This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
ABSTRACT: Commercial off-the-shelf (COTS) applications are ready-made software available to the end user. These include licensed, shareware and freeware software with commercial support. The use of COTS applications has increased in the recent times due to reduced cost and development time. Since these third party software are generally developed with poor documentation and less security consideration, their use in critical systems can pose security threats. This paper will review the literature of the work done in the past for detection of malicious code in COTS applications. It will lay a foundation for selecting best technique for securing COTS applications. This work will mainly focus on the current trends in COTS applications for coping with the security issues.
Keywords: COTS, Security, Static Analysis, Dynamic Analysis, Malicious code detection, Intrusion Tolerance.
Information technology is inclined to new systems, however the different phases of design, development, testing, and security is very sophisticated task. Building new COTS systems in-house requires substantial time and skills. Generally organizations rely on software already installed rather than opting for custom applications. These trusted software make up large percentage of total software system and with the passage of time new systems become trusted too.
Building new systems securely is crucial, it is more important or even difficult to secure an old system. A system may have run securely for many years but that does not guarantee that the system is 100% secure.
In todayâ€™s integrated IT environment systems are made up of large number of hardware, system software and application software components. Vulnerabilities in these components are generally introduced during upgrades, or when new features are added. Exploitation of vulnerability in any of these components may result in data loss or even system compromise.
Enforcing security in COTS applications is somewhat different or difficult than that of custom software. The custom software are build by organizations through in-house developers or outsourced. The organization being the owner is responsible for ensuring security of custom software.
In case of COTS components, with the exception of open source software, the source code is generally not available. The end user has little or no control over the software. The security in these COTS application is the responsibility of the vendor. Since the organization is not the owner of application but being user they have to ensure security of COTS application.
COTS applications are vulnerable to different types of threats, these are as follows:-
Malicious code is a general term used for segment of the code within a software system with intention to cause undesirable effects like damaging data or system . Malicious code include viruses, worms, Trojan Horses, coding errors etc.
Backdoor are a way of gaining unauthorized access to an online program or computer system without being detected. Backdoors can be divided into three types. System backdoor is used to gain unauthorized access to data at system level. Application backdoors are used to exploit weaknesses in a particular application. Crypto backdoors are flaws inserted in a cryptosystem by the developer for special purposes which the attacker can use to convert cipher text to plain text .
Time bomb is an undesirable piece of code within a software that is executed when a particular time is reached .
In order to mitigate the affects of malicious code in COTS applications a number of techniques are available. The details of these techniques are as follows: -
Static analysis is the method of detecting malicious behavior within a program without running it .
Dynamic analysis is used to analyze program and look for any suspicious activity while the program is executing .
In this technique the compiler besides converting source code to machine code also checks the source code for malicious behavior against certain security specifications .
In intrusion tolerance technique security is addressed in COTS components in such a way that they continue to function normally even if attacked by someone .
In this paper we have discussed different security issues related to COTS applications like vulnerability assessment, malicious code detection etc. Next we have presented different security architectures for COTS applications and analyzed various techniques available for detection and isolation of malicious code in them.
2. LITERATURE REVIEW
COTS components are generally used on a large scale mainly because they provide abstraction, reusability of code and reduced development time. Besides these benefits relying on COTS components to build a secure system is risky. COTS applications are mainly available freely without any guarantee on how the application will function, and the case becomes worse if source code is not available.
Generally security issues arises in COTS applications due to integration with other components. So a method is required to analyze COTS applications for security purposes.
This paper  presented the importance of COTS components and why COTS are prone to security risks. A case study regarding security risks in Java has been discussed. The study shows that if even Java (build with security in mind) is vulnerable to different types of attacks, what would be the security level in general COTS applications.
The strength of the paper is that it presented different methods for developers to test each COTS component for security before integration into a large system.
The weakness is that the testing methods suggested in the paper are general purpose and no real technique for detection of malicious code in COTS application is presented.
COTS applications may be subject to malicious activities like virus or Trojan horse attack largely due to reusability of code segments. The vulnerable code might be inserted into program segment either intentionally or unintentionally. The programmers create a backdoor or loophole intentionally in COTS application for remote monitoring or testing purposes. The unintentional insertion generally called a program bug is due to coding errors or race conditions in program segments.
Since malicious code can be embedded into COTS applications, even after completion of program development either during distribution or installation, a continuous monitoring system is required for detection of malicious behavior.
This paper  discusses three types of analysis (manual source code analysis, partially-automated analysis and fully-automated analysis) used for malicious code detection in trusted software.
The strength of the paper is that it provides comprehensive material and detailed steps for performing manual, partially-automated or fully-automated analysis of COTS applications for malicious behavior detection. It also gives a tabular comparison among the three analysis types. The paper also suggests the properties of the tool that can be developed for malicious code detection in COTS systems.
