\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}

\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

\hfuzz=220pt 

% beamer stuff 
\renewcommand{\slidecaption}{SEN 03, King's College London}


\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Security Engineering (3)\\[-3mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  \normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also home work is there)
  \end{tabular}
  \end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}

\begin{center}
  \begin{tikzpicture}[scale=1]
  
  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
  \draw (4.7,1) node {Internet};
  \draw (-2.7,1.7) node {\footnotesize Application};
  \draw (0.6,1.7) node {\footnotesize Interface};
  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
  
  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

  \draw[white] (1.7,1) node (X) {};
  \draw[white] (3.7,1) node (Y) {};
  \draw[red, <->, line width = 2mm] (X) -- (Y);
 
  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
  \end{tikzpicture}
\end{center}

\begin{itemize}
\item the idea is make the attack surface smaller and 
mitigate the consequences of an attack
\item you need an OS that supports different roles (root vs.~users)
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Weaknesses of Unix AC}

\begin{itemize}
\item if you have too many roles (for example too finegrained AC), then
  hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
    like\ldots let's be root}\bigskip

\item you can still abuse the system\ldots
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}

The idea is to trick a privileged person to do something on your
behalf:

\begin{itemize}
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause

\small
\begin{minipage}{1.1\textwidth}
\textcolor{gray}{the shell behind the scenes:}\\
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\

\textcolor{gray}{this takes time}
\end{minipage}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}

\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\ 
\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\

\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes  the real passwd file
\end{enumerate}

\only<2>{
\begin{textblock}{11}(2,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\normalsize\color{darkgray}
\begin{minipage}{9.5cm}\raggedright
To prevent this kind of attack, you need additional
policies (don't do such operations as root).
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Buffer Overflow Attacks}

\begin{center}
\begin{columns}[b]
\begin{column}{.4\textwidth}
\centering
\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
lectures so far
\end{column}
\begin{column}<2>{.4\textwidth}
\centering
\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
today
\end{column}
\end{columns}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Smash the Stack for Fun\ldots}

\begin{itemize}
\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip

\item one of the most popular attacks, unfortunately\\ 
($>$ 50\% of security incidents reported at CERT are related 
to buffer overflows)
\begin{flushright}
\small\url{http://www.kb.cert.org/vuls}
\end{flushright}
\medskip
\item made popular in an article from 1996 by Elias Levy
(also known as Aleph One):\\
\begin{center}
{\bf ``Smashing The Stack For Fun and Profit''}
\end{center}\medskip

\begin{flushright}
\small\url{http://phrack.org/issues/49/14.html}
\end{flushright} 
 
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A Long Printed ``Twice''}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Printing Out Zombies}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (1)}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (2)}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{What the Hell Is Going On?}

\begin{itemize}
\item Let's start with a very simple program:
\end{itemize}

\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Memory}

\begin{itemize}
\item each process will get a chunk of memory that is organised as
follows:
\end{itemize}

\begin{center}
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-3) grid (3,3);
  \draw[line width=1mm] (-2, -3) rectangle (2,3);
  \draw[line width=1mm] (-2,1) -- (2,1);
  \draw[line width=1mm] (-2,-1) -- (2,-1);
  \draw (0,2) node {\large\tt text};
  \draw (0,0) node {\large\tt heap};
  \draw (0,-2) node {\large\tt stack};

  \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
  \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);

  \draw (2.7,-2) node[anchor=west] {\tt grows};
  \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
  \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
  \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
  \end{tikzpicture}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Stack}

\begin{textblock}{7}(1,1)
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
  \draw (0,-1) node[anchor=south] {\tt main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\tt ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\tt last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\tt buf$_1$};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (0,6) node[anchor=south] {\tt buf$_2$};
  \draw[line width=1mm] (-1,7) -- (1,7);
  \draw (2,6.1) node[anchor=south] {\code{$esp}};
  \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);

  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0); 
  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
  \draw (2.6,3.1) node[anchor=south west] {\tt back to main()};

  \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
\end{tikzpicture}
\end{textblock}

\begin{textblock}{7}(6.4,8)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} 
\end{bubble}
\end{textblock}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Behind the Scenes}

