sen-material: comparison slides/slides03.tex

equal deleted inserted replaced

-:729b86eae005
+:40c51038c9e4
 \documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
+\usepackage{beamerthemeplaincu}
-\usepackage[T1]{fontenc}
+%%\usepackage[T1]{fontenc}
 \usepackage[latin1]{inputenc}
 \usepackage{mathpartir}
 \usepackage[absolute,overlay]{textpos}
 \usepackage{ifthen}
 \usepackage{tikz}
 	tabsize=2,
 	showspaces=false,
 	showstringspaces=false}
 % beamer stuff
-\renewcommand{\slidecaption}{APP 03, King's College London, 9 October 2012}
+\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
 \begin{document}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}<1>[t]
 \frametitle{%
 \begin{tabular}{@ {}c@ {}}
 \\
 \LARGE Access Control and \\[-3mm]
-\LARGE Privacy Policies (3)\\[-6mm]
+\LARGE Privacy Policies (2)\\[-6mm]
 \end{tabular}}\bigskip\bigskip\bigskip
 %\begin{center}
 %\includegraphics[scale=1.3]{pics/barrier.jpg}
 %\end{center}
 \normalsize
 \begin{center}
 \begin{tabular}{ll}
 Email:  & christian.urban at kcl.ac.uk\\
 Of$\!$fice: & S1.27 (1st floor Strand Building)\\
-Slides: & KEATS (also home work is there)\\
+Slides: & KEATS (also home work is there)
-& \alert{\bf (I have put a temporary link in there.)}\\
 \end{tabular}
 \end{center}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+\ldots{} I have a question about the homework.\\[3mm]
+Is it required to submit the homework before\\
+the next lecture?\\[5mm]
+Thank you!\\
+Anonymous
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
 \begin{center}
-\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
+\begin{tabular}[t]{c}
-one general defence mechanism is\\\alert{\bf defence in depth}
+\includegraphics[scale=1.2]{pics/barrier.jpg}\\
+future lectures
+\end{tabular}\;\;\;
+\onslide<2>{
+\begin{tabular}[t]{c}
+\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
+today
+\end{tabular}
+}
 \end{center}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}<1-2>[c]
+\mode<presentation>{
-\frametitle{Defence in Depth}
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}
-\begin{itemize}
-\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
+\begin{textblock}{1}(1,3)
-\end{itemize}
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/SmartWater}
-\only<2->{
+\end{tabular}
-\begin{textblock}{11}(2,12)
+\end{textblock}
-\small otherwise your ``added security'' can become the point of failure
-\end{textblock}}
+\begin{textblock}{8.5}(7,3)
-\end{frame}}
+\begin{itemize}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\item seems helpful for preventing cable theft\medskip
+\item wouldn't be helpful to make your property safe, because of possible abuse\medskip
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\item security is always a tradeoff
-\begin{frame}[c]
+\end{itemize}
-\frametitle{PALs}
+\end{textblock}
-\begin{itemize}
+\end{frame}}
-\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{itemize}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{center}
+\mode<presentation>{
-\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
+\begin{frame}[c]
-\includegraphics[scale=0.25]{pics/nuclear2.jpg}
+\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
-\end{center}
+\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
-\onslide<3->{
-modern PALs also include a 2-person rule
+\begin{itemize}
-}
+\item IEEE is a standards organisation (not-for-profit)
+\item many standards in CS are by IEEE\medskip
-\only<2->{
+\item 100k plain-text passwords were recorded in logs
+\item the logs were openly accessible on their FTP server
+\end{itemize}\bigskip
+\begin{flushright}\small
+\textcolor{gray}{\url{http://ieeelog.com}}
+\end{flushright}
+\only<2>{
 \begin{textblock}{11}(3,2)
 \begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
+{\normalsize\color{darkgray}
-US Air Force's Strategic Air Command worried that in times of need the
+\begin{minipage}{7.5cm}\raggedright\small
-codes would not be available, so until 1977 quietly decided to set them
+\includegraphics[scale=0.6]{pics/IEEElog.jpg}
-to 00000000\ldots
 \end{minipage}};
 \end{tikzpicture}
 \end{textblock}}
+\end{frame}}
-\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
-\begin{itemize}
-\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
+\begin{flushright}\small
+\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
-\item these weapons were armed with a bicycle key
+\end{flushright}
+\begin{itemize}
+\item for online accounts passwords must be 6 digits
+\item you must cycle through 1M combinations (online)\pause\bigskip
+\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
+\item wrote a script that cleared the cookie set after each guess\pause
+\item has been fixed now
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+\begin{itemize}
+\item ``smashing the stack attacks'' or ``buffer overflow attacks''
+\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
+\begin{flushright}\small
+\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
+\end{flushright}
+\medskip
+\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
 \begin{center}
-\begin{tabular}[b]{c}
+{\bf ``Smashing The Stack For Fun and Profit''}
-\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
+\end{center}\medskip
-\small nuclear weapon keys
-\end{tabular}
+\begin{flushright}
-\hspace{3mm}
+\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
-\begin{tabular}[b]{c}
+\end{flushright}
-\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
-\small bicycle lock
-\end{tabular}
-\end{center}\bigskip\pause
-\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix}
-\begin{itemize}
-\item access control provided by the OS
-\item authenticate principals (login)
-\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
-\item roles get attached with privileges\bigskip\\%
-\hspace{8mm}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-\alert{principle of least privilege:}\\
-programs should only have as much privilege as they need
-\end{minipage}};
-\end{tikzpicture}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-\begin{itemize}
-\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
-\end{itemize}
-\begin{textblock}{1}(2.5,9.5)
-\begin{tikzpicture}[scale=1]
-\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-\draw (4.7,1) node {Internet};
-\draw (0.6,1.7) node {\footnotesize Interface};
-\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-\draw[white] (1.7,1) node (X) {};
-\draw[white] (3.7,1) node (Y) {};
-\draw[red, <->, line width = 2mm] (X) -- (Y);
-\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+\end{itemize}
-\end{tikzpicture}
-\end{textblock}
+\end{frame}}
-\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
-\mode<presentation>{
+\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
-\begin{frame}[t]
-\frametitle{Process Ownership}
+\begin{itemize}
+\item The basic problem is that library routines in C look as follows:
-\begin{itemize}
-\item access control in Unix is very coarse
-\end{itemize}\bigskip\bigskip\bigskip
 \begin{center}
-\begin{tabular}{c}
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-root\\
+\texttt{\lstinputlisting{../progs/app5.c}}}
-\hline
+\end{center}
+\item the resulting problems are often remotely exploitable
-user$_1$ user$_2$ \ldots www, mail, lp
+\item can be used to circumvents all access control
-\end{tabular}
+(botnets for further attacks)
-\end{center}\bigskip\bigskip\bigskip
+\end{itemize}
+\end{frame}}
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{frame}}
+\mode<presentation>{
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Variants\end{tabular}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+There are many variants:
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
-\begin{itemize}
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-\item privileges are specified by file access permissions (``everything is a file'')
-\item there are 9 (plus 2) bits that specify the permissions of a file
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\small
+\texttt{my\_float} is printed twice:\bigskip
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/C1.c}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
 \begin{center}
-\begin{tabular}{l}
+\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
-\texttt{\$ ls - la}\\
+\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
-\end{tabular}
 \end{center}
-\end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
-\mode<presentation>{
+\begin{frame}[c]
-\begin{frame}[c]
-\frametitle{Login Process}
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/C2.c}}}
-\begin{itemize}
-\item login processes run under UID $=$ 0\medskip
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\small
+A programmer might be careful, but still introduce vulnerabilities:\bigskip
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/C2a.c}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+\begin{itemize}
+\item the idea is you store some code as part to the buffer
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
 \begin{center}
-\texttt{ps -axl | grep login}
+\texttt{xorl   \%eax, \%eax}
-\end{center}\medskip
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
-\begin{center}
-\texttt{id cu}
-\end{center}\medskip\pause
-\item non-root users are not allowed to change the UID --- would break
-access control
-\item but needed for example for \texttt{passwd}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Setuid and Setgid}
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
-\begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
-\item This enables users to create processes as root (or another user).\bigskip
-\item Essential for changing passwords, for example.
-\end{itemize}
-\begin{center}
-\texttt{chmod 4755 fobar\_file}
 \end{center}
+\end{itemize}\bigskip\bigskip
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/app5.c}}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{frame}}
-\mode<presentation>{
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{center}
+\mode<presentation>{
-\begin{tikzpicture}[scale=1]
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
-\draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
-\draw (4.7,1) node {Internet};
+\small
-\draw (0.6,1.7) node {\footnotesize Slave};
+\texttt{string} is nowhere used:\bigskip
-\draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
-\draw (0.6,1.7) node {\footnotesize Slave};
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\draw (0.6,0.6) node {\footnotesize Slave};
+\texttt{\lstinputlisting{../progs/C4.c}}}\bigskip
-\draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
-\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+this vulnerability can be used to read out the stack
-\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+\end{frame}}
-\draw (-2.9,1.7) node {\footnotesize Monitor};
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\draw[white] (1.7,1) node (X) {};
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\draw[white] (3.7,1) node (Y) {};
+\mode<presentation>{
-\draw[red, <->, line width = 2mm] (X) -- (Y);
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
-\draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
-\draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+\begin{itemize}
+\item use safe library functions
-\end{tikzpicture}
+\item ensure stack data is not executable (can be defeated)
-\end{center}
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
-\begin{itemize}
-\item pre-authorisation slave
+\end{itemize}
-\item post-authorisation\bigskip
-\item 25\% codebase is privileged, 75\% is unprivileged
+\end{frame}}
-\end{itemize}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
-\mode<presentation>{
+\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
-\begin{frame}[c]
-\frametitle{Network Applications}
+\begin{itemize}
+\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-ideally network application in Unix should be designed as follows:
+\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
+\item Monitoring (detect attacks)\pause
-\begin{itemize}
+\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item need two distinct processes
+\item Authenticity (needed for access control)\pause
-\begin{itemize}
+\item Integrity (prevent unwanted modification or tampering)\pause
-\item one that listens to the network; has no privilege
+\item Availability and reliability (reduce the risk of DoS attacks)
-\item one that is privileged and listens to the latter only (but does not trust it)
+\end{itemize}
-\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\item to implement this you need a parent process, which forks a child process
-\item this child process drops privileges and listens to hostile data\medskip
-\item after authentication the parent forks again and the new child becomes the user
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{itemize}
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{itemize}
+\item Assume format string attacks allow you to read out the stack. What can you do
+	with this information?\bigskip
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\item Assume you can crash a program remotely. Why is this a problem?
