190 \begin{itemize} |
190 \begin{itemize} |
191 \item for online accounts passwords must be 6 digits |
191 \item for online accounts passwords must be 6 digits |
192 \item you must cycle through 1M combinations (online)\pause\bigskip |
192 \item you must cycle through 1M combinations (online)\pause\bigskip |
193 |
193 |
194 \item he limited the attack on his own account to 1 guess per second, \alert{\bf and} |
194 \item he limited the attack on his own account to 1 guess per second, \alert{\bf and} |
195 \item wrote a script that cleared the cookies set after each guess |
195 \item wrote a script that cleared the cookie set after each guess\pause |
196 \end{itemize} |
196 \item has been fixed now |
197 |
197 \end{itemize} |
198 |
198 |
199 |
199 |
200 \end{frame}} |
200 |
201 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
201 \end{frame}} |
202 |
202 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
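Review bot: "\item has been fixed now" at new line 196 does not say what was fixed, so the slide ends without its lesson. The items above it describe throttling to 1 guess per second and a script clearing the cookie set after each guess; state the fix in those terms, for example whether guesses are now counted per account on the server rather than through state the client can delete. The item also has no subject; something like "the site has since fixed this" reads better next to "he limited the attack" in line 194.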
203 |
203 |
204 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
204 |
205 \mode<presentation>{ |
205 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
206 \begin{frame}[c] |
206 \mode<presentation>{ |
207 \frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun\ldots\end{tabular}} |
207 \begin{frame}[c] |
|
208 \frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}} |
208 |
209 |
209 \begin{itemize} |
210 \begin{itemize} |
210 \item ``smashing the stack attacks'' or ``buffer overflow attacks'' |
211 \item ``smashing the stack attacks'' or ``buffer overflow attacks'' |
211 \item one of the most popular attacks\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)\medskip |
212 \item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows) |
|
213 \begin{flushright}\small |
|
214 \textcolor{gray}{\url{http://www.kb.cert.org/vuls}} |
|
215 \end{flushright} |
|
216 \medskip |
212 \item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ |
217 \item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ |
213 \begin{center} |
218 \begin{center} |
214 {\bf ``Smashing The Stack For Fun and Profit''} |
219 {\bf ``Smashing The Stack For Fun and Profit''} |
215 \end{center}\bigskip |
220 \end{center}\medskip |
216 |
221 |
217 \begin{flushright} |
222 \begin{flushright} |
218 \small |
223 \small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14} |
219 \textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14} |
|
220 \end{flushright} |
224 \end{flushright} |
221 |
225 |
222 \end{itemize} |
226 \end{itemize} |
223 |
227 |
224 |
228 |
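Review bot: the citation added at new line 214 points at the front of the vulnerability notes database, so a reader cannot check the "$>$ 50\% of security incidents" figure in line 212 against it. Link the specific report or state the period the figure covers. The phrase "attack of the (last) decade" added in the same item has the same problem: give the years, otherwise it goes stale as the slides age.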
229 \mode<presentation>{ |
233 \mode<presentation>{ |
230 \begin{frame}[c] |
234 \begin{frame}[c] |
231 \frametitle{\begin{tabular}{c}The Problem\end{tabular}} |
235 \frametitle{\begin{tabular}{c}The Problem\end{tabular}} |
232 |
236 |
233 \begin{itemize} |
237 \begin{itemize} |
234 \item The basic problem is that library routines look as follows: |
238 \item The basic problem is that library routines in C look as follows: |
235 \begin{center} |
239 \begin{center} |
236 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
240 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
237 \texttt{\lstinputlisting{app5.c}}} |
241 \texttt{\lstinputlisting{app5.c}}} |
238 \end{center} |
242 \end{center} |
239 \item the resulting problems are often remotely exploitable |
243 \item the resulting problems are often remotely exploitable |
240 \item can be used to circumvents all access control |
244 \item can be used to circumvents all access control |
241 \end{itemize} |
245 (botnets for further attacks) |
242 |
246 \end{itemize} |
243 \end{frame}} |
247 |
244 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
248 \end{frame}} |
|
249 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
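Review bot: line 238 now says the routines are "in C", but the listing two lines below still sets "\lstset{language=Java}" for app5.c, so the code is highlighted with Java keywords; switch it to language=C while this frame is being touched. The new line 245 "(botnets for further attacks)" is appended to the previous \item with no line break or punctuation, so it renders as "...all access control (botnets for further attacks)"; add "\\" or fold it into the sentence, and fix "circumvents" to "circumvent" in line 244 at the same time.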
|
250 |
|
251 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
252 \mode<presentation>{ |
|
253 \begin{frame}[c] |
|
254 \frametitle{\begin{tabular}{c}Variants\end{tabular}} |
|
255 |
|
256 There are many variants: |
|
257 |
|
258 \begin{itemize} |
|
259 \item return-to-lib-C attacks |
|
260 \item heap-smashing attacks\\ |
|
261 \textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip |
|
262 |
|
263 \item ``zero-days-attacks'' (new unknown vulnerability) |
|
264 \end{itemize} |
|
265 |
|
266 \end{frame}} |
|
267 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
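Review bot: the Slammer parenthetical at line 261 is attached with "\\" to the "heap-smashing attacks" item at line 260, so the slide presents Slammer as a heap-smashing example; confirm that classification, or move the remark up to the "There are many variants:" line if it is only meant to show how fast overflow-based worms spread. Wording: "zero-days-attacks" at line 263 should be "zero-day attacks", and "return-to-lib-C" at line 259 is normally written "return-to-libc". A zero-day is also a property of disclosure rather than an overflow variant, so it may fit better as a separate remark below the list.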
|
268 |
|
269 |
245 |
270 |
246 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
271 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
247 \mode<presentation>{ |
272 \mode<presentation>{ |
248 \begin{frame}[c] |
273 \begin{frame}[c] |
249 |
274 |
364 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
389 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
365 |
390 |
366 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
391 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
367 \mode<presentation>{ |
392 \mode<presentation>{ |
368 \begin{frame}[c] |
393 \begin{frame}[c] |
|
394 \frametitle{\begin{tabular}{c}Security Goals\end{tabular}} |
|
395 |
|
396 \begin{itemize} |
|
397 \item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause |
|
398 \item Recover from attacks (traceability and auditing of security-relevant actions)\pause |
|
399 \item Monitoring (detect attacks)\pause |
|
400 \item Privacy, confidentiality, anonymity (to protect secrets)\pause |
|
401 \item Authenticity (eeded for access control)\pause |
|
402 \item Integrity (prevent unwanted modification or tampering)\pause |
|
403 \item Availability and reliability (reduce the risk of DoS attacks) |
|
404 \end{itemize} |
|
405 |
|
406 \end{frame}} |
|
407 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
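Review bot: typo in line 401, "Authenticity (eeded for access control)" should read "needed for access control". The items also mix forms: lines 397 and 398 are imperatives ("Prevent ...", "Recover ...") while lines 399 to 403 are nouns ("Monitoring", "Integrity"); pick one form so the list reads as a set of goals. With a \pause after every item except the last, the frame builds over seven overlays, so check that this pacing is intended.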
|
408 |
|
409 |
|
410 |
|
411 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
412 \mode<presentation>{ |
|
413 \begin{frame}[c] |
369 \frametitle{\begin{tabular}{c}Homework\end{tabular}} |
414 \frametitle{\begin{tabular}{c}Homework\end{tabular}} |
370 |
415 |
371 \begin{itemize} |
416 \begin{itemize} |
372 \item Assume format string attacks allow you to read out the stack. What can you do |
417 \item Assume format string attacks allow you to read out the stack. What can you do |
373 with this information.\bigskip |
418 with this information.\bigskip |