|
% Beamer slide deck: 14pt base size, frames top-aligned ([t]); dvipsnames is
% passed through to xcolor for its named colours.
\documentclass[dvipsnames,14pt,t]{beamer}
% Local (non-standard) theme; presumably the one that defines \slidecaption,
% which is renewed further down -- confirm in the theme file.
\usepackage{beamerthemeplainculight}
\usepackage[T1]{fontenc}
% Source encoding declared as Latin-1.  The visible file is ASCII-only, so this
% only matters once non-ASCII text is added (utf8 would be the modern choice).
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}                 % inference-rule typesetting; not used in the visible frames
% textpos provides the absolutely positioned \textblock overlays used on the
% SmartWater and IEEE frames.
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}                     % not used in the visible frames
\usepackage{tikz}
\usepackage{pgf}                        % already loaded by tikz; harmless but redundant
\usepackage{calc}                       % LaTeX length arithmetic (distinct from the TikZ 'calc' library below)
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings}
% Neutralise ulem's \uline: the argument is typeset unchanged, without underlining.
\renewcommand{\uline}[1]{#1}
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx}
|
22 |
|
% Colour palette for the listings configuration further down.
\definecolor{javared}{rgb}{0.6,0,0} % for strings -- NOTE(review): not referenced by either \lstset below, which colour strings with javagreen
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments (and, as configured below, strings as well)
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
|
27 |
|
% Global listings defaults with Java as the language.
% NOTE(review): the \lstset for Scala further down repeats every key given here
% and resets the language, so these global settings are superseded; the frames
% re-select language=Java locally (inside a group) when including the C sources
% (app5.c, C1.c, C2.c, C2a.c, programs/C4.c).  listings also ships a built-in
% language=C, which would match those files better than the Java lexer.
% Strings and comments are both coloured javagreen, so they are not
% distinguishable in the rendered listings.
\lstset{language=Java,
basicstyle=\ttfamily,
keywordstyle=\color{javapurple}\bfseries,
stringstyle=\color{javagreen},
commentstyle=\color{javagreen},
morecomment=[s][\color{javadocblue}]{/**}{*/},
numbers=left,
numberstyle=\tiny\color{black},
stepnumber=1,
numbersep=10pt,
tabsize=2,
showspaces=false,
showstringspaces=false}
|
41 |
|
% Scala language definition for listings (not shipped with the package).
% Keyword matching is case-sensitive (sensitive=true); otherkeywords adds the
% symbolic keywords that contain non-letter characters.  Comment and string
% delimiters are given in the order listed; listings applies them in that
% order, so keep the single and triple quote definitions as they are.
\lstdefinelanguage{scala}{
morekeywords={abstract,case,catch,class,def,%
do,else,extends,false,final,finally,%
for,if,implicit,import,match,mixin,%
new,null,object,override,package,%
private,protected,requires,return,sealed,%
super,this,throw,trait,true,try,%
type,val,var,while,with,yield},
otherkeywords={=>,<-,<\%,<:,>:,\#,@},
sensitive=true,
morecomment=[l]{//},
morecomment=[n]{/*}{*/},
morestring=[b]",
morestring=[b]',
morestring=[b]"""
}
|
58 |
|
% Presentation settings shared by every listing, kept as a named style so the
% global \lstset below only has to choose the language.  Keys are identical to
% the inline settings used before: typewriter body, bold purple keywords, green
% strings and comments, blue javadoc-style block comments, tiny left-hand line
% numbers on every line, 2-column tabs, no visible spaces.
\lstdefinestyle{slidecode}{%
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  tabsize=2,
  showspaces=false,
  showstringspaces=false}
% Scala (defined with \lstdefinelanguage above) becomes the global default; the
% language is set first so that the style's morecomment is applied on top of it.
\lstset{language=Scala, style=slidecode}
|
72 |
|
% beamer stuff
% Caption shown on every slide.  \slidecaption is not a standard beamer macro;
% presumably it is defined by the plainculight theme loaded above -- confirm there.
\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
|
75 |
|
76 |
|
77 \begin{document} |
|
78 |
|
79 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
80 \mode<presentation>{ |
|
81 \begin{frame}<1>[t] |
|
82 \frametitle{% |
|
83 \begin{tabular}{@ {}c@ {}} |
|
84 \\ |
|
85 \LARGE Access Control and \\[-3mm] |
|
86 \LARGE Privacy Policies (2)\\[-6mm] |
|
87 \end{tabular}}\bigskip\bigskip\bigskip |
|
88 |
|
89 %\begin{center} |
|
90 %\includegraphics[scale=1.3]{pics/barrier.jpg} |
|
91 %\end{center} |
|
92 |
|
93 \normalsize |
|
94 \begin{center} |
|
95 \begin{tabular}{ll} |
|
96 Email: & christian.urban at kcl.ac.uk\\ |
|
Of{}fice: & S1.27 (1st floor Strand Building)\\
|
Slides: & KEATS (the homework is also there)
|
99 \end{tabular} |
|
100 \end{center} |
|
101 |
|
102 |
|
103 \end{frame}} |
|
104 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
105 |
|
106 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
107 \mode<presentation>{ |
|
108 \begin{frame}[c] |
|
109 \frametitle{\begin{tabular}{c}Homework\end{tabular}} |
|
110 |
|
111 |
|
112 \ldots{} I have a question about the homework.\\[3mm] |
|
113 Is it required to submit the homework before\\ |
|
114 the next lecture?\\[5mm] |
|
115 |
|
116 Thank you!\\ |
|
117 Anonymous |
|
118 |
|
119 \end{frame}} |
|
120 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
121 |
|
122 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
123 \mode<presentation>{ |
|
124 \begin{frame}[c] |
|
125 |
|
126 \begin{center} |
|
127 \begin{tabular}[t]{c} |
|
128 \includegraphics[scale=1.2]{pics/barrier.jpg}\\ |
|
129 future lectures |
|
130 \end{tabular}\;\;\; |
|
131 \onslide<2>{ |
|
132 \begin{tabular}[t]{c} |
|
133 \includegraphics[scale=0.32]{pics/trainwreck.jpg}\\ |
|
134 today |
|
135 \end{tabular} |
|
136 } |
|
137 \end{center} |
|
138 |
|
139 |
|
140 \end{frame}} |
|
141 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
142 |
|
143 |
|
144 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
145 \mode<presentation>{ |
|
146 \begin{frame}[c] |
|
147 \frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}} |
|
148 |
|
149 \begin{textblock}{1}(1,3) |
|
150 \begin{tabular}{c} |
|
151 \includegraphics[scale=0.15]{pics/SmartWater} |
|
152 \end{tabular} |
|
153 \end{textblock} |
|
154 |
|
155 |
|
156 \begin{textblock}{8.5}(7,3) |
|
157 \begin{itemize} |
|
158 \item seems helpful for preventing cable theft\medskip |
|
\item would not be helpful for making your own property safe, because of possible abuse\medskip
|
160 |
|
161 \item security is always a tradeoff |
|
162 \end{itemize} |
|
163 \end{textblock} |
|
164 |
|
165 \end{frame}} |
|
166 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
167 |
|
168 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
169 \mode<presentation>{ |
|
170 \begin{frame}[c] |
|
171 \frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}} |
|
172 |
|
\small\textcolor{gray}{On 25 September 2012, a report was published on a data breach at IEEE:}
|
174 |
|
175 |
|
176 \begin{itemize} |
|
177 \item IEEE is a standards organisation (not-for-profit) |
|
178 \item many standards in CS are by IEEE\medskip |
|
179 \item 100k plain-text passwords were recorded in logs |
|
180 \item the logs were openly accessible on their FTP server |
|
181 \end{itemize}\bigskip |
|
182 |
|
183 \begin{flushright}\small |
|
184 \textcolor{gray}{\url{http://ieeelog.com}} |
|
185 \end{flushright} |
|
186 |
|
187 \only<2>{ |
|
188 \begin{textblock}{11}(3,2) |
|
189 \begin{tikzpicture} |
|
190 \draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] |
|
191 {\normalsize\color{darkgray} |
|
192 \begin{minipage}{7.5cm}\raggedright\small |
|
193 \includegraphics[scale=0.6]{pics/IEEElog.jpg} |
|
194 \end{minipage}}; |
|
195 \end{tikzpicture} |
|
196 \end{textblock}} |
|
197 |
|
198 \end{frame}} |
|
199 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
200 |
|
201 |
|
202 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
203 \mode<presentation>{ |
|
204 \begin{frame}[c] |
|
205 \frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}} |
|
206 |
|
207 \begin{flushright}\small |
|
208 \textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}} |
|
209 \end{flushright} |
|
210 |
|
211 \begin{itemize} |
|
\item for online accounts, passwords must be 6 digits
|
\item an attacker needs to cycle through at most 1M combinations (online)\pause\bigskip
|
214 |
|
\item the researcher limited the attack on his own account to 1 guess per second, \alert{\textbf{and}}
|
\item wrote a script that cleared the cookie that is set after each guess\pause
|
217 \item has been fixed now |
|
218 \end{itemize} |
|
219 |
|
220 |
|
221 |
|
222 \end{frame}} |
|
223 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
224 |
|
225 |
|
226 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
227 \mode<presentation>{ |
|
228 \begin{frame}[c] |
|
229 \frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}} |
|
230 |
|
231 \begin{itemize} |
|
232 \item ``smashing the stack attacks'' or ``buffer overflow attacks'' |
|
233 \item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows) |
|
234 \begin{flushright}\small |
|
235 \textcolor{gray}{\url{http://www.kb.cert.org/vuls}} |
|
236 \end{flushright} |
|
237 \medskip |
|
238 \item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ |
|
239 \begin{center} |
|
\textbf{``Smashing The Stack For Fun and Profit''}
|
241 \end{center}\medskip |
|
242 |
|
243 \begin{flushright} |
|
244 \small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14} |
|
245 \end{flushright} |
|
246 |
|
247 \end{itemize} |
|
248 |
|
249 |
|
250 \end{frame}} |
|
251 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
252 |
|
253 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
254 \mode<presentation>{ |
|
255 \begin{frame}[c] |
|
256 \frametitle{\begin{tabular}{c}The Problem\end{tabular}} |
|
257 |
|
258 \begin{itemize} |
|
259 \item The basic problem is that library routines in C look as follows: |
|
260 \begin{center} |
|
261 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
262 \texttt{\lstinputlisting{app5.c}}} |
|
263 \end{center} |
|
264 \item the resulting problems are often remotely exploitable |
|
\item can be used to circumvent all access control
|
266 (botnets for further attacks) |
|
267 \end{itemize} |
|
268 |
|
269 \end{frame}} |
|
270 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
271 |
|
272 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
273 \mode<presentation>{ |
|
274 \begin{frame}[c] |
|
275 \frametitle{\begin{tabular}{c}Variants\end{tabular}} |
|
276 |
|
277 There are many variants: |
|
278 |
|
279 \begin{itemize} |
|
280 \item return-to-lib-C attacks |
|
281 \item heap-smashing attacks\\ |
|
282 \textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip |
|
283 |
|
\item ``zero-day attacks'' (a new, not yet publicly known vulnerability)
|
285 \end{itemize} |
|
286 |
|
287 \end{frame}} |
|
288 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
289 |
|
290 |
|
291 |
|
292 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
293 \mode<presentation>{ |
|
294 \begin{frame}[c] |
|
295 |
|
296 \small |
|
297 \texttt{my\_float} is printed twice:\bigskip |
|
298 |
|
299 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
300 \texttt{\lstinputlisting{C1.c}}} |
|
301 |
|
302 |
|
303 \end{frame}} |
|
304 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
305 |
|
306 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
307 \mode<presentation>{ |
|
308 \begin{frame}[c] |
|
309 |
|
310 \begin{center} |
|
311 \only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;} |
|
312 \only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;} |
|
313 \only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;} |
|
314 \end{center} |
|
315 |
|
316 |
|
317 \end{frame}} |
|
318 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
319 |
|
320 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
321 \mode<presentation>{ |
|
322 \begin{frame}[c] |
|
323 |
|
324 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
325 \texttt{\lstinputlisting{C2.c}}} |
|
326 |
|
327 |
|
328 \end{frame}} |
|
329 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
330 |
|
331 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
332 \mode<presentation>{ |
|
333 \begin{frame}[c] |
|
334 |
|
335 \small |
|
336 A programmer might be careful, but still introduce vulnerabilities:\bigskip |
