diff -r 10da75d5db5d -r 5d0f7da375da slides03.tex
--- a/slides03.tex Mon Oct 08 10:34:12 2012 +0100
+++ b/slides03.tex Tue Oct 09 13:39:31 2012 +0100
@@ -95,7 +95,8 @@
 \begin{tabular}{ll}
 Email: & christian.urban at kcl.ac.uk\\
 Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also home work is there)
+ Slides: & KEATS (also home work is there)\\
+ & \alert{\bf (I have put a temporary link in there.)}\\
 \end{tabular}
 \end{center}
@@ -125,6 +126,10 @@
 \item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
 \end{itemize}
+\only<2->{
+\begin{textblock}{11}(2,12)
+\small otherwise your ``added security'' can become the point of failure
+\end{textblock}}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -176,7 +181,7 @@
 \begin{center}
 \begin{tabular}[b]{c}
 \includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
-\small nuclear weapon
+\small nuclear weapon keys
 \end{tabular}
 \hspace{3mm}
 \begin{tabular}[b]{c}
@@ -196,8 +201,22 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{}
+\frametitle{Access Control in Unix}
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals (login)
+\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
+\item roles get attached with privileges\bigskip\\%
+\hspace{8mm}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+\alert{principle of least privilege:}\\
+programs should only have as much privilege as they need
+\end{minipage}};
+\end{tikzpicture}
+\end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
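Review bot: The added row `+ & \alert{\bf (I have put a temporary link in there.)}\\` uses the plain-TeX switch `\bf`, which resets family and shape to bold roman instead of only setting the series; the LaTeX2e form is `\alert{\textbf{(I have put a temporary link in there.)}}`. The file already uses `\bf` elsewhere, so this is a style nit rather than a defect. Since the remark is explicitly temporary, a `% TODO: drop once the KEATS page is in place` comment beside it would make it easy to find when the link is fixed.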
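Review bot: The callout `\begin{tikzpicture} \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] {\begin{minipage}{8cm} … \end{minipage}}; \end{tikzpicture}` introduced in the Access Control in Unix frame is repeated verbatim, with only the minipage width changing, in the Famous Security Flaws in Unix, Access Control in 2000 and Research Problems frames of the later hunks; a preamble macro such as `\newcommand*{\callout}[2][8cm]{\begin{tikzpicture}\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]{\begin{minipage}{#1}#2\end{minipage}};\end{tikzpicture}}` would keep the four copies in step. The bullet `mediate access to files, ports, processes according to \alert{roles} (user ids)` mixes RBAC vocabulary with the identity-based model the following frames actually describe (UIDs, groups, setuid); `according to \alert{identities} (user ids)` would read consistently with them.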
@@ -205,32 +224,77 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+\frametitle{Access Control in Unix (2)}
+
+\begin{itemize}
+\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
+\end{itemize}
+
+\begin{textblock}{1}(2.5,9.5)
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (4.7,1) node {Internet};
+ \draw (0.6,1.7) node {\footnotesize Interface};
+ \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unpriviledged\\[-1mm] process\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}priviledged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+ \end{tikzpicture}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
-\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[t]
+\frametitle{Process Ownership}
+
+\begin{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
+
+
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
 \begin{itemize}
-\item IEEE is a standards organisation (not-for-profit)
-\item many standards in CS are by IEEE\medskip
-\item 100k plain-text passwords were recorded in logs
-\item the logs were openly accessible on their FTP server
-\end{itemize}\bigskip
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://ieeelog.com}}
-\end{flushright}
+\item privileges are specified by file access permissions (``everything is a file'')
+\item there are 9 (plus 2) bits that specify the permissions of a file
-\only<2>{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{7.5cm}\raggedright\small
-\includegraphics[scale=0.6]{pics/IEEElog.jpg}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
+\begin{center}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
+\end{center}
+\end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
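Review bot: The third frame of this hunk is titled `\frametitle{Access Control in Unix (2)}` although the first new frame already carries exactly that title, so the numbering should continue as `\frametitle{Access Control in Unix (3)}` (or the two frames should get distinct names). The listing `\texttt{\$ ls - la}` has a stray space inside the option and would not run as shown; `\texttt{\$ ls -la}`. The diagram labels `unpriviledged` and `priviledged` are misspelled (`unprivileged`/`privileged`), and the same spelling recurs in the OpenSSH diagram of a later hunk.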
@@ -239,88 +303,25 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
-\end{flushright}
-
-\begin{itemize}
-\item for online accounts passwords must be 6 digits
-\item you must cycle through 1M combinations (online)\pause\bigskip
-
-\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
-\item wrote a script that cleared the cookie set after each guess\pause
-\item has been fixed now
-\end{itemize}
-
+\frametitle{Login Process}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
-
 \begin{itemize}
-\item ``smashing the stack attacks'' or ``buffer overflow attacks''
-\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
-\medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\item login processes run under UID $=$ 0\medskip
 \begin{center}
-{\bf ``Smashing The Stack For Fun and Profit''}
+\texttt{ps -axl | grep login}
 \end{center}\medskip
-\begin{flushright}
-\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
-\end{flushright}
-
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
+
+\item non-root users are not allowed to change the UID --- would break
+access control
+\item but needed for example for \texttt{passwd}
 \end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
-
-\begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\begin{center}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-\end{center}
-\item the resulting problems are often remotely exploitable
-\item can be used to circumvents all access control
-(botnets for further attacks)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Variants\end{tabular}}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -329,87 +330,161 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
+\frametitle{Setuid and Setgid}
-\small
-\texttt{my\_float} is printed twice:\bigskip
+The solution is that unix file permissions are 9 + \underline{2 Bits}:
+\alert{Setuid} and \alert{Setgid} Bits
+
+\begin{itemize}
+\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
+\item This enables users to create processes as root (or another user).\bigskip
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C1.c}}}
+\item Essential for changing passwords, for example.
+\end{itemize}
-
+\begin{center}
+\texttt{chmod 4755 fobar\_file}
+\end{center}
+
 \end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
 \begin{center}
-\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+ \draw (4.7,1) node {Internet};
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw (0.6,0.6) node {\footnotesize Slave};
+ \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unpriviledged\\[-1mm] processes\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}priviledged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+ \draw (-2.9,1.7) node {\footnotesize Monitor};
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+ \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+
+ \end{tikzpicture}
 \end{center}
-
-
+
+\begin{itemize}
+\item pre-authorisation slave
+\item post-authorisation\bigskip
+\item 25\% codebase is privileged, 75\% is unprivileged
+\end{itemize}
 \end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
+\frametitle{Network Applications}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2.c}}}
+ideally network application in Unix should be designed as follows:
+
+\begin{itemize}
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+
+\end{itemize}
+
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
-
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
+
+
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
+\end{itemize}
+
+\only<1>{
+\begin{textblock}{1}(3,3)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+ -- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+
+
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-\small
-A programmer might be careful, but still introduce vulnerabilities:\bigskip
+There are thing's you just cannot solve on the programming side:\bigskip
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2a.c}}}
+\begin{itemize}
+\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
+\begin{itemize}
+\item attacker:\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
+\item root:\\\texttt{rm /tmp/*/*}:
+\item attacker:\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
+\end{itemize}
+\end{itemize}
-
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
+
+Unix essentially can only distinguish between two security levels (root and non-root).
 \begin{itemize}
-\item the idea is you store some code as part to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+\item Information flow: Bell --- La Pudela model
 \begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+\item read: your own level and below
+\item write: your own level and above
+\end{itemize}
+\end{itemize}
-\begin{center}
-\texttt{xorl \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
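Review bot: In the Privilege Separation in OpenSSH tikzpicture, `\draw (0.6,1.7) node {\footnotesize Slave};` is emitted twice at identical coordinates (once before and once after the second rectangle), so one of the two lines is a no-op and should be removed. The setuid bullet would be more precise as `the resulting process will run with its effective UID set to the owner of the file`, since only the effective UID changes and the real UID stays the caller's; `\texttt{chmod 4755 fobar\_file}` also looks like a typo for `foobar\_file`. `Bell --- La Pudela` (here and again in the Security Levels (2) hunk) should be `Bell--LaPadula`, and `There are thing's` should be `There are things`. The `/tmp` cleanup example on the Other Problems frame shows the race but not the defence; a closing bullet naming the mitigation — cleanup tools that re-check the directory they are deleting from instead of trusting a precomputed path, or per-user private `\texttt{/tmp}` — would balance the attack with its countermeasure.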
@@ -417,50 +492,86 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
-\small
-\texttt{string} is nowhere used:\bigskip
+\begin{itemize}
+\item Bell --- La Pudela preserves data secrecy, but not data integrity\bigskip\pause
+
+\item Biba model is for data integrity
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C6.c}}}\bigskip
+\begin{itemize}
+\item read: your own level and above
+\item write: your own level and below
+\end{itemize}
+\end{itemize}
-this vulnerability can be used to read out the stack
-
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
+
+According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
+following view:
+
+\begin{center}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{10.5cm}
+\small Access control does not matter. Computers are becoming single-purpose
+or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't
+need much in the way of access control as there's nothing for operating system access controls
+to do; the job of separating users from each other is best left to application code. As for the PC
+on your desk, if all the software on it comes from a single source, then again there's no need
+for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)}
+\end{minipage}};
+\end{tikzpicture}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
 \begin{itemize}
-\item use safe library functions
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
+\item with access control we are back to 1970s\bigskip
+\only<1>{
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{10cm}
+\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
+\mbox{}\hfill--- Roger Needham
+\end{minipage}};
+\end{tikzpicture}}\pause
+
+\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
+is dead now\bigskip
+\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\
+(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
+
+\item electronic voting
 \end{itemize}
-
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
 \begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (eeded for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
+\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
+
+\item you as developer have to specify the resources an application needs
+\item the OS provides a sandbox where access is restricted to only these resources
 \end{itemize}
-
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -469,18 +580,42 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Theater\end{tabular}}
+
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do - with this information?\bigskip
+Security theater is the practice of investing in countermeasures intended to provide the
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}\end{tabular}}
+
+
+Security theater is the practice of investing in countermeasures intended to provide the
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+From: Ross Anderson
+Sender: cl-security-research-bounces@lists.cam.ac.uk
+To: cl-security-research@lists.cam.ac.uk
+Subject: Tip off
+Date: Tue, 02 Oct 2012 13:12:50 +0100
+
+I received the following tip off, and have removed the sender's
+coordinates. I suspect it is one of many security vendors who
+don't even get the basics right; if you ever go to the RSA
+conference, there are a thousand such firms in the hall, each
+with several eager but ignorant salesmen. A trying experience
+
+Ross
+
 \end{document}
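Review bot: The block from `+From: Ross Anderson` to `+Ross` is pasted outside any frame, between the last `\end{frame}}` and `\end{document}`, so it is either ignored or typeset as stray text rather than as a slide, and it carries a mailing-list address and a third party's message; it looks like scratch material and should be moved into a frame or removed before the slides are distributed. The second Security Theater frame repeats the first verbatim under an empty `\frametitle{\begin{tabular}{@ {}c@ {}}\end{tabular}}`; if it is meant as a title-less reveal of the same quote, an overlay on the first frame (for example `\only<1>{...}` around the title) would avoid maintaining two copies of the text.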