  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (10)\\[-6mm] 


  Email:  & christian.urban at\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)\\


\frametitle{\mbox{}\\[20mm]\huge Revision}


\frametitle{1st Lecture}

\item hashes and salts to guarantee data integrity\bigskip
\item storing passwords (brute force attacks and dictionary attacks)


\frametitle{\begin{tabular}{c}2nd Lecture:\\ E-Voting\end{tabular}}

\item Integrity 
\item Ballot Secrecy
\item Voter Authentication
\item Enfranchisement
\item Availability


\frametitle{\begin{tabular}{c}2nd Lecture:\\ E-Voting\end{tabular}}

Online Banking vs.~E-Voting

\item online banking: if fraud occurred you try to identify who did what (somebody's account ended up at zero)\bigskip
\item e-voting: some parts can be done electronically, but not the actual voting (final year project: online voting)


\frametitle{\begin{tabular}{c}3rd Lecture:\\ Buffer Overflow Attacks\end{tabular}}

\item the problem arises from the way C/C++ organises its function calls\\[-8mm]\mbox{}

\frametitle{\begin{tabular}{c}3rd Lecture:\\ Unix Access Control\end{tabular}}

\item privileges are specified by file access permissions (``everything is a file'') 

\item the idea is to make the attack surface smaller and 
mitigate the consequences of an attack


\frametitle{\begin{tabular}{c}3rd Lecture:\\ Unix Access Control\end{tabular}}

\item when a file with setuid is executed, the resulting process will assume the 
UID given to the owner of the file

$ ls -ld . * */*
drwxr-xr-x 1 ping staff  32768 Apr  2 2010 .
-rw----r-- 1 ping students  31359 Jul 24 2011 manual.txt
-r--rw--w- 1 bob students   4359 Jul 24 2011 report.txt
-rwsr--r-x 1 bob students 141359 Jun  1 2013 microedit
dr--r-xr-x 1 bob staff  32768 Jul 23 2011 src
-rw-r--r-- 1 bob staff  81359 Feb 28 2012 src/code.c
-r--rw---- 1 emma students    959 Jan 23 2012 src/code.h
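As an added example (not part of the lecture slides), the following Python checker applies the owner/group/other rule and the setuid rule to the listing above. The group memberships and the extra users \texttt{alice} and \texttt{carol} are assumptions, since the listing does not show who belongs to which group.

```python
from dataclasses import dataclass

# Constructed input: the `ls -ld . * */*` listing from the slide above.
LISTING = """\
drwxr-xr-x 1 ping staff  32768 Apr  2 2010 .
-rw----r-- 1 ping students  31359 Jul 24 2011 manual.txt
-r--rw--w- 1 bob students   4359 Jul 24 2011 report.txt
-rwsr--r-x 1 bob students 141359 Jun  1 2013 microedit
dr--r-xr-x 1 bob staff  32768 Jul 23 2011 src
-rw-r--r-- 1 bob staff  81359 Feb 28 2012 src/code.c
-r--rw---- 1 emma students    959 Jan 23 2012 src/code.h
"""
# Assumed group memberships (not shown in the listing); carol is in no listed group.
GROUPS = {"ping": {"staff", "students"}, "bob": {"staff", "students"},
          "emma": {"students"}, "alice": {"students"}, "carol": set()}

@dataclass
class Entry:
    mode: str    # e.g. "-rwsr--r-x"
    owner: str
    group: str

def parse_listing(text):
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        entries[parts[-1]] = Entry(parts[0], parts[2], parts[3])
    return entries

def permission_bits(entry, user):
    """Exactly one class applies: owner, else group, else other.
    's'/'t' in the x slot means x plus setuid/setgid/sticky."""
    if user == entry.owner:
        bits = entry.mode[1:4]
    elif entry.group in GROUPS.get(user, set()):
        bits = entry.mode[4:7]
    else:
        bits = entry.mode[7:10]
    return {"r": bits[0] == "r", "w": bits[1] == "w", "x": bits[2] in "xst"}

def can_access(entries, user, path, op):
    """op is 'r', 'w' or 'x'; every directory on the way must be searchable."""
    parts = path.split("/")
    for parent in ["."] + ["/".join(parts[:i]) for i in range(1, len(parts))]:
        if not permission_bits(entries[parent], user)["x"]:
            return False
    return permission_bits(entries[path], user)[op]

def effective_uid_on_exec(entries, user, path):
    """A setuid binary ('s' in the owner x slot) runs with the owner's UID."""
    if not can_access(entries, user, path, "x"):
        return None  # this user cannot execute it at all
    return entries[path].owner if entries[path].mode[3] == "s" else user
```

Note that \texttt{bob} cannot reach \texttt{src/code.c} even though group \texttt{staff} has \texttt{r-x} on \texttt{src}: as owner he gets only the \texttt{r--} class, and the other classes are never consulted.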


\frametitle{\begin{tabular}{c}4th Lecture:\\ Security Levels\end{tabular}}

Bell-LaPadula access model:

  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
  \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
  \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip

  \item Meta-Rule: All principals in a system should have a sufficiently high security level
  in order to access an object.


\frametitle{\begin{tabular}{c}4th Lecture:\\ Security Levels\end{tabular}}

Biba (data integrity)

  \item Biba: {\bf `no read down'} - {\bf `no write up'}
  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
  \bl{$P$}'s security level is lower than or equal to \bl{$O$}'s.
  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
  \bl{$O$}'s security level is lower than or equal to \bl{$P$}'s.


\frametitle{\begin{tabular}{c}4th Lecture:\\ Protocols\end{tabular}}

A mutual authentication protocol

\bl{$A \rightarrow B$:} & \bl{$N_a$}\\  
\bl{$B \rightarrow A$:} & \bl{$\{N_a, N_b\}_{K_{ab}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_b$}\\


\frametitle{\begin{tabular}{c}5th Lecture:\\ Access Control Logic\end{tabular}}

\item formulas
\item judgements

\frametitle{\begin{tabular}{c}5th Lecture:\\ Access Control Logic\end{tabular}}

\frametitle{\begin{tabular}{c}5th Lecture:\\ Inference Rules\end{tabular}}

\frametitle{\begin{tabular}{c}8th Lecture: Privacy\end{tabular}}

\item differential privacy for anonymizing research data

\item \bl{$f(x)$} can be released if \bl{$f$} is insensitive to
individual entries \bl{$x_1, \ldots, x_n$}\\
\item The intuition: whatever is learned from the dataset would be learned regardless of whether
\bl{$x_i$} participates\bigskip\pause

\item Tor webservice


\frametitle{\begin{tabular}{c}9th Lecture:\\ Privacy\end{tabular}}

\item zero-knowledge proofs
\item requires NP problems, for example graph isomorphisms\bigskip\pause
\item random number generators



