sen-material: comparison slides03.tex

equal deleted inserted replaced

-:5bf1f248407c
+:10da75d5db5d
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{pgf}
+\usepackage{calc}
+\usepackage{ulem}
+\usepackage{courier}
+\usepackage{listings}
+\renewcommand{\uline}[1]{#1}
+\usetikzlibrary{arrows}
+\usetikzlibrary{automata}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+\lstset{language=Java,
+	basicstyle=\ttfamily,
+	keywordstyle=\color{javapurple}\bfseries,
+	stringstyle=\color{javagreen},
+	commentstyle=\color{javagreen},
+	morecomment=[s][\color{javadocblue}]{/**}{*/},
+	numbers=left,
+	numberstyle=\tiny\color{black},
+	stepnumber=1,
+	numbersep=10pt,
+	tabsize=2,
+	showspaces=false,
+	showstringspaces=false}
+\lstdefinelanguage{scala}{
+morekeywords={abstract,case,catch,class,def,%
+do,else,extends,false,final,finally,%
+for,if,implicit,import,match,mixin,%
+new,null,object,override,package,%
+private,protected,requires,return,sealed,%
+super,this,throw,trait,true,try,%
+type,val,var,while,with,yield},
+otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+sensitive=true,
+morecomment=[l]{//},
+morecomment=[n]{/*}{*/},
+morestring=[b]",
+morestring=[b]',
+morestring=[b]"""
+}
+\lstset{language=Scala,
+	basicstyle=\ttfamily,
+	keywordstyle=\color{javapurple}\bfseries,
+	stringstyle=\color{javagreen},
+	commentstyle=\color{javagreen},
+	morecomment=[s][\color{javadocblue}]{/**}{*/},
+	numbers=left,
+	numberstyle=\tiny\color{black},
+	stepnumber=1,
+	numbersep=10pt,
+	tabsize=2,
+	showspaces=false,
+	showstringspaces=false}
+% beamer stuff
+\renewcommand{\slidecaption}{APP 02, King's College London, 9 October 2012}
+\begin{document}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+\begin{tabular}{@ {}c@ {}}
+\\
+\LARGE Access Control and \\[-3mm]
+\LARGE Privacy Policies (3)\\[-6mm]
+\end{tabular}}\bigskip\bigskip\bigskip
+%\begin{center}
+%\includegraphics[scale=1.3]{pics/barrier.jpg}
+%\end{center}
+\normalsize
+\begin{center}
+\begin{tabular}{ll}
+Email:  & christian.urban at kcl.ac.uk\\
+Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+Slides: & KEATS (also home work is there)
+\end{tabular}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\begin{center}
+\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
+one general defence mechanism is\\\alert{\bf defence in depth}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1-2>[c]
+\frametitle{Defence in Depth}
+\begin{itemize}
+\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{PALs}
+\begin{itemize}
+\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
+\end{itemize}
+\begin{center}
+\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
+\includegraphics[scale=0.25]{pics/nuclear2.jpg}
+\end{center}
+\onslide<3->{
+modern PALs also include a 2-person rule
+}
+\only<2->{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+US Air Force's Strategic Air Command worried that in times of need the
+codes would not be available, so until 1977 quietly decided to set them
+to 00000000\ldots
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\begin{itemize}
+\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
+\item these weapons were armed with a bicycle key
+\begin{center}
+\begin{tabular}[b]{c}
+\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
+\small nuclear weapon
+\end{tabular}
+\hspace{3mm}
+\begin{tabular}[b]{c}
+\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
+\small bicycle lock
+\end{tabular}
+\end{center}\bigskip\pause
+\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
+\begin{itemize}
+\item IEEE is a standards organisation (not-for-profit)
+\item many standards in CS are by IEEE\medskip
+\item 100k plain-text passwords were recorded in logs
+\item the logs were openly accessible on their FTP server
+\end{itemize}\bigskip
+\begin{flushright}\small
+\textcolor{gray}{\url{http://ieeelog.com}}
+\end{flushright}
+\only<2>{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{7.5cm}\raggedright\small
+\includegraphics[scale=0.6]{pics/IEEElog.jpg}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
+\begin{flushright}\small
+\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
+\end{flushright}
+\begin{itemize}
+\item for online accounts passwords must be 6 digits
+\item you must cycle through 1M combinations (online)\pause\bigskip
+\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
+\item wrote a script that cleared the cookie set after each guess\pause
+\item has been fixed now
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+\begin{itemize}
+\item ``smashing the stack attacks'' or ``buffer overflow attacks''
+\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
+\begin{flushright}\small
+\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
+\end{flushright}
+\medskip
+\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\begin{center}
+{\bf ``Smashing The Stack For Fun and Profit''}
+\end{center}\medskip
+\begin{flushright}
+\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
+\end{flushright}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
+\begin{itemize}
+\item The basic problem is that library routines in C look as follows:
+\begin{center}
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{app5.c}}}
+\end{center}
+\item the resulting problems are often remotely exploitable
+\item can be used to circumvents all access control
+(botnets for further attacks)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Variants\end{tabular}}
+There are many variants:
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\small
+\texttt{my\_float} is printed twice:\bigskip
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C1.c}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\begin{center}
+\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
+\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
+\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C2.c}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\small
+A programmer might be careful, but still introduce vulnerabilities:\bigskip
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C2a.c}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+\begin{itemize}
+\item the idea is you store some code as part to the buffer
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+\begin{center}
+\texttt{xorl   \%eax, \%eax}
+\end{center}
+\end{itemize}\bigskip\bigskip
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{app5.c}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
+\small
+\texttt{string} is nowhere used:\bigskip
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C6.c}}}\bigskip
+this vulnerability can be used to read out the stack
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
+\begin{itemize}
+\item use safe library functions
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
+\begin{itemize}
+\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
+\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
+\item Monitoring (detect attacks)\pause
+\item Privacy, confidentiality, anonymity (to protect secrets)\pause
+\item Authenticity (eeded for access control)\pause
+\item Integrity (prevent unwanted modification or tampering)\pause
+\item Availability and reliability (reduce the risk of DoS attacks)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+\begin{itemize}
+\item Assume format string attacks allow you to read out the stack. What can you do
+	with this information?\bigskip
+\item Assume you can crash a program remotely. Why is this a problem?
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{document}
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:

changeset 28	10da75d5db5d
child 29	5d0f7da375da