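\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplaincu}
%% Fonts/encoding: \setmonofont and \newfontfamily further down are fontspec
%% commands, so this document is built with XeLaTeX/LuaLaTeX, which read
%% UTF-8 source directly.  fontspec must not be combined with inputenc or
%% fontenc, so both stay disabled; the former \usepackage[latin1]{inputenc}
%% line is kept below only as a comment (the file as shown contains no
%% non-ASCII characters that relied on it).
%%\usepackage[T1]{fontenc}
%%\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos}  % textblock boxes at absolute positions (the \only<..> note boxes)
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc}
\usepackage{ulem}
\usepackage{courier}   % NOTE(review): superseded as mono font by \setmonofont{Consolas} below
\usepackage{listings}
\renewcommand{\uline}[1]{#1}   % neutralise ulem's \uline: its argument is typeset without underline
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx}
\setmonofont[Scale=MatchLowercase]{Consolas}
\newfontfamily{\consolas}{Consolas}   % font switch used as basicstyle of the listings

% colours for the listing style
\definecolor{javared}{rgb}{0.6,0,0} % for strings (not referenced in this file; stringstyle below uses javagreen)
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

\makeatletter
% listings hook: output character "2D (the ASCII hyphen) as `-{}' inside
% listings, presumably so that two adjacent hyphens are not merged into a
% dash ligature by the font.
\lst@CCPutMacro\lst@ProcessOther {"2D}{\lst@ttfamily{-{}}{-{}}}
\@empty\z@\@empty
\makeatother

\lstdefinelanguage{scala}{
morekeywords={abstract,case,catch,class,def,%
do,else,extends,false,final,finally,%
for,if,implicit,import,match,mixin,%
new,null,object,override,package,%
private,protected,requires,return,sealed,%
super,this,throw,trait,true,try,%
type,val,var,while,with,yield},
otherkeywords={=>,<-,<\%,<:,>:,\#,@,->},
sensitive=true,
morecomment=[l]{//},
morecomment=[n]{/*}{*/},
morestring=[b]",
morestring=[b]',
morestring=[b]"""
}

% Shared listing style.  The language selected here is only the document
% default; each frame that includes a listing picks its own language with a
% local \lstset{language=...}.  (The identical style used to be set twice,
% first with language=Java and again with language=Scala; only the second
% setting took effect, so the duplicate is folded into this one.)
\lstset{language=Scala,
basicstyle=\consolas,
keywordstyle=\color{javapurple}\bfseries,
stringstyle=\color{javagreen},
commentstyle=\color{javagreen},
morecomment=[s][\color{javadocblue}]{/**}{*/},
numbers=left,
numberstyle=\tiny\color{black},
stepnumber=1,
numbersep=10pt,
tabsize=2,
showspaces=false,
showstringspaces=false}


% beamer stuff
\renewcommand{\slidecaption}{APP 03, King's College London, 8 October 2013}

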
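\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Title slide (overlay 1 only): lecture title, contact details and where the
% slides and the homework are found.
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
\LARGE Access Control and \\[-3mm]
\LARGE Privacy Policies (3)\\[-6mm]
\end{tabular}}\bigskip\bigskip\bigskip

%\begin{center}
%\includegraphics[scale=1.3]{pics/barrier.jpg}
%\end{center}

\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Office: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also homework is there)
\end{tabular}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


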
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Two captioned pictures side by side: the barrier from the first lecture is
% always shown; the train wreck (``today'') is only shown on overlay 2.
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}[t]{c}
\includegraphics[scale=1.2]{pics/barrier.jpg}\\
first lecture
\end{tabular}\;\;\;
\onslide<2>{
\begin{tabular}[t]{c}
\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
today
\end{tabular}
}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



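%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Privilege separation diagram: an unprivileged interface process between the
% Internet and the privileged application process.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}


\begin{center}
\begin{tikzpicture}[scale=1]

% unprivileged interface box (right) and its label
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

% privileged application box (left)
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

% invisible anchors X/Y for the thick arrow to the Internet
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);

% channel between interface and application
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}

\begin{itemize}
\item the idea is to make the attack surface smaller and
mitigate the consequences of an attack
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
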
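%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Access control in Unix: four bullets, the last one followed by the
% least-privilege box (tikz node containing a minipage).
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix}

\begin{itemize}
\item access control provided by the OS
\item authenticate principals (login)
% (a stray \\ at the end of the next item used to leave an empty line before
% the following bullet)
\item mediate access to files, ports, processes according to \alert{roles} (user ids)
\item roles get attached with privileges\bigskip\\%
\hspace{8mm}
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\begin{minipage}{8cm}
\alert{The principle of least privilege:}\\
programs should only have as much privilege as they need
\end{minipage}};
\end{tikzpicture}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
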
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Process ownership: root above the rule, ordinary and service users below;
% three grey remarks at the bottom, with a \pause after the first one.
\mode<presentation>{
\begin{frame}[t]
\frametitle{Process Ownership}

\begin{itemize}
\item access control in Unix is very coarse
\end{itemize}\bigskip\bigskip\bigskip

\begin{center}
\begin{tabular}{c}
root\\
\hline

user$_1$ user$_2$ \ldots www, mail, lp
\end{tabular}
\end{center}\bigskip\bigskip\bigskip


\textcolor{gray}{\small root has UID $=$ 0}\\\pause
\textcolor{gray}{\small you also have groups that can share access to a file}\\
\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

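%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Unix file permission bits, illustrated by an `ls -la' line.
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}


\begin{itemize}
\item privileges are specified by file access permissions (``everything is a file'')
\item there are 9 (plus 2) bits that specify the permissions of a file

\begin{center}
\begin{tabular}{l}
\texttt{\$ ls -la}\\
% `-{}-' keeps the two hyphens separate so they are not typeset as a dash
\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
\end{tabular}
\end{center}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
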
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Login process: each of the first two bullets is followed by a centred shell
% command; the last two bullets are revealed after the \pause.
\mode<presentation>{
\begin{frame}[c]
\frametitle{Login Process}


\begin{itemize}
\item login processes run under UID $=$ 0\medskip
\begin{center}
\texttt{ps -axl | grep login}
\end{center}\medskip

\item after login, shells run under UID $=$ user (e.g.~501)\medskip
\begin{center}
\texttt{id cu}
\end{center}\medskip\pause

\item non-root users are not allowed to change the UID --- would break
access control
\item but needed for example for \texttt{passwd}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

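%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Setuid/setgid bits: what they do and the chmod example that sets setuid.
\mode<presentation>{
\begin{frame}[c]
\frametitle{Setuid and Setgid}

The solution is that Unix file permissions are 9 + \underline{2 Bits}:
\alert{Setuid} and \alert{Setgid} Bits

\begin{itemize}
\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
\item This enables users to create processes as root (or another user).\bigskip

\item Essential for changing passwords, for example.
\end{itemize}

\begin{center}
\texttt{chmod 4755 fobar\_file}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
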
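%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% OpenSSH privilege separation: two unprivileged slave processes facing the
% Internet, one privileged monitor process talking to both.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}

\begin{center}
\begin{tikzpicture}[scale=1]

% two slave boxes (top and bottom) and their labels
% (the top ``Slave'' label used to be drawn twice at the same position)
\draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
\draw (4.7,1) node {Internet};
\draw (0.6,1.7) node {\footnotesize Slave};
\draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
\draw (0.6,0.6) node {\footnotesize Slave};
\draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

% the privileged monitor box
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
\draw (-2.9,1.7) node {\footnotesize Monitor};

% invisible anchors X/Y for the thick arrow to the Internet
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);

% one channel from each slave to the monitor
\draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
\draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);

\end{tikzpicture}
\end{center}

\begin{itemize}
\item pre-authorisation slave
\item post-authorisation\bigskip
\item 25\% of the codebase is privileged, 75\% is unprivileged
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
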
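%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% How a privilege-separated network application is structured (two processes,
% fork, drop privileges, fork again after authentication).
\mode<presentation>{
\begin{frame}[c]
\frametitle{Network Applications}

ideally a network application in Unix should be designed as follows:

\begin{itemize}
\item need two distinct processes
\begin{itemize}
\item one that listens to the network; has no privilege
\item one that is privileged and listens to the latter only (but does not trust it)

\end{itemize}

\item to implement this you need a parent process, which forks a child process
\item this child process drops privileges and listens to hostile data\medskip

\item after authentication the parent forks again and the new child becomes the user
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

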
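%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Three historical Unix flaws revealed step by step; the quotation box is
% added from overlay 5 on, placed absolutely via textpos.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws\\[-1mm] in Unix\end{tabular}}


\begin{itemize}
\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
\item \texttt{mkdir foo} is owned by root\medskip
\begin{center}
\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
\end{center}\medskip
it first creates an i-node as root and then changes the ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
\end{itemize}

\only<5->{
\begin{textblock}{1}(3,7)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\begin{minipage}{8cm}
Only failure makes us experts.
-- Theo de Raadt (OpenBSD, OpenSSH)
\end{minipage}};
\end{tikzpicture}
\end{textblock}}



\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


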
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% The four numbered steps are on overlay 1; overlay 2 adds the mitigation
% note box, placed absolutely via textpos (textblock).
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}

\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\

\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes the real passwd file
\end{enumerate}

\only<2>{
\begin{textblock}{11}(2,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{9cm}\raggedright
To prevent this kind of attack, you need additional
policies (don't do such operations as root).
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

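%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Picture slide introducing ``defence in depth'' (\textbf instead of the
% obsolete \bf switch).
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
one general defence mechanism is\\\alert{\textbf{defence in depth}}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

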
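%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Introduction to buffer overflow attacks and the Aleph One article
% (\textbf instead of the obsolete \bf switch for the article title).
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}

\begin{itemize}
\item ``smashing the stack attacks'' or\\ ``buffer overflow attacks''\medskip
\item one of the most popular attacks\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
\begin{flushright}\small
\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
\end{flushright}
\medskip
\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
\begin{center}
\textbf{``Smashing The Stack For Fun and Profit''}
\end{center}\medskip

\begin{flushright}
\small\textcolor{gray}{Issue 49, Article 14}
\end{flushright}

\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
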
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Whole-frame listing of ../progs/C1.c.  The C file is highlighted with the
% Java language definition, as every other listing in this file is
% (NOTE(review): listings also ships a C definition -- confirm the choice is
% deliberate before changing it).
\mode<presentation>{
\begin{frame}[c]
\frametitle{A Float Printed ``Twice''}

{\lstset{language=Java}
\footnotesize
\lstinputlisting{../progs/C1.c}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



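%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Why C library routines are the root of the problem; shows ../progs/app5.c.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Problem\end{tabular}}

\begin{itemize}
\item The basic problem is that library routines in C look as follows:

\begin{center}
{\lstset{language=Java}
\footnotesize
\lstinputlisting{../progs/app5.c}}
\end{center}

\item the resulting problems are often remotely exploitable
\item can be used to circumvent all access control\\
(for grooming botnets for further attacks)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
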
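%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Variants of memory-corruption attacks.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Variants\end{tabular}}

There are many variants:

\begin{itemize}
\item return-to-lib-C attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip

\item ``zero-day attacks'' (new unknown vulnerability)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
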
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Three-step animation: overlay n shows pics/stackn (n = 1, 2, 3).
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Untitled frame holding only the listing of ../progs/C2.c at 8pt/10pt.
\mode<presentation>{
\begin{frame}[c]

{\lstset{language=Java}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{../progs/C2.c}}}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% (disabled frame: a second listing, ../progs/C2a.c, kept here commented out)
%\mode<presentation>{
%\begin{frame}[c]
%
%\small
%A programmer might be careful, but still introduce vulnerabilities:\bigskip
%
%{\lstset{language=Java}\footnotesize
%\texttt{\lstinputlisting{../progs/C2a.c}}}
%
%
%\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

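%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% What a payload is; the last bullet is revealed after the \pause.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads\end{tabular}}

\begin{itemize}
\item the idea is you store some code in the buffer
\item you then overwrite the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item difficulty is to guess the right place where to ``jump''
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
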
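%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% The NUL-byte constraint on payloads; shows ../progs/app5.c again.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}

\begin{itemize}
% \textbackslash keeps the backslash in the typewriter font (it was set in math mode before)
\item another difficulty is that the code is not allowed to contain \texttt{\textbackslash x00}:

\begin{center}
\texttt{xorl \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip

{\lstset{language=Java}\small
\texttt{\lstinputlisting{../progs/app5.c}}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

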
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Format string vulnerability: the whole frame is set in \small, with the
% listing of ../progs/C4.c in \footnotesize.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}

\small
\texttt{string} is nowhere used:\bigskip

{\lstset{language=Java}\footnotesize
\texttt{\lstinputlisting{../progs/C4.c}}}\bigskip

this vulnerability can be used to read out the stack

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

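%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Defences against buffer overflows.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}

\begin{itemize}
\item use safe library functions
\item stack canaries
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all more difficult)
\item choice of programming language (one of the selling points of Java)

\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
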
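%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Security goals, one bullet per overlay.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}

\begin{itemize}
\item Prevent common vulnerabilities from occurring (e.g.\ buffer overflows)\pause
\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
\item Monitoring (detect attacks)\pause
\item Privacy, confidentiality, anonymity (to protect secrets)\pause
\item Authenticity (needed for access control)\pause
\item Integrity (prevent unwanted modification or tampering)\pause
\item Availability and reliability (reduce the risk of DoS attacks)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


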
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Homework questions; last frame of the deck.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}

\begin{itemize}
\item Assume format string attacks allow you to read out the stack. What can you do
with this information?\bigskip

\item Assume you can crash a program remotely. Why is this a problem?
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


\end{document}

%%% Emacs file-local settings (AUCTeX); no effect on the typeset output.
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End:
