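% Beamer slide deck: "Access Control and Privacy Policies (2)".
% Frames, in order: title, homework question, SmartWater, the IEEE password
% log report, the Virgin Mobile password report, stack smashing / buffer
% overflows, payloads, format-string vulnerabilities, and protections.
%
% External files this deck expects next to it (none are visible from here):
%   pics/SmartWater, pics/IEEElog.jpg, pics/stack1, pics/stack2, pics/stack3,
%   app5.c, C1.c, C2.c, C2a.c, C6.c, and the beamerthemeplainculight package.
\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplainculight}
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc}
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings}
% Neutralise ulem's \uline: the argument is typeset without any underline.
\renewcommand{\uline}[1]{#1}
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx}

% Colours used by the listings styles below.
\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

\lstset{language=Java,
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  tabsize=2,
  showspaces=false,
  showstringspaces=false}

% listings ships no Scala definition, so one is declared here.
\lstdefinelanguage{scala}{
  morekeywords={abstract,case,catch,class,def,%
    do,else,extends,false,final,finally,%
    for,if,implicit,import,match,mixin,%
    new,null,object,override,package,%
    private,protected,requires,return,sealed,%
    super,this,throw,trait,true,try,%
    type,val,var,while,with,yield},
  otherkeywords={=>,<-,<\%,<:,>:,\#,@},
  sensitive=true,
  morecomment=[l]{//},
  morecomment=[n]{/*}{*/},
  morestring=[b]",
  morestring=[b]',
  morestring=[b]"""}

% This second \lstset replaces the Java default set above; the frames that
% include C sources select their language locally inside a group.
\lstset{language=Scala,
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  tabsize=2,
  showspaces=false,
  showstringspaces=false}

% beamer stuff
\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Title frame.
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
  \begin{tabular}{@{}c@{}}
  \\
  \LARGE Access Control and \\[-3mm]
  \LARGE Privacy Policies (2)\\[-6mm]
  \end{tabular}}\bigskip\bigskip\bigskip

  %\begin{center}
  %\includegraphics[scale=1.3]{pics/barrier.jpg}
  %\end{center}

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also home work is there)
  \end{tabular}
  \end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% A student's question about the homework, quoted on the slide.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Homework\end{tabular}}

\ldots{} I have a question about the homework.\\[3mm]
Is it required to submit the homework before\\
the next lecture?\\[5mm]

Thank you!\\
Anonymous

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SmartWater: picture on the left, discussion points on the right
% (both placed with textpos blocks).
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}SmartWater\end{tabular}}

\begin{textblock}{1}(1,3)
\begin{tabular}{c}
\includegraphics[scale=0.15]{pics/SmartWater}
\end{tabular}
\end{textblock}

\begin{textblock}{8.5}(7,3)
\begin{itemize}
\item seems helpful for preventing cable theft\medskip
\item wouldn't be helpful to make your property safe, because of possible abuse\medskip
\item security is always a tradeoff
\end{itemize}
\end{textblock}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% IEEE report.  The slide lists two separate failures: passwords were
% written to logs in plain text, and those logs were readable on a public
% FTP server.  Either one alone would already be a finding; worth saying
% aloud that credentials should never reach a log in the first place.
% The second overlay shows a screenshot on top of the text.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Plaintext Passwords from IEEE\end{tabular}}

\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}

\begin{itemize}
\item IEEE is a standards organisation (not for profit)
\item many standards in CS are by IEEE\medskip
\item 100k plain-text passwords were recorded in logs
\item the logs were openly accessible on their FTP server
\end{itemize}\bigskip

\begin{flushright}\small
\textcolor{gray}{\url{http://ieeelog.com}}
\end{flushright}

\only<2>{
\begin{textblock}{11}(3,2)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{7.5cm}\raggedright\small
\includegraphics[scale=0.6]{pics/IEEElog.jpg}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Virgin Mobile report.  6 digits give 10^6 = 1M candidate passwords.
% "he" refers to the author of the linked report (presumably; the slide
% does not name him).
% NOTE(review): the last item implies the guess limit was tracked in
% cookies, i.e. in state the client can simply discard.  The defensive
% point for the audience: attempt limiting and lockout have to be enforced
% server-side, keyed on the account, not on anything the client holds.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Virgin Mobile (USA)\end{tabular}}

\begin{flushright}\small
\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
\end{flushright}

\begin{itemize}
\item for online accounts passwords must be 6 digits
\item you must cycle through 1M combinations (online)\pause\bigskip
\item he limited the attack on his own account to 1 guess per second, \alert{\textbf{and}}
\item wrote a script that cleared the cookies set after each guess
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Introduction to stack smashing / buffer overflows and its best-known
% reference.  The CERT percentage is the author's figure; no source for it
% is given in this file.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Smash the Stack for Fun\ldots\end{tabular}}

\begin{itemize}
\item ``smashing the stack attacks'' or ``buffer overflow attacks''
\item one of the most popular attacks\\
($>$ 50\% of security incidents reported at CERT are related to buffer overflows)\medskip
\item made popular in an article by Elias Levy\\
(also known as Aleph One):\\
\begin{center}
\textbf{``Smashing The Stack For Fun and Profit''}
\end{center}\bigskip

\begin{flushright}\small
\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
\end{flushright}

\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Shows a library routine (app5.c) as the root of the problem.
% The included files are C sources, so the listing language is set to C
% inside the group; the global default stays untouched.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Problem\end{tabular}}

\begin{itemize}
\item The basic problem is that library routines look as follows:

\begin{center}
{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}
\end{center}

\item the resulting problems are often remotely exploitable
\item can be used to circumvent all access control
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Example program C1.c (not visible from this file).
\mode<presentation>{
\begin{frame}[c]

\small
\texttt{my\_float} is printed twice:\bigskip

{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C1.c}}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Three stack pictures, uncovered one after another.
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\onslide<1->{\includegraphics[scale=0.5]{pics/stack1}\;\;}
\onslide<2->{\includegraphics[scale=0.5]{pics/stack2}\;\;}
\onslide<3->{\includegraphics[scale=0.5]{pics/stack3}\;\;}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Example program C2.c (not visible from this file).
\mode<presentation>{
\begin{frame}[c]

{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2.c}}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Variant C2a.c (not visible from this file): care alone is not enough.
\mode<presentation>{
\begin{frame}[c]

\small
A programmer might be careful, but still introduce vulnerabilities:\bigskip

{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C2a.c}}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Conceptual description of what an overflow is used for.  The last item
% (having to guess the jump target) is the property that address space
% randomisation, listed on the protections frame, makes harder.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads\end{tabular}}

\begin{itemize}
\item the idea is you store some code as part of the buffer
\item you then overwrite the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item difficulty is to guess the place where to ``jump''
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Second payload frame; app5.c is shown again, as on "The Problem".
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}

\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:

\begin{center}
\texttt{xorl   \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip

{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{app5.c}}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Format-string example C6.c (not visible from this file).
% NOTE(review): presumably C6.c hands caller-supplied text to a printf-style
% function as the format argument -- confirm against the listing.  The
% mitigation to mention alongside it is a constant format string, with the
% data passed as an argument, e.g. printf("%s", s).
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}

\small
\texttt{string} is nowhere used:\bigskip

{\lstset{language=C}\fontsize{8}{10}\selectfont%
\texttt{\lstinputlisting{C6.c}}}\bigskip

this vulnerability can be used to read out the stack

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Mitigations ("BO" = buffer overflow).
% NOTE(review): the slide itself says the non-executable stack can be
% defeated, so the items should be presented as layers to combine, not as
% alternatives.  Two points a practitioner would expect to hear here:
%  - "safe" library functions still need care: bounded copies such as
%    strncpy do not NUL-terminate the destination when the source is too
%    long, so the caller has to terminate and check lengths explicitly;
%  - compiler-inserted stack canaries are a further standard mitigation
%    that is not listed on the slide.
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}

\begin{itemize}
\item use safe library functions
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all more difficult)
\item choice of programming language (one of the selling points of Java)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: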