779 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

   780 \mode<presentation>{

   781 \begin{frame}[c]

   782 \frametitle{Unix-Style Access Control}

   783 

   784 How to do access control? In Unix you have

   785 

   786 \begin{itemize}

   787 \item you have users and you have groups/roles:

   788 

   789 \item some special roles: root

   790 \end{itemize}

   791 

   792   

   793 \end{frame}}

   794 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

   795 

   796 

   797 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

   798 \mode<presentation>{

   799 \begin{frame}[c]

   800 \frametitle{Unix-Style Access Control}

   801 

   802 \begin{itemize}

   803 \item Q: ``I am using Windows. Why should I care?'' \\ A: In Windows you have similar AC:

   804 

   805 \begin{center}

   806 \begin{tabular}{l}

   807 administrators group\\ 

   808 \hspace{5mm}(has complete control over the machine)\\

   809 authenticated users\\

   810 server operators\\

   811 power users\\

   812 network configuration operators\\

   813 \end{tabular}

   814 \end{center}\medskip

   815 

   816 \item Modern versions of Windows have more fine-grained AC than Unix; they do not have a setuid bit, but

   817 have \texttt{runas} (asks for a password).\pause

   818 

   819 \item OS-provided access control can \alert{\bf add} to your

   820 security.

   821 \end{itemize}

   822 

   823   

   824 \end{frame}}

   825 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

   826 

   827 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

   828 \mode<presentation>{

   829 \begin{frame}[c]

   830 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}

   831 

   832 

   833 \begin{center}

   834   \begin{tikzpicture}[scale=1]

   835   

   836   \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);

   837   \draw (4.7,1) node {Internet};

   838   \draw (-2.7,1.7) node {\footnotesize Application};

   839   \draw (0.6,1.7) node {\footnotesize Interface};

   840   \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};

   841   \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

   842   

   843   \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

   844 

   845   \draw[white] (1.7,1) node (X) {};

   846   \draw[white] (3.7,1) node (Y) {};

   847   \draw[red, <->, line width = 2mm] (X) -- (Y);

   848  

   849   \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);

   850   \end{tikzpicture}

   851 \end{center}

   852 

   853 \begin{itemize}

   854 \item the idea is make the attack surface smaller and 

   855 mitigate the consequences of an attack

   856 \end{itemize}

   857 

   858 

   859 \end{frame}}

   860 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

   861 

   862 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

   863 \mode<presentation>{

   864 \begin{frame}[c]

   865 \frametitle{Lessons from Access Control}

   866 

   867 Not just restricted to Unix:

   868 

   869 \begin{itemize}

   870 \item if you have too many roles (i.e.~too finegrained AC), then 

   871 	hierarchy is too complex\\

   872 	\textcolor{gray}{you invite situations like\ldots let's be root}\bigskip

   873 

   874 \item you can still abuse the system\ldots

   875 

   876 \end{itemize}

   877 

   878 \end{frame}}

   879 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

   880 

   881 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

   882 \mode<presentation>{

   883 \begin{frame}[c]

   884 \frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}

   885 

   886 The idea is to trick a privileged person to do something on your behalf:

   887 

   888 \begin{itemize}

   889 \item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause

   890 

   891 \footnotesize

   892 \begin{minipage}{1.1\textwidth}

   893 \textcolor{gray}{the shell behind the scenes:}\\

   894 \textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\

   895 

   896 \textcolor{gray}{this takes time}

   897 \end{minipage}

   898 \end{itemize}

   899 

   900 

   901 \end{frame}}

   902 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

   903 

   904 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

   905 \mode<presentation>{

   906 \begin{frame}[c]

   907 \frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}

   908 

   909 \begin{enumerate}

   910 \item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 

   911 \texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip

   912 \item root \textcolor{gray}{(does the daily cleaning)}\\

   913 \texttt{rm /tmp/*/*}\medskip\\

   914 \hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ 

   915 \hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\

   916 

   917 \item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 

   918 the real passwd file)}\\

   919 \texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\

   920 \item root now deletes  the real passwd file

   921 \end{enumerate}

   922 

   923 \only<2>{

   924 \begin{textblock}{11}(2,5)

   925 \begin{tikzpicture}

   926 \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 

   927 {\normalsize\color{darkgray}

   928 \begin{minipage}{9cm}\raggedright

   929 To prevent this kind of attack, you need additional

   930 policies (don't do such operations as root).

   931 \end{minipage}};

   932 \end{tikzpicture}

   933 \end{textblock}}

   934 

   935 \end{frame}}

   936 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%