The weak point about the paper is that it contains quite unnecessary material like description about generally known terms like viruses, worms, backdoors, Trojan horses etc. Secondly the paper discussed different analysis techniques but does not suggest which one is better.
With large scale usage of COTS applications, the vulnerability assessment of these software has become a major concern especially for organizations relying on these software. Generally security in COTS components have been calculated on economic basis.
Most currently available vulnerability rating systems rate confidentiality, integrity and availability (CIA) equally. Therefore a model is required to analyze the correct vulnerability rating.
In this paper  a Threat Modeling method (T-MAP) is proposed which dynamically ranks COTS vulnerabilities based on Attacking Path Analysis.
The strength of the paper is that T-MAP is the first automated framework that uses user consideration and effectively evaluate vulnerabilities with respect to value. With T-MAP, COTS security can be assessed in early system life-cycle.
Limitations of the paper is that T-MAP can evaluate known vulnerabilities only.
COTS components are different from custom software where secure systems are to be built from unsecured COTS components. With rapid upgrades in COTS systems new vulnerabilities are introduced therefore traditional top-down modeling applied to custom software cannot be used.
Since vulnerabilities are introduced into COTS components mainly during upgrades, so a model for vulnerability detection in COTS components is required.
This paper  introduces a security modeling for COTS applications based on many features from currently available models.
The good point about the model is that it uses object oriented approach that allows active analysis of distributed systems rather than static analysis. The model does not require COTS source code or any specifications for implementation. The model allows adding new components to existing COTS system without reanalyzing whole system.
The drawback of this model is that no clear method is suggested for populating the model from component library and secondly the model does not show how to compare vulnerabilities in COTS with vulnerability database.
Large number of COTS application is used in distributed systems mainly due to low cost components. One of the drawbacks of COTS systems is that usually security considerations are met in final stages of development.
Since COTS components have little security services available they cannot be used to build a secure distributed system. To address security consideration in COTS system an architecture is required.
In this paper  the authors have proposed a security architecture for COTS based distributed system. The architecture has four steps. In the first step software security analysis is used to identify potential threats to COTS components. The second step is definition of security policy. Next step is choosing secure COTS components based on minimum threat level. The last step is testing the efficiency of system.
The good point about the paper is that the author has implemented the proposed architecture on two different COTS systems. Secondly the paper showed the impact of addition of new COTS components on overall system.
The drawback of the paper is that implementation is not generalized but specific to the two COTS systems on which the tests were conducted.
Many organizations are switching from custom software to COTS based systems. This shifting poses threat in term of security, reliability, confidentiality and integrity of COTS systems. Since COTS systems consists of diverse components they are liable to malicious activities. Therefore to detect malicious behavior in COTS components some mechanism is required.
This paper  presents a structured approach for detection of malicious behavior in COTS applications through static slicing of binary code. The model consists of code analysis level and detection process level. In code analysis phase the binary code is disassembled and converted into a high level form. In detection phase the code is divided into segments and checked against predefined database.
The strength of the paper is that static slicing technique works on binary code and does not need source code. The slicing of whole binary code into segments helps to select specific piece of code critical from security point of view rather than checking whole program. The slicing improves analysis of code but does not change program meanings.
The weakness of the paper is that for disassembling binary code no specific COTS disassembler is mentioned.
COTS applications are ready-made software components used to build large systems. With the exception of open source software, the source code of COTS components is generally not available. Without source code it is difficult to detect malicious code in COTS.
In the absence of source code a method is required for malicious behavior detection in COTS application.
This paper  solves the problem by using binary code for detection of malicious activity through static analysis.
The paper discussed the two methods static analysis and dynamic analysis used for detection of malicious code in COTS. The strength of the paper is that it suggests that static analysis is better than dynamic analysis. In static analysis malicious code is detected without running a program which minimizes execution overhead while dynamic analysis require program execution. The proposed technique is based on semantic analysis that can even detect unknown malicious code. The paper described the prototype of a tool build for static detection and tested the tool on some known malicious applications. Another good point is that the authors have appreciated the comments of anonymous referees about their paper.
The weak point in the paper is that since static analysis is time consuming and may be ineffective if malicious code is inserted after analysis is done.
The weak point in the paper is that no proper method is presented for developing security policy which is used in static verification phase. Secondly the developed tool can work on Windows platform only.
Backdoors are program segments that provide unauthorized access to data on remote system. Once the system security is bypassed backdoor is launched which allows the intruder to access the system at will in future. This allows remote user to use the system as a launching pad to attack other systems. It this way the malicious user can avoid detection from the system under attack. There are generally three types of backdoors; application backdoors, system backdoors and crypto backdoors. Application backdoors are the one inserted into software for illegal purposes. These backdoors can attack network devices, server application or operating systems.
Due to diverse attacking capabilities of application backdoors they are divided into four different categories logic based, invisible behavior, network based and security vital parameters. Since application backdoors can exist anywhere some technique is needed for their detection and isolation.
This paper  introduces static analysis of code for detection of backdoor in COTS applications. The author claims that static inspection is the best method since many backdoors using hidden functionality cannot be detected through dynamic analysis. The paper discussed various types of backdoors and classifies application backdoors into different types.
The good point about the paper is that it not only contains practical examples of each category of application backdoor but also gave solution for their detection.
The weakness of the paper is that it discusses detection of backdoors in source code or binary code during development but does not talk about their detection after development.
COTS applications developed with embedded malicious code can go un-noticed for long time and cause series of threats to overall security of a system. Malicious code may be introduced into COTS components any time in development phase especially during upgrades. Different techniques are available for detection of malicious code in COTS applications. Ad hoc analysis system detects suspicious activity by examining code against known signatures. This technique is generally used for known virus detection. Static analysis is a flow based inspection technique used to examine code without running the program. Dynamic analysis searches for unknown activity against a given security policy while COTS application is still running. The drawback of above techniques is that they detect malicious code after the COTS application has been developed and is ready for use.
To detect malicious code in early stages of COTS application development a mechanism is required.
This paper  introduces a technique called certifying compilers for detection of malicious code in COTS application. In this technique the compilers (used to translate source code to machine code) are made intelligent to not only produce machine code but also check the source code against a security policy.
The strength of the paper is that it suggests a method called annotation that can be used for compilation in case source code is not available. Early detection also ensures secure software from the beginning.
The weak point is that certifying compilers technique cannot detect malicious code once the COTS application is integrated in distributed environment.
COTS applications are very attractive due to reduced cost and development time. But at the same time they can be vulnerable to malicious attacks. Time bomb is one type of malicious code that can exist in COTS applications. Time bomb is a piece of code in an application that is activated when a specific time is reached. The time can be a predefined date and time or it can be elapsed time. The time bomb can be a malicious code like virus activation at a particular date and time or it can be a legitimate program like updating virus definitions or taking backups at specific time.
Since time bombs use complex and hidden logic it is quite difficult to distinguish between a legitimate code and malicious code. To crack a time bomb some method is required.
This paper  presents detection of malicious code in COTS applications through dynamic analysis. This paper argues that despite many advantages of static analysis, for detection of time bomb only dynamic analysis will work.
The good point about the paper is that the author has given a real world example of time bomb. The paper discussed different code segments in time bomb used to get program installation time, current system time and comparing installed time to current time. The author has discussed two methods to detect time bomb in COTS applications and proposed a tool that can be developed having properties of both these methods. The paper also presented the results of three commercially available COTS products used for malicious code detection.
The drawback of the paper is that although it emphasized on dynamic analysis but the proposed model combines the attributes of both static and dynamic analysis methods.
COTS components are generally used in information systems due to low cost and timely availability. These ready-made software however pose security concerns because they are made with no or less security considerations.
To ensure security and reliability of operational system some monitoring strategy is required. This paper  discusses a dynamic monitoring mechanism which continuously checks system for malicious activity. The system dynamically enforces a security policy. Generally three types of solutions certifying compilers, static analysis and dynamic analysis are available for malicious behavior detection in COTS application
The author favors dynamic approach by saying that certifying compiler and static analysis will not be able to detect malicious code inserted after the analysis has been completed. The good point about the paper is that it discussed a dynamic monitoring tool build to run on Windows NT. The tool is capable of stopping certain malicious actions based on the combined accesses to critical resources.
The weakness of the paper is that the developed tool is capable of preventing against specific malicious attacks only. Secondly the developed tool can run on Windows NT only.
COTS components are generally developed with less or no security considerations. The security that is available in COTS is mainly to prevent intruder from gaining access to COTS system. Today much attention is paid to intrusion detection and intrusion prevention techniques, but these will be void once COTS system is compromised.
For smooth functioning of COTS system even if attacked by an intruder some mechanism is required.
In this paper  the authors have presented an intrusion tolerance method based on Fragmentation-Redundancy-Scattering (FRS) technique. The purpose of this method is to make the system available to desired users all the time even if attacked. The FRS technique provides tolerance by first slicing the information into small segments, secondly for redundancy make copies of each segment and lastly for tolerance place copies of each segment on different locations.
The strength of the paper is that it discussed a case study, pointing out different phases during lifetime of COTS system, where an intruder can attack. The intrusion tolerance FRS technique presented based on analysis of case study can avoid DOS attack on COTS system. The redundancy can provide fault tolerance while scattering can secure system from attacks.
The weakness of the paper is that the proposed technique focuses solely on integrity of application data but not addressing confidentiality and availability of system.
3. CRITICAL ANALYSIS
Gary McGraw and John Viega
How to address security issues arising in COTS applications due to their integration with other components.
The paper presented different steps to carry out before integration of COTS components into a large system.
The methods suggested are general purpose and no real technique is presented.
How to monitor COTS applications for malicious code, embedded after completion of program development, either during distribution or installation.
The paper provides detailed steps for performing manual, partially-automated or fully-automated analysis of COTS applications. The paper also suggests the properties of the tool that can be developed for malicious code detection in COTS systems.
The paper discussed different analysis techniques but does not suggest which one is better.
Yue Chen and Dr. Barry W. Boehm
How to effectively rate vulnerabilities in COTS applications quantitatively with respect to confidentiality, integrity and availability.
The proposed model is the first automated framework that uses user consideration for evaluating vulnerabilities with respect to value. Through this model security in COTS can be assessed in early system life-cycle.
Limitations of the paper is that the model can evaluate known vulnerabilities only.
Tom Markham, Dwight Colby and Mary Denz
To develop a security strategy for detecting vulnerabilities introduced in COTS components mainly during upgrades.
The model uses active analysis of distributed systems rather than static analysis. The model does not require COTS source code for implementation. The model allows adding new components to existing COTS system without reanalyzing whole system.
No clear method is presented for populating the model from component library. Secondly the model does not show how to compare vulnerabilities with vulnerability database.
Pierre Bieber and Pierre Siron
How to develop an architecture for building a secure distributed system from insecure COTS components.
The architecture is implemented on two different COTS systems. The paper showed the impact of addition of new COTS components on overall system.
The implementation is not generalized but specific to the two COTS systems on which the tests were conducted.
J. Bergeron, M. Debbabi, M.M. Erhioui and B. Ktari
COTS systems consists of diverse components which are liable to malicious activities. How to detect malicious behavior in COTS systems.
The proposed static slicing technique works on binary code and does not need source code. Slicing of whole program into segments improves analysis of individual code segment.
For disassembling binary code no specific COTS disassembler is mentioned.
J. Bergeron, M. Debbabi, J. Desharnais, M.M. Erhioui, Y. Lavoie and N. Tawbi
How to detect malicious behavior in executable programs in the absence of source code?
The proposed technique is based on semantic analysis that can even detect unknown malicious code.
Secondly the authors have build and tested the tool for static detection on some known malicious applications.
No proper method for developing security policy is presented. The developed tool can work on Windows platform only.
Chir Wysopal and Chris Eng
How to detect and isolate application backdoors in COTS components?
The paper presented practical examples of different types of application backdoor and also gave solution for their detection.
The paper discusses detection of backdoors in source code or binary code during development of COTS applications but does not talk about their detection after development.
Robert Charpentier and Martin Salois
COTS applications developed with embedded malicious code can go un-noticed and cause serious threats to overall security of a system. How to detect malicious code in early stages of software development.
The suggested method can be used during compilation for malicious code detection in case source code is not available. Early detection also ensures secure software from the beginning.
Certifying compilers technique cannot detect malicious code once the COTS application is integrated in distributed environment.
Martin Salois and Robert Charpentier
Time bomb is a piece of code in an application with hidden and complex logic that is activated when a specific time is reached. How to detect time bomb in an application.
The paper presented a real world example of time bomb and discussed two methods to detect it. The paper proposed a tool that can be developed based on the methods discussed in the paper.
The paper emphasized on dynamic analysis but the proposed model combines the attributes of both static and dynamic analysis methods.
M. Salois and N. Tawbi
How to ensure security and reliability of operational COTS system.
The paper discussed a dynamic monitoring tool build to run on Windows NT. The tool is capable of stopping certain malicious actions based on the combined accesses to critical resources.
The developed tool is capable of preventing against specific malicious attacks only. Another limitation is that the tool is platform dependent.
Manish Rathi, Farooq Anjum, Rabih Zbib, Abhrajit Ghosh and Amjad Umar
How to make COTS applications function smoothly even if attacked by an intruder.
The paper discussed a case study, pointing out different phases during lifetime of COTS system, where an intruder can attack. The proposed technique can avoid DOS attack and provide fault tolerance.
The proposed technique focuses solely on integrity of application data but not addressing confidentiality and availability of system.
In this paper we have reviewed the current and past trends for tackling the security concerns in COTS applications. We have discussed different security threats and analyzed various models available for detection of malicious code in COTS software. Further different malicious code detection methods like static analysis, dynamic analysis, certifying compilers and intrusion tolerance are discussed.
5. FUTURE WORK
Future work includes developing a security framework that can integrate the different detection techniques currently available. The model should be capable of detecting malicious code throughout the life of COTS application.