sen-material: comparison slides03.tex

equal deleted inserted replaced

-:10da75d5db5d
+:5d0f7da375da
 \normalsize
 \begin{center}
 \begin{tabular}{ll}
 Email:  & christian.urban at kcl.ac.uk\\
 Of$\!$fice: & S1.27 (1st floor Strand Building)\\
-Slides: & KEATS (also home work is there)
+Slides: & KEATS (also home work is there)\\
+& \alert{\bf (I have put a temporary link in there.)}\\
 \end{tabular}
 \end{center}
 \end{frame}}
 \begin{itemize}
 \item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
 \end{itemize}
+\only<2->{
+\begin{textblock}{11}(2,12)
+\small otherwise your ``added security'' can become the point of failure
+\end{textblock}}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \item these weapons were armed with a bicycle key
 \begin{center}
 \begin{tabular}[b]{c}
 \includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
-\small nuclear weapon
+\small nuclear weapon keys
 \end{tabular}
 \hspace{3mm}
 \begin{tabular}[b]{c}
 \includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
 \small bicycle lock
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{}
+\frametitle{Access Control in Unix}
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals (login)
+\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
+\item roles get attached with privileges\bigskip\\%
+\hspace{8mm}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+\alert{principle of least privilege:}\\
+programs should only have as much privilege as they need
+\end{minipage}};
+\end{tikzpicture}
+\end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+\frametitle{Access Control in Unix (2)}
-\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
+\begin{itemize}
+\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
+\end{itemize}
-\begin{itemize}
-\item IEEE is a standards organisation (not-for-profit)
+\begin{textblock}{1}(2.5,9.5)
-\item many standards in CS are by IEEE\medskip
+\begin{tikzpicture}[scale=1]
-\item 100k plain-text passwords were recorded in logs
-\item the logs were openly accessible on their FTP server
+\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-\end{itemize}\bigskip
+\draw (4.7,1) node {Internet};
+\draw (0.6,1.7) node {\footnotesize Interface};
-\begin{flushright}\small
+\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unpriviledged\\[-1mm] process\end{tabular}};
-\textcolor{gray}{\url{http://ieeelog.com}}
+\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}priviledged\\[-1mm] process\end{tabular}};
-\end{flushright}
+\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-\only<2>{
-\begin{textblock}{11}(3,2)
+\draw[white] (1.7,1) node (X) {};
+\draw[white] (3.7,1) node (Y) {};
+\draw[red, <->, line width = 2mm] (X) -- (Y);
+\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+\end{tikzpicture}
+\end{textblock}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Process Ownership}
+\begin{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'')
+\item there are 9 (plus 2) bits that specify the permissions of a file
+\begin{center}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
+\end{center}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Login Process}
+\begin{itemize}
+\item login processes run under UID $=$ 0\medskip
+\begin{center}
+\texttt{ps -axl | grep login}
+\end{center}\medskip
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
+\item non-root users are not allowed to change the UID --- would break
+access control
+\item but needed for example for \texttt{passwd}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Setuid and Setgid}
+The solution is that unix file permissions are 9 + \underline{2 Bits}:
+\alert{Setuid} and \alert{Setgid} Bits
+\begin{itemize}
+\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
+\item This enables users to create processes as root (or another user).\bigskip
+\item Essential for changing passwords, for example.
+\end{itemize}
+\begin{center}
+\texttt{chmod 4755 fobar\_file}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
+\begin{center}
+\begin{tikzpicture}[scale=1]
+\draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+\draw (4.7,1) node {Internet};
+\draw (0.6,1.7) node {\footnotesize Slave};
+\draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+\draw (0.6,1.7) node {\footnotesize Slave};
+\draw (0.6,0.6) node {\footnotesize Slave};
+\draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unpriviledged\\[-1mm] processes\end{tabular}};
+\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}priviledged\\[-1mm] process\end{tabular}};
+\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+\draw (-2.9,1.7) node {\footnotesize Monitor};
+\draw[white] (1.7,1) node (X) {};
+\draw[white] (3.7,1) node (Y) {};
+\draw[red, <->, line width = 2mm] (X) -- (Y);
+\draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+\draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+\end{tikzpicture}
+\end{center}
+\begin{itemize}
+\item pre-authorisation slave
+\item post-authorisation\bigskip
+\item 25\% codebase is privileged, 75\% is unprivileged
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Network Applications}
+ideally network application in Unix should be designed as follows:
+\begin{itemize}
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+\end{itemize}
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
+\end{itemize}
+\only<1>{
+\begin{textblock}{1}(3,3)
 \begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
+{\begin{minipage}{8cm}
-\begin{minipage}{7.5cm}\raggedright\small
+Only failure makes us experts.
-\includegraphics[scale=0.6]{pics/IEEElog.jpg}
+	-- Theo de Raadt (OpenBSD, OpenSSH)
 \end{minipage}};
 \end{tikzpicture}
 \end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
+\mode<presentation>{
-\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-\begin{flushright}\small
-\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
+There are thing's you just cannot solve on the programming side:\bigskip
-\end{flushright}
+\begin{itemize}
-\begin{itemize}
+\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
-\item for online accounts passwords must be 6 digits
+\begin{itemize}
-\item you must cycle through 1M combinations (online)\pause\bigskip
+\item attacker:\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
-\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
+\item root:\\\texttt{rm /tmp/*/*}:
-\item wrote a script that cleared the cookie set after each guess\pause
+\item attacker:\\
-\item has been fixed now
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
 \end{itemize}
+\end{itemize}
+\end{frame}}
-\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
