1 \documentclass[dvipsnames,14pt,t]{beamer} |
1 \documentclass[dvipsnames,14pt,t]{beamer} |
2 \usepackage{beamerthemeplaincu} |
2 \usepackage{../slides} |
3 %%\usepackage[T1]{fontenc} |
3 \usepackage{../graphics} |
4 \usepackage[latin1]{inputenc} |
4 \usepackage{../langs} |
5 \usepackage{mathpartir} |
5 |
6 \usepackage[absolute,overlay]{textpos} |
6 \setmonofont[Scale=.88]{Consolas} |
7 \usepackage{ifthen} |
|
8 \usepackage{tikz} |
|
9 \usepackage{pgf} |
|
10 \usepackage{calc} |
|
11 \usepackage{ulem} |
|
12 \usepackage{courier} |
|
13 \usepackage{listings} |
|
14 \renewcommand{\uline}[1]{#1} |
|
15 \usetikzlibrary{arrows} |
|
16 \usetikzlibrary{automata} |
|
17 \usetikzlibrary{shapes} |
|
18 \usetikzlibrary{shadows} |
|
19 \usetikzlibrary{positioning} |
|
20 \usetikzlibrary{calc} |
|
21 \usepackage{graphicx} |
|
22 \setmonofont[Scale=MatchLowercase]{Consolas} |
|
23 \newfontfamily{\consolas}{Consolas} |
7 \newfontfamily{\consolas}{Consolas} |
24 |
8 |
25 \definecolor{javared}{rgb}{0.6,0,0} % for strings |
9 \hfuzz=220pt |
26 \definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments |
|
27 \definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords |
|
28 \definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc |
|
29 |
|
30 \makeatletter |
|
31 \lst@CCPutMacro\lst@ProcessOther {"2D}{\lst@ttfamily{-{}}{-{}}} |
|
32 \@empty\z@\@empty |
|
33 \makeatother |
|
34 |
|
35 \lstset{language=Java, |
|
36 basicstyle=\consolas, |
|
37 keywordstyle=\color{javapurple}\bfseries, |
|
38 stringstyle=\color{javagreen}, |
|
39 commentstyle=\color{javagreen}, |
|
40 morecomment=[s][\color{javadocblue}]{/**}{*/}, |
|
41 numbers=left, |
|
42 numberstyle=\tiny\color{black}, |
|
43 stepnumber=1, |
|
44 numbersep=10pt, |
|
45 tabsize=2, |
|
46 showspaces=false, |
|
47 showstringspaces=false} |
|
48 |
|
49 \lstdefinelanguage{scala}{ |
|
50 morekeywords={abstract,case,catch,class,def,% |
|
51 do,else,extends,false,final,finally,% |
|
52 for,if,implicit,import,match,mixin,% |
|
53 new,null,object,override,package,% |
|
54 private,protected,requires,return,sealed,% |
|
55 super,this,throw,trait,true,try,% |
|
56 type,val,var,while,with,yield}, |
|
57 otherkeywords={=>,<-,<\%,<:,>:,\#,@,->}, |
|
58 sensitive=true, |
|
59 morecomment=[l]{//}, |
|
60 morecomment=[n]{/*}{*/}, |
|
61 morestring=[b]", |
|
62 morestring=[b]', |
|
63 morestring=[b]""" |
|
64 } |
|
65 |
|
66 \lstset{language=Scala, |
|
67 basicstyle=\consolas, |
|
68 keywordstyle=\color{javapurple}\bfseries, |
|
69 stringstyle=\color{javagreen}, |
|
70 commentstyle=\color{javagreen}, |
|
71 morecomment=[s][\color{javadocblue}]{/**}{*/}, |
|
72 numbers=left, |
|
73 numberstyle=\tiny\color{black}, |
|
74 stepnumber=1, |
|
75 numbersep=10pt, |
|
76 tabsize=2, |
|
77 showspaces=false, |
|
78 showstringspaces=false} |
|
79 |
|
80 |
10 |
81 % beamer stuff |
11 % beamer stuff |
82 \renewcommand{\slidecaption}{APP 03, King's College London, 8 October 2013} |
12 \renewcommand{\slidecaption}{APP 03, King's College London} |
83 |
13 |
84 |
14 |
85 \begin{document} |
15 \begin{document} |
86 |
16 |
87 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
17 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
88 \mode<presentation>{ |
18 \begin{frame}[t] |
89 \begin{frame}<1>[t] |
|
90 \frametitle{% |
19 \frametitle{% |
91 \begin{tabular}{@ {}c@ {}} |
20 \begin{tabular}{@ {}c@ {}} |
92 \\ |
21 \\ |
93 \LARGE Access Control and \\[-3mm] |
22 \LARGE Access Control and \\[-3mm] |
94 \LARGE Privacy Policies (3)\\[-6mm] |
23 \LARGE Privacy Policies (3)\\[-6mm] |
95 \end{tabular}}\bigskip\bigskip\bigskip |
24 \end{tabular}}\bigskip\bigskip\bigskip |
96 |
25 |
97 %\begin{center} |
26 \normalsize |
98 %\includegraphics[scale=1.3]{pics/barrier.jpg} |
|
99 %\end{center} |
|
100 |
|
101 \normalsize |
|
102 \begin{center} |
27 \begin{center} |
103 \begin{tabular}{ll} |
28 \begin{tabular}{ll} |
104 Email: & christian.urban at kcl.ac.uk\\ |
29 Email: & christian.urban at kcl.ac.uk\\ |
105 Office: & S1.27 (1st floor Strand Building)\\ |
30 Office: & S1.27 (1st floor Strand Building)\\ |
106 Slides: & KEATS (also home work is there) |
31 Slides: & KEATS (also home work is there) |
107 \end{tabular} |
32 \end{tabular} |
108 \end{center} |
33 \end{center} |
109 |
34 |
110 |
35 \end{frame} |
111 \end{frame}} |
36 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
112 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
37 |
113 |
38 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
114 |
39 \begin{frame}[c] |
115 |
40 \frametitle{A ``Cron''-Attack} |
116 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
41 |
117 \mode<presentation>{ |
42 The idea is to trick a privileged person to do something on your |
118 \begin{frame}[c] |
43 behalf: |
119 |
44 |
120 \begin{center} |
45 \begin{itemize} |
121 \begin{tabular}[t]{c} |
