\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}
\hfuzz=220pt
% beamer stuff
\renewcommand{\slidecaption}{APP 03, King's College London}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
\LARGE Access Control and \\[-3mm]
\LARGE Privacy Policies (3)\\[-6mm]
\end{tabular}}\bigskip\bigskip\bigskip
\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Office: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also home work is there)
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
\begin{center}
\begin{tikzpicture}[scale=1]
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}
\begin{itemize}
\item the idea is make the attack surface smaller and
mitigate the consequences of an attack
\item you need an OS that supports different roles (root vs.~users)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Weaknesses of Unix AC}
\begin{itemize}
\item if you have too many roles (for example too finegrained AC), then
hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
like\ldots let's be root}\bigskip
\item you can still abuse the system\ldots
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}
The idea is to trick a privileged person to do something on your
behalf:
\begin{itemize}
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
\small
\begin{minipage}{1.1\textwidth}
\textcolor{gray}{the shell behind the scenes:}\\
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
\textcolor{gray}{this takes time}
\end{minipage}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}
\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\
\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\
\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes the real passwd file
\end{enumerate}
\only<2>{
\begin{textblock}{11}(2,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{9.5cm}\raggedright
To prevent this kind of attack, you need additional
policies (don't do such operations as root).
\end{minipage}};
\end{tikzpicture}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Buffer Overflow Attacks}
\begin{center}
\begin{columns}[b]
\begin{column}{.4\textwidth}
\centering
\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
lectures so far
\end{column}
\begin{column}<2>{.4\textwidth}
\centering
\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
today
\end{column}
\end{columns}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Smash the Stack for Fun\ldots}
\begin{itemize}
\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip
\item one of the most popular attacks, unfortunately\\
($>$ 50\% of security incidents reported at CERT are related
to buffer overflows)
\begin{flushright}
\small\url{http://www.kb.cert.org/vuls}
\end{flushright}
\medskip
\item made popular in an article from 1996 by Elias Levy
(also known as Aleph One):\\
\begin{center}
{\bf ``Smashing The Stack For Fun and Profit''}
\end{center}\medskip
\begin{flushright}
\small\url{http://phrack.org/issues/49/14.html}
\end{flushright}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A Long Printed ``Twice''}
\mbox{}\\[-10mm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Printing Out Zombies}
\mbox{}\\[-10mm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (1)}
\mbox{}\\[-10mm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (2)}
\mbox{}\\[-10mm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{What the Hell Is Going On?}
\begin{itemize}
\item Let's start with a very simple program:
\end{itemize}
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Memory}
\begin{itemize}
\item each process will get a chunk of memory that is organised as
follows:
\end{itemize}
\begin{center}
\begin{tikzpicture}[scale=0.8]
%\draw[step=1cm] (-3,-3) grid (3,3);
\draw[line width=1mm] (-2, -3) rectangle (2,3);
\draw[line width=1mm] (-2,1) -- (2,1);
\draw[line width=1mm] (-2,-1) -- (2,-1);
\draw (0,2) node {\large\tt text};
\draw (0,0) node {\large\tt heap};
\draw (0,-2) node {\large\tt stack};
\draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
\draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
\draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
\draw (2.7,-2) node[anchor=west] {\tt grows};
\draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
\draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
\draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
\end{tikzpicture}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Stack}
\begin{textblock}{7}(1,1)
\begin{tikzpicture}[scale=0.8]
%\draw[step=1cm] (-3,-1) grid (3,8);
\draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
\draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
\draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
\draw (0,-1) node[anchor=south] {\tt main};
\draw[line width=1mm] (-1,0) -- (1,0);
\draw (0,0) node[anchor=south] {\tt arg$_3$=3};
\draw[line width=1mm] (-1,1) -- (1,1);
\draw (0,1) node[anchor=south] {\tt arg$_2$=2};
\draw[line width=1mm] (-1,2) -- (1,2);
\draw (0,2) node[anchor=south] {\tt arg$_1$=1};
\draw[line width=1mm] (-1,3) -- (1,3);
\draw (0,3.1) node[anchor=south] {\tt ret};
\draw[line width=1mm] (-1,4) -- (1,4);
\draw (0,4) node[anchor=south] {\small\tt last sp};
\draw[line width=1mm] (-1,5) -- (1,5);
\draw (0,5) node[anchor=south] {\tt buf$_1$};
\draw[line width=1mm] (-1,6) -- (1,6);
\draw (0,6) node[anchor=south] {\tt buf$_2$};
\draw[line width=1mm] (-1,7) -- (1,7);
\draw (2,6.1) node[anchor=south] {\code{$esp}};
\draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);
\draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0);
\draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
\draw (2.6,3.1) node[anchor=south west] {\tt back to main()};
\draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
\end{tikzpicture}
\end{textblock}
\begin{textblock}{7}(6.4,8)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c}
\end{bubble}
\end{textblock}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Behind the Scenes}
machine code
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overwriting the Stack}
\begin{textblock}{7}(1,2)
\begin{tikzpicture}[scale=0.8]
%\draw[step=1cm] (-3,-1) grid (3,8);
\draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
\draw[line width=1mm] (-1,-1.2) -- (-1,6.4);
\draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4);
\draw (0,-1) node[anchor=south] {\tt main};
\draw[line width=1mm] (-1,0) -- (1,0);
\draw (0,0) node[anchor=south] {\tt arg$_3$=3};
\draw[line width=1mm] (-1,1) -- (1,1);
\draw (0,1) node[anchor=south] {\tt arg$_2$=2};
\draw[line width=1mm] (-1,2) -- (1,2);
\draw (0,2) node[anchor=south] {\tt arg$_1$=1};
\draw[line width=1mm] (-1,3) -- (1,3);
\draw (0,3.1) node[anchor=south] {\tt ret};
\draw[line width=1mm] (-1,4) -- (1,4);
\draw (0,4) node[anchor=south] {\small\tt last sp};
\draw[line width=1mm] (-1,5) -- (1,5);
\draw (0,5) node[anchor=south] {\tt buf};
\draw[line width=1mm] (-1,6) -- (1,6);
\draw (2,5.1) node[anchor=south] {\code{$esp}};
\draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6);
\draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5);
\draw (2.5,4.1) node[anchor=south] {\code{??}};
\draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
\draw (2.6,3.1) node[anchor=south west] {\tt jump to \code{\\x080483f4}};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{7}(1,13.5)
\code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08\\x00"}
\end{textblock}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Payloads}
\begin{itemize}
\item the idea is that you store some code in the buffer (the payload)
\item you then override the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item difficulty is to guess the right place where to ``jump''
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Payloads (2)}
\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
\begin{center}
\texttt{xorl \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip
{\small
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Variants}
There are many variants:
\begin{itemize}
\item return-to-lib-C attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
\item ``zero-days-attacks'' (new unknown vulnerability)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Format String Vulnerability}
\small
\texttt{string} is nowhere used:\bigskip
{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
this vulnerability can be used to read out the stack
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
\begin{itemize}
\item use safe library functions
\item stack caneries
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all more difficult)
\item choice of programming language (one of the selling points of Java)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
\begin{center}
\begin{tikzpicture}[scale=1]
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}
\begin{itemize}
\item the idea is make the attack surface smaller and mitigate the
consequences of an attack
\item you need an OS that supports different roles (root vs.~users)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Weaknesses of Unix AC}
Not just restricted to Unix:
\begin{itemize}
\item if you have too many roles (i.e.~too finegrained AC), then
hierarchy is too complex\\ \textcolor{gray}{you invite situations
like\ldots let's be root}\bigskip
\item you can still abuse the system\ldots
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}
\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes the real passwd file
\end{enumerate}
\only<2>{
\begin{textblock}{11}(2,5)
\begin{bubble}[8cm]
\normalsize To prevent this kind of attack, you need additional
policies (don't do such operations as root).
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Problem}
\begin{itemize}
\item The basic problem is that library routines in C look as follows:
\end{itemize}
\begin{center}
\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Security Goals}
\begin{itemize}
\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
\item Monitoring (detect attacks)\pause
\item Privacy, confidentiality, anonymity (to protect secrets)\pause
\item Authenticity (needed for access control)\pause
\item Integrity (prevent unwanted modification or tampering)\pause
\item Availability and reliability (reduce the risk of DoS attacks)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Homework}
\begin{itemize}
\item Assume format string attacks allow you to read out the stack. What can you do
with this information?\bigskip
\item Assume you can crash a program remotely. Why is this a problem?
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix}
\begin{itemize}
\item access control provided by the OS
\item authenticate principals (login)
\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
\item roles get attached with privileges\bigskip\\%
\hspace{8mm}
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\begin{minipage}{8cm}
\alert{The principle of least privilege:}\\
programs should only have as much privilege as they need
\end{minipage}};
\end{tikzpicture}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{Process Ownership}
\begin{itemize}
\item access control in Unix is very coarse
\end{itemize}\bigskip\bigskip\bigskip
\begin{center}
\begin{tabular}{c}
root\\
\hline
user$_1$ user$_2$ \ldots www, mail, lp
\end{tabular}
\end{center}\bigskip\bigskip\bigskip
\textcolor{gray}{\small root has UID $=$ 0}\\\pause
\textcolor{gray}{\small you also have groups that can share access to a file}\\
\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}
\begin{itemize}
\item privileges are specified by file access permissions (``everything is a file'')
\item there are 9 (plus 2) bits that specify the permissions of a file
\begin{center}
\begin{tabular}{l}
\texttt{\$ ls - la}\\
\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
\end{tabular}
\end{center}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Login Process}
\begin{itemize}
\item login processes run under UID $=$ 0\medskip
\begin{center}
\texttt{ps -axl | grep login}
\end{center}\medskip
\item after login, shells run under UID $=$ user (e.g.~501)\medskip
\begin{center}
\texttt{id cu}
\end{center}\medskip\pause
\item non-root users are not allowed to change the UID --- would break
access control
\item but needed for example for \texttt{passwd}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Setuid and Setgid}
The solution is that unix file permissions are 9 + \underline{2 Bits}:
\alert{Setuid} and \alert{Setgid} Bits
\begin{itemize}
\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
\item This enables users to create processes as root (or another user).\bigskip
\item Essential for changing passwords, for example.
\end{itemize}
\begin{center}
\texttt{chmod 4755 fobar\_file}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
\begin{center}
\begin{tikzpicture}[scale=1]
\draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
\draw (4.7,1) node {Internet};
\draw (0.6,1.7) node {\footnotesize Slave};
\draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
\draw (0.6,1.7) node {\footnotesize Slave};
\draw (0.6,0.6) node {\footnotesize Slave};
\draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
\draw (-2.9,1.7) node {\footnotesize Monitor};
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
\draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
\end{tikzpicture}
\end{center}
\begin{itemize}
\item pre-authorisation slave
\item post-authorisation\bigskip
\item 25\% codebase is privileged, 75\% is unprivileged
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Network Applications}
ideally network application in Unix should be designed as follows:
\begin{itemize}
\item need two distinct processes
\begin{itemize}
\item one that listens to the network; has no privilege
\item one that is privileged and listens to the latter only (but does not trust it)
\end{itemize}
\item to implement this you need a parent process, which forks a child process
\item this child process drops privileges and listens to hostile data\medskip
\item after authentication the parent forks again and the new child becomes the user
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws\\[-1mm] in Unix\end{tabular}}
\begin{itemize}
\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
\item \texttt{mkdir foo} is owned by root\medskip
\begin{center}
\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
\end{center}\medskip
it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
\end{itemize}
\only<5->{
\begin{textblock}{1}(3,7)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\begin{minipage}{8cm}
Only failure makes us experts.
-- Theo de Raadt (OpenBSD, OpenSSH)
\end{minipage}};
\end{tikzpicture}
\end{textblock}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: