160 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
160 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
161 |
161 |
162 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
162 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
163 \mode<presentation>{ |
163 \mode<presentation>{ |
164 \begin{frame}[c] |
164 \begin{frame}[c] |
|
165 \frametitle{A Float Printed ``Twice''} |
|
166 |
|
167 {\lstset{language=Java} |
|
168 \footnotesize |
|
169 \lstinputlisting{../progs/C1.c}} |
|
170 |
|
171 \end{frame}} |
|
172 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
173 |
|
174 |
|
175 |
|
176 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
177 \mode<presentation>{ |
|
178 \begin{frame}[c] |
165 \frametitle{\begin{tabular}{c}The Problem\end{tabular}} |
179 \frametitle{\begin{tabular}{c}The Problem\end{tabular}} |
166 |
180 |
167 \begin{itemize} |
181 \begin{itemize} |
168 \item The basic problem is that library routines in C look as follows: |
182 \item The basic problem is that library routines in C look as follows: |
169 \begin{center} |
183 |
170 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
184 \begin{center} |
171 \texttt{\lstinputlisting{../progs/app5.c}}} |
185 {\lstset{language=Java} |
|
186 \footnotesize |
|
187 \lstinputlisting{../progs/app5.c}} |
172 \end{center} |
188 \end{center} |
|
189 |
173 \item the resulting problems are often remotely exploitable |
190 \item the resulting problems are often remotely exploitable |
174 \item can be used to circumvents all access control |
191 \item can be used to circumvents all access control\\ |
175 (botnets for further attacks) |
192 (for grooming botnets for further attacks) |
176 \end{itemize} |
193 \end{itemize} |
177 |
194 |
178 \end{frame}} |
195 \end{frame}} |
179 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
196 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
180 |
197 |
190 \item heap-smashing attacks\\ |
207 \item heap-smashing attacks\\ |
191 \textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip |
208 \textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip |
192 |
209 |
193 \item ``zero-days-attacks'' (new unknown vulnerability) |
210 \item ``zero-days-attacks'' (new unknown vulnerability) |
194 \end{itemize} |
211 \end{itemize} |
195 |
|
196 \end{frame}} |
|
197 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
198 |
|
199 |
|
200 |
|
201 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
202 \mode<presentation>{ |
|
203 \begin{frame}[c] |
|
204 |
|
205 \small |
|
206 \texttt{my\_float} is printed twice:\bigskip |
|
207 |
|
208 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
209 \texttt{\lstinputlisting{../progs/C1.c}}} |
|
210 |
|
211 |
212 |
212 \end{frame}} |
213 \end{frame}} |
213 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
214 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
214 |
215 |
215 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
216 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
255 \mode<presentation>{ |
256 \mode<presentation>{ |
256 \begin{frame}[c] |
257 \begin{frame}[c] |
257 \frametitle{\begin{tabular}{c}Payloads\end{tabular}} |
258 \frametitle{\begin{tabular}{c}Payloads\end{tabular}} |
258 |
259 |
259 \begin{itemize} |
260 \begin{itemize} |
260 \item the idea is you store some code as part to the buffer |
261 \item the idea is you store some code to the buffer |
261 \item you then override the return address to execute this payload\medskip |
262 \item you then override the return address to execute this payload\medskip |
262 \item normally you start a root-shell\pause |
263 \item normally you start a root-shell\pause |
263 \item difficulty is to guess the right place where to ``jump'' |
264 \item difficulty is to guess the right place where to ``jump'' |
264 \end{itemize} |
265 \end{itemize} |
265 |
266 |
277 \begin{center} |
278 \begin{center} |
278 \texttt{xorl \%eax, \%eax} |
279 \texttt{xorl \%eax, \%eax} |
279 \end{center} |
280 \end{center} |
280 \end{itemize}\bigskip\bigskip |
281 \end{itemize}\bigskip\bigskip |
281 |
282 |
282 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
283 {\lstset{language=Java}\small |
283 \texttt{\lstinputlisting{../progs/app5.c}}} |
284 \texttt{\lstinputlisting{../progs/app5.c}}} |
284 |
285 |
285 \end{frame}} |
286 \end{frame}} |
286 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
287 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
287 |
288 |
303 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
304 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
304 |
305 |
305 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
306 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
306 \mode<presentation>{ |
307 \mode<presentation>{ |
307 \begin{frame}[c] |
308 \begin{frame}[c] |
308 \frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}} |
309 \frametitle{\begin{tabular}{c}Protections against\\ BO Attacks\end{tabular}} |
309 |
310 |
310 \begin{itemize} |
311 \begin{itemize} |
311 \item use safe library functions |
312 \item use safe library functions |
312 \item ensure stack data is not executable (can be defeated) |
313 \item ensure stack data is not executable (can be defeated) |
313 \item address space randomisation (makes one-size-fits-all more difficult) |
314 \item address space randomisation (makes one-size-fits-all more difficult) |