-\begin{frame}[c]
+\end{itemize}
-\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
-\end{itemize}
-\only<1>{
-\begin{textblock}{1}(3,3)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-Only failure makes us experts.
-	-- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-There are thing's you just cannot solve on the programming side:\bigskip
-\begin{itemize}
-\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
-\begin{itemize}
-\item attacker:\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
-\item root:\\\texttt{rm /tmp/*/*}:
-\item attacker:\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
-\end{itemize}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
-Unix essentially can only distinguish between two security levels (root and non-root).
-\begin{itemize}
-\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause
-\item Information flow: Bell --- La Padula model
-\begin{itemize}
-\item read: your own level and below
-\item write: your own level and above
-\end{itemize}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
-\begin{itemize}
-\item Bell --- La Padula preserves data secrecy, but not data integrity\bigskip\pause
-\item Biba model is for data integrity
-\begin{itemize}
-\item read: your own level and above
-\item write: your own level and below
-\end{itemize}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
-According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
-following view:
-\begin{center}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{10.5cm}
-\small Access control does not matter. Computers are becoming single-purpose
-or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't
-need much in the way of access control as there's nothing for operating system access controls
-to do; the job of separating users from each other is best left to application code. As for the PC
-on your desk, if all the software on it comes from a single source, then again there's no need
-for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)}
-\end{minipage}};
-\end{tikzpicture}
-\end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
-\begin{itemize}
-\item with access control we are back to 1970s\bigskip
-\only<1>{
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{10cm}
-\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
-\mbox{}\hfill--- Roger Needham
-\end{minipage}};
-\end{tikzpicture}}\pause
-\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
-is dead now\bigskip
-\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\
-(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
-\item electronic voting
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
-\begin{itemize}
-\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
-\item you as developer have to specify the resources an application needs
-\item the OS provides a sandbox where access is restricted to only these resources
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
-Security theatre is the practice of investing in countermeasures intended to provide the
-\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
-\begin{itemize}
-\item for example, usual locks and strap seals are security theatre
-\end{itemize}
-\begin{center}
-\includegraphics[scale=0.45]{pics/seal.jpg}
-\end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\begin{minipage}{11cm}
-From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
-To: cl-security-research@lists.cam.ac.uk\\
-Subject: Tip off\\
-Date: Tue, 02 Oct 2012 13:12:50 +0100\\
-I received the following tip off, and have removed the sender's
-coordinates. I suspect it is one of many security vendors who
-don't even get the basics right; if you ever go to the RSA
-conference, there are a thousand such firms in the hall, each
-with several eager but ignorant salesmen. A trying experience.\\
-Ross
-\end{minipage}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\begin{minipage}{11cm}
-I'd like to anonymously tip you off about this\\
-product:\\
-{\small http://www.strongauth.com/products/key-appliance.html}\\
-It sounds really clever, doesn't it?\\
-\ldots\\
-Anyway, it occurred to me that you and your colleagues might have a
-field day discovering weaknesses in the appliance and their
-implementation of security.  However, whilst I'd be willing to help
-and/or comment privately, it'd have to be off the record ;-)
-\end{minipage}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}}
-{\bf What assets are you trying to protect?}\bigskip
-This question might seem basic, but a surprising number of people never ask it. The question involves understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems, and require different solutions.
-\only<2>{
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{10cm}
-\small You like to prevent: ``It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it.''
-\end{minipage}};
-\end{tikzpicture}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 2\end{tabular}}
-{\bf What are the risks to these assets?}\bigskip
-Here we consider the need for security. Answering it involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it, and why.
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 3\end{tabular}}
-{\bf How well does the security solution mitigate those risks?}\bigskip
-Another seemingly obvious question, but one that is frequently ignored. If the security solution doesnÕt solve the problem, it's no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 4\end{tabular}}
-{\bf What other risks does the security solution cause?}\bigskip
-This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 5\end{tabular}}
-{\bf What costs and trade-offs does the security solution impose?}\bigskip
-Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \end{document}

changeset 105	40c51038c9e4
parent 90	d1d07f05325a
child 111	677179c76e35