--- a/slides/slides03.tex Mon Oct 06 02:44:23 2014 +0100
+++ b/slides/slides03.tex Mon Oct 06 20:52:53 2014 +0100
@@ -35,6 +35,295 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (4.7,1) node {Internet};
+ \draw (-2.7,1.7) node {\footnotesize Application};
+ \draw (0.6,1.7) node {\footnotesize Interface};
+ \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+ \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item the idea is make the attack surface smaller and
+mitigate the consequences of an attack
+\item you need an OS that supports different roles (root vs.~users)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Weaknesses of Unix AC}
+
+\begin{itemize}
+\item if you have too many roles (for example too finegrained AC), then
+ hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
+ like\ldots let's be root}\bigskip
+
+\item you can still abuse the system\ldots
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+The idea is to trick a privileged person to do something on your
+behalf:
+
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+
+\small
+\begin{minipage}{1.1\textwidth}
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+
+\textcolor{gray}{this takes time}
+\end{minipage}
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\
+\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\
+
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes the real passwd file
+\end{enumerate}
+
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{9.5cm}\raggedright
+To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\Large Buffer Overflow Attacks}
+
+\begin{center}
+\begin{columns}[b]
+\begin{column}{.4\textwidth}
+\centering
+\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
+lectures so far
+\end{column}
+\begin{column}<2>{.4\textwidth}
+\centering
+\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
+today
+\end{column}
+\end{columns}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Smash the Stack for Fun\ldots}
+
+\begin{itemize}
+\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip
+
+\item one of the most popular attacks, unfortunately\\
+($>$ 50\% of security incidents reported at CERT are related
+to buffer overflows)
+\begin{flushright}
+\small\url{http://www.kb.cert.org/vuls}
+\end{flushright}
+\medskip
+\item made popular in an article from 1996 by Elias Levy
+(also known as Aleph One):\\
+\begin{center}
+{\bf ``Smashing The Stack For Fun and Profit''}
+\end{center}\medskip
+
+\begin{flushright}
+\small\url{http://phrack.org/issues/49/14.html}
+\end{flushright}
+
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A Long Printed ``Twice''}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{``A Login Function'' (1)}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{``A Login Function'' (2)}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{What the Hell Is Going On?}
+
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Memory}
+
+\begin{itemize}
+\item each process will get a chunk of memory that is organised as
+follows:
+\end{itemize}
+
+\begin{center}
+ \begin{tikzpicture}[scale=0.8]
+ %\draw[step=1cm] (-3,-3) grid (3,3);
+ \draw[line width=1mm] (-2, -3) rectangle (2,3);
+ \draw[line width=1mm] (-2,1) -- (2,1);
+ \draw[line width=1mm] (-2,-1) -- (2,-1);
+ \draw (0,2) node {\large\tt text};
+ \draw (0,0) node {\large\tt heap};
+ \draw (0,-2) node {\large\tt stack};
+
+ \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
+ \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
+ \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
+
+ \draw (2.7,-2) node[anchor=west] {\tt grows};
+ \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
+ \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
+ \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
+ \end{tikzpicture}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{The Stack}
+
+\begin{textblock}{7}(1,1)
+ \begin{tikzpicture}[scale=0.8]
+ %\draw[step=1cm] (-3,-1) grid (3,8);
+ \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
+ \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
+ \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
+ \draw (0,-1) node[anchor=south] {\tt main};
+ \draw[line width=1mm] (-1,0) -- (1,0);
+ \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
+ \draw[line width=1mm] (-1,1) -- (1,1);
+ \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
+ \draw[line width=1mm] (-1,2) -- (1,2);
+ \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
+ \draw[line width=1mm] (-1,3) -- (1,3);
+ \draw (0,3.1) node[anchor=south] {\tt ret};
+ \draw[line width=1mm] (-1,4) -- (1,4);
+ \draw (0,4) node[anchor=south] {\small\tt last sp};
+ \draw[line width=1mm] (-1,5) -- (1,5);
+ \draw (0,5) node[anchor=south] {\tt buf$_1$};
+ \draw[line width=1mm] (-1,6) -- (1,6);
+ \draw (0,6) node[anchor=south] {\tt buf$_2$};
+ \draw[line width=1mm] (-1,7) -- (1,7);
+ \draw (2,6.1) node[anchor=south] {\code{$esp}};
+ \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);
+
+ \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0);
+ \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
+ \draw (2.6,3.1) node[anchor=south west] {\tt back to main()};
+
+ \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
+\end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{7}(6.4,8)
+\begin{bubble}[6.8cm]
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c}
+\end{bubble}
+\end{textblock}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Behind the Scenes}
+
+machine code
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
@@ -86,27 +375,6 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-The idea is to trick a privileged person to do something on your
-behalf:
-
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-
-\small
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
@@ -137,60 +405,155 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{\Large Buffer Overflow Attacks}
+\frametitle{The Problem}
+
+\begin{itemize}
+\item The basic problem is that library routines in C look as follows:
+\end{itemize}
\begin{center}
-\begin{columns}[b]
-\begin{column}{.4\textwidth}
-\centering
-\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
-lectures so far
-\end{column}
-\begin{column}<2>{.4\textwidth}
-\centering
-\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
-today
-\end{column}
-\end{columns}
+\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c}
\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Variants}
+
+There are many variants:
+
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+
+{\small\lstinputlisting[language=C]{../progs/C2.c}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%\mode<presentation>{
+%\begin{frame}[c]
+%
+%\small
+%A programmer might be careful, but still introduce vulnerabilities:\bigskip
+%
+%{\lstset{language=Java}\footnotesize
+%\texttt{\lstinputlisting{../progs/C2a.c}}}
+%
+%
+%\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads}
+
+\begin{itemize}
+\item the idea is you store some code to the buffer
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads (2)}
+
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+
+\begin{center}
+\texttt{xorl \%eax, \%eax}
+\end{center}
+\end{itemize}\bigskip\bigskip
+
+{\small
+\lstinputlisting[language=C]{../progs/app5.c}}
+
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+\frametitle{Format String Vulnerability}
-\begin{center}
- \begin{tikzpicture}[scale=1]
+\small
+\texttt{string} is nowhere used:\bigskip
+
+{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
+
+this vulnerability can be used to read out the stack
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (4.7,1) node {Internet};
- \draw (-2.7,1.7) node {\footnotesize Application};
- \draw (0.6,1.7) node {\footnotesize Interface};
- \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
- \end{tikzpicture}
-\end{center}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
\begin{itemize}
-\item the idea is make the attack surface smaller and
-mitigate the consequences of an attack
+\item use safe library functions
+\item stack caneries
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+
\end{itemize}
-
+
\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Security Goals}
+
+\begin{itemize}
+\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
+\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
+\item Monitoring (detect attacks)\pause
+\item Privacy, confidentiality, anonymity (to protect secrets)\pause
+\item Authenticity (needed for access control)\pause
+\item Integrity (prevent unwanted modification or tampering)\pause
+\item Availability and reliability (reduce the risk of DoS attacks)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Homework}
+
+\begin{itemize}
+\item Assume format string attacks allow you to read out the stack. What can you do
+ with this information?\bigskip
+
+\item Assume you can crash a program remotely. Why is this a problem?
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
@@ -406,333 +769,6 @@
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
-
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
-
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes the real passwd file
-\end{enumerate}
-
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{9cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
-one general defence mechanism is\\\alert{\bf defence in depth}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Smash the Stack for Fun\ldots}
-
-\begin{itemize}
-\item ``smashing the stack attacks'' or\\ ``buffer overflow attacks''\medskip
-\item one of the most popular attacks\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
-\medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
-\begin{center}
-{\bf ``Smashing The Stack For Fun and Profit''}
-\end{center}\medskip
-
-\begin{flushright}
-\small\textcolor{gray}{Issue 49, Article 14}
-\end{flushright}
-
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A Float Printed ``Twice''}
-
-\footnotesize
-\lstinputlisting[language=C]{../progs/C1.c}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Memory}
-
-\begin{itemize}
-\item each process will get a chunk of memory that is organised as
-follows:
-\end{itemize}
-
-\begin{center}
- \begin{tikzpicture}[scale=0.8]
- %\draw[step=1cm] (-3,-3) grid (3,3);
- \draw[line width=1mm] (-2, -3) rectangle (2,3);
- \draw[line width=1mm] (-2,1) -- (2,1);
- \draw[line width=1mm] (-2,-1) -- (2,-1);
- \draw (0,2) node {\large\tt text};
- \draw (0,0) node {\large\tt heap};
- \draw (0,-2) node {\large\tt stack};
-
- \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
- \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
- \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
-
- \draw (2.7,-2) node[anchor=west] {\tt grows};
- \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
- \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
- \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
- \end{tikzpicture}
-\end{center}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{The Stack}
-
-\begin{textblock}{7}(1,1)
- \begin{tikzpicture}[scale=0.8]
- %\draw[step=1cm] (-3,-1) grid (3,8);
- \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
- \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
- \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
- \draw (0,-1) node[anchor=south] {\tt main};
- \draw[line width=1mm] (-1,0) -- (1,0);
- \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
- \draw[line width=1mm] (-1,1) -- (1,1);
- \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
- \draw[line width=1mm] (-1,2) -- (1,2);
- \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
- \draw[line width=1mm] (-1,3) -- (1,3);
- \draw (0,3.1) node[anchor=south] {\tt ret};
- \draw[line width=1mm] (-1,4) -- (1,4);
- \draw (0,4) node[anchor=south] {\small\tt last sp};
- \draw[line width=1mm] (-1,5) -- (1,5);
- \draw (0,5) node[anchor=south] {\tt buf$_1$};
- \draw[line width=1mm] (-1,6) -- (1,6);
- \draw (0,6) node[anchor=south] {\tt buf$_2$};
- \draw[line width=1mm] (-1,7) -- (1,7);
- \draw (2,6.1) node[anchor=south] {\code{$esp}};
- \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);
-
- \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0);
- \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
- \draw (2.6,3.1) node[anchor=south west] {\tt back to main()};
-
- \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
-\end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{7}(6.4,8)
-\begin{bubble}[6.8cm]
-\footnotesize
-\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c}
-\end{bubble}
-\end{textblock}
-
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{The Problem}
-
-\begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\end{itemize}
-
-\begin{center}
-\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c}
-\end{center}
-
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Variants}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-
-\begin{center}
-\only<1>{\includegraphics[scale=0.9]{../pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{../pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{../pics/stack3}\;\;}
-\end{center}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-
-{\small\lstinputlisting[language=C]{../progs/C2.c}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%\mode<presentation>{
-%\begin{frame}[c]
-%
-%\small
-%A programmer might be careful, but still introduce vulnerabilities:\bigskip
-%
-%{\lstset{language=Java}\footnotesize
-%\texttt{\lstinputlisting{../progs/C2a.c}}}
-%
-%
-%\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads}
-
-\begin{itemize}
-\item the idea is you store some code to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads (2)}
-
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
-
-\begin{center}
-\texttt{xorl \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-
-{\small
-\lstinputlisting[language=C]{../progs/app5.c}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Format String Vulnerability}
-
-\small
-\texttt{string} is nowhere used:\bigskip
-
-{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
-
-this vulnerability can be used to read out the stack
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
-
-\begin{itemize}
-\item use safe library functions
-\item stack caneries
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Security Goals}
-
-\begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (needed for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Homework}
-
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
- with this information?\bigskip
-
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
\end{document}
%%% Local Variables: