sen-material: comparison slides/slides04.tex

equal deleted inserted replaced

-:be57673022d3
+:59d3bf386a6d
 	tabsize=2,
 	showspaces=false,
 	showstringspaces=false}
 % beamer stuff
-\renewcommand{\slidecaption}{APP 03, King's College London, 1 October 2013}
+\renewcommand{\slidecaption}{APP 03, King's College London, 22 October 2014}
+\makeatletter
+\def\verbatim@font{\consolas\footnotesize}
+\makeatother
 \begin{document}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}<1>[t]
 \frametitle{%
 \begin{tabular}{@ {}c@ {}}
 \\
 \LARGE Access Control and \\[-3mm]
-\LARGE Privacy Policies (2)\\[-6mm]
+\LARGE Privacy Policies (4)\\[-6mm]
 \end{tabular}}\bigskip\bigskip\bigskip
 \normalsize
 \begin{center}
 \begin{tabular}{ll}
 Email:  & christian.urban at kcl.ac.uk\\
-Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+Office: & S1.27 (1st floor Strand Building)\\
 Slides: & KEATS (also home work is there)\\
 \end{tabular}
 \end{center}
 \mode<presentation>{
 \begin{frame}[c]
 \begin{center}
 \includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
-one general defence mechanism is\\\alert{\bf defence in depth}
+two weeks ago: buffer overflow attacks
 \end{center}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\begin{frame}[fragile]
-\begin{frame}<1-2>[c]
+\frametitle{Buffer Overflows}
-\frametitle{Defence in Depth}
+\begin{verbatim}
-\begin{itemize}
+As a proof-of-concept, the following URL allows
-\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
+attackers to control the return value saved on
-\end{itemize}
+the stack (the vulnerability is triggered when
+executing "/usr/sbin/widget"):
-\only<2->{
-\begin{textblock}{11}(2,12)
+curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB
-\small otherwise your ``added security'' can become the point of failure
-\end{textblock}}
+The value of the "hash" HTTP GET parameter consists in
+292 occurrences of the 'A' character, followed by four
+occurrences of character 'B'. In our lab setup, characters
+'B' overwrite the saved program counter (%ra).
+Discovery date: 06/03/2013
+Release date:   02/08/2013
+\end{verbatim}
+\mbox{}\footnotesize\hfill\url{http://pastebin.com/vbiG42VD}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{Backdoors}
+D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
+If you tell your browser to identify itself as Joel's backdoor, instead of (say)
+as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
-\end{frame}}
+"What is this string," I hear you ask?
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+You will laugh: it is
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\begin{verbatim}
-\begin{frame}[c]
+xmlset_roodkcableoj28840ybtide
-\frametitle{PALs}
+\end{verbatim}
-\begin{itemize}
-\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
+\hfill\footnotesize October 15, 2013\\
-\end{itemize}
+\hfill\tiny\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
-\begin{center}
-\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
-\includegraphics[scale=0.25]{pics/nuclear2.jpg}
-\end{center}
+\end{frame}
-\onslide<3->{
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-modern PALs also include a 2-person rule
-}
-\only<2->{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-US Air Force's Strategic Air Command worried that in times of need the
-codes would not be available, so until 1977 quietly decided to set them
-to 00000000\ldots
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\begin{itemize}
-\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
-\item these weapons were armed with a bicycle key
-\begin{center}
-\begin{tabular}[b]{c}
-\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
-\small nuclear weapon keys
-\end{tabular}
-\hspace{3mm}
-\begin{tabular}[b]{c}
-\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
-\small bicycle lock
-\end{tabular}
-\end{center}\bigskip\pause
-\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
 \frametitle{Access Control in Unix}
 \end{tikzpicture}
 \end{textblock}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\begin{frame}[c]
-\begin{frame}[t]
+\frametitle{Access Control}
-\frametitle{Process Ownership}
+\begin{itemize}
-\begin{itemize}
+\item \bl{Discretionary Access Control:}\mbox{}\medskip\\
-\item access control in Unix is very coarse
+\small Access to objects (files, directories, devices, etc.) is permitted
-\end{itemize}\bigskip\bigskip\bigskip
+based on user identity. Each object is owned by a user. Owners can
+specify freely (at their discretion) how they want to share their objects
+with other users, by specifying which other users can have which
+form of access to their objects.\medskip
+Discretionary access control is implemented on any multi-user OS
+(Unix, Windows NT, etc.).
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Access Control}
+\begin{itemize}
+\item \bl{Mandatory Access Control:}\mbox{}\medskip\\
+\small Access to objects is controlled by a system-wide policy, for example
+to prevent certain flows of information. In some forms, the system maintains
+security labels for both objects and subjects (processes, users), based on
+which access is granted or denied. Labels can change as the result of an
+access. Security policies are enforced without the cooperation of users or
+application programs.\medskip
+This is implemented today in special military operating system versions
+(SELinux).
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Discretionary Access Control}
+In its most generic form usually given by an Access Control Matrix
+of the form
 \begin{center}
-\begin{tabular}{c}
+\begin{tabular}{r|c|c|c}
-root\\
+& /mail/jane & edit.exe & sendmail \\\hline
-\hline
+jane          & r, w & r, x & r, x\\\hline
+john          & $\varnothing$ & r, w, x&  r, x\\\hline
-user$_1$ user$_2$ \ldots www, mail, lp
+sendmail  & a & $\varnothing$ &  r, x\\
-\end{tabular}
-\end{center}\bigskip\bigskip\bigskip
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-\begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'')
-\item there are 9 (plus 2) bits that specify the permissions of a file
-\begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls - la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
 \end{tabular}
 \end{center}
-\end{itemize}
-\end{frame}}
+access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\begin{frame}[c]
-\begin{frame}[c]
+\frametitle{Mandatory Access Control}
-\frametitle{Login Process}
+\begin{itemize}
+\item Restrictions to allowed information flows are not decided at the user’s
-\begin{itemize}
+discretion (as with Unix chmod), but instead enforced by system policies.
-\item login processes run under UID $=$ 0\medskip
-\begin{center}
+\item Mandatory access control mechanisms are aimed in particular at
-\texttt{ps -axl | grep login}
+preventing policy violations by untrusted application software, which
-\end{center}\medskip
+typically have at least the same access privileges as the invoking user.\medskip
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+Simple example: Air Gap Security.
-\begin{center}
+Uses completely separate network and computer hardware for different application classes.
-\texttt{id cu}
+\end{itemize}
-\end{center}\medskip\pause
+\end{frame}
-\item non-root users are not allowed to change the UID --- would break
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-access control
-\item but needed for example for \texttt{passwd}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
-\end{itemize}
-\only<1>{
-\begin{textblock}{1}(3,3)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-Only failure makes us experts.
-	-- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
 \frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}

changeset 117	59d3bf386a6d
parent 105	40c51038c9e4
child 118	a42bbdfe5dd9