
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Unix-Style Access Control}

How do you control access? In Unix you have

\begin{itemize}
\item users, and groups/roles
\item some special roles: root
\end{itemize}

\end{frame}
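The three ingredients on this slide (users, groups, and the special role root) are exactly what the classic Unix permission check consults. The block below is an added example, not code from the lecture: it re-implements that check on constructed file metadata (a `Principal` with a uid and group set, an `Inode` with owner, group and mode bits) so the rules can be exercised without touching a real file system. It also covers two details the slide does not spell out: the owner/group/other class is chosen exclusively (an owner with empty owner bits is denied even if the group bits would allow), and root bypasses read and write checks but, as on Linux, needs at least one execute bit to execute a regular file.

```python
"""Unix-style discretionary access control on constructed metadata.

Added example (not from the slides). Models the kernel's owner/group/other
permission check and the special treatment of root (uid 0).
"""
import stat
from dataclasses import dataclass

# Requested permissions, encoded like the mode bits: read=4, write=2, execute=1.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Principal:
    """A process identity: its uid and all groups it belongs to."""
    uid: int
    gids: frozenset  # primary group plus supplementary groups


@dataclass(frozen=True)
class Inode:
    """The access-relevant part of a file's metadata (constructed, not a real file)."""
    uid: int            # owner
    gid: int            # owning group
    mode: int           # e.g. 0o640; only the permission bits are used
    is_dir: bool = False


def permission_class(p: Principal, f: Inode) -> str:
    """Pick exactly one class: owner, then group, then other (never a union)."""
    if p.uid == f.uid:
        return "owner"
    if f.gid in p.gids:
        return "group"
    return "other"


def allowed(p: Principal, f: Inode, want: int) -> bool:
    """True if principal p may perform `want` (a bitmask of R/W/X) on file f.

    root bypasses read and write checks entirely; to execute a regular
    file root still needs some execute bit to be set (directories are
    always searchable by root).
    """
    perm = stat.S_IMODE(f.mode)
    if p.uid == 0:
        if want & X and not f.is_dir and not perm & 0o111:
            return False
        return True
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(p, f)]
    bits = (perm >> shift) & 0o7
    return (bits & want) == want


def demo() -> dict:
    """Run a few constructed cases and return the decisions for inspection."""
    cfg = Inode(uid=1000, gid=50, mode=0o640)          # rw-r-----
    alice = Principal(1000, frozenset({1000, 50}))     # owner
    bob = Principal(1001, frozenset({1001, 50}))       # in the file's group
    eve = Principal(1002, frozenset({1002}))           # "other"
    root = Principal(0, frozenset({0}))
    weird = Inode(uid=1000, gid=50, mode=0o070)        # owner bits empty
    return {
        "alice rw cfg": allowed(alice, cfg, R | W),
        "bob r cfg": allowed(bob, cfg, R),
        "bob w cfg": allowed(bob, cfg, W),
        "eve r cfg": allowed(eve, cfg, R),
        "root rw cfg": allowed(root, cfg, R | W),
        "alice r weird (owner class is exclusive)": allowed(alice, weird, R),
        "root x non-executable": allowed(root, Inode(1000, 50, 0o644), X),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'allowed' if decision else 'denied'}")
```

The exclusive-class rule is the one that surprises people in practice: `chmod 070` does not give the owner access through their group membership, and a setuid-to-root helper does not need any permission bits at all to read or write a file.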
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Unix-Style Access Control}
\small

\begin{itemize}
\item
Q: ``I am using Windows. Why should I care?'' \\
A: In Windows you have similar AC:

\begin{center}
\begin{tabular}{l}
administrators group\\
\hspace{5mm}(has complete control over the machine)\\
authenticated users\\
server operators\\
power users\\
network configuration operators
\end{tabular}
\end{center}\medskip

\item Modern versions of Windows have more fine-grained AC than Unix;
they do not have a setuid bit, but have \texttt{runas} (asks for a
password).\pause

\item OS-provided access control can \alert{\bf add} to your security
(defence in depth).
\end{itemize}

\end{frame}
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}


\begin{center}
\begin{tikzpicture}[scale=1]

\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);

\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}

\begin{itemize}
\item the idea is to make the attack surface smaller and to mitigate the
consequences of an attack: only the unprivileged process talks to the
Internet, and the privileged process accepts just a narrow interface
\end{itemize}

\end{frame}
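The diagram above shows the shape of privilege separation but not the mechanics. The following is an added example, not code from the lecture or from any particular server: it runs the pattern in two processes on one machine. The parent (privileged) forks an unprivileged child connected to it by a `socketpair`; the child does all the untrusted parsing of the "network input" (here a constructed byte string) and may only hand back a short alphanumeric name; the parent then serves the name only if it is on an allowlist. The `drop_privileges` step uses a real `setuid` to `nobody` when run as root and is a no-op otherwise; the "privileged resource" is modelled as an in-memory dictionary, which is an assumption of this example.

```python
"""Privilege separation with fork + socketpair (added example, not from the slides).

The unprivileged child parses untrusted bytes; the privileged parent only
ever sees a short, fixed-format request and re-checks it against an allowlist.
"""
import os
import pwd
import socket
from typing import Optional

# Constructed stand-in for data only the privileged process may read.
PRIVILEGED_STORE = {b"motd": b"welcome\n", b"banner": b"hi\n"}
ALLOWLIST = frozenset(PRIVILEGED_STORE)   # the only names the parent serves
MAX_NAME = 32                              # hard bound on the interface message


def drop_privileges(user: str = "nobody") -> None:
    """If running as root, become an unprivileged user; no-op otherwise."""
    if os.geteuid() == 0:
        pw = pwd.getpwnam(user)
        os.setgroups([])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)


def parse_request(raw: bytes) -> Optional[bytes]:
    """Untrusted parsing lives in the unprivileged process.

    Accepts exactly 'GET <name>\\r\\n' with a short alphanumeric name;
    everything else is rejected before it can reach the privileged side.
    """
    line, sep, _rest = raw.partition(b"\r\n")
    if not sep or not line.startswith(b"GET "):
        return None
    name = line[4:]
    if not name or len(name) > MAX_NAME or not name.isalnum():
        return None
    return name


def unprivileged_child(conn: socket.socket, raw_input: bytes) -> None:
    """Child side: drop privileges, parse, forward only the validated name."""
    drop_privileges()
    name = parse_request(raw_input)
    conn.sendall(name if name is not None else b"")   # never the raw input
    conn.shutdown(socket.SHUT_WR)
    conn.close()


def privileged_parent(conn: socket.socket) -> bytes:
    """Parent side: read a bounded message and serve it only if allowlisted."""
    buf = b""
    while len(buf) <= MAX_NAME:
        chunk = conn.recv(MAX_NAME + 1)
        if not chunk:
            break
        buf += chunk
    conn.close()
    if not buf or len(buf) > MAX_NAME or buf not in ALLOWLIST:
        return b"ERR\n"
    return PRIVILEGED_STORE[buf]


def handle(raw_input: bytes) -> bytes:
    """Run one request through both processes and return the parent's reply."""
    parent_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                       # child: the unprivileged "Interface"
        parent_end.close()
        try:
            unprivileged_child(child_end, raw_input)
        finally:
            os._exit(0)
    child_end.close()                  # parent: the privileged "Application"
    try:
        return privileged_parent(parent_end)
    finally:
        os.waitpid(pid, 0)


if __name__ == "__main__":
    for req in (b"GET motd\r\n", b"GET ../secret\r\n", b"GET secret\r\n"):
        print(req, b"->", handle(req))
```

Two design points are worth noting: the parent validates the name again even though the child already did, because the whole point is to assume the child may be compromised, and the interface is bounded in both format and length so that a misbehaving child cannot push arbitrary data at the privileged side.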
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Weaknesses of Unix AC}

Not just restricted to Unix:

\begin{itemize}
\item if you have too many roles (i.e.~too fine-grained AC), then
the hierarchy becomes too complex\\ \textcolor{gray}{you invite situations
like\ldots let's be root}\bigskip

\item you can still abuse the system\ldots
\end{itemize}

\end{frame}
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}

The idea is to trick a privileged person into doing something on your
behalf:

\begin{itemize}
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause

\footnotesize
\begin{minipage}{1.1\textwidth}
\textcolor{gray}{the shell behind the scenes:}\\
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\

\textcolor{gray}{this takes time}
\end{minipage}
\end{itemize}

\end{frame}
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}

\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\

\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file and replaces the
directory by a link to \texttt{/etc}, so that \texttt{/tmp/a/passwd} now refers to
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes the real passwd file
\end{enumerate}

\only<2>{
\begin{textblock}{11}(2,5)
\begin{bubble}[8cm]
\normalsize To prevent this kind of attack, you need additional
policies (don't do such operations as root).
\end{bubble}
\end{textblock}}

\end{frame}
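The race above works because the shell expands `/tmp/*/*` into path strings first and `rm` resolves each string later, so anything that changes between the two steps (here, `/tmp/a` becoming a symlink to `/etc`) is silently followed. Besides the policy fix the slide recommends, a cleanup job can also be written so that it never re-resolves a path. The block below is an added example, not code from the lecture: it opens each subdirectory once with `O_NOFOLLOW` (a symlink in place of a directory is refused with `ELOOP`) and then unlinks entries relative to that open directory descriptor (`dir_fd`), so a swap performed after the open no longer redirects the deletion. `demo()` stages the slide's scenario in a temporary directory, with `root/etc/passwd` standing in for the real file and `root/tmp/a` already replaced by the attacker's symlink; the contents are constructed. It requires a POSIX system with `dir_fd` support.

```python
"""Cleaning up base/*/* without following a swapped directory (added example).

Not code from the slides. Uses O_NOFOLLOW plus dir_fd-relative operations so
that a directory entry replaced by a symlink between listing and deletion
cannot redirect the unlink to another tree.
"""
import os
import stat
import tempfile


def clean_subdirs(base: str) -> dict:
    """Delete regular files one level below `base`, i.e. base/*/*.

    Returns {'deleted': [...], 'skipped': [...]} with base/dir/name paths so
    a caller can log exactly what happened.
    """
    report = {"deleted": [], "skipped": []}
    base_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for entry in os.listdir(base_fd):
            try:
                # O_NOFOLLOW: if base/entry is now a symlink (e.g. /tmp/a -> /etc)
                # open fails with ELOOP instead of following it.
                sub_fd = os.open(entry, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                                 dir_fd=base_fd)
            except OSError:
                report["skipped"].append(os.path.join(base, entry))
                continue
            try:
                # Every operation below is relative to sub_fd, the directory we
                # actually opened; renaming or replacing base/entry afterwards
                # does not change what sub_fd refers to.
                for name in os.listdir(sub_fd):
                    st = os.stat(name, dir_fd=sub_fd, follow_symlinks=False)
                    if stat.S_ISREG(st.st_mode):
                        os.unlink(name, dir_fd=sub_fd)
                        report["deleted"].append(os.path.join(base, entry, name))
                    else:
                        report["skipped"].append(os.path.join(base, entry, name))
            finally:
                os.close(sub_fd)
    finally:
        os.close(base_fd)
    return report


def demo() -> dict:
    """Stage the slide's scenario in a temp dir (constructed data) and run the cleaner."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "tmp")         # stands in for /tmp
        etc = os.path.join(root, "etc")          # stands in for /etc
        os.makedirs(os.path.join(base, "b"))
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")   # constructed content
        open(os.path.join(base, "b", "junk"), "w").close()
        # The attacker's swap from the slide: base/a is a symlink to the
        # sensitive directory by the time the cleaner runs.
        os.symlink(etc, os.path.join(base, "a"))
        report = clean_subdirs(base)
        return {
            "real_passwd_survived": os.path.exists(os.path.join(etc, "passwd")),
            "junk_removed": not os.path.exists(os.path.join(base, "b", "junk")),
            "skipped_symlink": os.path.join(base, "a") in report["skipped"],
            "deleted": report["deleted"],
        }


if __name__ == "__main__":
    print(demo())
```

This closes the window the slide describes, but it does not replace the policy advice: a cleaner that runs as an unprivileged user, or `find` with `-delete` (which also works on open directory descriptors), limits the damage if some other assumption turns out to be wrong.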
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Buffer Overflow Attacks}
