sen-material: comparison slides/slides03.tex

equal deleted inserted replaced

-:e8445573c812
+:e6e160c7ea33
 \end{center}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
 \begin{center}
 \begin{tikzpicture}[scale=1]
 \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
 \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
 \end{tikzpicture}
 \end{center}
 \begin{itemize}
-\item the idea is make the attack surface smaller and mitigate the
+\item the idea is make the attack surface smaller and
-consequences of an attack
+mitigate the consequences of an attack
 \item you need an OS that supports different roles (root vs.~users)
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Weaknesses of Unix AC}
-Not just restricted to Unix:
+\begin{itemize}
+\item if you have too many roles (for example too finegrained AC), then
-\begin{itemize}
+hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
-\item if you have too many roles (i.e.~too finegrained AC), then
-hierarchy is too complex\\ \textcolor{gray}{you invite situations
 like\ldots let's be root}\bigskip
 \item you can still abuse the system\ldots
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{A ``Cron''-Attack}
 \begin{enumerate}
 \item attacker \textcolor{gray}{(creates a fake passwd file)}\\
 \texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
 \item root \textcolor{gray}{(does the daily cleaning)}\\
 \texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
+\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\
 \item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
 the real passwd file)}\\
 \texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
 \item root now deletes  the real passwd file
 \end{enumerate}
 \only<2>{
 \begin{textblock}{11}(2,5)
-\begin{bubble}[8cm]
+\begin{tikzpicture}
-\normalsize To prevent this kind of attack, you need additional
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{9.5cm}\raggedright
+To prevent this kind of attack, you need additional
 policies (don't do such operations as root).
-\end{bubble}
+\end{minipage}};
+\end{tikzpicture}
 \end{textblock}}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{\Large Buffer Overflow Attacks}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-\begin{center}
-\begin{tikzpicture}[scale=1]
-\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-\draw (4.7,1) node {Internet};
-\draw (-2.7,1.7) node {\footnotesize Application};
-\draw (0.6,1.7) node {\footnotesize Interface};
-\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-\draw[white] (1.7,1) node (X) {};
-\draw[white] (3.7,1) node (Y) {};
-\draw[red, <->, line width = 2mm] (X) -- (Y);
-\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
-\end{tikzpicture}
-\end{center}
-\begin{itemize}
-\item the idea is make the attack surface smaller and
-mitigate the consequences of an attack
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix}
-\begin{itemize}
-\item access control provided by the OS
-\item authenticate principals (login)
-\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
-\item roles get attached with privileges\bigskip\\%
-\hspace{8mm}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-\alert{The principle of least privilege:}\\
-programs should only have as much privilege as they need
-\end{minipage}};
-\end{tikzpicture}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Process Ownership}
-\begin{itemize}
-\item access control in Unix is very coarse
-\end{itemize}\bigskip\bigskip\bigskip
-\begin{center}
-\begin{tabular}{c}
-root\\
-\hline
-user$_1$ user$_2$ \ldots www, mail, lp
-\end{tabular}
-\end{center}\bigskip\bigskip\bigskip
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-\begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'')
-\item there are 9 (plus 2) bits that specify the permissions of a file
-\begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls - la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\end{tabular}
-\end{center}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Login Process}
-\begin{itemize}
-\item login processes run under UID $=$ 0\medskip
-\begin{center}
-\texttt{ps -axl | grep login}
-\end{center}\medskip
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
-\begin{center}
-\texttt{id cu}
-\end{center}\medskip\pause
-\item non-root users are not allowed to change the UID --- would break
-access control
-\item but needed for example for \texttt{passwd}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Setuid and Setgid}
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
-\begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
-\item This enables users to create processes as root (or another user).\bigskip
-\item Essential for changing passwords, for example.
-\end{itemize}
-\begin{center}
-\texttt{chmod 4755 fobar\_file}
-\end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
-\begin{center}
-\begin{tikzpicture}[scale=1]
-\draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
-\draw (4.7,1) node {Internet};
-\draw (0.6,1.7) node {\footnotesize Slave};
-\draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
-\draw (0.6,1.7) node {\footnotesize Slave};
-\draw (0.6,0.6) node {\footnotesize Slave};
-\draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
-\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-\draw (-2.9,1.7) node {\footnotesize Monitor};
-\draw[white] (1.7,1) node (X) {};
-\draw[white] (3.7,1) node (Y) {};
-\draw[red, <->, line width = 2mm] (X) -- (Y);
-\draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
-\draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
-\end{tikzpicture}
-\end{center}
-\begin{itemize}
-\item pre-authorisation slave
-\item post-authorisation\bigskip
-\item 25\% codebase is privileged, 75\% is unprivileged
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Network Applications}
-ideally network application in Unix should be designed as follows:
-\begin{itemize}
-\item need two distinct processes
-\begin{itemize}
-\item one that listens to the network; has no privilege
-\item one that is privileged and listens to the latter only (but does not trust it)
-\end{itemize}
-\item to implement this you need a parent process, which forks a child process
-\item this child process drops privileges and listens to hostile data\medskip
-\item after authentication the parent forks again and the new child becomes the user
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws\\[-1mm] in Unix\end{tabular}}
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
-\end{itemize}
-\only<5->{
-\begin{textblock}{1}(3,7)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-Only failure makes us experts.
-	-- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes  the real passwd file
-\end{enumerate}
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{9cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\begin{center}
-\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
-one general defence mechanism is\\\alert{\bf defence in depth}
-\end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
 \frametitle{Smash the Stack for Fun\ldots}
 \begin{itemize}
-\item ``smashing the stack attacks'' or\\ ``buffer overflow attacks''\medskip
+\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip
-\item one of the most popular attacks\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
+\item one of the most popular attacks, unfortunately\\
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
+($>$ 50\% of security incidents reported at CERT are related
+to buffer overflows)
+\begin{flushright}
+\small\url{http://www.kb.cert.org/vuls}
 \end{flushright}
 \medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\item made popular in an article from 1996 by Elias Levy
+(also known as Aleph One):\\
 \begin{center}
 {\bf ``Smashing The Stack For Fun and Profit''}
 \end{center}\medskip
 \begin{flushright}
-\small\textcolor{gray}{Issue 49, Article 14}
+\small\url{http://phrack.org/issues/49/14.html}
 \end{flushright}
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{A Float Printed ``Twice''}
+\frametitle{A Long Printed ``Twice''}
+\mbox{}\\[-10mm]
 \footnotesize
-\lstinputlisting[language=C]{../progs/C1.c}
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{``A Login Function'' (1)}
+\mbox{}\\[-10mm]
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{``A Login Function'' (2)}
+\mbox{}\\[-10mm]
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{What the Hell Is Going On?}
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Memory}
 \footnotesize
 \lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c}
 \end{bubble}
 \end{textblock}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Behind the Scenes}
+machine code
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+\begin{center}
+\begin{tikzpicture}[scale=1]
+\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+\draw (4.7,1) node {Internet};
+\draw (-2.7,1.7) node {\footnotesize Application};
+\draw (0.6,1.7) node {\footnotesize Interface};
+\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+\draw[white] (1.7,1) node (X) {};
+\draw[white] (3.7,1) node (Y) {};
+\draw[red, <->, line width = 2mm] (X) -- (Y);
+\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+\end{tikzpicture}
+\end{center}
+\begin{itemize}
+\item the idea is make the attack surface smaller and mitigate the
+consequences of an attack
+\item you need an OS that supports different roles (root vs.~users)
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Weaknesses of Unix AC}
+Not just restricted to Unix:
+\begin{itemize}
+\item if you have too many roles (i.e.~too finegrained AC), then
+hierarchy is too complex\\ \textcolor{gray}{you invite situations
+like\ldots let's be root}\bigskip
+\item you can still abuse the system\ldots
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
+\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes  the real passwd file
+\end{enumerate}
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{bubble}[8cm]
+\normalsize To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{bubble}
+\end{textblock}}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{The Problem}
 \textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
 \item ``zero-days-attacks'' (new unknown vulnerability)
 \end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\begin{center}
-\only<1>{\includegraphics[scale=0.9]{../pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{../pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{../pics/stack3}\;\;}
-\end{center}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix}
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals (login)
+\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
+\item roles get attached with privileges\bigskip\\%
+\hspace{8mm}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+\alert{The principle of least privilege:}\\
+programs should only have as much privilege as they need
+\end{minipage}};
+\end{tikzpicture}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Process Ownership}
+\begin{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'')
+\item there are 9 (plus 2) bits that specify the permissions of a file
+\begin{center}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
+\end{center}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Login Process}
+\begin{itemize}
+\item login processes run under UID $=$ 0\medskip
+\begin{center}
+\texttt{ps -axl | grep login}
+\end{center}\medskip
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
+\item non-root users are not allowed to change the UID --- would break
+access control
+\item but needed for example for \texttt{passwd}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Setuid and Setgid}
+The solution is that unix file permissions are 9 + \underline{2 Bits}:
+\alert{Setuid} and \alert{Setgid} Bits
+\begin{itemize}
+\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
+\item This enables users to create processes as root (or another user).\bigskip
+\item Essential for changing passwords, for example.
+\end{itemize}
+\begin{center}
+\texttt{chmod 4755 fobar\_file}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
+\begin{center}
+\begin{tikzpicture}[scale=1]
+\draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+\draw (4.7,1) node {Internet};
+\draw (0.6,1.7) node {\footnotesize Slave};
+\draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+\draw (0.6,1.7) node {\footnotesize Slave};
+\draw (0.6,0.6) node {\footnotesize Slave};
+\draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
+\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+\draw (-2.9,1.7) node {\footnotesize Monitor};
+\draw[white] (1.7,1) node (X) {};
+\draw[white] (3.7,1) node (Y) {};
+\draw[red, <->, line width = 2mm] (X) -- (Y);
+\draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+\draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+\end{tikzpicture}
+\end{center}
+\begin{itemize}
+\item pre-authorisation slave
+\item post-authorisation\bigskip
+\item 25\% codebase is privileged, 75\% is unprivileged
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Network Applications}
+ideally network application in Unix should be designed as follows:
+\begin{itemize}
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+\end{itemize}
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws\\[-1mm] in Unix\end{tabular}}
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
+\end{itemize}
+\only<5->{
+\begin{textblock}{1}(3,7)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+	-- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \end{document}
 %%% Local Variables:
 %%% mode: latex

changeset 211	e6e160c7ea33
parent 206	0105257429f3
child 216	38718062709a