sen-material: comparison slides/slides03.tex

equal deleted inserted replaced

-:92a8dad2cc86
+:a612dd3ddc81
 \end{center}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-\begin{center}
-\begin{tikzpicture}[scale=1]
-\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-\draw (4.7,1) node {Internet};
-\draw (-2.7,1.7) node {\footnotesize Application};
-\draw (0.6,1.7) node {\footnotesize Interface};
-\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-\draw[white] (1.7,1) node (X) {};
-\draw[white] (3.7,1) node (Y) {};
-\draw[red, <->, line width = 2mm] (X) -- (Y);
-\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
-\end{tikzpicture}
-\end{center}
-\begin{itemize}
-\item the idea is make the attack surface smaller and
-mitigate the consequences of an attack
-\item you need an OS that supports different roles (root vs.~users)
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Weaknesses of Unix AC}
-\begin{itemize}
-\item if you have too many roles (for example too finegrained AC), then
-hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
-like\ldots let's be root}\bigskip
-\item you can still abuse the system\ldots
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-The idea is to trick a privileged person to do something on your
-behalf:
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-\small
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes  the real passwd file
-\end{enumerate}
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{9.5cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{\Large Buffer Overflow Attacks}
 \begin{center}
 \begin{columns}[b]
 \begin{column}{.4\textwidth}
 \centering
-\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
+\includegraphics[scale=0.3]{../pics/barrier.jpg}\\
 lectures so far
 \end{column}
-\begin{column}<2>{.4\textwidth}
+\begin{column}{.4\textwidth}
 \centering
 \includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
 today
 \end{column}
 \end{columns}
 \end{center}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Smash the Stack for Fun\ldots}
 \begin{itemize}
-\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip
+\item {\bf Buffer Overflow Attacks} or\\
+{\bf Smashing the Stack Attacks}\medskip
 \item one of the most popular attacks, unfortunately\\
 ($>$ 50\% of security incidents reported at CERT are related
 to buffer overflows)
 \begin{flushright}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{Printing Out Zombies}
+\frametitle{Printing Out ``Zombies''}
 \mbox{}\\[-10mm]
 \footnotesize
 \lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Memory}
 \begin{itemize}
-\item each process will get a chunk of memory that is organised as
+\item each process will get a chunk of memory that is
-follows:
+organised as follows:
 \end{itemize}
 \begin{center}
 \begin{tikzpicture}[scale=0.8]
 %\draw[step=1cm] (-3,-3) grid (3,3);
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Optimising Success}
+\begin{center}
+\begin{tabular}{l@{\hspace{2cm}}l}
+\begin{tikzpicture}[scale=0.6]
+\draw[line width=1mm] (-2, -1) rectangle (2,3);
+\draw[line width=1mm,fill=blue!30] (-2, 1.9) rectangle (2,3);
+\draw (0,2.5) node {\small\tt shell code};
+\draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+\draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
+(-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
+\end{tikzpicture}
+&
+\onslide<2>{
+\begin{tikzpicture}[scale=0.6]
+\draw[gray!50,fill=red!30] (-2,0.3) rectangle (2,3);
+\draw[line width=1mm] (-2, -1) rectangle (2,3);
+\draw[line width=1mm,fill=blue!30] (-2, 0.3) rectangle (2, -0.7);
+\draw (0,-0.2) node {\small\tt shell code};
+\draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+\draw [line width=0.5,decoration={brace,amplitude=2mm},decorate]
+(2.3,3) -- (2.3,0.3);
+\draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
+(3,-1.7) -- (3,1.65) -- (2.6, 1.65);
+\end{tikzpicture}}
+\end{tabular}
+\end{center}\bigskip
+\onslide<2>{
+fill up the red part of the string with \pcode{NOP} operations
+(Intel \texttt{$\backslash$x90})}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Variants}
 \item ``zero-days-attacks'' (new unknown vulnerability)
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Format String Vulnerability}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
-\begin{frame}[c]
+\frametitle{NIST Statistics about BOA}
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
 \begin{center}
-\begin{tikzpicture}[scale=1]
+\begin{tikzpicture}
+\begin{axis}[
-\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+xlabel={year},
-\draw (4.7,1) node {Internet};
+ylabel={\% of total attacks},
-\draw (-2.7,1.7) node {\footnotesize Application};
+ylabel style={yshift=0em},
-\draw (0.6,1.7) node {\footnotesize Interface};
+enlargelimits=false,
-\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+xtick={1997,1999,2001,...,2015},
-\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+xmin=1996.5,
+xmax=2016,
-\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+ymax=21,
+ytick={0,5,...,20},
-\draw[white] (1.7,1) node (X) {};
+scaled ticks=false,
-\draw[white] (3.7,1) node (Y) {};
+axis lines=left,
-\draw[red, <->, line width = 2mm] (X) -- (Y);
+width=11cm,
+height=5cm,
-\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+ybar,
-\end{tikzpicture}
+nodes near coords=
+{\footnotesize
+$\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$},
+x tick label style={font=\footnotesize,/pgf/number format/1000 sep={}}]
+\addplot
+table [x=Year,y=Percentage] {../handouts/bufferoverflows.data};
+\end{axis}
+\end{tikzpicture}
 \end{center}
-\begin{itemize}
+from the US National Vulnerability Database\\
-\item the idea is make the attack surface smaller and mitigate the
+\small\url{http://web.nvd.nist.gov/view/vuln/statistics}
-consequences of an attack
-\end{itemize}
+\end{frame}
-\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{D-Link Wifi Router, BOA}
-\mode<presentation>{
+\small
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}
+As a proof-of-concept, the following URL allows
+attackers to control the return value saved on
+the stack (the vulnerability is triggered when
-\begin{itemize}
+executing \pcode{"/usr/sbin/widget"}):
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\begin{center}\footnotesize
-\item \texttt{mkdir foo} is owned by root\medskip
+\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
-\begin{center}
+\end{center}
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-\end{center}\medskip
+The value of the "hash" HTTP GET parameter consists of
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
+292 occurrences of the \pcode{'A'} character, followed by four
-\end{itemize}
+occurrences of character \pcode{'B'}. In our lab setup, characters
+\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip
-\only<5->{
-\begin{textblock}{1}(3,7)
-\begin{tikzpicture}
+\begin{tabular}{@{}ll}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+Discovery date: & 06/03/2013\\
-{\begin{minipage}{8cm}
+Release date:   & 02/08/2013
-Only failure makes us experts.
+\end{tabular}\bigskip
-	-- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
+\footnotesize
-\end{textblock}}
+\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt}
+\end{frame}
-\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{GHOST in Glibc}
+\small The GHOST vulnerability is a buffer overflow condition
+that can be easily exploited locally and remotely. This
+vulnerability is named after the GetHOSTbyname function
+involved in the exploit.\medskip
+The attack allows the attacker to execute arbitrary code and
+take control of the victim’s vulnerable machine.
+Unfortunately, the vulnerability exists in the GNU C Library
+(glibc), a code library originally released in 2000, meaning
+it has been widely distributed. Although an update released by
+Linux in 2013 mitigated this vulnerability, most systems and
+products have not installed the patch.\medskip
+\begin{tabular}{@{}ll}
+Release date: & 01/28/2015
+\end{tabular}\smallskip
+\footnotesize
+\hfill\url{https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability}
+\end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \end{document}

changeset 391	a612dd3ddc81
parent 381	036a762b02cf
child 392	4dff36e2bbc6