\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplainculight}
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc}
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings}
\renewcommand{\uline}[1]{#1}
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx}
\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
\lstset{language=Java,
basicstyle=\ttfamily,
keywordstyle=\color{javapurple}\bfseries,
stringstyle=\color{javagreen},
commentstyle=\color{javagreen},
morecomment=[s][\color{javadocblue}]{/**}{*/},
numbers=left,
numberstyle=\tiny\color{black},
stepnumber=1,
numbersep=10pt,
tabsize=2,
showspaces=false,
showstringspaces=false}
\lstdefinelanguage{scala}{
morekeywords={abstract,case,catch,class,def,%
do,else,extends,false,final,finally,%
for,if,implicit,import,match,mixin,%
new,null,object,override,package,%
private,protected,requires,return,sealed,%
super,this,throw,trait,true,try,%
type,val,var,while,with,yield},
otherkeywords={=>,<-,<\%,<:,>:,\#,@},
sensitive=true,
morecomment=[l]{//},
morecomment=[n]{/*}{*/},
morestring=[b]",
morestring=[b]',
morestring=[b]"""
}
\lstset{language=Scala,
basicstyle=\ttfamily,
keywordstyle=\color{javapurple}\bfseries,
stringstyle=\color{javagreen},
commentstyle=\color{javagreen},
morecomment=[s][\color{javadocblue}]{/**}{*/},
numbers=left,
numberstyle=\tiny\color{black},
stepnumber=1,
numbersep=10pt,
tabsize=2,
showspaces=false,
showstringspaces=false}
% beamer stuff
\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
\LARGE Access Control and \\[-3mm]
\LARGE Privacy Policies (2)\\[-6mm]
\end{tabular}}\bigskip\bigskip\bigskip
%\begin{center}
%\includegraphics[scale=1.3]{pics/barrier.jpg}
%\end{center}
\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Of$\!$fice: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also the homework is there)
\end{tabular}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}
\ldots{} I have a question about the homework.\\[3mm]
Is it required to submit the homework before\\
the next lecture?\\[5mm]
Thank you!\\
Anonymous
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\begin{center}
\begin{tabular}[t]{c}
\includegraphics[scale=1.2]{pics/barrier.jpg}\\
future lectures
\end{tabular}\;\;\;
\onslide<2>{
\begin{tabular}[t]{c}
\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
today
\end{tabular}
}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}
\begin{textblock}{1}(1,3)
\begin{tabular}{c}
\includegraphics[scale=0.15]{pics/SmartWater}
\end{tabular}
\end{textblock}
\begin{textblock}{8.5}(7,3)
\begin{itemize}
\item seems helpful for preventing cable theft\medskip
\item wouldn't be helpful for making your property safe, because of possible abuse\medskip
\item security is always a tradeoff
\end{itemize}
\end{textblock}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
\begin{itemize}
\item IEEE is a standards organisation (not-for-profit)
\item many standards in CS are by IEEE\medskip
\item 100k plain-text passwords were recorded in logs
\item the logs were openly accessible on their FTP server
\end{itemize}\bigskip
\begin{flushright}\small
\textcolor{gray}{\url{http://ieeelog.com}}
\end{flushright}
\only<2>{
\begin{textblock}{11}(3,2)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{7.5cm}\raggedright\small
\includegraphics[scale=0.6]{pics/IEEElog.jpg}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
\begin{flushright}\small
\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
\end{flushright}
\begin{itemize}
\item for online accounts, passwords must be 6 digits
\item you must cycle through 1M combinations (online)\pause\bigskip
\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
\item wrote a script that cleared the cookie set after each guess\pause
\item this has since been fixed
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
\begin{itemize}
\item ``smashing the stack attacks'' or ``buffer overflow attacks''
\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
\begin{flushright}\small
\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
\end{flushright}
\medskip
\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
\begin{center}
{\bf ``Smashing The Stack For Fun and Profit''}
\end{center}\medskip
\begin{flushright}
\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
\end{flushright}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
\begin{itemize}
\item The basic problem is that library routines in C look as follows:
\begin{center}
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}
\end{center}
\item the resulting problems are often remotely exploitable
\item can be used to circumvent all access control
(botnets for further attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Variants\end{tabular}}
There are many variants:
\begin{itemize}
\item return-to-libc attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
\item ``zero-day attacks'' (new, unknown vulnerability)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\small
\texttt{my\_float} is printed twice:\bigskip
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C1.c}}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\begin{center}
\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2.c}}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\small
A programmer might be careful, but still introduce vulnerabilities:\bigskip
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2a.c}}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
\begin{itemize}
\item the idea is that you store some code as part of the buffer
\item you then overwrite the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item the difficulty is to guess the right place to ``jump'' to
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
\begin{center}
\texttt{xorl \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
\small
\texttt{string} is not used anywhere:\bigskip
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{programs/C4.c}}}\bigskip
this vulnerability can be used to read out the stack
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
\begin{itemize}
\item use safe library functions
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all attacks more difficult)
\item choice of programming language (one of the selling points of Java)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
\begin{itemize}
\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
\item Monitoring (detect attacks)\pause
\item Privacy, confidentiality, anonymity (to protect secrets)\pause
\item Authenticity (needed for access control)\pause
\item Integrity (prevent unwanted modification or tampering)\pause
\item Availability and reliability (reduce the risk of DoS attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}
\begin{itemize}
\item Assume format string attacks allow you to read out the stack. What can you do
with this information?\bigskip
\item Assume you can crash a program remotely. Why is this a problem?
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: