slides/slides04.tex
changeset 388 770b58a7d754
parent 381 036a762b02cf
child 391 a612dd3ddc81
387:03d5c3df745e 388:770b58a7d754
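--- a/slides/slides04.tex
+++ b/slides/slides04.tex
@@ -151,10 +151,156 @@
 easily take advantage of this.
 \end{quote}
 \mbox{}\\[-10mm]
 
 \hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Unix-Style Access Control}
+
+How to do control access? In Unix you have
+
+\begin{itemize}
+\item users and you have groups/roles:
+\item some special roles: root
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Unix-Style Access Control}
+\small
+
+\begin{itemize}
+\item 
+Q: ``I am using Windows. Why should I care?'' \\ 
+A: In Windows you have similar AC:
+
+\begin{center}
+\begin{tabular}{l}
+administrators group\\ 
+\hspace{5mm}(has complete control over the machine)\\
+authenticated users\\
+server operators\\
+power users\\
+network configuration operators
+\end{tabular}
+\end{center}\medskip
+
+\item Modern versions of Windows have more fine-grained AC than Unix;
+  they do not have a setuid bit, but have \texttt{runas} (asks for a
+  password).\pause
+
+\item OS-provided access control can \alert{\bf add} to your security.
+  (defence in depth)
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+
+
+\begin{center}
+  \begin{tikzpicture}[scale=1]
+  
+  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+  \draw (4.7,1) node {Internet};
+  \draw (-2.7,1.7) node {\footnotesize Application};
+  \draw (0.6,1.7) node {\footnotesize Interface};
+  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+  
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+ 
+  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+  \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item the idea is make the attack surface smaller and mitigate the
+  consequences of an attack
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Weaknesses of Unix AC}
+
+Not just restricted to Unix:
+
+\begin{itemize}
+\item if you have too many roles (i.e.~too finegrained AC), then
+  hierarchy is too complex\\ \textcolor{gray}{you invite situations
+    like\ldots let's be root}\bigskip
+
+\item you can still abuse the system\ldots
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+The idea is to trick a privileged person to do something on your
+behalf:
+
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+
+\footnotesize
+\begin{minipage}{1.1\textwidth}
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+
+\textcolor{gray}{this takes time}
+\end{minipage}
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ 
+\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes  the real passwd file
+\end{enumerate}
+
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{bubble}[8cm]
+\normalsize To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{bubble}
+\end{textblock}}
 
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%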
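Review bot: The bubble on the second ``Cron''-Attack frame (new lines 298-299) gives "don't do such operations as root" as the only countermeasure and never names the flaw the four steps walk through. Going by the first frame ("the shell behind the scenes", "this takes time"), the problem is the gap between expanding `/tmp/*/*` and deleting each name, inside a directory any user can rewrite, and that gap is what lets the `/tmp/a` component be swapped for a link to `/etc`. I would word the bubble as `To prevent this kind of attack, you need additional policies: do not run clean-up jobs as root over directories that users can write to, or use a tool that refuses to follow symbolic links while descending.` Smaller wording fixes in the same hunk: `How to control access?` at line 163, `the idea is to make the attack surface smaller` at line 231, `fine-grained` at line 245 (line 194 already spells it that way), and `\alert{\textbf{add}}` in place of the obsolete `{\bf add}` at line 198.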