Salami Attack
We noted in Chapter 1 an attack known as a salami attack. This approach gets its
name from the way odd bits of meat and fat are fused in a sausage or salami. In
the same way, a salami attack merges bits of seemingly inconsequential data to
yield powerful results. For example, programs often disregard small amounts of
money in their computations, as when there are fractional pennies as interest
or tax is calculated. Such programs may be subject to a salami attack, because the
small amounts are shaved from each computation and accumulated elsewhere, such as
in the programmer's bank account! The shaved amount is so small that an
individual case is unlikely to be noticed, and the accumulation can be done so
that the books still balance overall. However, accumulated amounts can add up
to a tidy sum, supporting a programmer's early retirement or new car. It is
often the resulting expenditure, not the shaved amounts, that gets the
attention of the authorities.
Examples of Salami Attacks
The classic tale of a salami
attack involves interest computation. Suppose your bank pays 6.5 percent
interest on your account. The interest is declared on an annual basis but is
calculated monthly. If, after the first month, your bank balance is $102.87,
the bank can calculate the interest in the following way. For a month with 31
days, we divide the interest rate by 365 to get the daily rate, and then
multiply it by 31 to get the interest for the month. Thus, the total interest
for 31 days is 31/365*0.065*102.87 = $0.5495726. Since banks deal only in full
cents, a typical practice is to round down if a residue is less than half a
cent, and round up if a residue is half a cent or more. However, few people
check their interest computation closely, and fewer still would complain about
having the amount $0.5495 rounded down to $0.54, instead of up to $0.55. Most
programs that perform computations on currency recognize that because of
rounding, a sum of individual computations may be a few cents different from
the computation applied to the sum of the balances.
What happens to these
fractional cents? The computer security folk legend is told of a programmer who
collected the fractional cents and credited them to a single account: hers! The
interest program merely had to balance total interest paid to interest due on
the total of the balances of the individual accounts. Auditors will probably
not notice the activity in one specific account. In a situation with many
accounts, the roundoff error can be substantial, and the programmer's account
pockets this roundoff.
But salami attacks can net more and be far more
interesting. For example, instead of shaving fractional cents, the programmer
may take a few cents from each account, again assuming that no individual has
the desire or understanding to recompute the amount the bank reports. Most
people finding a result a few cents different from that of the bank would
accept the bank's figure, attributing the difference to an error in arithmetic
or a misunderstanding of the conditions under which interest is credited. Or a
program might record a $20 fee for a particular service, while the company
standard is $15. If unchecked, the extra $5 could be credited to an account of
the programmer's choice. The amounts shaved are not necessarily small: one
attacker was able to make withdrawals of $10,000 or more against accounts that
had shown little recent activity; presumably the attacker hoped the owners were
ignoring their accounts.
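The two reconciliations contrasted above, as an added example that is not from the book: the total-against-total check the legend's program relied on, next to a per-account recomputation of correctly rounded interest. The ledger (accounts A, B, C and X, with three one-cent shortfalls diverted to X) is constructed for the illustration; the 6.5 percent rate, the 31/365 formula and the round-half-up rule are the ones stated in the text.

```python
from decimal import Decimal, ROUND_HALF_UP

RATE = Decimal("0.065")   # 6.5 percent annual rate, as in the text
DAYS = 31                 # a 31-day month
CENT = Decimal("0.01")

def interest_due(balance: Decimal) -> Decimal:
    """Unrounded interest for the month: balance * rate * 31/365."""
    return balance * RATE * DAYS / Decimal(365)

def bank_rounding(amount: Decimal) -> Decimal:
    """Round to whole cents; half a cent or more goes up (the stated practice)."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)

def audit(balances: dict, posted: dict):
    """Run both reconciliations.

    Returns (weak_ok, discrepancies). weak_ok is the total-against-total check
    the legend's program balanced on, allowing a cent per account of rounding
    drift. discrepancies maps each account whose posted interest differs from
    its correctly rounded amount to the signed difference (posted - expected).
    """
    total_due = bank_rounding(interest_due(sum(balances.values())))
    total_posted = sum(posted.values())
    weak_ok = abs(total_posted - total_due) <= CENT * len(balances)
    discrepancies = {}
    for acct, balance in balances.items():
        expected = bank_rounding(interest_due(balance))
        if posted[acct] != expected:
            discrepancies[acct] = posted[acct] - expected
    return weak_ok, discrepancies

# Constructed sample ledger (hypothetical): balances after the first month and
# the interest actually credited. A, B and C were each posted one cent short;
# X received those three cents on top of its own interest, so the books balance.
BALANCES = {"A": Decimal("102.87"), "B": Decimal("250.00"),
            "C": Decimal("1000.00"), "X": Decimal("10.00")}
POSTED = {"A": Decimal("0.56"), "B": Decimal("1.37"),
          "C": Decimal("5.51"), "X": Decimal("0.09")}

def run_audit():
    return audit(BALANCES, POSTED)

if __name__ == "__main__":
    weak_ok, discrepancies = run_audit()
    print("total-vs-total check passes:", weak_ok)   # True: the skim is invisible here
    for acct, diff in discrepancies.items():
        print(f"account {acct}: posted differs from correct amount by {diff}")
    print("net of discrepancies:", sum(discrepancies.values()))  # 0.00
```

The weak check passes because the diverted cents never leave the interest pool; only the per-account recomputation shows three accounts short and one account over by exactly their sum.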
Why Salami Attacks Persist
Computer computations are
notoriously subject to small errors involving rounding and truncation,
especially when large numbers are to be combined with small ones. Rather than
document the exact errors, it is easier for programmers and users to accept a
small amount of error as natural and unavoidable. To reconcile accounts, the
programmer includes an error correction in computations. Inadequate auditing of
these corrections is one reason why the salami attack may be overlooked.
Usually the source code of a
system is too large or complex to be audited for salami attacks, unless there
is reason to suspect one. Size and time are definitely on the side of the
malicious programmer.