46 \item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause |
|
47 |
|
48 \footnotesize |
|
49 \begin{minipage}{1.1\textwidth} |
|
50 \textcolor{gray}{the shell behind the scenes:}\\ |
|
51 \textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\ |
|
52 |
|
53 \textcolor{gray}{this takes time} |
|
54 \end{minipage} |
|
55 \end{itemize} |
|
56 |
|
57 \end{frame} |
|
58 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
59 |
|
60 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
61 \begin{frame}[c] |
|
62 \frametitle{A ``Cron''-Attack} |
|
63 |
|
64 \begin{enumerate} |
|
65 \item attacker \textcolor{gray}{(creates a fake passwd file)}\\ |
|
66 \texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip |
|
67 \item root \textcolor{gray}{(does the daily cleaning)}\\ |
|
68 \texttt{rm /tmp/*/*}\medskip\\ |
|
69 \hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ |
|
70 \hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\ |
|
71 |
|
72 \item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to |
|
73 the real passwd file)}\\ |
|
74 \texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ |
|
75 \item root now deletes the real passwd file |
|
76 \end{enumerate} |
|
77 |
|
78 \only<2>{ |
|
79 \begin{textblock}{11}(2,5) |
|
80 \begin{bubble}[8cm] |
|
81 \normalsize To prevent this kind of attack, you need additional |
|
82 policies (don't do such operations as root). |
|
83 \end{bubble} |
|
84 \end{textblock}} |
|
85 |
|
86 \end{frame} |
|
87 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
88 |
|
89 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
90 \begin{frame}[c] |
|
91 \frametitle{\Large Buffer Overflow Attacks} |
|
92 |
|
93 \begin{center} |
|
94 \begin{columns}[b] |
|
95 \begin{column}{.4\textwidth} |
|
96 \centering |
122 \includegraphics[scale=1.2]{pics/barrier.jpg}\\ |
97 \includegraphics[scale=1.2]{pics/barrier.jpg}\\ |
123 first lecture |
98 lectures so far |
124 \end{tabular}\;\;\; |
99 \end{column} |
125 \onslide<2>{ |
100 \begin{column}<2>{.4\textwidth} |
126 \begin{tabular}[t]{c} |
101 \centering |
127 \includegraphics[scale=0.32]{pics/trainwreck.jpg}\\ |
102 \includegraphics[scale=0.32]{pics/trainwreck.jpg}\\ |
128 today |
103 today |
129 \end{tabular} |
104 \end{column} |
130 } |
105 \end{columns} |
131 \end{center} |
106 \end{center} |
132 |
107 |
133 |
108 \end{frame} |
134 \end{frame}} |
109 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
135 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
110 |
136 |
111 |
137 |
112 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
138 |
|
139 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
140 \mode<presentation>{ |
|
141 \begin{frame}[c] |
113 \begin{frame}[c] |
142 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} |
114 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} |
143 |
|
144 |
115 |
145 \begin{center} |
116 \begin{center} |
146 \begin{tikzpicture}[scale=1] |
117 \begin{tikzpicture}[scale=1] |
147 |
118 |
148 \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); |
119 \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); |
454 \small\textcolor{gray}{Issue 49, Article 14} |
423 \small\textcolor{gray}{Issue 49, Article 14} |
455 \end{flushright} |
424 \end{flushright} |
456 |
425 |
457 \end{itemize} |
426 \end{itemize} |
458 |
427 |
459 |
428 \end{frame} |
460 \end{frame}} |
429 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
461 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
430 |
462 |
431 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
463 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
464 \mode<presentation>{ |
|
465 \begin{frame}[c] |
432 \begin{frame}[c] |
466 \frametitle{A Float Printed ``Twice''} |
433 \frametitle{A Float Printed ``Twice''} |
467 |
434 |
468 {\lstset{language=Java} |
|
469 \footnotesize |
435 \footnotesize |
470 \lstinputlisting{../progs/C1.c}} |
436 \lstinputlisting[language=C]{../progs/C1.c} |
471 |
437 |
472 \end{frame}} |
438 \end{frame} |
473 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
439 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
474 |
440 |
475 |
441 |
476 |
442 |
477 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
443 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
478 \mode<presentation>{ |
444 \begin{frame}[c] |
479 \begin{frame}[c] |
445 \frametitle{The Problem} |
480 \frametitle{\begin{tabular}{c}The Problem\end{tabular}} |
|
481 |
446 |
482 \begin{itemize} |
447 \begin{itemize} |
483 \item The basic problem is that library routines in C look as follows: |
448 \item The basic problem is that library routines in C look as follows: |
484 |
449 |
485 \begin{center} |
450 \begin{center} |
486 {\lstset{language=Java} |
451 \footnotesize\lstinputlisting[language=C]{../progs/app5.c} |
487 \footnotesize |
|
