204 \end{frame} |
204 \end{frame} |
205 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
205 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
206 |
206 |
207 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
207 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
208 \begin{frame}[c] |
208 \begin{frame}[c] |
209 \frametitle{``A Login Function'' (1)} |
209 \frametitle{Printing Out Zombies} |
|
210 \mbox{}\\[-10mm] |
|
211 |
|
212 \footnotesize |
|
213 \lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c} |
|
214 |
|
215 \end{frame} |
|
216 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
217 |
|
218 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
219 \begin{frame}[c] |
|
220 \frametitle{A ``Login'' Function (1)} |
210 \mbox{}\\[-10mm] |
221 \mbox{}\\[-10mm] |
211 |
222 |
212 \footnotesize |
223 \footnotesize |
213 \lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c} |
224 \lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c} |
214 |
225 |
215 \end{frame} |
226 \end{frame} |
216 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
227 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
217 |
228 |
218 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
229 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
219 \begin{frame}[c] |
230 \begin{frame}[c] |
220 \frametitle{``A Login Function'' (2)} |
231 \frametitle{A ``Login'' Function (2)} |
221 \mbox{}\\[-10mm] |
232 \mbox{}\\[-10mm] |
222 |
233 |
223 \footnotesize |
234 \footnotesize |
224 \lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c} |
235 \lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c} |
225 |
236 |
328 \end{frame} |
339 \end{frame} |
329 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
340 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
330 |
341 |
331 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
342 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
332 \begin{frame}[c] |
343 \begin{frame}[c] |
|
344 \frametitle{Overwriting the Stack} |
|
345 |
|
346 \begin{textblock}{7}(1,2) |
|
347 \begin{tikzpicture}[scale=0.8] |
|
348 %\draw[step=1cm] (-3,-1) grid (3,8); |
|
349 \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1); |
|
350 \draw[line width=1mm] (-1,-1.2) -- (-1,6.4); |
|
351 \draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4); |
|
352 \draw (0,-1) node[anchor=south] {\tt main}; |
|
353 \draw[line width=1mm] (-1,0) -- (1,0); |
|
354 \draw (0,0) node[anchor=south] {\tt arg$_3$=3}; |
|
355 \draw[line width=1mm] (-1,1) -- (1,1); |
|
356 \draw (0,1) node[anchor=south] {\tt arg$_2$=2}; |
|
357 \draw[line width=1mm] (-1,2) -- (1,2); |
|
358 \draw (0,2) node[anchor=south] {\tt arg$_1$=1}; |
|
359 \draw[line width=1mm] (-1,3) -- (1,3); |
|
360 \draw (0,3.1) node[anchor=south] {\tt ret}; |
|
361 \draw[line width=1mm] (-1,4) -- (1,4); |
|
362 \draw (0,4) node[anchor=south] {\small\tt last sp}; |
|
363 \draw[line width=1mm] (-1,5) -- (1,5); |
|
364 \draw (0,5) node[anchor=south] {\tt buf}; |
|
365 \draw[line width=1mm] (-1,6) -- (1,6); |
|
366 \draw (2,5.1) node[anchor=south] {\code{$esp}}; |
|
367 \draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6); |
|
368 |
|
369 \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5); |
|
370 \draw (2.5,4.1) node[anchor=south] {\code{??}}; |
|
371 |
|
372 \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5); |
|
373 \draw (2.6,3.1) node[anchor=south west] {\tt jump to \code{\\x080483f4}}; |
|
374 \end{tikzpicture} |
|
375 \end{textblock} |
|
376 |
|
377 \begin{textblock}{7}(1,13.5) |
|
378 \code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08\\x00"} |
|
379 \end{textblock} |
|
380 |
|
381 \end{frame} |
|
382 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
383 |
|
384 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
385 \begin{frame}[c] |
|
386 \frametitle{Payloads} |
|
387 |
|
388 \begin{itemize} |
|
389 \item the idea is that you store some code in the buffer (the payload) |
|
390 \item you then override the return address to execute this payload\medskip |
|
391 \item normally you start a root-shell\pause |
|
392 \item difficulty is to guess the right place where to ``jump'' |
|
393 \end{itemize} |
|
394 |
|
395 \end{frame} |
|
396 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
397 |
|
398 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
399 \begin{frame}[c] |
|
400 \frametitle{Payloads (2)} |
|
401 |
|
402 \begin{itemize} |
|
403 \item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: |
|
404 |
|
405 \begin{center} |
|
406 \texttt{xorl \%eax, \%eax} |
|
407 \end{center} |
|
408 \end{itemize}\bigskip\bigskip |
|
409 |
|
410 {\small |
|
411 \lstinputlisting[language=C,numbers=none]{../progs/app5.c}} |
|
412 |
|
413 \end{frame} |
|
414 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
415 |
|
416 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
417 \begin{frame}[c] |
|
418 \frametitle{Variants} |
|
419 |
|
420 There are many variants: |
|
421 |
|
422 \begin{itemize} |
|
423 \item return-to-lib-C attacks |
|
424 \item heap-smashing attacks\\ |
|
425 \textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip |
|
426 |
|
427 \item ``zero-days-attacks'' (new unknown vulnerability) |
|
428 \end{itemize} |
|
429 |
|
430 \end{frame} |
|
431 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
432 |
|
433 |
|
434 |
|
435 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
436 \begin{frame}[c] |
|
437 \frametitle{Format String Vulnerability} |
|
438 |
|
439 \small |
|
440 \texttt{string} is nowhere used:\bigskip |
|
441 |
|
442 {\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip |
|
443 |
|
444 this vulnerability can be used to read out the stack |
|
445 |
|
446 \end{frame} |
|
447 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
448 |
|
449 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
450 \begin{frame}[c] |
|
451 \frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}} |
|
452 |
|
453 \begin{itemize} |
|
454 \item use safe library functions |
|
455 \item stack caneries |
|
456 \item ensure stack data is not executable (can be defeated) |
|
457 \item address space randomisation (makes one-size-fits-all more difficult) |
|
458 \item choice of programming language (one of the selling points of Java) |
|
459 |
|
460 \end{itemize} |
|
461 |
|
462 \end{frame} |
|
463 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
464 |
|
465 |
|
466 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
467 \begin{frame}[c] |
333 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} |
468 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} |
334 |
469 |
335 |
470 |
336 \begin{center} |
471 \begin{center} |
337 \begin{tikzpicture}[scale=1] |
472 \begin{tikzpicture}[scale=1] |
424 |
559 |
425 |
560 |
426 \end{frame} |
561 \end{frame} |
427 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
562 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
428 |
563 |
429 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
430 \begin{frame}[c] |
|
431 \frametitle{Variants} |
|
432 |
|
433 There are many variants: |
|
434 |
|
435 \begin{itemize} |
|
436 \item return-to-lib-C attacks |
|
437 \item heap-smashing attacks\\ |
|
438 \textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip |
|
439 |
|
440 \item ``zero-days-attacks'' (new unknown vulnerability) |
|
441 \end{itemize} |
|
442 |
|
443 \end{frame} |
|
444 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
445 |
|
446 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
447 \begin{frame}[c] |
|
448 |
|
449 {\small\lstinputlisting[language=C]{../progs/C2.c}} |
|
450 |
|
451 \end{frame} |
|
452 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
453 |
|
454 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
455 %\mode<presentation>{ |
|
456 %\begin{frame}[c] |
|
457 % |
|
458 %\small |
|
459 %A programmer might be careful, but still introduce vulnerabilities:\bigskip |
|
460 % |
|
461 %{\lstset{language=Java}\footnotesize |
|
462 %\texttt{\lstinputlisting{../progs/C2a.c}}} |
|
463 % |
|
464 % |
|
465 %\end{frame}} |
|
466 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
467 |
|
468 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
469 \begin{frame}[c] |
|
470 \frametitle{Payloads} |
|
471 |
|
472 \begin{itemize} |
|
473 \item the idea is you store some code to the buffer |
|
474 \item you then override the return address to execute this payload\medskip |
|
475 \item normally you start a root-shell\pause |
|
476 \item difficulty is to guess the right place where to ``jump'' |
|
477 \end{itemize} |
|
478 |
|
479 \end{frame} |
|
480 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
481 |
|
482 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
483 \begin{frame}[c] |
|
484 \frametitle{Payloads (2)} |
|
485 |
|
486 \begin{itemize} |
|
487 \item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: |
|
488 |
|
489 \begin{center} |
|
490 \texttt{xorl \%eax, \%eax} |
|
491 \end{center} |
|
492 \end{itemize}\bigskip\bigskip |
|
493 |
|
494 {\small |
|
495 \lstinputlisting[language=C]{../progs/app5.c}} |
|
496 |
|
497 \end{frame} |
|
498 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
499 |
|
500 |
|
501 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
502 \begin{frame}[c] |
|
503 \frametitle{Format String Vulnerability} |
|
504 |
|
505 \small |
|
506 \texttt{string} is nowhere used:\bigskip |
|
507 |
|
508 {\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip |
|
509 |
|
510 this vulnerability can be used to read out the stack |
|
511 |
|
512 \end{frame} |
|
513 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
514 |
|
515 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
516 \begin{frame}[c] |
|
517 \frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}} |
|
518 |
|
519 \begin{itemize} |
|
520 \item use safe library functions |
|
521 \item stack caneries |
|
522 \item ensure stack data is not executable (can be defeated) |
|
523 \item address space randomisation (makes one-size-fits-all more difficult) |
|
524 \item choice of programming language (one of the selling points of Java) |
|
525 |
|
526 \end{itemize} |
|
527 |
|
528 \end{frame} |
|
529 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
530 |
564 |
531 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
565 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
532 \begin{frame}[c] |
566 \begin{frame}[c] |
533 \frametitle{Security Goals} |
567 \frametitle{Security Goals} |
534 |
568 |