sen-material: comparison slides/slides04.tex

equal deleted inserted replaced

-:4e3bc09748f7
+:6a54ee8b74c3
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm]
+Privilege Separation\end{tabular}}
 \begin{center}
 \begin{tikzpicture}[scale=1]
 consequences of an attack
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
-\mode<presentation>{
+\frametitle{Access Control in Unix}
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals
-\begin{itemize}
+\item mediate access to files, ports, processes etc according to
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\alert{roles} (user ids)\\
+\item roles get attached with privileges (some special roles: root)\bigskip\\
+\hspace{8mm}
+\begin{bubble}[8cm]
+\alert{principle of least privilege:}\\
+users and programs should only have as much privilege as they need to
+accomplish a task
+\end{bubble}
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'')\medskip
+\item there are 9 (plus 2) bits that specify the permissions of a file
+\end{itemize}
+\begin{center}
+${\underbrace{\LARGE\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
+\;{\underbrace{\LARGE\texttt{r{}-{}-}}_{\text{user}}}\,
+{\underbrace{\LARGE\texttt{r{}w{}-}}_{\text{group}}}\,
+{\underbrace{\LARGE\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
+\LARGE\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$
+\end{center}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Unix-Style Access Control}
+\small
+\begin{itemize}
+\item
+Q: ``I am using Windows. Why should I care?'' \\
+A: In Windows you have similar AC:
+\begin{center}
+\begin{tabular}{l}
+administrators group\\
+\hspace{5mm}(has complete control over the machine)\\
+authenticated users\\
+server operators\\
+power users\\
+network configuration operators
+\end{tabular}
+\end{center}\medskip
+\item Modern versions of Windows have more fine-grained AC than Unix;
+they do not have a setuid bit, but have \texttt{runas} (asks for a
+password).\pause
+\item OS-provided access control can \alert{\bf add} to your security.
+(defence in depth)
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Weaknesses of Unix AC}
+Not just restricted to Unix:
+\begin{itemize}
+\item if you have too many roles (i.e.~too finegrained AC), then
+hierarchy is too complex\\ \textcolor{gray}{you invite situations
+like\ldots let's be root}\bigskip
+\item you can still abuse the system\ldots
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+The idea is to trick a privileged person to do something on your
+behalf:
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+\footnotesize
+\begin{minipage}{1.1\textwidth}
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+\textcolor{gray}{this takes time}
+\end{minipage}
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
+\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes  the real passwd file
+\end{enumerate}
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{bubble}[8cm]
+\normalsize To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{bubble}
+\end{textblock}}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Infamous Security Flaws\\[-1mm]
+in Unix\end{tabular}}
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause
 \item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
 \item \texttt{mkdir foo} is owned by root\medskip
 \begin{center}
 \texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
 \end{center}\medskip
 it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
 \end{itemize}
-\only<5->{
+\only<4->{
 \begin{textblock}{1}(3,7)
 \begin{tikzpicture}
 \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
 {\begin{minipage}{8cm}
 Only failure makes us experts.
 	-- Theo de Raadt (OpenBSD, OpenSSH)
 \end{minipage}};
 \end{tikzpicture}
 \end{textblock}}
-\end{frame}}
+\end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Unix-Style Access Control}
-How to do control access? In Unix you have
-\begin{itemize}
-\item users and you have groups/roles:
-\item some special roles: root
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Unix-Style Access Control}
-\small
-\begin{itemize}
-\item
-Q: ``I am using Windows. Why should I care?'' \\
-A: In Windows you have similar AC:
-\begin{center}
-\begin{tabular}{l}
-administrators group\\
-\hspace{5mm}(has complete control over the machine)\\
-authenticated users\\
-server operators\\
-power users\\
-network configuration operators
-\end{tabular}
-\end{center}\medskip
-\item Modern versions of Windows have more fine-grained AC than Unix;
-they do not have a setuid bit, but have \texttt{runas} (asks for a
-password).\pause
-\item OS-provided access control can \alert{\bf add} to your security.
-(defence in depth)
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-\begin{center}
-\begin{tikzpicture}[scale=1]
-\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-\draw (4.7,1) node {Internet};
-\draw (-2.7,1.7) node {\footnotesize Application};
-\draw (0.6,1.7) node {\footnotesize Interface};
-\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-\draw[white] (1.7,1) node (X) {};
-\draw[white] (3.7,1) node (Y) {};
-\draw[red, <->, line width = 2mm] (X) -- (Y);
-\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
-\end{tikzpicture}
-\end{center}
-\begin{itemize}
-\item the idea is make the attack surface smaller and mitigate the
-consequences of an attack
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Weaknesses of Unix AC}
-Not just restricted to Unix:
-\begin{itemize}
-\item if you have too many roles (i.e.~too finegrained AC), then
-hierarchy is too complex\\ \textcolor{gray}{you invite situations
-like\ldots let's be root}\bigskip
-\item you can still abuse the system\ldots
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-The idea is to trick a privileged person to do something on your
-behalf:
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-\footnotesize
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes  the real passwd file
-\end{enumerate}
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{bubble}[8cm]
-\normalsize To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{bubble}
-\end{textblock}}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-\frametitle{D-Link Backdoors}
-D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
-\begin{quote}\rm\small
-If you tell your browser to identify itself as Joel's backdoor, instead of (say)
-as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
-"What is this string," I hear you ask?
-You will laugh: it is\pause
-\begin{center}\large
-\pcode{xmlset_roodkcableoj28840ybtide}
-\end{center}
-\end{quote}\bigskip\bigskip
-\hfill\footnotesize October 15, 2013\\
-\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip
-\begin{quote}\rm\small
-Hi,
-we just found a serious vulnerability in the chkrootkit package, which
-may allow local attackers to gain root access to a box in certain
-configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:
-\begin{itemize}
-\item Put an executable file named \pcode{update} with non-root owner in
-\pcode{/tmp} (not mounted noexec, obviously)
-\item Run chkrootkit (as uid \pcode{0})
-\end{itemize}
-Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
-rooting your box, if malicious content is placed inside the file.
-If an attacker knows you are periodically running chkrootkit (like in
-\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
-easily take advantage of this.
-\end{quote}
-\mbox{}\\[-10mm]
-\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Access Control in Unix}
-\begin{itemize}
-\item access control provided by the OS
-\item authenticate principals
-\item mediate access to files, ports, processes etc according to
-\alert{roles} (user ids)\\
-\item roles get attached with privileges\bigskip\\
-\hspace{8mm}
-\begin{bubble}[8cm]
-\alert{principle of least privilege:}\\
-users and programs should only have as much privilege as they need to
-accomplish a task
-\end{bubble}
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-\begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'')\medskip
-\item there are 9 (plus 2) bits that specify the permissions of a file
-\begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls -la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\end{tabular}
-\end{center}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Login Process}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Setuid and Setgid}
 The solution is that Unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} bits
+\alert{\bf Setuid} and \alert{\bf Setgid} bits
 \begin{itemize}
 \item When a file with setuid is executed, the resulting process will
 assume the UID given to the \underline{owner} of the file.
 \item This enables users to create processes as root (or another

changeset 405	6a54ee8b74c3
parent 404	4e3bc09748f7
child 406	0516bffd3f5f