|
337 |
|
338 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
339 \texttt{\lstinputlisting{C2a.c}}} |
|
340 |
|
341 |
|
342 \end{frame}} |
|
343 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
344 |
|
345 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
346 \mode<presentation>{ |
|
347 \begin{frame}[c] |
|
348 \frametitle{\begin{tabular}{c}Payloads\end{tabular}} |
|
349 |
|
350 \begin{itemize} |
|
\item the idea is that you store some code as part of the buffer
|
\item you then overwrite the return address so that this payload gets executed\medskip
|
\item normally the payload starts a root shell\pause
|
\item the difficulty is to guess the right address to ``jump'' to
|
355 \end{itemize} |
|
356 |
|
357 \end{frame}} |
|
358 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
359 |
|
360 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
361 \mode<presentation>{ |
|
362 \begin{frame}[c] |
|
363 \frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}} |
|
364 |
|
365 \begin{itemize} |
|
\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00} (the C string terminator); for example, to zero a register one writes:
|
367 |
|
368 \begin{center} |
|
369 \texttt{xorl \%eax, \%eax} |
|
370 \end{center} |
|
371 \end{itemize}\bigskip\bigskip |
|
372 |
|
373 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
374 \texttt{\lstinputlisting{app5.c}}} |
|
375 |
|
376 \end{frame}} |
|
377 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
378 |
|
379 |
|
380 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
381 \mode<presentation>{ |
|
382 \begin{frame}[c] |
|
383 \frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}} |
|
384 |
|
385 \small |
|
\texttt{string} is never used:\bigskip
|
387 |
|
388 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
389 \texttt{\lstinputlisting{programs/C4.c}}}\bigskip |
|
390 |
|
391 this vulnerability can be used to read out the stack |
|
392 |
|
393 \end{frame}} |
|
394 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
395 |
|
396 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
397 \mode<presentation>{ |
|
398 \begin{frame}[c] |
|
399 \frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}} |
|
400 |
|
401 \begin{itemize} |
|
402 \item use safe library functions |
|
403 \item ensure stack data is not executable (can be defeated) |
|
\item address space randomisation (makes one-size-fits-all attacks more difficult)
|
405 \item choice of programming language (one of the selling points of Java) |
|
406 |
|
407 \end{itemize} |
|
408 |
|
409 \end{frame}} |
|
410 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
411 |
|
412 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
413 \mode<presentation>{ |
|
414 \begin{frame}[c] |
|
415 \frametitle{\begin{tabular}{c}Security Goals\end{tabular}} |
|
416 |
|
417 \begin{itemize} |
|
\item Prevent common vulnerabilities from occurring (e.g.\ buffer overflows)\pause
|
419 \item Recover from attacks (traceability and auditing of security-relevant actions)\pause |
|
420 \item Monitoring (detect attacks)\pause |
|
421 \item Privacy, confidentiality, anonymity (to protect secrets)\pause |
|
422 \item Authenticity (needed for access control)\pause |
|
423 \item Integrity (prevent unwanted modification or tampering)\pause |
|
424 \item Availability and reliability (reduce the risk of DoS attacks) |
|
425 \end{itemize} |
|
426 |
|
427 \end{frame}} |
|
428 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
429 |
|
430 |
|
431 |
|
432 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
433 \mode<presentation>{ |
|
434 \begin{frame}[c] |
|
435 \frametitle{\begin{tabular}{c}Homework\end{tabular}} |
|
436 |
|
437 \begin{itemize} |
|
438 \item Assume format string attacks allow you to read out the stack. What can you do |
|
439 with this information?\bigskip |
|
440 |
|
441 \item Assume you can crash a program remotely. Why is this a problem? |
|
442 \end{itemize} |
|
443 |
|
444 \end{frame}} |
|
445 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
446 |
|
447 |
|
448 \end{document} |
|
449 |
|
450 %%% Local Variables: |
|
451 %%% mode: latex |
|
452 %%% TeX-master: t |
|
453 %%% End: |
|
454 |