
\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}

\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

\hfuzz=220pt 

% beamer stuff 
\renewcommand{\slidecaption}{SEN 03, King's College London}


\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Security Engineering (3)\\[-3mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  \normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (the homework is there too)
  \end{tabular}
  \end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Buffer Overflow Attacks}

\begin{center}
\begin{columns}[b]
\begin{column}{.4\textwidth}
\centering
\includegraphics[scale=0.3]{../pics/barrier.jpg}\\
lectures so far
\end{column}
\begin{column}{.4\textwidth}
\centering
\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
today
\end{column}
\end{columns}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Smash the Stack for Fun\ldots}

\begin{itemize}
\item \alert{\textbf{Buffer Overflow Attacks (BOAs)}} or\\ 
\textbf{Smashing the Stack Attacks}\medskip

\item unfortunately one of the most popular attacks\\ 
($>$ 50\% of security incidents reported at CERT are related 
to buffer overflows)
\begin{flushright}
\small\url{http://www.kb.cert.org/vuls}
\end{flushright}
\medskip
\item made popular in an article from 1996 by Elias Levy
(also known as Aleph One):\\
\begin{center}
\textbf{``Smashing The Stack For Fun and Profit''}
\end{center}\medskip

\begin{flushright}
\small\url{http://phrack.org/issues/49/14.html}
\end{flushright} 
 
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A Long Printed ``Twice''}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Printing Out ``Zombies''}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (1)}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (2)}
\mbox{}\\[-10mm]

\footnotesize
\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{What the Hell Is Going On?}

\begin{itemize}
\item Let's start with a very simple program:
\end{itemize}

\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Memory}

\begin{itemize}
\item each process will get a chunk of memory that is
      organised as follows: 
\end{itemize}

\begin{center}
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-3) grid (3,3);
  \draw[line width=1mm] (-2, -3) rectangle (2,3);
  \draw[line width=1mm] (-2,1) -- (2,1);
  \draw[line width=1mm] (-2,-1) -- (2,-1);
  \draw (0,2) node {\large\tt text};
  \draw (0,0) node {\large\tt heap};
  \draw (0,-2) node {\large\tt stack};

  \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
  \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);

  \draw (2.7,-2) node[anchor=west] {\tt grows};
  \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
  \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
  \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
  \end{tikzpicture}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Stack}

\begin{textblock}{7}(1,1)
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
  \draw (0,-1) node[anchor=south] {\tt main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\tt ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\tt last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\tt buf$_1$};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (0,6) node[anchor=south] {\tt buf$_2$};
  \draw[line width=1mm] (-1,7) -- (1,7);
  \draw (2,6.1) node[anchor=south] {\code{$esp}};
  \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);

  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0); 
  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
  \draw (2.6,3.1) node[anchor=south west] {\tt back to main()};

  \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
\end{tikzpicture}
\end{textblock}

\begin{textblock}{7}(6.4,8)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} 
\end{bubble}
\end{textblock}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Behind the Scenes}

\only<2->{
\begin{textblock}{7}(1,0.6)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,
                 xleftmargin=5mm,
                 belowskip=-1mm,
                 aboveskip=-1mm]{../progs/example1.c} 
\end{bubble}
\end{textblock}}

\only<2>{
\begin{textblock}{7}(0.5,6.6)
\footnotesize
\lstinputlisting[language={[x86masm]Assembler},morekeywords={movl},xleftmargin=5mm,numbers=none]{../progs/example1a.s} 
\end{textblock}}

\only<3>{
\begin{textblock}{7}(0.5,6.6)
\footnotesize
\lstinputlisting[language={[x86masm]Assembler},morekeywords={movl,movw},xleftmargin=5mm,numbers=none]{../progs/example1b.s} 
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overwriting the Stack}

\begin{textblock}{7}(1,2)
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,6.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4);
  \draw (0,-1) node[anchor=south] {\tt main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\tt ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\tt last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\tt buf};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (2,5.1) node[anchor=south] {\code{$esp}};
  \draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6);