488 \lstinputlisting{../progs/app5.c}} |
|
489 \end{center} |
452 \end{center} |
490 |
453 |
491 \item the resulting problems are often remotely exploitable |
454 \item the resulting problems are often remotely exploitable |
492 \item can be used to circumvents all access control\\ |
455 \item can be used to circumvents all access control\\ |
493 (for grooming botnets for further attacks) |
456 (for grooming botnets for further attacks) |
494 \end{itemize} |
457 \end{itemize} |
495 |
458 |
496 \end{frame}} |
459 \end{frame} |
497 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
460 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
498 |
461 |
499 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
462 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
500 \mode<presentation>{ |
463 \begin{frame}[c] |
501 \begin{frame}[c] |
464 \frametitle{Variants} |
502 \frametitle{\begin{tabular}{c}Variants\end{tabular}} |
|
503 |
465 |
504 There are many variants: |
466 There are many variants: |
505 |
467 |
506 \begin{itemize} |
468 \begin{itemize} |
507 \item return-to-lib-C attacks |
469 \item return-to-lib-C attacks |
552 % |
509 % |
553 %\end{frame}} |
510 %\end{frame}} |
554 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
511 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
555 |
512 |
556 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
513 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
557 \mode<presentation>{ |
514 \begin{frame}[c] |
558 \begin{frame}[c] |
515 \frametitle{Payloads} |
559 \frametitle{\begin{tabular}{c}Payloads\end{tabular}} |
|
560 |
516 |
561 \begin{itemize} |
517 \begin{itemize} |
562 \item the idea is you store some code to the buffer |
518 \item the idea is you store some code to the buffer |
563 \item you then override the return address to execute this payload\medskip |
519 \item you then override the return address to execute this payload\medskip |
564 \item normally you start a root-shell\pause |
520 \item normally you start a root-shell\pause |
565 \item difficulty is to guess the right place where to ``jump'' |
521 \item difficulty is to guess the right place where to ``jump'' |
566 \end{itemize} |
522 \end{itemize} |
567 |
523 |
568 \end{frame}} |
524 \end{frame} |
569 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
525 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
570 |
526 |
571 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
527 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
572 \mode<presentation>{ |
528 \begin{frame}[c] |
573 \begin{frame}[c] |
529 \frametitle{Payloads (2)} |
574 \frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}} |
|
575 |
530 |
576 \begin{itemize} |
531 \begin{itemize} |
577 \item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: |
532 \item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: |
578 |
533 |
579 \begin{center} |
534 \begin{center} |
580 \texttt{xorl \%eax, \%eax} |
535 \texttt{xorl \%eax, \%eax} |
581 \end{center} |
536 \end{center} |
582 \end{itemize}\bigskip\bigskip |
537 \end{itemize}\bigskip\bigskip |
583 |
538 |
584 {\lstset{language=Java}\small |
539 {\small |
585 \texttt{\lstinputlisting{../progs/app5.c}}} |
540 \lstinputlisting[language=C]{../progs/app5.c}} |
586 |
541 |
587 \end{frame}} |
542 \end{frame} |
588 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
543 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
589 |
544 |
590 |
545 |
591 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
546 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
592 \mode<presentation>{ |
547 \begin{frame}[c] |
593 \begin{frame}[c] |
548 \frametitle{Format String Vulnerability} |
594 \frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}} |
|
595 |
549 |
596 \small |
550 \small |
597 \texttt{string} is nowhere used:\bigskip |
551 \texttt{string} is nowhere used:\bigskip |
598 |
552 |
599 {\lstset{language=Java}\footnotesize |
553 {\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip |
600 \texttt{\lstinputlisting{../progs/C4.c}}}\bigskip |
|
601 |
554 |
602 this vulnerability can be used to read out the stack |
555 this vulnerability can be used to read out the stack |
603 |
556 |
604 \end{frame}} |
557 \end{frame} |
605 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
558 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
606 |
559 |
607 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
560 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
608 \mode<presentation>{ |
|
609 \begin{frame}[c] |
561 \begin{frame}[c] |
610 \frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}} |
562 \frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}} |
611 |
563 |
612 \begin{itemize} |
564 \begin{itemize} |
613 \item use safe library functions |
565 \item use safe library functions |