slides03.tex
author Christian Urban <urbanc@in.tum.de>
Mon, 22 Oct 2012 11:42:45 +0100
changeset 50 33b26c8efa03
parent 40 11681bbf0e01
permissions -rw-r--r--
added hw
% Beamer deck: 14pt base size, top-aligned frames (t), dvips colour names.
\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplainculight}

% Encoding: T1 output fonts, source file read as Latin-1.
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}

% Layout, drawing and helper packages.
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos} % absolutely positioned textblock boxes
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc}
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings}

% \uline becomes a pass-through that prints its argument unchanged;
% presumably this stops ulem (loaded without the normalem option) from
% underlining emphasised text -- confirm before removing.
\renewcommand{\uline}[1]{#1}

% TikZ libraries, loaded in one call.
\usetikzlibrary{arrows,automata,shapes,shadows,positioning,calc}
\usepackage{graphicx}
% Colour palette for the code listings.
% NOTE(review): javared is labelled "for strings", yet the \lstset below
% colours strings with javagreen, so javared is unused by these settings.
\definecolor{javared}{rgb}{0.6,0,0}            % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35}    % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35}      % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

% Default listing appearance for Java code.
\lstset{%
  language=Java,
  % fonts and colours
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  % /** ... */ blocks get their own colour
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  % line numbers: every line, in the left margin
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  % whitespace handling
  tabsize=2,
  showspaces=false,
  showstringspaces=false}
% Listings language definition for Scala: keyword list, symbolic keywords,
% comment delimiters and string delimiters.
\lstdefinelanguage{scala}{
  % word keywords; the trailing % keeps line ends out of the list
  morekeywords={%
    abstract,case,catch,class,def,do,else,extends,%
    false,final,finally,for,if,implicit,import,%
    match,mixin,new,null,object,override,package,%
    private,protected,requires,return,sealed,super,%
    this,throw,trait,true,try,type,val,var,%
    while,with,yield},
  % symbolic keywords (\% and \# are escaped for TeX)
  otherkeywords={=>,<-,<\%,<:,>:,\#,@},
  sensitive=true,
  % line comments, and block comments with the [n] (nested) type
  morecomment=[l]{//},
  morecomment=[n]{/*}{*/},
  % string delimiters, all with the [b] (backslash-escaped) type
  morestring=[b]",
  morestring=[b]',
  morestring=[b]"""
}
% Default listing appearance for Scala code.  The keys match the Java
% \lstset earlier in this preamble except for the language, so after this
% call Scala is the default language for listings.
\lstset{%
  language=Scala,
  % fonts and colours
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  % /** ... */ blocks get their own colour
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  % line numbers: every line, in the left margin
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  % whitespace handling
  tabsize=2,
  showspaces=false,
  showstringspaces=false}
% beamer stuff 
% Caption string for this deck (lecture, venue, date); \slidecaption is
% presumably defined and typeset by the theme package -- TODO confirm.
\renewcommand{\slidecaption}{APP 03, King's College London, 9 October 2012}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Title frame: lecture title plus contact details.
\mode<presentation>{
\begin{frame}<1>[t]
% Two-line title set in a one-column tabular; the negative \\[...] skips
% tighten the spacing between the rows.
\frametitle{%
  \begin{tabular}{@{}c@{}}
    \\
    \LARGE Access Control and \\[-3mm]
    \LARGE Privacy Policies (3)\\[-6mm]
  \end{tabular}}\bigskip\bigskip\bigskip

  % title picture, currently disabled
  %\begin{center}
  %\includegraphics[scale=1.3]{pics/barrier.jpg}
  %\end{center}

\normalsize
\begin{center}
  \begin{tabular}{ll}
    Email:  & christian.urban at kcl.ac.uk\\
    % \! keeps the two f's of "Office" from forming a ligature
    Of$\!$fice: & S1.27 (1st floor Strand Building)\\
    Slides: & KEATS (also home work is there)\\
            & \alert{\bfseries (I have put a temporary link in there.)}\\
  \end{tabular}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Picture frame introducing the term "defence in depth".
\mode<presentation>{
\begin{frame}[c]

\begin{center}
  \includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
  one general defence mechanism is\\
  \alert{\bfseries defence in depth}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Defence in depth: the layers have to overlap, otherwise a single added
% control is just one more thing that can fail.
\mode<presentation>{
\begin{frame}<1-2>[c]
\frametitle{Defence in Depth}

\begin{itemize}
  % \alt: plain word on overlay 1, enlarged bold word on later overlays
  \item \alt<1>{overlapping}{{\LARGE\bfseries overlapping}} systems
    designed to provide\\ security even if one of them fails.
\end{itemize}

% caveat, shown from overlay 2 in an absolutely positioned box
\only<2->{
\begin{textblock}{11}(2,12)
  \small otherwise your ``added security'' can become the point of failure
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% PALs: an access control whose secret was set to a fixed value by the
% people operating it, so the control existed without restricting anything.
\mode<presentation>{
\begin{frame}[c]
\frametitle{PALs}

\begin{itemize}
  \item \alert{Permissive Action Links} prevent unauthorised use of
    nuclear weapons (so the theory)
\end{itemize}

\begin{center}
  \includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
  \includegraphics[scale=0.25]{pics/nuclear2.jpg}
\end{center}

% revealed from overlay 3
\onslide<3->{
modern PALs also include a 2-person rule
}

% call-out box, placed over the slide from overlay 2
\only<2->{
\begin{textblock}{11}(3,2)
\begin{tikzpicture}
  \node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
    at (0,0)
    {\begin{minipage}{8cm}
    US Air Force's Strategic Air Command worried that in times of need the
    codes would not be available, so until 1977 quietly decided to set them
    to 00000000\ldots
    \end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% British examples, revealed item by item with \pause.
\mode<presentation>{
\begin{frame}[c]

\begin{itemize}
  \item until 1998, Britain had nuclear weapons that could be launched
    from airplanes\bigskip\pause

  \item these weapons were armed with a bicycle key

  % two captioned pictures side by side, aligned on their bottom rows
  \begin{center}
    \begin{tabular}[b]{c}
      \includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
      \small nuclear weapon keys
    \end{tabular}
    \hspace{3mm}
    \begin{tabular}[b]{c}
      \includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
      \small bicycle lock
    \end{tabular}
  \end{center}\bigskip\pause

  \item the current Trident nuclear weapons can be launched from a
    submarine without any code being transmitted
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Unix access control overview, ending on the principle of least privilege.
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix}

\begin{itemize}
  \item access control provided by the OS
  \item authenticate principals (login)
  \item mediate access to files, ports, processes according to
    \alert{roles} (user ids)\\
  % the trailing % joins this item to the indented call-out box below
  \item roles get attached with privileges\bigskip\\%
\hspace{8mm}
\begin{tikzpicture}
  \node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
    at (0,0)
    {\begin{minipage}{8cm}
    \alert{principle of least privilege:}\\
    programs should only have as much privilege as they need
    \end{minipage}};
\end{tikzpicture}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Diagram: only the unprivileged "Interface" process faces the Internet;
% the privileged process sits behind it on a separate, narrower link.
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}

\begin{itemize}
  \item the idea is to restrict access to files and therefore lower the
    consequences of an attack\\[1cm]\mbox{}
\end{itemize}

\begin{textblock}{1}(2.5,9.5)
  \begin{tikzpicture}[scale=1]
  % the two process boxes: Internet-facing (right) and privileged (left)
  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
  % labels
  \node at (4.7,1) {Internet};
  \node at (0.6,1.7) {\footnotesize Interface};
  \node at (0.6,-0.4) {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
  \node at (-2.7,-0.4) {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
  % empty anchor nodes for the thick Internet <-> interface arrow
  \node[white] (X) at (1.7,1) {};
  \node[white] (Y) at (3.7,1) {};
  \draw[red, <->, line width = 2mm] (X) -- (Y);
  % thinner arrow between the two processes
  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
  \end{tikzpicture}
\end{textblock}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Process ownership: root above the line, ordinary and service accounts
% below it.
\mode<presentation>{
\begin{frame}[t]
\frametitle{Process Ownership}

\begin{itemize}
  \item access control in Unix is very coarse
\end{itemize}\bigskip\bigskip\bigskip

\begin{center}
  \begin{tabular}{c}
    root\\
    \hline
    user$_1$ user$_2$ \ldots www, mail, lp
  \end{tabular}
\end{center}\bigskip\bigskip\bigskip

% grey remarks; the last two appear after \pause
\textcolor{gray}{\small root has UID $=$ 0}\\\pause
\textcolor{gray}{\small you also have groups that can share access to a file}\\
\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
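%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% File permission bits, illustrated with a sample `ls -la' line.
% Fix: the command was printed as "ls - la"; with the space, "-" and "la"
% are file operands rather than the -la options.
% NOTE(review): this frame title repeats the title of the earlier diagram
% frame -- confirm whether the counter should read (3).
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}

\begin{itemize}
  \item privileges are specified by file access permissions
    (``everything is a file'')
  % the "plus 2" are the setuid and setgid bits; the mode word also holds
  % a sticky bit, which this slide leaves out
  \item there are 9 (plus 2) bits that specify the permissions of a file

  \begin{center}
    \begin{tabular}{l}
      \texttt{\$ ls -la}\\
      % reads as: owner rwx, group rw-, others r--; the {} keeps the last
      % two hyphens from joining into a dash
      \texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
    \end{tabular}
  \end{center}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%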
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Login process: login runs as root, the user's shell runs under the
% user's own UID; this motivates the setuid mechanism.
\mode<presentation>{
\begin{frame}[c]
\frametitle{Login Process}

\begin{itemize}
  \item login processes run under UID $=$ 0\medskip
  \begin{center}
    \texttt{ps -axl | grep login}
  \end{center}\medskip

  \item after login, shells run under UID $=$ user (e.g.~501)\medskip
  \begin{center}
    \texttt{id cu}
  \end{center}\medskip\pause

  \item non-root users are not allowed to change the UID --- would break
    access control
  \item but needed for example for \texttt{passwd}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   331
\mode<presentation>{
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   332
\begin{frame}[c]
29
Christian Urban <urbanc@in.tum.de>
parents: 28
diff changeset
   333
\frametitle{Setuid and Setgid}
28
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   334
29
Christian Urban <urbanc@in.tum.de>
parents: 28
diff changeset
   335
The solution is that unix file permissions are 9 + \underline{2 Bits}:
Christian Urban <urbanc@in.tum.de>
parents: 28
diff changeset
   336
\alert{Setuid} and \alert{Setgid} Bits
\begin{itemize}
\item When a file with setuid is executed, the resulting process will assume the (effective) UID of the owner of the file. 
\item This enables users to create processes as root (or another user).\bigskip
\item Essential for changing passwords, for example.
\end{itemize}
\begin{center}
\texttt{chmod 4755 fobar\_file}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
\begin{center}
\begin{tikzpicture}[scale=1]
  
  \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
  \draw (4.7,1) node {Internet};
  \draw (0.6,1.7) node {\footnotesize Slave};
  \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
  \draw (0.6,1.7) node {\footnotesize Slave};
  \draw (0.6,0.6) node {\footnotesize Slave};
  \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
  
  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
  \draw (-2.9,1.7) node {\footnotesize Monitor};
  \draw[white] (1.7,1) node (X) {};
  \draw[white] (3.7,1) node (Y) {};
  \draw[red, <->, line width = 2mm] (X) -- (Y);
 
  \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
  \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
  \end{tikzpicture}
\end{center}
\begin{itemize}
\item pre-authorisation slave 
\item post-authorisation\bigskip
\item 25\% codebase is privileged, 75\% is unprivileged
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Network Applications}
Ideally, network applications in Unix should be designed as follows:
\begin{itemize}
\item need two distinct processes
\begin{itemize}
\item one that listens to the network; has no privilege
\item one that is privileged and listens to the latter only (but does not trust it)
 
\end{itemize}
\item to implement this you need a parent process, which forks a child process
\item this child process drops privileges and listens to hostile data\medskip
\item after authentication the parent forks again and the new child becomes the user
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
\begin{itemize}
\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but writing it was allowed to follow links \ldots\pause
\item \texttt{mkdir foo} is owned by root\medskip
\begin{center}
\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
\end{center}\medskip
it first creates an i-node as root and then changes the ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
\end{itemize}
\only<1>{
\begin{textblock}{1}(3,3)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{8cm}
Only failure makes us experts.
	-- Theo de Raadt (OpenBSD, OpenSSH)
\end{minipage}};
\end{tikzpicture}
\end{textblock}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
There are things you just cannot solve on the programming side:\bigskip
\begin{itemize}
\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
\begin{itemize}
\item attacker:\\ 
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
\item root:\\\texttt{rm /tmp/*/*}:
\item attacker:\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
\end{itemize}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
Unix essentially can only distinguish between two security levels (root and non-root).
\begin{itemize}
\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause 
\item Information flow: Bell--La Padula model
\begin{itemize}
\item read: your own level and below
\item write: your own level and above
\end{itemize}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
\begin{itemize}
\item Bell--La Padula preserves data secrecy, but not data integrity\bigskip\pause
\item Biba model is for data integrity  
\begin{itemize}
\item read: your own level and above
\item write: your own level and below
\end{itemize}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
following view:
\begin{center}
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{10.5cm}
\small Access control does not matter. Computers are becoming single-purpose
or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't 
need much in the way of access control as there's nothing for operating system access controls
to do; the job of separating users from each other is best left to application code. As for the PC
on your desk, if all the software on it comes from a single source, then again there's no need 
for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)} 
\end{minipage}};
\end{tikzpicture}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
\begin{itemize}
\item with access control we are back to the 1970s\bigskip
\only<1>{
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{10cm}
\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
\mbox{}\hfill--- Roger Needham
\end{minipage}};
\end{tikzpicture}}\pause
\item the largest research area in access control in 2000--07 has been ``Trusted Computing'', but thankfully it
is dead now\bigskip
\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\ 
(one possible answer is operating system virtualisation, e.g.~Xen, VMware)\medskip\pause
\item electronic voting
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
\begin{itemize}
\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
\item you as the developer have to specify the resources an application needs
\item the OS provides a sandbox where access is restricted to only these resources
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
Security theatre is the practice of investing in countermeasures intended to provide the 
\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
\begin{itemize}
\item for example, usual locks and strap seals are security theatre
\end{itemize}
\begin{center}
\includegraphics[scale=0.45]{pics/seal.jpg}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\begin{minipage}{11cm}
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Tip off\\
Date: Tue, 02 Oct 2012 13:12:50 +0100\\
I received the following tip off, and have removed the sender's
coordinates. I suspect it is one of many security vendors who
don't even get the basics right; if you ever go to the RSA 
conference, there are a thousand such firms in the hall, each
with several eager but ignorant salesmen. A trying experience.\\
Ross
\end{minipage}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\begin{minipage}{11cm}
I'd like to anonymously tip you off about this\\
product:\\
{\small http://www.strongauth.com/products/key-appliance.html}\\
It sounds really clever, doesn't it?\\
\ldots\\
Anyway, it occurred to me that you and your colleagues might have a
field day discovering weaknesses in the appliance and their
implementation of security.  However, whilst I'd be willing to help
and/or comment privately, it'd have to be off the record ;-)
\end{minipage}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
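\mode<presentation>{
% Step 1 of the Schneier steps: name the assets and fix the scope of the
% problem before looking at any security solution.
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}}

% The step's guiding question, set in bold.
\textbf{What assets are you trying to protect?}\bigskip

This question might seem basic, but a surprising number of people never ask it.
The question involves understanding the scope of the problem.
For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems, and require different solutions.

% Shown on overlay 2 only: a red-framed box with the quoted
% "do everything in our power" reaction.
\only<2>{
  \begin{tikzpicture}
    \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
    {\begin{minipage}{10cm}
      \small You like to prevent: ``It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it.''
    \end{minipage}};
  \end{tikzpicture}}
\end{frame}}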
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
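\mode<presentation>{
% Step 2 of the Schneier steps: the risks to the assets -- what is being
% defended, the consequences of a successful attack, and who would attack,
% how, and why.
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 2\end{tabular}}

% The step's guiding question, set in bold.
\textbf{What are the risks to these assets?}\bigskip

Here we consider the need for security.
Answering it involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it, and why.

\end{frame}}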
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
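\mode<presentation>{
% Step 3 of the Schneier steps: how well the solution mitigates the risks,
% judged by how it interacts with its surroundings and by how it fails,
% not only by how it operates.
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 3\end{tabular}}

% The step's guiding question, set in bold.
\textbf{How well does the security solution mitigate those risks?}\bigskip

% "doesn't" uses a plain ASCII apostrophe: the file declares latin1 input,
% and a typographic quote pasted in another encoding shows up as a stray
% accented letter on the slide.
Another seemingly obvious question, but one that is frequently ignored.
If the security solution doesn't solve the problem, it's no good.
This is not as simple as looking at the security solution and seeing how well it works.
It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.

\end{frame}}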
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
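\mode<presentation>{
% Step 4 of the Schneier steps: the new risks the solution itself
% introduces (unintended consequences), which must stay smaller than the
% risks it removes.
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 4\end{tabular}}

% The step's guiding question, set in bold.
\textbf{What other risks does the security solution cause?}\bigskip

This question addresses what might be called the problem of unintended consequences.
Security solutions have ripple effects, and most cause new security problems.
The trick is to understand the new problems and make sure they are smaller than the old ones.

\end{frame}}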
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
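\mode<presentation>{
% Step 5 of the Schneier steps: the costs and trade-offs of the solution,
% covering money as well as convenience, comfort and basic freedoms such
% as privacy.
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 5\end{tabular}}

% The step's guiding question, set in bold.
\textbf{What costs and trade-offs does the security solution impose?}\bigskip

Every security system has costs and requires trade-offs.
Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy.
Understanding these trade-offs is essential.

\end{frame}}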
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
\end{document}
%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: 