  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5);
  \draw (2.5,4.1) node[anchor=south] {\code{BBBB}};
  
  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
  \draw (2.6,3.1) node[anchor=south west] {\tt jump to \code{\\x080483f4}};
\end{tikzpicture}
\end{textblock}

\begin{textblock}{7}(1,13.5)
\code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08\\x00"}
\end{textblock}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{C-Library Functions}

\begin{itemize}
\item they copy everything up to the terminating zero byte, regardless of how large the destination buffer is
\end{itemize}\medskip

{\small
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
  
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Payloads}

\begin{itemize}
\item the idea is that you store some code in the buffer (the payload)
\item you then overwrite the return address so that execution continues with this payload\medskip
\item normally you want to start a shell\pause
\item the difficulty is guessing the right address to ``jump'' to
\end{itemize}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Starting a Shell}

\small
\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o2.c}

\begin{textblock}{7}(5,7.5)
\begin{bubble}[7cm]
\lstinputlisting[language=C,numbers=none,xleftmargin=-0mm]{../progs/shell.c}
\end{bubble}
\end{textblock}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Avoiding \texttt{$\backslash$x00}}

\begin{itemize}
\item another difficulty is that the payload must not contain the byte \texttt{\textbackslash x00}, since string-copy functions stop there:

\begin{center}
\texttt{xorl   \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip
  
{\small
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{String from the Web}

{\small
\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o1.c}}
\bigskip\bigskip

\noindent 
More ``interesting'' shell programs can be found at 

\begin{center}
\url{http://shellblade.net/shellcode.html}
\end{center}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overflow.c}
\mbox{}\\[-10mm]

\small
\lstinputlisting[language=C,xleftmargin=-4mm,numbers=none]{../progs/overflow.c}

  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Optimising Success}

\begin{center}
\begin{tabular}{l@{\hspace{2cm}}l}
  \begin{tikzpicture}[scale=0.6]
  \draw[line width=1mm] (-2, -1) rectangle (2,3);
  \draw[line width=1mm,fill=blue!30] (-2, 1.9) rectangle (2,3);
  \draw (0,2.5) node {\small\tt shell code};
  \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
  \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
  (-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
   \end{tikzpicture}
&
 \onslide<2>{
 \begin{tikzpicture}[scale=0.6]
  \draw[gray!50,fill=red!30] (-2,0.3) rectangle (2,3);
  \draw[line width=1mm] (-2, -1) rectangle (2,3);
  \draw[line width=1mm,fill=blue!30] (-2, 0.3) rectangle (2, -0.7);
  \draw (0,-0.2) node {\small\tt shell code};
  \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
  \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate] 
    (2.3,3) -- (2.3,0.3);
  \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
  (3,-1.7) -- (3,1.65) -- (2.6, 1.65);
  \end{tikzpicture}}
\end{tabular}
\end{center}\bigskip
  
\onslide<2>{  
fill up the red part of the string with \pcode{NOP} operations
(Intel \texttt{$\backslash$x90})}  
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Why Do BOAs Work?}

\begin{itemize}
\item stack grows from higher addresses to lower addresses
\item library functions copy memory until a zero-byte is 
encountered
\end{itemize}

\begin{center}
\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{2mm}}c@{}}
\small
\begin{tikzpicture}[scale=0.45]
  %\draw[step=1cm] (-3,-3) grid (3,3);
  \draw[line width=1mm] (-2, -3) rectangle (2,3);
  \draw[line width=1mm] (-2,1) -- (2,1);
  \draw[line width=1mm] (-2,-1) -- (2,-1);
  \draw (0,2) node {\tt text};
  \draw (0,0) node {\tt heap};
  \draw (0,-2) node {\tt stack};

  \draw (-2.7,3) node[anchor=north east] 
     {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
  \draw (-2.7,-3) node[anchor=south east] 
     {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);

  \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
  \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
  \draw[|->, line width=1mm] (2.5,-3.09) -- (2.5,-1);
  \end{tikzpicture}
&  
\raisebox{1.3cm}{\footnotesize
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
\end{tabular}  
\end{center}  
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Variants}

There are many variants:

\begin{itemize}
\item return-to-libc attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip

\item ``zero-day attacks'' (exploiting a new, previously unknown vulnerability)
\end{itemize}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}
            Protections against\\
            Buffer Overflow Attacks
            \end{tabular}}

\begin{itemize}
\item use safe library functions
\item stack canaries
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all exploits more difficult)
\item choice of programming language (one of the selling points of Java)
\end{itemize}

\only<2>{  
\begin{textblock}{7}(6,1)
  \begin{bubble}[5.5cm]
  \begin{tabular}{cp{2.9cm}}
  \begin{tikzpicture}[baseline=40mm,scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
  \draw (0,-1) node[anchor=south] {\tt main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\tt ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\tt last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\tt\small\alert{\textbf{random}}};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (0,6) node[anchor=south] {\tt buf};
  \draw[line width=1mm] (-1,7) -- (1,7);
  \end{tikzpicture} &
  \raggedright stack canary: a random value placed between the local variables and the return address; it is checked before the function returns
  \end{tabular}
\end{bubble}
\end{textblock}}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{In my Examples I Cheated}

I compiled the programs with

\begin{center}
\begin{tabular}{l@{\hspace{1mm}}l}
\pcode{/usr/bin/gcc} & \pcode{-ggdb -O0}\\
                     & \pcode{-fno-stack-protector}\\
                     & \pcode{-mpreferred-stack-boundary=2}\\
                     & \pcode{-z execstack} 
\end{tabular}
\end{center}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{NIST Statistics about BOA}

\begin{center}
\begin{tikzpicture}
\begin{axis}[
    xlabel={year},
    ylabel={\% of total attacks},
    ylabel style={yshift=0em},
    enlargelimits=false,
    xtick={1997,1999,2001,...,2015},
    xmin=1996.5,
    xmax=2016,
    ymax=21,
    ytick={0,5,...,20},
    scaled ticks=false,
    axis lines=left,
    width=11cm,
    height=5cm,
    ybar,
    nodes near coords=
     {\footnotesize
      $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$},
    x tick label style={font=\footnotesize,/pgf/number format/1000 sep={}}]
\addplot
   table [x=Year,y=Percentage] {../handouts/bufferoverflows.data};
\end{axis}
\end{tikzpicture}
\end{center}
  
from the US National Vulnerability Database\\
\small\url{http://web.nvd.nist.gov/view/vuln/statistics}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Wifi Router, BOA}
\small

As a proof-of-concept, the following URL allows 
attackers to control the return address saved on 
the stack (the vulnerability is triggered when
executing \pcode{"/usr/sbin/widget"}):

\begin{center}\footnotesize 
\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
\end{center}

The value of the ``hash'' HTTP GET parameter consists of
292 occurrences of the \pcode{'A'} character, followed by four 
occurrences of character \pcode{'B'}. In our lab setup, characters 
\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip


\begin{tabular}{@{}ll}
Discovery date: & 06/03/2013\\
Release date:   & 02/08/2013
\end{tabular}\bigskip


\footnotesize
\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} 
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{GHOST in Glibc}

\small The GHOST vulnerability is a buffer overflow condition
that can be easily exploited locally and remotely. This
vulnerability is named after the GetHOSTbyname function
involved in the exploit.\medskip 

The attack allows the attacker to execute arbitrary code and
take control of the victim’s vulnerable machine.
Unfortunately, the vulnerability exists in the GNU C Library
(glibc), a code library originally released in 2000, meaning
it has been widely distributed. Although an update released by
Linux in 2013 mitigated this vulnerability, most systems and
products have not installed the patch.\medskip 


\begin{tabular}{@{}ll} 
Release date: & 01/28/2015
\end{tabular}\smallskip


\footnotesize
\hfill\url{https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability} 
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Format String Vulnerability}

\small
\texttt{string} is not used anywhere:\bigskip

{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip

this vulnerability can be used to read out the contents of the stack
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: