diff -r 03d5c3df745e -r 770b58a7d754 slides/slides02.tex
--- a/slides/slides02.tex Mon Sep 28 00:16:15 2015 +0100
+++ b/slides/slides02.tex Mon Sep 28 21:02:01 2015 +0100
@@ -857,152 +857,6 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Unix-Style Access Control}
-
-How to do control access? In Unix you have
-
-\begin{itemize}
-\item users and you have groups/roles:
-\item some special roles: root
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Unix-Style Access Control}
-\small
-
-\begin{itemize}
-\item
-Q: ``I am using Windows. Why should I care?'' \\
-A: In Windows you have similar AC:
-
-\begin{center}
-\begin{tabular}{l}
-administrators group\\
-\hspace{5mm}(has complete control over the machine)\\
-authenticated users\\
-server operators\\
-power users\\
-network configuration operators
-\end{tabular}
-\end{center}\medskip
-
-\item Modern versions of Windows have more fine-grained AC than Unix;
- they do not have a setuid bit, but have \texttt{runas} (asks for a
- password).\pause
-
-\item OS-provided access control can \alert{\bf add} to your security.
- (defence in depth)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (4.7,1) node {Internet};
- \draw (-2.7,1.7) node {\footnotesize Application};
- \draw (0.6,1.7) node {\footnotesize Interface};
- \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
- \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item the idea is make the attack surface smaller and mitigate the
- consequences of an attack
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Weaknesses of Unix AC}
-
-Not just restricted to Unix:
-
-\begin{itemize}
-\item if you have too many roles (i.e.~too finegrained AC), then
- hierarchy is too complex\\ \textcolor{gray}{you invite situations
- like\ldots let's be root}\bigskip
-
-\item you can still abuse the system\ldots
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-The idea is to trick a privileged person to do something on your
-behalf:
-
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-
-\footnotesize
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
-
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes the real passwd file
-\end{enumerate}
-
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{bubble}[8cm]
-\normalsize To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{bubble}
-\end{textblock}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]