slides/slides03.tex
changeset 391 a612dd3ddc81
parent 381 036a762b02cf
child 392 4dff36e2bbc6
--- a/slides/slides03.tex	Sat Oct 03 20:31:57 2015 +0100
+++ b/slides/slides03.tex	Mon Oct 05 05:20:07 2015 +0100
@@ -34,112 +34,6 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
-\begin{center}
-  \begin{tikzpicture}[scale=1]
-  
-  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-  \draw (4.7,1) node {Internet};
-  \draw (-2.7,1.7) node {\footnotesize Application};
-  \draw (0.6,1.7) node {\footnotesize Interface};
-  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-  
-  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-
-  \draw[white] (1.7,1) node (X) {};
-  \draw[white] (3.7,1) node (Y) {};
-  \draw[red, <->, line width = 2mm] (X) -- (Y);
- 
-  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
-  \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item the idea is make the attack surface smaller and 
-mitigate the consequences of an attack
-\item you need an OS that supports different roles (root vs.~users)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Weaknesses of Unix AC}
-
-\begin{itemize}
-\item if you have too many roles (for example too finegrained AC), then
-  hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
-    like\ldots let's be root}\bigskip
-
-\item you can still abuse the system\ldots
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-The idea is to trick a privileged person to do something on your
-behalf:
-
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-
-\small
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\ 
-\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\
-
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes  the real passwd file
-\end{enumerate}
-
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\normalsize\color{darkgray}
-\begin{minipage}{9.5cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{\Large Buffer Overflow Attacks}
@@ -148,10 +42,10 @@
 \begin{columns}[b]
 \begin{column}{.4\textwidth}
 \centering
-\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
+\includegraphics[scale=0.3]{../pics/barrier.jpg}\\
 lectures so far
 \end{column}
-\begin{column}<2>{.4\textwidth}
+\begin{column}{.4\textwidth}
 \centering
 \includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
 today
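Review bot: The new `\includegraphics[scale=0.3]{../pics/barrier.jpg}` sizes the image by its native resolution, so the two columns only line up by trial and error against the neighbouring `scale=0.32` picture and will drift if either file is re-exported at another DPI. Sizing relative to the column is more robust, e.g. `\includegraphics[width=\linewidth]{../pics/barrier}`, which also drops the extension so graphicx picks the best available format. The same applies to the `trainwreck.jpg` line kept as context below it.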
@@ -162,13 +56,13 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Smash the Stack for Fun\ldots}
 
 \begin{itemize}
-\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip
+\item {\bf Buffer Overflow Attacks} or\\ 
+{\bf Smashing the Stack Attacks}\medskip
 
 \item one of the most popular attacks, unfortunately\\ 
 ($>$ 50\% of security incidents reported at CERT are related 
@@ -205,7 +99,7 @@
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{Printing Out Zombies}
+\frametitle{Printing Out ``Zombies''}
 \mbox{}\\[-10mm]
 
 \footnotesize
@@ -254,8 +148,8 @@
 \frametitle{Memory}
 
 \begin{itemize}
-\item each process will get a chunk of memory that is organised as
-follows:
+\item each process will get a chunk of memory that is
+      organised as follows: 
 \end{itemize}
 
 \begin{center}
@@ -458,6 +352,43 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Optimising Success}
+
+\begin{center}
+\begin{tabular}{l@{\hspace{2cm}}l}
+  \begin{tikzpicture}[scale=0.6]
+  \draw[line width=1mm] (-2, -1) rectangle (2,3);
+  \draw[line width=1mm,fill=blue!30] (-2, 1.9) rectangle (2,3);
+  \draw (0,2.5) node {\small\tt shell code};
+  \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+  \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
+  (-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
+   \end{tikzpicture}
+&
+ \onslide<2>{
+ \begin{tikzpicture}[scale=0.6]
+  \draw[gray!50,fill=red!30] (-2,0.3) rectangle (2,3);
+  \draw[line width=1mm] (-2, -1) rectangle (2,3);
+  \draw[line width=1mm,fill=blue!30] (-2, 0.3) rectangle (2, -0.7);
+  \draw (0,-0.2) node {\small\tt shell code};
+  \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+  \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate] 
+    (2.3,3) -- (2.3,0.3);
+  \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
+  (3,-1.7) -- (3,1.65) -- (2.6, 1.65);
+  \end{tikzpicture}}
+\end{tabular}
+\end{center}\bigskip
+  
+\onslide<2>{  
+fill up the red part of the string with \pcode{NOP} operations
+(Intel \texttt{$\backslash$x90})}  
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
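Review bot: The node labels in the new frame use the plain-TeX font switch `\tt` (`\draw (0,2.5) node {\small\tt shell code};` and the same line in the second picture); the LaTeX2e form is `\small\ttfamily shell code` or `\texttt{shell code}`, which avoids the deprecated-command warning and nests correctly with the surrounding size change. The closing text also goes through math mode just to print a backslash, `\texttt{$\backslash$x90}`; `\texttt{\textbackslash x90}` gives the same glyphs in the monospace face without an italic-correction artefact. Both pictures are only described by the `\onslide<2>` sentence at the end, so a `%` comment above the tabular naming what the red region and the brace stand for would help the next person editing the drawing.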
@@ -476,8 +407,6 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Format String Vulnerability}
@@ -539,68 +468,100 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
+\frametitle{NIST Statistics about BOA}
 
 \begin{center}
-  \begin{tikzpicture}[scale=1]
-  
-  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-  \draw (4.7,1) node {Internet};
-  \draw (-2.7,1.7) node {\footnotesize Application};
-  \draw (0.6,1.7) node {\footnotesize Interface};
-  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+\begin{tikzpicture}
+\begin{axis}[
+    xlabel={year},
+    ylabel={\% of total attacks},
+    ylabel style={yshift=0em},
+    enlargelimits=false,
+    xtick={1997,1999,2001,...,2015},
+    xmin=1996.5,
+    xmax=2016,
+    ymax=21,
+    ytick={0,5,...,20},
+    scaled ticks=false,
+    axis lines=left,
+    width=11cm,
+    height=5cm,
+    ybar,
+    nodes near coords=
+     {\footnotesize
+      $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$},
+    x tick label style={font=\footnotesize,/pgf/number format/1000 sep={}}]
+\addplot
+   table [x=Year,y=Percentage] {../handouts/bufferoverflows.data};
+\end{axis}
+\end{tikzpicture}
+\end{center}
   
-  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+from the US National Vulnerability Database\\
+\small\url{http://web.nvd.nist.gov/view/vuln/statistics}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-  \draw[white] (1.7,1) node (X) {};
-  \draw[white] (3.7,1) node (Y) {};
-  \draw[red, <->, line width = 2mm] (X) -- (Y);
- 
-  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
-  \end{tikzpicture}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{D-Link Wifi Router, BOA}
+\small
+
+As a proof-of-concept, the following URL allows 
+attackers to control the return value saved on 
+the stack (the vulnerability is triggered when
+executing \pcode{"/usr/sbin/widget"}):
+
+\begin{center}\footnotesize 
+\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
 \end{center}
 
-\begin{itemize}
-\item the idea is make the attack surface smaller and mitigate the
-  consequences of an attack
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+The value of the "hash" HTTP GET parameter consists of
+292 occurrences of the \pcode{'A'} character, followed by four 
+occurrences of character \pcode{'B'}. In our lab setup, characters 
+\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip
 
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}
+\begin{tabular}{@{}ll}
+Discovery date: & 06/03/2013\\
+Release date:   & 02/08/2013
+\end{tabular}\bigskip
 
 
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
-\end{itemize}
+\footnotesize
+\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} 
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{GHOST in Glibc}
+
+\small The GHOST vulnerability is a buffer overflow condition
+that can be easily exploited locally and remotely. This
+vulnerability is named after the GetHOSTbyname function
+involved in the exploit.\medskip 
 
-\only<5->{
-\begin{textblock}{1}(3,7)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{8cm}
-Only failure makes us experts.
-	-- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
+The attack allows the attacker to execute arbitrary code and
+take control of the victim’s vulnerable machine.
+Unfortunately, the vulnerability exists in the GNU C Library
+(glibc), a code library originally released in 2000, meaning
+it has been widely distributed. Although an update released by
+Linux in 2013 mitigated this vulnerability, most systems and
+products have not installed the patch.\medskip 
+
 
-\end{frame}}
+\begin{tabular}{@{}ll} 
+Release date: & 01/28/2015
+\end{tabular}\smallskip
+
+
+\footnotesize
+\hfill\url{https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability} 
+\end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%