-\mode<presentation>{
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+Unix essentially can only distinguish between two security levels (root and non-root).
 \begin{itemize}
-\item ``smashing the stack attacks'' or ``buffer overflow attacks''
+\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause
-\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
+\item Information flow: Bell --- La Pudela model
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
+\begin{itemize}
-\medskip
+\item read: your own level and below
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\item write: your own level and above
-\begin{center}
+\end{itemize}
-{\bf ``Smashing The Stack For Fun and Profit''}
+\end{itemize}
-\end{center}\medskip
+\end{frame}}
-\begin{flushright}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
-\end{flushright}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{itemize}
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{itemize}
+\item Bell --- La Pudela preserves data secrecy, but not data integrity\bigskip\pause
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\item Biba model is for data integrity
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
+\begin{itemize}
+\item read: your own level and above
-\begin{itemize}
+\item write: your own level and below
-\item The basic problem is that library routines in C look as follows:
+\end{itemize}
-\begin{center}
+\end{itemize}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
+According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
+following view:
+\begin{center}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{10.5cm}
+\small Access control does not matter. Computers are becoming single-purpose
+or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't
+need much in the way of access control as there's nothing for operating system access controls
+to do; the job of separating users from each other is best left to application code. As for the PC
+on your desk, if all the software on it comes from a single source, then again there's no need
+for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)}
+\end{minipage}};
+\end{tikzpicture}
 \end{center}
-\item the resulting problems are often remotely exploitable
-\item can be used to circumvents all access control
+\end{frame}}
-(botnets for further attacks)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{itemize}
-\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
-\mode<presentation>{
-\begin{frame}[c]
+\begin{itemize}
-\frametitle{\begin{tabular}{c}Variants\end{tabular}}
+\item with access control we are back to 1970s\bigskip
-There are many variants:
+\only<1>{
+\begin{tikzpicture}
-\begin{itemize}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-\item return-to-lib-C attacks
+{\begin{minipage}{10cm}
-\item heap-smashing attacks\\
+\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+\mbox{}\hfill--- Roger Needham
+\end{minipage}};
-\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{tikzpicture}}\pause
-\end{itemize}
+\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
-\end{frame}}
+is dead now\bigskip
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\
+(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
+\item electronic voting
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{itemize}
-\mode<presentation>{
+\end{frame}}
-\begin{frame}[c]
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\small
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\texttt{my\_float} is printed twice:\bigskip
+\mode<presentation>{
+\begin{frame}[t]
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
-\texttt{\lstinputlisting{C1.c}}}
+\begin{itemize}
+\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\item you as developer have to specify the resources an application needs
+\item the OS provides a sandbox where access is restricted to only these resources
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{itemize}
-\mode<presentation>{
+\end{frame}}
-\begin{frame}[c]
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{center}
-\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\mode<presentation>{
-\end{center}
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Theater\end{tabular}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Security theater is the practice of investing in countermeasures intended to provide the
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\end{frame}}
-\begin{frame}[c]
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\texttt{\lstinputlisting{C2.c}}}
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}\end{tabular}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Security theater is the practice of investing in countermeasures intended to provide the
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
-\mode<presentation>{
-\begin{frame}[c]
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\small
-A programmer might be careful, but still introduce vulnerabilities:\bigskip
+From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+Sender: cl-security-research-bounces@lists.cam.ac.uk
-\texttt{\lstinputlisting{C2a.c}}}
+To: cl-security-research@lists.cam.ac.uk
+Subject: Tip off
+Date: Tue, 02 Oct 2012 13:12:50 +0100
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+I received the following tip off, and have removed the sender's
+coordinates. I suspect it is one of many security vendors who
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+don't even get the basics right; if you ever go to the RSA
-\mode<presentation>{
+conference, there are a thousand such firms in the hall, each
-\begin{frame}[c]
+with several eager but ignorant salesmen. A trying experience
-\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+Ross
-\begin{itemize}
-\item the idea is you store some code as part to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
-\begin{center}
-\texttt{xorl   \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
-\small
-\texttt{string} is nowhere used:\bigskip
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C6.c}}}\bigskip
-this vulnerability can be used to read out the stack
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
-\begin{itemize}
-\item use safe library functions
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
-\begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (eeded for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
-	with this information?\bigskip
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \end{document}
 %%% Local Variables:

changeset 29	5d0f7da375da
parent 28	10da75d5db5d
child 30	9dc8159c9af7