\only<2->{
\begin{textblock}{7}(1,1)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} 
\end{bubble}
\end{textblock}}

\only<2>{
\begin{textblock}{7}(5,8)
\footnotesize
\lstinputlisting[language={[x86masm]Assembler},morekeywords={movl},xleftmargin=5mm,numbers=none]{../progs/example1a.s} 
\end{textblock}}

\only<3>{
\begin{textblock}{7}(5,8)
\footnotesize
\lstinputlisting[language={[x86masm]Assembler},morekeywords={movl,movw},xleftmargin=5mm,numbers=none]{../progs/example1b.s} 
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overwriting the Stack}

\begin{textblock}{7}(1,2)
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,6.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4);
  \draw (0,-1) node[anchor=south] {\tt main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\tt ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\tt last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\tt buf};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (2,5.1) node[anchor=south] {\code{$esp}};
  \draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6);

  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5);
  \draw (2.5,4.1) node[anchor=south] {\code{??}};
  
  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
  \draw (2.6,3.1) node[anchor=south west] {\tt jump to \code{\\x080483f4}};
\end{tikzpicture}
\end{textblock}

\begin{textblock}{7}(1,13.5)
\code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08\\x00"}
\end{textblock}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Payloads}

\begin{itemize}
\item the idea is that you store some code in the buffer (the payload)
\item you then override the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item difficulty is to guess the right place where to ``jump''
\end{itemize}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Starting a Shell}

\small
\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o1.c}

\begin{textblock}{7}(5,7.5)
\begin{bubble}[7cm]
\lstinputlisting[language=C,numbers=none,xleftmargin=-0mm]{../progs/shell.c}
\end{bubble}
\end{textblock}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Avoiding \texttt{$\backslash$x00}}

\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:

\begin{center}
\texttt{xorl   \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip
  
{\small
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overflow.c}
\mbox{}\\[-10mm]

\small
\lstinputlisting[language=C,xleftmargin=-4mm,numbers=none]{../progs/overflow.c}

  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Variants}

There are many variants:

\begin{itemize}
\item return-to-lib-C attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip

\item ``zero-days-attacks'' (new unknown vulnerability)
\end{itemize}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Format String Vulnerability}

\small
\texttt{string} is nowhere used:\bigskip

{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip

this vulnerability can be used to read out the stack
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}

\begin{itemize}
\item use safe library functions
\item stack canaries
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all more difficult)
\item choice of programming language (one of the selling points of Java)
\end{itemize}

\only<2>{  
\begin{textblock}{7}(6,1)
  \begin{bubble}[5cm]
  \begin{tabular}{cp{2cm}}
  \begin{tikzpicture}[baseline=40mm,scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
  \draw (0,-1) node[anchor=south] {\tt main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\tt ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\tt last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\tt\small\alert{\textbf{random}}};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (0,6) node[anchor=south] {\tt buf};
  \draw[line width=1mm] (-1,7) -- (1,7);
  \end{tikzpicture} &
  canary: a random value after the local variables
  \end{tabular}
\end{bubble}
\end{textblock}}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}


\begin{center}
  \begin{tikzpicture}[scale=1]
  
  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
  \draw (4.7,1) node {Internet};
  \draw (-2.7,1.7) node {\footnotesize Application};
  \draw (0.6,1.7) node {\footnotesize Interface};
  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
  
  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

  \draw[white] (1.7,1) node (X) {};
  \draw[white] (3.7,1) node (Y) {};
  \draw[red, <->, line width = 2mm] (X) -- (Y);
 
  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
  \end{tikzpicture}
\end{center}

\begin{itemize}
\item the idea is make the attack surface smaller and mitigate the
  consequences of an attack
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}


\begin{itemize}
\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
\item \texttt{mkdir foo} is owned by root\medskip
\begin{center}
\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
\end{center}\medskip
it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
\end{itemize}

\only<5->{
\begin{textblock}{1}(3,7)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{8cm}
Only failure makes us experts.
	-- Theo de Raadt (OpenBSD, OpenSSH)
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: