Lecture #14: Salami and Linearization Attacks
Program and OS Security - Part III
Dr. Ramchandra Mangrulkar
September 2, 2020
Dr. Ramchandra Mangrulkar, Lecture #14: Salami and Linearization Attacks, September 2, 2020, 1 / 11
Contents
Malicious and Non-Malicious programming errors
Targeted Malicious codes
Salami Attack
Linearization Attack
Covert Channel
Control against Program threats
Targeted Malicious Code
Targeted malicious code is written
- for a particular system,
- for a particular application,
- and for a particular purpose.
The attacker (the code writer) studies the target system carefully and identifies its weaknesses before writing the code.
Salami Attack
The name comes from the way odd bits of meat and fat are fused together into a sausage or salami: a salami attack merges many seemingly inconsequential pieces of data (or money) into a significant result.
Programs often disregard small amounts of money in their computations, for example the fractional cents that arise when interest or tax is calculated.
Salami slicing, also known as penny shaving, is the fraudulent practice of stealing money repeatedly in extremely small quantities, usually by taking advantage of rounding to the nearest cent (or other monetary unit) in financial transactions.
A programmer modifies the arithmetic routines, such as the interest computation. Typically the calculations are carried out to several decimal places beyond the customary 2 or 3 kept for financial records.
If the programmer arranges to collect these fractions of cents in a separate account, a sizable fund can grow with no warning to the financial institution.
An embezzler removed $0.20 to $0.30 from hundreds of accounts two or three times a year.
In short, a salami attack is one in which
- the programmer "slices off" money, and
- the slices are too small for the victim to detect.
Example: Salami Attack
The classic tale of a salami attack involves interest computation. Suppose your bank pays 6.5 percent interest on your account. The interest is declared on an annual basis but is calculated monthly. If, after the first month, your bank balance is $102.87, the bank can calculate the interest in the following way. For a month with 31 days, divide the annual rate by 365 to get the daily rate, then multiply by 31 to get the interest for the month. Thus the total interest for 31 days is 31/365 * 0.065 * 102.87 = $0.5679 (to four decimal places). Since banks deal only in full cents, the usual practice is to round down if the residue is less than half a cent and round up if it is half a cent or more, so the customer is credited $0.57.
Few people check their interest computation closely, and fewer still would complain about $0.5679 being rounded down to $0.56 instead of up to $0.57. A modified routine that always rounds down and credits the difference to the programmer's own account takes less than one cent per account per month, but it takes it from every account, every month.
Most programs that perform computations on currency recognize that, because of rounding, the sum of the individual computations may differ by a few cents from the computation applied to the sum of the balances. That tolerance is exactly where the attacker hides, and it is also where the control lies: honest round-to-nearest errors are as often negative as positive and largely cancel, whereas always rounding down shifts the total by about half a cent per account, which a reconciliation against the interest computed on the total balance detects once the ledger is large.
More examples: http://www.mekabay.com/nwss/116p--salami_fraud.pdf
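The skim and the reconciliation check described on the two salami slides above, as an added example in Python (not code from the original slides, nor from any bank's system). The 6.5 percent rate, the $102.87 balance and the 31-day month are the slide's; the ledger of 1,000 constructed balances, the side-account bookkeeping and the alert threshold of about four standard deviations of honest rounding noise are assumptions made here. The attacker's routine truncates every credit to the cent and keeps the remainder; the control computes the interest once on the total balance and compares it with the sum of the credits.

```python
"""Salami slicing on interest posting, and the reconciliation check that catches it.

Added example. The rate, the $102.87 balance and the 31-day month come from the
slide; the ledger, the side account and the alert threshold are constructed here."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
import math
import random

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.065")   # 6.5 percent, as on the slide
DAYS_IN_YEAR = Decimal(365)


def exact_interest(balance: Decimal, days: int) -> Decimal:
    """Unrounded interest for `days` days: days/365 * rate * balance."""
    return balance * ANNUAL_RATE * Decimal(days) / DAYS_IN_YEAR


def slide_example() -> tuple:
    """The slide's single account: $102.87 for 31 days at 6.5 percent.
    Returns (exact to 4 places, honest half-up rounding, attacker's truncation)."""
    exact = exact_interest(Decimal("102.87"), 31)
    return (
        str(exact.quantize(Decimal("0.0001"), rounding=ROUND_HALF_UP)),
        str(exact.quantize(CENT, rounding=ROUND_HALF_UP)),
        str(exact.quantize(CENT, rounding=ROUND_DOWN)),
    )


def post_interest(balances, days: int, skim: bool):
    """Post one period of interest to every account.

    skim=False is the bank's routine: round each credit to the nearest cent.
    skim=True is the attacker's patched routine: truncate each credit to the
    cent and divert the sub-cent remainder into a side account.
    Returns (total credited to customers, total diverted), both Decimal."""
    customer_total = Decimal(0)
    side_account = Decimal(0)
    for balance in balances:
        exact = exact_interest(balance, days)
        if skim:
            credited = exact.quantize(CENT, rounding=ROUND_DOWN)
            side_account += exact - credited     # the slice: always less than one cent
        else:
            credited = exact.quantize(CENT, rounding=ROUND_HALF_UP)
        customer_total += credited
    return customer_total, side_account


def reconcile(balances, days: int, customer_total: Decimal):
    """Control: compute the interest once on the sum of all balances and compare
    it with the sum of the individual credits. Honest half-up rounding leaves a
    zero-mean error per account, so the drift over n accounts is on the order
    of sqrt(n/12) cents; truncating every account drifts by about n/2 cents.
    Returns (drift in cents, alert threshold in cents, within_tolerance)."""
    n = len(balances)
    expected = exact_interest(sum(balances), days).quantize(CENT, rounding=ROUND_HALF_UP)
    drift_cents = int(((expected - customer_total) / CENT).to_integral_value())
    tolerance_cents = 1 + math.ceil(4 * math.sqrt(n / 12))   # about 4 sigma of honest noise
    return drift_cents, tolerance_cents, abs(drift_cents) <= tolerance_cents


def make_balances(n: int, seed: int = 7):
    """Constructed sample ledger: n balances between $10.00 and $5,000.00."""
    rng = random.Random(seed)
    return [Decimal(rng.randint(1_000, 500_000)) / 100 for _ in range(n)]


if __name__ == "__main__":
    print("slide example (exact, honest, truncated):", slide_example())
    ledger = make_balances(1000)
    for skim in (False, True):
        total, side = post_interest(ledger, 31, skim)
        drift, tol, ok = reconcile(ledger, 31, total)
        print(f"skim={skim}: customers ${total}, side account ${side.quantize(CENT)}, "
              f"drift {drift} cents (threshold {tol}), {'OK' if ok else 'ALERT'}")
```

Run it and the honest posting reconciles within a few cents while the skimming posting drifts by roughly $5 on 1,000 accounts, which is also what lands in the side account. The check is only as good as its threshold: a tolerance set to "a few dollars" to quiet false alarms would hide this attack, so the threshold should be derived from the ledger size, as above, rather than picked by hand.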
Salami Attacks in Literature
Linearization Attack
The term is used for two quite different attacks.
The eXtended Sparse Linearization (XSL) attack is a method of algebraic cryptanalysis for block ciphers, first published in 2002 by Nicolas Courtois and Josef Pieprzyk. It expresses the cipher as a large system of multivariate quadratic equations in the key bits and, for AES, claimed to recover the key with less work than exhaustive search. The claimed complexity has since been disputed, and XSL is not a practical attack on AES.
The linearization attack on the following slides is a timing attack: a verification routine that checks a secret one character at a time leaks how many leading characters of a guess are correct, which turns an exponential search into a linear one.
Linearization Attack Example
Cracking a serial number (or password) from its verification time.
Secret: "S123N456"
- For efficiency, the check compares one character at a time and stops at the first mismatch.
- Can the attacker take advantage of this? Yes: the more leading characters of the guess are correct, the longer verification takes. A guess whose first character is wrong is rejected after one comparison (minimum time); the correct value is compared to the end (maximum time).
- The attacker tries every possible first character and finds that guesses starting with "S" take longer.
- The attacker then tries every string "S*" and finds that "S1" takes longer.
- And so on: the attacker recovers the serial number one character at a time.
The time difference per character is tiny, so in practice each guess is measured many times and averaged; the attack needs only that the difference be statistically visible, not that it be large.
Advantages of Linearization
Suppose the serial number is 8 characters and each has 128 possible values.
There are $128^8 = 2^{56}$ possible serial numbers, so exhaustive search needs about $2^{55}$ guesses on average.
With the linearization attack the work is about $8 \times (128/2) = 2^9$ guesses: for each of the 8 positions the attacker expects to try half of the 128 values before the right one stands out.
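The attack on the preceding two slides, as an added example in Python (not code from the original slides or from any real verifier). The secret "S123N456" is the slide's; the 36-character alphabet (A-Z, 0-9), the padding character and the use of a comparison-step counter in place of a stopwatch are assumptions made here. A real attacker would time each guess over the network many times and average, but the counter shows the signal that the timing leaks without the noise. The second checker uses hmac.compare_digest, which examines every byte regardless of where the first mismatch is, and the same attack fails against it. expected_work generalizes the slide's $2^{55}$ versus $2^9$ arithmetic to any length and alphabet size.

```python
"""Linearization (timing) attack on a serial-number check, and the fix.

Added example: the secret is the slide's; the 36-character alphabet, the
padding character and the step counter standing in for elapsed time are
constructed assumptions."""
import hmac
import string

ALPHABET = string.ascii_uppercase + string.digits   # assumed alphabet: A-Z, 0-9 (36 symbols)


class Checker:
    """Verifies a serial number. With constant_time=False it compares one
    character at a time and stops at the first mismatch (the 'efficient' check
    on the slide); `steps` records how many comparisons the last call made and
    stands in for the verification time an attacker would measure."""

    def __init__(self, secret: str, constant_time: bool = False):
        self._secret = secret
        self.constant_time = constant_time
        self.steps = 0

    def verify(self, guess: str) -> bool:
        if self.constant_time:
            # hmac.compare_digest examines every byte whatever the input, so the
            # work done no longer depends on how much of the guess is right.
            self.steps = len(self._secret)
            return hmac.compare_digest(guess.encode(), self._secret.encode())
        self.steps = 0
        if len(guess) != len(self._secret):
            return False
        for g, s in zip(guess, self._secret):
            self.steps += 1
            if g != s:
                return False   # early exit: steps == 1 + length of the correct prefix
        return True


def linearization_attack(checker: Checker, length: int, alphabet: str = ALPHABET):
    """Recover the secret one position at a time: at each position keep the
    candidate whose check did the most work. Returns (secret or None, guesses).
    None means no candidate stood out, i.e. the check leaked nothing."""
    known = ""
    guesses = 0
    for _ in range(length):
        best_char, best_steps, tie = None, -1, False
        for c in alphabet:
            candidate = (known + c).ljust(length, alphabet[0])   # pad to full length
            guesses += 1
            if checker.verify(candidate):
                return candidate, guesses
            if checker.steps > best_steps:
                best_char, best_steps, tie = c, checker.steps, False
            elif checker.steps == best_steps:
                tie = True
        if tie:
            return None, guesses
        known += best_char
    return None, guesses


def expected_work(length: int, alphabet_size: int):
    """Average guesses for exhaustive search versus linearization: the slide's
    8 characters of 128 values give 2^55 versus 8 * 64 = 2^9."""
    exhaustive = alphabet_size ** length // 2
    linear = length * alphabet_size // 2
    return exhaustive, linear


if __name__ == "__main__":
    for constant_time in (False, True):
        checker = Checker("S123N456", constant_time=constant_time)
        found, guesses = linearization_attack(checker, 8)
        print(f"constant_time={constant_time}: recovered {found!r} after {guesses} guesses")
    print("expected work (8 chars, 128 values):", expected_work(8, 128))
```

Against the early-exit checker the attack recovers the whole secret in fewer than 8 * 36 guesses; against the constant-time checker every candidate at the first position costs the same, no character stands out, and the attack gives up after one round. The same early-exit pattern shows up in hand-written comparisons of MACs, session tokens and API keys, which is why those comparisons belong in a constant-time primitive rather than in `==`.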
Problem
Suppose the password length is 2 characters and each character has 32 possible values (A-Z and 0-5). With the linearization attack, how many tries does it take to break the password?
Homework: http://cse.iitkgp.ac.in/~abhij/publications/XL_SGE-InfoSecHiComNet11.pdf