\documentclass[dvipsnames,14pt,t]{beamer}

\usepackage{beamerthemeplaincu}

%\usepackage[T1]{fontenc}

\usepackage[latin1]{inputenc}

\usepackage{mathpartir}

\usepackage[absolute,overlay]{textpos}

\usepackage{ifthen}

\usepackage{tikz}

\usepackage{pgf}

\usepackage{calc} 

\usepackage{ulem}

\usepackage{courier}

\usepackage{listings}

\renewcommand{\uline}[1]{#1}

\usetikzlibrary{arrows}

\usetikzlibrary{automata}

\usetikzlibrary{shapes}

\usetikzlibrary{shadows}

\usetikzlibrary{positioning}

\usetikzlibrary{calc}

\usepackage{graphicx} 

\definecolor{javared}{rgb}{0.6,0,0} % for strings

\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments

\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords

\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

\lstset{language=Java,

	basicstyle=\ttfamily,

	keywordstyle=\color{javapurple}\bfseries,

	stringstyle=\color{javagreen},

	commentstyle=\color{javagreen},

	morecomment=[s][\color{javadocblue}]{/**}{*/},

	numbers=left,

	numberstyle=\tiny\color{black},

	stepnumber=1,

	numbersep=10pt,

	tabsize=2,

	showspaces=false,

	showstringspaces=false}

\lstdefinelanguage{scala}{

  morekeywords={abstract,case,catch,class,def,%

    do,else,extends,false,final,finally,%

    for,if,implicit,import,match,mixin,%

    new,null,object,override,package,%

    private,protected,requires,return,sealed,%

    super,this,throw,trait,true,try,%

    type,val,var,while,with,yield},

  otherkeywords={=>,<-,<\%,<:,>:,\#,@},

  sensitive=true,

  morecomment=[l]{//},

  morecomment=[n]{/*}{*/},

  morestring=[b]",

  morestring=[b]',

  morestring=[b]"""

}

\lstset{language=Scala,

	basicstyle=\ttfamily,

	keywordstyle=\color{javapurple}\bfseries,

	stringstyle=\color{javagreen},

	commentstyle=\color{javagreen},

	morecomment=[s][\color{javadocblue}]{/**}{*/},

	numbers=left,

	numberstyle=\tiny\color{black},

	stepnumber=1,

	numbersep=10pt,

	tabsize=2,

	showspaces=false,

	showstringspaces=false}

% beamer stuff 

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}<1>[t]

\frametitle{%

  \begin{tabular}{@ {}c@ {}}

  \\

  \LARGE Access Control and \\[-3mm] 

  \end{tabular}}\bigskip\bigskip\bigskip

\normalsize

  \begin{center}

  \begin{tabular}{ll}

  Email:  & christian.urban at kcl.ac.uk\\

  Slides: & KEATS (also home work is there)\\

  \end{tabular}

  \end{center}

\end{frame}}

 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\begin{center}

\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\

\end{center}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Access Control in Unix}

\begin{itemize}

\item access control provided by the OS

\item authenticate principals (login)

\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\

\item roles get attached with privileges\bigskip\\%

\hspace{8mm}

\begin{tikzpicture}

\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 

{\begin{minipage}{8cm}

\alert{principle of least privilege:}\\

programs should only have as much privilege as they need 

\end{minipage}};

\end{tikzpicture}

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Access Control in Unix (2)}

\begin{itemize}

\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}

\end{itemize}

\begin{textblock}{1}(2.5,9.5)

  \begin{tikzpicture}[scale=1]

  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);

  \draw (4.7,1) node {Internet};

  \draw (0.6,1.7) node {\footnotesize Interface};

  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};

  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

  \draw[white] (1.7,1) node (X) {};

  \draw[white] (3.7,1) node (Y) {};

  \draw[red, <->, line width = 2mm] (X) -- (Y);

  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);

  \end{tikzpicture}

\end{textblock}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\begin{itemize}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\begin{itemize}

\end{itemize}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Setuid and Setgid}

The solution is that unix file permissions are 9 + \underline{2 Bits}:

\alert{Setuid} and \alert{Setgid} Bits

\begin{itemize}

\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. 

\item This enables users to create processes as root (or another user).\bigskip

\item Essential for changing passwords, for example.

\end{itemize}

\begin{center}

\texttt{chmod 4755 fobar\_file}

\end{center}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}

\begin{center}

\begin{tikzpicture}[scale=1]

  \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);

  \draw (4.7,1) node {Internet};

  \draw (0.6,1.7) node {\footnotesize Slave};

  \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);

  \draw (0.6,1.7) node {\footnotesize Slave};

  \draw (0.6,0.6) node {\footnotesize Slave};

  \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};

  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

  \draw (-2.9,1.7) node {\footnotesize Monitor};

  \draw[white] (1.7,1) node (X) {};

  \draw[white] (3.7,1) node (Y) {};

  \draw[red, <->, line width = 2mm] (X) -- (Y);

  \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);

  \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);

  \end{tikzpicture}

\end{center}

\begin{itemize}

\item pre-authorisation slave 

\item post-authorisation\bigskip

\item 25\% codebase is privileged, 75\% is unprivileged

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Network Applications}

ideally network application in Unix should be designed as follows:

\begin{itemize}

\item need two distinct processes

\begin{itemize}

\item one that listens to the network; has no privilege

\item one that is privileged and listens to the latter only (but does not trust it)

\end{itemize}

\item to implement this you need a parent process, which forks a child process

\item this child process drops privileges and listens to hostile data\medskip

\item after authentication the parent forks again and the new child becomes the user

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}

There are thing's you just cannot solve on the programming side:\bigskip

\begin{itemize}

\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip

\begin{itemize}

\item attacker:\\ 

\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}

\item root:\\\texttt{rm /tmp/*/*}:

\item attacker:\\

\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}

\end{itemize}

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}

Unix essentially can only distinguish between two security levels (root and non-root).

\begin{itemize}

\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause 

\item Information flow: Bell --- La Padula model

\begin{itemize}

\item read: your own level and below

\item write: your own level and above

\end{itemize}

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}

\begin{itemize}

\item Bell --- La Padula preserves data secrecy, but not data integrity\bigskip\pause

\item Biba model is for data integrity  

\begin{itemize}

\item read: your own level and above

\item write: your own level and below

\end{itemize}

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}

According to Ross Anderson (1st edition of his book), some senior Microsoft people held the

following view:

\begin{center}

\begin{tikzpicture}

\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 

{\begin{minipage}{10.5cm}

\small Access control does not matter. Computers are becoming single-purpose

or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't 

need much in the way of access control as there's nothing for operating system access controls

to do; the job of separating users from each other is best left to application code. As for the PC

on your desk, if all the software on it comes from a single source, then again there's no need 

for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)} 

\end{minipage}};

\end{tikzpicture}

\end{center}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[t]

\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}

\begin{itemize}

\item with access control we are back to 1970s\bigskip

\only<1>{

\begin{tikzpicture}

\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 

{\begin{minipage}{10cm}

\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\

\mbox{}\hfill--- Roger Needham

\end{minipage}};

\end{tikzpicture}}\pause

\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it

is dead now\bigskip

\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\ 

(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause