--- a/slides/slides03.tex Tue Oct 07 01:43:46 2014 +0100
+++ b/slides/slides03.tex Tue Oct 07 02:10:22 2014 +0100
@@ -432,8 +432,10 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overflow.c}
+\mbox{}\\[-10mm]
-\lstinputlisting[language=C,numbers=none]{../progs/overflow.c}
+\small
+\lstinputlisting[language=C,xleftmargin=-4mm,numbers=none]{../progs/overflow.c}
\end{frame}
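Review bot: The bare `\small` added before the listing is a font declaration scoped to the rest of the frame, not to the listing, so anything later placed after the code in this frame would silently shrink too; the listings key does the same thing with the scope made explicit, `\lstinputlisting[language=C,numbers=none,basicstyle=\small\ttfamily,xleftmargin=-4mm]{../progs/overflow.c}`. The `\mbox{}\\[-10mm]` kick and the negative `xleftmargin` are absolute lengths tuned so that overflow.c fits this one frame, and a `\\` at the top of body text is the kind of manual spacing that breaks quietly when the listed file or the theme margins change; if they stay, a one-line comment such as `% pull overflow.c up and left so it fits on one frame` would tell the next editor why they exist. The hunk header counts more lines than are shown, so some surrounding context may have been dropped from the page.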
@@ -518,285 +520,8 @@
\begin{itemize}
\item the idea is make the attack surface smaller and mitigate the
consequences of an attack
-\item you need an OS that supports different roles (root vs.~users)
\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Weaknesses of Unix AC}
-
-Not just restricted to Unix:
-
-\begin{itemize}
-\item if you have too many roles (i.e.~too finegrained AC), then
- hierarchy is too complex\\ \textcolor{gray}{you invite situations
- like\ldots let's be root}\bigskip
-
-\item you can still abuse the system\ldots
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
-
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes the real passwd file
-\end{enumerate}
-
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{bubble}[8cm]
-\normalsize To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{bubble}
-\end{textblock}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{The Problem}
-
-\begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\end{itemize}
-
-\begin{center}
-\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c}
-\end{center}
-
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Security Goals}
-
-\begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (needed for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Homework}
-
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
- with this information?\bigskip
-
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-
\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix}
-
-\begin{itemize}
-\item access control provided by the OS
-\item authenticate principals (login)
-\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
-\item roles get attached with privileges\bigskip\\%
-\hspace{8mm}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-\alert{The principle of least privilege:}\\
-programs should only have as much privilege as they need
-\end{minipage}};
-\end{tikzpicture}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Process Ownership}
-
-\begin{itemize}
-\item access control in Unix is very coarse
-\end{itemize}\bigskip\bigskip\bigskip
-
-\begin{center}
-\begin{tabular}{c}
-root\\
-\hline
-
-user$_1$ user$_2$ \ldots www, mail, lp
-\end{tabular}
-\end{center}\bigskip\bigskip\bigskip
-
-
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-
-
-\begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'')
-\item there are 9 (plus 2) bits that specify the permissions of a file
-
-\begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls - la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\end{tabular}
-\end{center}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Login Process}
-
-
-\begin{itemize}
-\item login processes run under UID $=$ 0\medskip
-\begin{center}
-\texttt{ps -axl | grep login}
-\end{center}\medskip
-
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
-\begin{center}
-\texttt{id cu}
-\end{center}\medskip\pause
-
-\item non-root users are not allowed to change the UID --- would break
-access control
-\item but needed for example for \texttt{passwd}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Setuid and Setgid}
-
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
-
-\begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
-\item This enables users to create processes as root (or another user).\bigskip
-
-\item Essential for changing passwords, for example.
-\end{itemize}
-
-\begin{center}
-\texttt{chmod 4755 fobar\_file}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
- \draw (4.7,1) node {Internet};
- \draw (0.6,1.7) node {\footnotesize Slave};
- \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
- \draw (0.6,1.7) node {\footnotesize Slave};
- \draw (0.6,0.6) node {\footnotesize Slave};
- \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
- \draw (-2.9,1.7) node {\footnotesize Monitor};
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
- \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
-
- \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item pre-authorisation slave
-\item post-authorisation\bigskip
-\item 25\% codebase is privileged, 75\% is unprivileged
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Network Applications}
-
-ideally network application in Unix should be designed as follows:
-
-\begin{itemize}
-\item need two distinct processes
-\begin{itemize}
-\item one that listens to the network; has no privilege
-\item one that is privileged and listens to the latter only (but does not trust it)
-
-\end{itemize}
-
-\item to implement this you need a parent process, which forks a child process
-\item this child process drops privileges and listens to hostile data\medskip
-
-\item after authentication the parent forks again and the new child becomes the user
-\end{itemize}
-
-
-\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -827,8 +552,6 @@
\end{tikzpicture}
\end{textblock}}
-
-
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%