slides/slides02.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 29 Sep 2014 21:11:06 +0100
updated

\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}

\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

\hfuzz=220pt 

% beamer stuff 
\renewcommand{\slidecaption}{APP 02, King's College London}

%Bank vs Voting
%http://www.parliament.vic.gov.au/images/stories/committees/emc/2010_Election/submissions/13_VTeague_EMC_Inquiry_No.6.pdf

% first cyber attack
%http://investigations.nbcnews.com/_news/2013/03/18/17314818-cyberattack-on-florida-election-is-first-known-case-in-us-experts-say

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (2)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)\\
  \end{tabular}
  \end{center}

\end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}This Course is about\\[-2mm]  ``Satan's Computer''\end{tabular}}

Ross Anderson and Roger Needham wrote:\bigskip

\begin{bubble}[10cm]
\small
``In effect, our task is to program a computer which gives 
answers which are subtly and maliciously wrong at the most 
inconvenient possible moment\ldots{} we hope that the lessons 
learned from programming Satan's computer may be helpful 
in tackling the more common problem of programming Murphy's.''
\end{bubble}\\[30mm]

\only<2>{
\begin{textblock}{11}(3,12)
\begin{tabular}{c}
\includegraphics[scale=0.12]{pics/ariane.jpg}\\[-2mm]
\footnotesize Murphy's computer
\end{tabular}
\begin{tabular}{c}
\includegraphics[scale=0.15]{pics/mobile.jpg}\;
\includegraphics[scale=0.06]{pics/pinsentry.jpg}\\[-2mm]
\footnotesize Satan's computers
\end{tabular}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
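\begin{frame}[c]
\frametitle{Defence in Depth}

% Sample password-file entry in the crypt(3) modular format:
% user name, then $id$salt$hash. The id 6 selects SHA-512 crypt.
% The entry is deliberately cut short with "...".
\begin{center}
\pcode{urbanc:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xFn3mskfdnEn...:...}
\end{center}

\begin{itemize}
\item hashes help when password databases are leaked
\item salts help with protecting against dictionary attacks
% NOTE(review): a salt defeats precomputed tables and makes the attacker
% work on every entry separately; it does not slow down a dictionary
% attack on one known entry -- that needs a deliberately slow hash.
% Worth saying when presenting this slide.

\end{itemize}

\end{frame}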
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Today's Lecture}
\begin{center}
\begin{tabular}{cc}
\large online banking  & \hspace{6mm}\large e-voting\\
\textcolor{gray}{solved} & \hspace{6mm}\textcolor{gray}{unsolved}\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Voting as Security Problem\end{tabular}}

What are the security requirements of a voting system?\bigskip

\begin{itemize}
\item<2->Integrity 
\item<3->Ballot Secrecy
\item<5->Voter Authentication
\item<6->Enfranchisement
\item<7->Availability
\end{itemize}

\only<2>{
\begin{textblock}{5.5}(8,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
{\small
\begin{minipage}{5cm}\raggedright
\begin{center}
\begin{minipage}{4.5cm}
\begin{itemize}
\item The outcome matches the voters' intent.
\item There might be gigantic sums at stake, so manipulation needs to be defended against.
\end{itemize}
\end{minipage}
\end{center}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\only<4>{
\begin{textblock}{5.5}(8,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
{\small
\begin{minipage}{5cm}\raggedright
\begin{center}
\begin{minipage}{4.5cm}
\begin{itemize}
\item Nobody can find out how you voted.
\item (Stronger) Even if you try, you cannot prove how you voted.
\end{itemize}
\end{minipage}
\end{center}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\only<5>{
\begin{textblock}{5.5}(8,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
{\small
\begin{minipage}{5cm}\raggedright
\begin{center}
\begin{minipage}{4.5cm}
\begin{itemize}
\item Only authorised voters can vote up to the permitted number of votes.
\end{itemize}
\end{minipage}
\end{center}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\only<6>{
\begin{textblock}{5.5}(8,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
{\small
\begin{minipage}{5cm}\raggedright
\begin{center}
\begin{minipage}{4.5cm}
\begin{itemize}
\item Authorised voters should have the opportunity to vote.
\end{itemize}
\end{minipage}
\end{center}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\only<7>{
\begin{textblock}{5.5}(8,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
{\small
\begin{minipage}{5cm}\raggedright
\begin{center}
\begin{minipage}{4.5cm}
\begin{itemize}
\item The voting system should accept all authorised votes and produce results in a timely manner.
\end{itemize}
\end{minipage}
\end{center}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Problems with Voting\end{tabular}}


\begin{center}\large
\begin{tabular}{rcl}
Integrity & vs. & Ballot Secrecy\bigskip\\
Authentication & vs. &Enfranchisement   
\end{tabular}
\end{center}\bigskip\bigskip\pause

Further constraints:

\begin{itemize}
\item costs
\item accessibility
\item convenience
\item intelligibility 
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Traditional Ballot Boxes\end{tabular}}


\begin{center}
\includegraphics[scale=2.5]{pics/ballotbox.jpg}
\end{center}\pause\bigskip

they need a ``protocol''


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}


\begin{itemize}
\item The Netherlands had electronic voting machines between 1997 and 2006\\
\textcolor{gray}{(hacktivists found that they could be hacked and that they also emitted radio signals revealing how you voted)}

\item Germany had used them in pilot studies\\ 
\textcolor{gray}{(in 2007 a lawsuit reached the highest court, which rejected electronic voting
on the grounds of not being understandable by the general public)}

\item UK used optical scan voting systems in a few polls
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}

\mbox{}\\[-12mm]
\begin{itemize}
\item US used mechanical machines since the 30s, later punch cards, now DREs and 
optical scan voting machines

\item Estonia used the Internet for national elections in 2007 
\textcolor{gray}{(there were earlier pilot studies in other countries)}

\item India uses e-voting devices  since at least 2003\\
\textcolor{gray}{(``keep-it-simple'' machines produced by a government owned company)}

\item South Africa used software for its tallying in the 1993 elections (when Nelson Mandela was elected)
\textcolor{gray}{(they found the tallying software was rigged, but they were able to tally manually)}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}A Brief History of Voting\end{tabular}}


\begin{itemize}
\item Athenians
\begin{itemize}
\item show of hands
\item ballots on pieces of pottery
\item different colours of stones
\item ``facebook''-like authorisation 
\end{itemize}\bigskip

\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip


\item French Revolution and the US Constitution got things ``started'' with 
paper ballots (you first had to bring your own; later they were pre-printed by parties)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}

Security policies involved with paper ballots:

\begin{enumerate}
\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing)
\item you need to guard the ballot box during the poll until counting
\item tallied by a team at the end of the poll (independent observers) 
\end{enumerate}

\begin{center}
\includegraphics[scale=1.5]{pics/ballotbox.jpg}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
\mode<presentation>{
\begin{frame}[c]

Which security requirements do paper ballots satisfy better than voice voting?\bigskip

\begin{itemize}
\item Integrity
\item Enfranchisement
\item Ballot secrecy
\item Voter authentication
\item Availability
\end{itemize}

\end{frame}}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
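\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}}

What can go wrong with paper ballots?

% Overlay 2: the quote makes the point that whoever counts the votes
% controls the result, i.e. the tally itself must be protected.
\only<2>{
\begin{center}
\includegraphics[scale=0.8]{pics/tweet.jpg}\\
\footnotesize William M.~Tweed, US Politician in 1860's\\
``As long as I count the votes, what are you going to do about it?''
\end{center}}

% Overlay 3: chain voting is a vote-buying scheme; as the steps show, it
% depends on a blank ballot leaving the polling station.
% NOTE(review): the slide names no countermeasure. A commonly cited one is
% a numbered, detachable ballot stub that poll workers check before the
% ballot is cast -- confirm whether the lecture covers it.
\only<3>{
\medskip
\begin{center}
\begin{minipage}{10cm}
\textbf{Chain Voting Attack}
\begin{enumerate}
\item you obtain a blank ballot and fill it out as you want
\item you give it to a voter outside the polling station
\item voter receives a new blank ballot
\item voter submits prefilled ballot
\item voter gives blank ballot to you, you give money
\item goto 1
\end{enumerate}
\end{minipage}
\end{center}
}

\end{frame}}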
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Mechanical Voting Machines\end{tabular}}

\begin{itemize}
\item<1-> Lever Voting Machines (ca.~1930 - 1990)
\only<1>{
\begin{center}
\includegraphics[scale=0.56]{pics/leavermachine.jpg}
\end{center}
}
\item<2->Punch Cards (ca.~1950 - 2000)
\only<2>{
\begin{center}
\includegraphics[scale=0.5]{pics/punchcard1.jpg}\;\;
\includegraphics[scale=0.46]{pics/punchcard2.jpg}
\end{center}
}
\end{itemize}



\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}}

\begin{center}
\begin{tabular}{c}
\includegraphics[scale=0.45]{pics/dre1.jpg}\; 
\includegraphics[scale=0.40]{pics/dre2.jpg}\\\hline\\
\includegraphics[scale=0.5]{pics/opticalscan.jpg} 
\end{tabular}
\end{center}

\only<1->{
\begin{textblock}{5.5}(1,4)
DREs
\end{textblock}}
\only<1->{
\begin{textblock}{5.5}(1,11)
Optical Scan
\end{textblock}}

\only<2>{
\begin{textblock}{5.5}(0.5,14.5)
all are computers
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}}

Direct-recording electronic voting machines\\ 
(votes are recorded for example on memory cards)

typically touchscreen machines

usually no paper trail

\begin{center}
\includegraphics[scale=0.56]{pics/dre1.jpg}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}

The work by J.~Alex Halderman:

\begin{itemize}
\item acquired a machine from an anonymous source\medskip
\item they try to keep the source code running the machine secret\medskip\pause

\item first reverse-engineered the machine (extremely tedious)
\item could completely reboot the machine and even install a virus that infects other Diebold machines
\item also obtained the source code for other machines
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}

What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause

A non-obvious problem:

\begin{itemize}
\item you can nowadays get old machines, which still store old polls

\item the paper ballot box needed to be secured during the voting until counting;
e-voting machines need to be secured during the entire life-time  
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}}

Conclusion:\\ Any electronic solution should have a paper trail.

\begin{center}
\begin{tabular}{c}
\includegraphics[scale=0.5]{pics/opticalscan.jpg} 
\end{tabular}
\end{center}\pause

You still have to solve problems about
voter registration, voter authentication, guarding against tampering

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}}

Their underlying engineering principle is ``keep-it-simple'':

\begin{center}
\begin{tabular}{c}
\includegraphics[scale=1.05]{pics/indiaellection.jpg}\;\;
\includegraphics[scale=0.40]{pics/india1.jpg}
\end{tabular}
\end{center}\medskip\pause

Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'', ``infallible'' 
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Frame with overlay specification <1-3>: only overlay 2 adds content (the
% code bubble below), so overlay 3 shows the bullet list on its own again.
\begin{frame}<1-3>[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Lessons Learned\end{tabular}}

\begin{itemize}
\item keep a paper trail and design your system to keep this secure\medskip
% NOTE(review): the link in the next item goes through a URL shortener, so
% the slide does not show where it leads; consider printing the canonical
% address (<canonical repository URL>) next to it.
\item make the software open source (avoid security-by-obscurity)\\
{\small\mbox{}\hfill source code for Estonian e-vote included\\ 
\mbox{}\hfill\textcolor{blue}{\url{http://goo.gl/oRMHAI}}}\medskip
\item have a simple design in order to minimise the attack surface
\end{itemize}

% Overlay 2: code excerpt, presumably taken from the source linked above.
% The function body is only a TODO and returns an empty list, i.e. the
% announced checks on the encrypted vote are not implemented.
% NOTE(review): TeX drops the leading spaces of each line in this minipage,
% so the function body most likely renders without indentation -- confirm
% in the compiled slides.
\only<2>{
\begin{textblock}{9}(3.4,7)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\normalsize\color{darkgray}
\begin{minipage}{9cm}\consolas\small
def analyze(ik, vote, votebox):\\
\\
    \#   TODO: implement security checks\\
    \#   such as verifying the correct size\\
    \#   of the encrypted vote\\
\\
    return []
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Online Banking vs.~E-Voting}

\begin{itemize}
\item online banking: if fraud occurred you try to identify who did what (somebody's account got zero)\bigskip
\item e-voting: some parts can be done electronically, but not the actual voting (final year project: online voting)
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.56]{pics/Voting1.png}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.56]{pics/Voting2.png}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.56]{pics/Voting3.png}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.56]{pics/Voting4.png}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Unix-Style Access Control}

How to do access control? In Unix you have

\begin{itemize}
\item users and groups/roles

\item some special roles: root
\end{itemize}

  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Unix-Style Access Control}

\begin{itemize}
\item Q: ``I am using Windows. Why should I care?'' \\ A: In Windows you have similar AC:

\begin{center}
\begin{tabular}{l}
administrators group\\ 
\hspace{5mm}(has complete control over the machine)\\
authenticated users\\
server operators\\
power users\\
network configuration operators\\
\end{tabular}
\end{center}\medskip

\item Modern versions of Windows have more fine-grained AC than Unix; they do not have a setuid bit, but
have \texttt{runas} (asks for a password).\pause

\item OS-provided access control can \alert{\bf add} to your
security.
\end{itemize}

  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
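\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}


% Diagram: two boxes. The right-hand box (Interface, unprivileged process)
% is the only one connected to the Internet; the left-hand box (Application,
% privileged process) is reached only through the interface.
\begin{center}
  \begin{tikzpicture}[scale=1]
  
  % right-hand box and its labels
  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
  \draw (4.7,1) node {Internet};
  \draw (-2.7,1.7) node {\footnotesize Application};
  \draw (0.6,1.7) node {\footnotesize Interface};
  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
  
  % left-hand box
  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

  % invisible anchor nodes for the thick arrow between interface and Internet
  \draw[white] (1.7,1) node (X) {};
  \draw[white] (3.7,1) node (Y) {};
  \draw[red, <->, line width = 2mm] (X) -- (Y);
 
  % thin arrow: the channel between the two processes
  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
  \end{tikzpicture}
\end{center}

\begin{itemize}
\item the idea is to make the attack surface smaller and 
mitigate the consequences of an attack
\end{itemize}


\end{frame}}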
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Lessons from Access Control}

Not just restricted to Unix:

\begin{itemize}
\item if you have too many roles (i.e.~too fine-grained AC), then 
	the hierarchy is too complex\\
	\textcolor{gray}{you invite situations like\ldots let's be root}\bigskip

\item you can still abuse the system\ldots

\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}

The idea is to trick a privileged person into doing something on your behalf:

\begin{itemize}
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause

\footnotesize
\begin{minipage}{1.1\textwidth}
\textcolor{gray}{the shell behind the scenes:}\\
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\

\textcolor{gray}{this takes time}
\end{minipage}
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}

\begin{enumerate}
% The four steps describe a race between root's clean-up and another user:
% the path /tmp/a/passwd is fixed when the clean-up records it (step 2) but
% only resolved when the file is removed (step 4), after /tmp/a has been
% replaced by a link to /etc (step 3).
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ 
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\

\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes  the real passwd file
\end{enumerate}

% Overlay 2: the slide's own conclusion is a policy (no such clean-up as root).
% NOTE(review): defenders usually add technical controls on top of that
% policy: clean-up tools that never follow symbolic links, the Linux
% fs.protected_symlinks setting, and per-user or per-service temporary
% directories. Confirm which of these the lecture wants to name.
\only<2>{
\begin{textblock}{11}(2,5)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\normalsize\color{darkgray}
\begin{minipage}{9cm}\raggedright
To prevent this kind of attack, you need additional
policies (don't do such operations as root).
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: