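% Slides for "Access Control and Privacy Policies", lecture 2 (beamer).
% Class options: 14pt base size, frames top-aligned (t).
\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplainculight} % project-local beamer theme
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos} % textblock environments position pictures/text on frames
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc}
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings} % used to typeset the C example programs
% ulem is loaded, but \uline is redefined to print its argument unchanged.
\renewcommand{\uline}[1]{#1}
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx}
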
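% Colours for syntax highlighting in listings.
% NOTE(review): javared and javapurple/javadocblue are annotated below with
% their intended use, but every \lstset in this file sets stringstyle to
% javagreen, so javared appears to be unused here.
\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

% Listing defaults with Java as the language: typewriter font, coloured
% keywords/strings/comments, and a line number on every line at the left.
\lstset{language=Java,
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  tabsize=2,
  showspaces=false,
  showstringspaces=false}
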
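% Scala language definition for the listings package: keywords, operator-like
% keywords, line and nested block comments, and three string delimiters.
\lstdefinelanguage{scala}{
  morekeywords={abstract,case,catch,class,def,%
    do,else,extends,false,final,finally,%
    for,if,implicit,import,match,mixin,%
    new,null,object,override,package,%
    private,protected,requires,return,sealed,%
    super,this,throw,trait,true,try,%
    type,val,var,while,with,yield},
  otherkeywords={=>,<-,<\%,<:,>:,\#,@},
  sensitive=true,
  morecomment=[l]{//},
  morecomment=[n]{/*}{*/},
  morestring=[b]",
  morestring=[b]',
  morestring=[b]"""
}
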
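% Same listing style as the Java settings, with Scala as the language.
% Being the last global \lstset, this is what applies unless a frame sets the
% language locally (the frames below that input .c files do so).
\lstset{language=Scala,
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  tabsize=2,
  showspaces=false,
  showstringspaces=false}
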
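% Footer caption shown on the slides.
% \slidecaption is redefined here, so it is presumably provided by the theme.
\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}


\begin{document}
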
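%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Title slide: lecture title plus contact details and where to find the slides.
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm]
  \LARGE Privacy Policies (2)\\[-6mm]
  \end{tabular}}\bigskip\bigskip\bigskip

% title picture, currently disabled
%\begin{center}
%\includegraphics[scale=1.3]{pics/barrier.jpg}
%\end{center}

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)
  \end{tabular}
  \end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
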
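%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Anonymous student question about the homework deadline, quoted verbatim.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}


\ldots{} I have a question about the homework.\\[3mm]
Is it required to submit the homework before\\
the next lecture?\\[5mm]

Thank you!\\
Anonymous

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
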
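%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Two pictures side by side: "future lectures" (barrier) is always shown,
% "today" (train wreck) is revealed on the second overlay.
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}[t]{c}
\includegraphics[scale=1.2]{pics/barrier.jpg}\\
future lectures
\end{tabular}\;\;\;
\onslide<2>{
\begin{tabular}[t]{c}
\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
today
\end{tabular}
}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

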
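%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SmartWater: a marking scheme used as an example that a security measure
% can help in one setting and be open to abuse in another.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}

% picture on the left, placed absolutely with textpos
\begin{textblock}{1}(1,3)
\begin{tabular}{c}
\includegraphics[scale=0.15]{pics/SmartWater}
\end{tabular}
\end{textblock}


% discussion points on the right
\begin{textblock}{8.5}(7,3)
\begin{itemize}
\item seems helpful for preventing cable theft\medskip
\item wouldn't be helpful to make your property safe, because of possible abuse\medskip

\item security is always a tradeoff
\end{itemize}
\end{textblock}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
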
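%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% IEEE incident: plain-text passwords ended up in logs that were reachable
% over FTP. Two independent failures are visible in the bullets below:
% credentials were written to logs at all, and the log directory was
% publicly served. Either control alone would have limited the exposure.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}

\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}


\begin{itemize}
\item IEEE is a standards organisation (not-for-profit)
\item many standards in CS are by IEEE\medskip
\item 100k plain-text passwords were recorded in logs
\item the logs were openly accessible on their FTP server
\end{itemize}\bigskip

\begin{flushright}\small
\textcolor{gray}{\url{http://ieeelog.com}}
\end{flushright}

% second overlay: screenshot of the report in a red-framed box
\only<2>{
\begin{textblock}{11}(3,2)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{7.5cm}\raggedright\small
\includegraphics[scale=0.6]{pics/IEEElog.jpg}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

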
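%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Virgin Mobile (USA): account passwords restricted to 6 digits, i.e. a key
% space of one million that can be searched online.
% NOTE(review): the cookie bullet suggests the guess limit was tracked on the
% client side only -- confirm against the linked article. The defensive
% point for the audience is that throttling and lockout have to be enforced
% per account on the server.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}

\begin{flushright}\small
\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
\end{flushright}

\begin{itemize}
\item for online accounts passwords must be 6 digits
\item you must cycle through 1M combinations (online)\pause\bigskip

\item he limited the attack on his own account to 1 guess per second, \alert{\textbf{and}}
\item wrote a script that cleared the cookie set after each guess\pause
\item has been fixed now
\end{itemize}



\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

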
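%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Introduces buffer overflow ("stack smashing") attacks: how common they are
% and the article that popularised them. References are set flush right in
% grey under the item they belong to.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}

\begin{itemize}
\item ``smashing the stack attacks'' or ``buffer overflow attacks''
\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
\begin{flushright}\small
\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
\end{flushright}
\medskip
\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
\begin{center}
\textbf{``Smashing The Stack For Fun and Profit''}
\end{center}\medskip

\begin{flushright}
\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
\end{flushright}

\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
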
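%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Root cause slide: shows a C library routine (app5.c, not part of this file)
% and states the consequences of overflows.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Problem\end{tabular}}

\begin{itemize}
\item The basic problem is that library routines in C look as follows:
\begin{center}
% the listed file is C, so highlight it as C; font size reduced to 8pt
{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}
\end{center}
\item the resulting problems are often remotely exploitable
\item can be used to circumvent all access control
(botnets for further attacks)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
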
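%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Variants of memory-corruption attacks.
% NOTE(review): the Slammer worm is usually described as exploiting a
% stack-based overflow in SQL Server's resolution service; confirm that it
% belongs under the heap-smashing item before presenting.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Variants\end{tabular}}

There are many variants:

\begin{itemize}
\item return-to-lib-C attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip

\item ``zero-day attacks'' (new unknown vulnerability)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


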
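%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% First C example (C1.c, not part of this file): a program that prints
% my_float twice.
\mode<presentation>{
\begin{frame}[c]

\small
\texttt{my\_float} is printed twice:\bigskip

% the listed file is C, so highlight it as C; font size reduced to 8pt
{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C1.c}}}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
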
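%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Three stack diagrams shown one after another, one per overlay.
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
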
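%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Second C example (C2.c, not part of this file), shown without caption.
\mode<presentation>{
\begin{frame}[c]

% the listed file is C, so highlight it as C; font size reduced to 8pt
{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2.c}}}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
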
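%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Variant of the second example (C2a.c, not part of this file): code written
% with care that is still vulnerable.
\mode<presentation>{
\begin{frame}[c]

\small
A programmer might be careful, but still introduce vulnerabilities:\bigskip

% the listed file is C, so highlight it as C; font size reduced to 8pt
{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2a.c}}}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
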
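%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Conceptual description of what an overflow is used for. The two properties
% named here (injected code runs from the buffer, the jump target must be
% guessed) are the ones that the non-executable stack and address space
% randomisation on the "Protections against BO Attacks" slide address.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads\end{tabular}}

\begin{itemize}
\item the idea is you store some code as part of the buffer
\item you then overwrite the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item difficulty is to guess the right place where to ``jump''
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
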
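%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Second payload slide: the zero-byte restriction, with one instruction as
% illustration, followed by the library routine listing.
% NOTE(review): app5.c is the same file that is listed on the "The Problem"
% slide; confirm that this is the intended listing here.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}

\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{\textbackslash x00}:

\begin{center}
\texttt{xorl \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip

% the listed file is C, so highlight it as C; font size reduced to 8pt
{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

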
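%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Format string example (programs/C4.c, not part of this file).
% NOTE(review): this is the only listing read from programs/; the other
% frames input their .c files from the current directory -- confirm the path.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}

\small
\texttt{string} is nowhere used:\bigskip

% the listed file is C, so highlight it as C; font size reduced to 8pt
{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{programs/C4.c}}}\bigskip

this vulnerability can be used to read out the stack

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
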
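%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Countermeasures against buffer overflow (BO) attacks. The remarks in
% parentheses mark the first two runtime defences as partial: the
% return-to-lib-C attacks on the "Variants" slide reuse code that is already
% present rather than executing data placed on the stack.
% NOTE(review): compiler-inserted stack canaries are another standard
% mitigation and are not listed; consider mentioning them when presenting.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}

\begin{itemize}
\item use safe library functions
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all more difficult)
\item choice of programming language (one of the selling points of Java)

\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
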
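%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Overview of security goals, uncovered one item at a time via \pause.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}

\begin{itemize}
\item Prevent common vulnerabilities from occurring (e.g.\ buffer overflows)\pause
\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
\item Monitoring (detect attacks)\pause
\item Privacy, confidentiality, anonymity (to protect secrets)\pause
\item Authenticity (needed for access control)\pause
\item Integrity (prevent unwanted modification or tampering)\pause
\item Availability and reliability (reduce the risk of DoS attacks)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


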
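%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Homework questions: consequences of a stack disclosure through a format
% string bug, and of a remotely triggerable crash.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}

\begin{itemize}
\item Assume format string attacks allow you to read out the stack. What can you do
  with this information?\bigskip

\item Assume you can crash a program remotely. Why is this a problem?
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

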
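\end{document}

% Emacs/AUCTeX file-local settings: this file is its own master document.
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: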
+ −