/availability needs of an organization. It balances security, risk mitigation, usability, and cost.

Non-repudiation

The property that an action cannot later be denied by whoever performed it; it depends on proof of data integrity.

Business continuity

One of the chief goals of security is to ensure business continuity. Beyond basic security practices, this means having systems in place that tolerate failure so that the business continues with little or no effect.

Hardening

A hardened system has these characteristics:

Computer Security Incident Response Teams (CSIRT)

The team responsible for receiving, reviewing, and responding to computer security incident reports and activity.

Security incident and event management

Monitors security-related events from network devices, servers, etc.

Logs and alerts on anomalies and malicious activity, and puts it all into a “single pane of glass”.

References / citations

Return-Oriented Programming

Reuses ‘gadgets’, short snippets of existing code in libc and elsewhere, chained together in lieu of supplying new code.

BeyondCorp

https://www.beyondcorp.com/

BeyondCorp is a zero-trust approach to building infrastructure: instead of an internal network reached over VPN, each service is reachable from the public internet and access is restricted to known users.

Security Life

Resources

Security Conferences

Resources

http://seclists.org

http://insecure.org

OpenSCAP

https://www.open-scap.org/

STIG

https://www.stigviewer.com/stigs