1 \documentclass[dvipsnames,14pt,t]{beamer} |
|
2 \usepackage{beamerthemeplainculight} |
|
3 \usepackage[T1]{fontenc} |
|
4 \usepackage[latin1]{inputenc} |
|
5 \usepackage{mathpartir} |
|
6 \usepackage[absolute,overlay]{textpos} |
|
7 \usepackage{ifthen} |
|
8 \usepackage{tikz} |
|
9 \usepackage{pgf} |
|
10 \usepackage{calc} |
|
11 \usepackage{ulem} |
|
12 \usepackage{courier} |
|
13 \usepackage{listings} |
|
14 \renewcommand{\uline}[1]{#1} |
|
15 \usetikzlibrary{arrows} |
|
16 \usetikzlibrary{automata} |
|
17 \usetikzlibrary{shapes} |
|
18 \usetikzlibrary{shadows} |
|
19 \usetikzlibrary{positioning} |
|
20 \usetikzlibrary{calc} |
|
21 \usepackage{graphicx} |
|
22 |
|
23 \definecolor{javared}{rgb}{0.6,0,0} % for strings |
|
24 \definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments |
|
25 \definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords |
|
26 \definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc |
|
27 |
|
28 \lstset{language=Java, |
|
29 basicstyle=\ttfamily, |
|
30 keywordstyle=\color{javapurple}\bfseries, |
|
31 stringstyle=\color{javagreen}, |
|
32 commentstyle=\color{javagreen}, |
|
33 morecomment=[s][\color{javadocblue}]{/**}{*/}, |
|
34 numbers=left, |
|
35 numberstyle=\tiny\color{black}, |
|
36 stepnumber=1, |
|
37 numbersep=10pt, |
|
38 tabsize=2, |
|
39 showspaces=false, |
|
40 showstringspaces=false} |
|
41 |
|
42 \lstdefinelanguage{scala}{ |
|
43 morekeywords={abstract,case,catch,class,def,% |
|
44 do,else,extends,false,final,finally,% |
|
45 for,if,implicit,import,match,mixin,% |
|
46 new,null,object,override,package,% |
|
47 private,protected,requires,return,sealed,% |
|
48 super,this,throw,trait,true,try,% |
|
49 type,val,var,while,with,yield}, |
|
50 otherkeywords={=>,<-,<\%,<:,>:,\#,@}, |
|
51 sensitive=true, |
|
52 morecomment=[l]{//}, |
|
53 morecomment=[n]{/*}{*/}, |
|
54 morestring=[b]", |
|
55 morestring=[b]', |
|
56 morestring=[b]""" |
|
57 } |
|
58 |
|
59 \lstset{language=Scala, |
|
60 basicstyle=\ttfamily, |
|
61 keywordstyle=\color{javapurple}\bfseries, |
|
62 stringstyle=\color{javagreen}, |
|
63 commentstyle=\color{javagreen}, |
|
64 morecomment=[s][\color{javadocblue}]{/**}{*/}, |
|
65 numbers=left, |
|
66 numberstyle=\tiny\color{black}, |
|
67 stepnumber=1, |
|
68 numbersep=10pt, |
|
69 tabsize=2, |
|
70 showspaces=false, |
|
71 showstringspaces=false} |
|
72 |
|
73 % beamer stuff |
|
74 \renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012} |
|
75 |
|
76 |
|
77 \begin{document} |
|
78 |
|
79 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
80 \mode<presentation>{ |
|
81 \begin{frame}<1>[t] |
|
82 \frametitle{% |
|
83 \begin{tabular}{@ {}c@ {}} |
|
84 \\ |
|
85 \LARGE Access Control and \\[-3mm] |
|
86 \LARGE Privacy Policies (2)\\[-6mm] |
|
87 \end{tabular}}\bigskip\bigskip\bigskip |
|
88 |
|
89 %\begin{center} |
|
90 %\includegraphics[scale=1.3]{pics/barrier.jpg} |
|
91 %\end{center} |
|
92 |
|
93 \normalsize |
|
94 \begin{center} |
|
95 \begin{tabular}{ll} |
|
96 Email: & christian.urban at kcl.ac.uk\\ |
|
97 Of$\!$fice: & S1.27 (1st floor Strand Building)\\ |
|
98 Slides: & KEATS (the homework is also there) |
|
99 \end{tabular} |
|
100 \end{center} |
|
101 |
|
102 |
|
103 \end{frame}} |
|
104 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
105 |
|
106 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
107 \mode<presentation>{ |
|
108 \begin{frame}[c] |
|
109 \frametitle{\begin{tabular}{c}Homework\end{tabular}} |
|
110 |
|
111 |
|
112 \ldots{} I have a question about the homework.\\[3mm] |
|
113 Is it required to submit the homework before\\ |
|
114 the next lecture?\\[5mm] |
|
115 |
|
116 Thank you!\\ |
|
117 Anonymous |
|
118 |
|
119 \end{frame}} |
|
120 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
121 |
|
122 |
|
123 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
124 \mode<presentation>{ |
|
125 \begin{frame}[c] |
|
126 \frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}} |
|
127 |
|
128 \begin{textblock}{1}(1,3) |
|
129 \begin{tabular}{c} |
|
130 \includegraphics[scale=0.15]{pics/SmartWater} |
|
131 \end{tabular} |
|
132 \end{textblock} |
|
133 |
|
134 |
|
135 \begin{textblock}{8.5}(7,3) |
|
136 \begin{itemize} |
|
137 \item seems helpful for preventing cable theft\medskip |
|
138 \item wouldn't be helpful for making your property safe, because of possible abuse\medskip |
|
139 |
|
140 \item security is always a tradeoff |
|
141 \end{itemize} |
|
142 \end{textblock} |
|
143 |
|
144 \end{frame}} |
|
145 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
146 |
|
147 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
148 \mode<presentation>{ |
|
149 \begin{frame}[c] |
|
150 \frametitle{\begin{tabular}{@ {}c@ {}}Plaintext Passwords from IEEE\end{tabular}} |
|
151 |
|
152 \small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:} |
|
153 |
|
154 |
|
155 \begin{itemize} |
|
156 \item IEEE is a standards organisation (not for profit) |
|
157 \item many standards in CS are by IEEE\medskip |
|
158 \item 100k plain-text passwords were recorded in logs |
|
159 \item the logs were openly accessible on their FTP server |
|
160 \end{itemize}\bigskip |
|
161 |
|
162 \begin{flushright}\small |
|
163 \textcolor{gray}{\url{http://ieeelog.com}} |
|
164 \end{flushright} |
|
165 |
|
166 \only<2>{ |
|
167 \begin{textblock}{11}(3,2) |
|
168 \begin{tikzpicture} |
|
169 \draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] |
|
170 {\normalsize\color{darkgray} |
|
171 \begin{minipage}{7.5cm}\raggedright\small |
|
172 \includegraphics[scale=0.6]{pics/IEEElog.jpg} |
|
173 \end{minipage}}; |
|
174 \end{tikzpicture} |
|
175 \end{textblock}} |
|
176 |
|
177 \end{frame}} |
|
178 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
179 |
|
180 |
|
181 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
182 \mode<presentation>{ |
|
183 \begin{frame}[c] |
|
184 \frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}} |
|
185 |
|
186 \begin{flushright}\small |
|
187 \textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}} |
|
188 \end{flushright} |
|
189 |
|
190 \begin{itemize} |
|
191 \item for online accounts passwords must be 6 digits |
|
192 \item you must cycle through 1M combinations (online)\pause\bigskip |
|
193 |
|
194 \item he limited the attack on his own account to 1 guess per second, \alert{\bf and} |
|
195 \item wrote a script that cleared the cookies set after each guess |
|
196 \end{itemize} |
|
197 |
|
198 |
|
199 |
|
200 \end{frame}} |
|
201 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
202 |
|
203 |
|
204 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
205 \mode<presentation>{ |
|
206 \begin{frame}[c] |
|
207 \frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun\ldots\end{tabular}} |
|
208 |
|
209 \begin{itemize} |
|
210 \item ``smashing the stack attacks'' or ``buffer overflow attacks'' |
|
211 \item one of the most popular attacks\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)\medskip |
|
212 \item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ |
|
213 \begin{center} |
|
214 {\bf ``Smashing The Stack For Fun and Profit''} |
|
215 \end{center}\bigskip |
|
216 |
|
217 \begin{flushright} |
|
218 \small |
|
219 \textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14} |
|
220 \end{flushright} |
|
221 |
|
222 \end{itemize} |
|
223 |
|
224 |
|
225 \end{frame}} |
|
226 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
227 |
|
228 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
229 \mode<presentation>{ |
|
230 \begin{frame}[c] |
|
231 \frametitle{\begin{tabular}{c}The Problem\end{tabular}} |
|
232 |
|
233 \begin{itemize} |
|
234 \item The basic problem is that library routines look as follows: |
|
235 \begin{center} |
|
236 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
237 \texttt{\lstinputlisting{app5.c}}} |
|
238 \end{center} |
|
239 \item the resulting problems are often remotely exploitable |
|
240 \item can be used to circumvent all access control |
|
241 \end{itemize} |
|
242 |
|
243 \end{frame}} |
|
244 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
245 |
|
246 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
247 \mode<presentation>{ |
|
248 \begin{frame}[c] |
|
249 |
|
250 \small |
|
251 \texttt{my\_float} is printed twice:\bigskip |
|
252 |
|
253 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
254 \texttt{\lstinputlisting{C1.c}}} |
|
255 |
|
256 |
|
257 \end{frame}} |
|
258 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
259 |
|
260 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
261 \mode<presentation>{ |
|
262 \begin{frame}[c] |
|
263 |
|
264 \begin{center} |
|
265 \onslide<1->{\includegraphics[scale=0.5]{pics/stack1}\;\;} |
|
266 \onslide<2->{\includegraphics[scale=0.5]{pics/stack2}\;\;} |
|
267 \onslide<3->{\includegraphics[scale=0.5]{pics/stack3}\;\;} |
|
268 \end{center} |
|
269 |
|
270 |
|
271 \end{frame}} |
|
272 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
273 |
|
274 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
275 \mode<presentation>{ |
|
276 \begin{frame}[c] |
|
277 |
|
278 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
279 \texttt{\lstinputlisting{C2.c}}} |
|
280 |
|
281 |
|
282 \end{frame}} |
|
283 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
284 |
|
285 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
286 \mode<presentation>{ |
|
287 \begin{frame}[c] |
|
288 |
|
289 \small |
|
290 A programmer might be careful, but still introduce vulnerabilities:\bigskip |
|
291 |
|
292 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
293 \texttt{\lstinputlisting{C2a.c}}} |
|
294 |
|
295 |
|
296 \end{frame}} |
|
297 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
298 |
|
299 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
300 \mode<presentation>{ |
|
301 \begin{frame}[c] |
|
302 \frametitle{\begin{tabular}{c}Payloads\end{tabular}} |
|
303 |
|
304 \begin{itemize} |
|
305 \item the idea is that you store some code as part of the buffer |
|
306 \item you then overwrite the return address to execute this payload\medskip |
|
307 \item normally you start a root-shell\pause |
|
308 \item the difficulty is to guess the place to ``jump'' to |
|
309 \end{itemize} |
|
310 |
|
311 \end{frame}} |
|
312 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
313 |
|
314 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
315 \mode<presentation>{ |
|
316 \begin{frame}[c] |
|
317 \frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}} |
|
318 |
|
319 \begin{itemize} |
|
320 \item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: |
|
321 |
|
322 \begin{center} |
|
323 \texttt{xorl \%eax, \%eax} |
|
324 \end{center} |
|
325 \end{itemize}\bigskip\bigskip |
|
326 |
|
327 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
328 \texttt{\lstinputlisting{app5.c}}} |
|
329 |
|
330 \end{frame}} |
|
331 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
332 |
|
333 |
|
334 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
335 \mode<presentation>{ |
|
336 \begin{frame}[c] |
|
337 \frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}} |
|
338 |
|
339 \small |
|
340 \texttt{string} is never used:\bigskip |
|
341 |
|
342 {\lstset{language=Java}\fontsize{8}{10}\selectfont% |
|
343 \texttt{\lstinputlisting{C6.c}}}\bigskip |
|
344 |
|
345 this vulnerability can be used to read out the stack |
|
346 |
|
347 \end{frame}} |
|
348 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
349 |
|
350 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
351 \mode<presentation>{ |
|
352 \begin{frame}[c] |
|
353 \frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}} |
|
354 |
|
355 \begin{itemize} |
|
356 \item use safe library functions |
|
357 \item ensure stack data is not executable (can be defeated) |
|
358 \item address space randomisation (makes one-size-fits-all attacks more difficult) |
|
359 \item choice of programming language (one of the selling points of Java) |
|
360 |
|
361 \end{itemize} |
|
362 |
|
363 \end{frame}} |
|
364 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
365 |
|
366 |
|
367 \end{document} |
|
368 |
|
369 %%% Local Variables: |
|
370 %%% mode: latex |
|
371 %%% TeX-master: t |
|
372 %%% End: |
|
373 |