\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplainculight}
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc} 
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings}
\renewcommand{\uline}[1]{#1}
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx} 

\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

\lstset{language=Java,
	basicstyle=\ttfamily,
	keywordstyle=\color{javapurple}\bfseries,
	stringstyle=\color{javagreen},
	commentstyle=\color{javagreen},
	morecomment=[s][\color{javadocblue}]{/**}{*/},
	numbers=left,
	numberstyle=\tiny\color{black},
	stepnumber=1,
	numbersep=10pt,
	tabsize=2,
	showspaces=false,
	showstringspaces=false}

\lstdefinelanguage{scala}{
  morekeywords={abstract,case,catch,class,def,%
    do,else,extends,false,final,finally,%
    for,if,implicit,import,match,mixin,%
    new,null,object,override,package,%
    private,protected,requires,return,sealed,%
    super,this,throw,trait,true,try,%
    type,val,var,while,with,yield},
  otherkeywords={=>,<-,<\%,<:,>:,\#,@},
  sensitive=true,
  morecomment=[l]{//},
  morecomment=[n]{/*}{*/},
  morestring=[b]",
  morestring=[b]',
  morestring=[b]"""
}

\lstset{language=Scala,
	basicstyle=\ttfamily,
	keywordstyle=\color{javapurple}\bfseries,
	stringstyle=\color{javagreen},
	commentstyle=\color{javagreen},
	morecomment=[s][\color{javadocblue}]{/**}{*/},
	numbers=left,
	numberstyle=\tiny\color{black},
	stepnumber=1,
	numbersep=10pt,
	tabsize=2,
	showspaces=false,
	showstringspaces=false}

% beamer stuff 
\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}


\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (2)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  %\begin{center}
  %\includegraphics[scale=1.3]{pics/barrier.jpg}
  %\end{center}

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also home work is there)
  \end{tabular}
  \end{center}


\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}


\ldots{} I have a question about the homework.\\[3mm] 
Is it required to submit the homework before\\ 
the next lecture?\\[5mm]

Thank you!\\
Anonymous
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}[t]{c}
\includegraphics[scale=1.2]{pics/barrier.jpg}\\
future lectures
\end{tabular}\;\;\;
\onslide<2>{
\begin{tabular}[t]{c}
\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
today
\end{tabular}
}
\end{center}

  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}

\begin{textblock}{1}(1,3)
\begin{tabular}{c}
\includegraphics[scale=0.15]{pics/SmartWater}
\end{tabular}
\end{textblock}


\begin{textblock}{8.5}(7,3)
\begin{itemize}
\item seems helpful for preventing cable theft\medskip
\item wouldn't be helpful to make your property safe, because of possible abuse\medskip

\item security is always a tradeoff
\end{itemize}
\end{textblock}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}

\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}


\begin{itemize}
\item IEEE is a standards organisation (not for profit) 
\item many standards in CS are by IEEE\medskip
\item 100k plain-text passwords were recorded in logs
\item the logs were openly accessible on their FTP server
\end{itemize}\bigskip

\begin{flushright}\small
\textcolor{gray}{\url{http://ieeelog.com}}
\end{flushright}

\only<2>{
\begin{textblock}{11}(3,2)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] 
{\normalsize\color{darkgray}
\begin{minipage}{7.5cm}\raggedright\small
\includegraphics[scale=0.6]{pics/IEEElog.jpg}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}

\begin{flushright}\small
\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
\end{flushright}

\begin{itemize}
\item for online accounts passwords must be 6 digits
\item you must cycle through 1M combinations (online)\pause\bigskip

\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
\item wrote a script that cleared the cookie set after each guess\pause
\item has been fixed now
\end{itemize}



\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}

\begin{itemize}
\item ``smashing the stack attacks'' or ``buffer overflow attacks''
\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
\begin{flushright}\small
\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
\end{flushright}
\medskip
\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
\begin{center}
{\bf ``Smashing The Stack For Fun and Profit''}
\end{center}\medskip

\begin{flushright}
\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
\end{flushright} 
 
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Problem\end{tabular}}

\begin{itemize}
\item The basic problem is that library routines in C look as follows:
\begin{center}
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}
\end{center}
\item the resulting problems are often remotely exploitable 
\item can be used to circumvents all access control
(botnets for further attacks)
\end{itemize}
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Variants\end{tabular}}

There are many variants:

\begin{itemize}
\item return-to-lib-C attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip

\item ``zero-days-attacks'' (new unknown vulnerability)
\end{itemize}
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\small
\texttt{my\_float} is printed twice:\bigskip

{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C1.c}}}

  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\onslide<1->{\includegraphics[scale=0.5]{pics/stack1}\;\;}
\onslide<2->{\includegraphics[scale=0.5]{pics/stack2}\;\;}
\onslide<3->{\includegraphics[scale=0.5]{pics/stack3}\;\;}
\end{center}
  
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2.c}}}

  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\small
A programmer might be careful, but still introduce vulnerabilities:\bigskip

{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2a.c}}}

  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads\end{tabular}}

\begin{itemize}
\item the idea is you store some code as part to the buffer
\item you then override the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item difficulty is to guess the right place where to ``jump''
\end{itemize}
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}

\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:

\begin{center}
\texttt{xorl   \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip
  
{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}

\small
\texttt{string} is nowhere used:\bigskip

{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C6.c}}}\bigskip

this vulnerability can be used to read out the stack
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}

\begin{itemize}
\item use safe library functions
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all more difficult)
\item choice of programming language (one of the selling points of Java)

\end{itemize}
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}

\begin{itemize}
\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
\item Monitoring (detect attacks)\pause
\item Privacy, confidentiality, anonymity (to protect secrets)\pause
\item Authenticity (eeded for access control)\pause
\item Integrity (prevent unwanted modification or tampering)\pause
\item Availability and reliability (reduce the risk of DoS attacks)
\end{itemize}
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}

\begin{itemize}
\item Assume format string attacks allow you to read out the stack. What can you do
	with this information?\bigskip

\item Assume you can crash a program remotely. Why is this a problem?
\end{itemize}
  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: