diff -r 03d5c3df745e -r 770b58a7d754 slides/slides04.tex
--- a/slides/slides04.tex Mon Sep 28 00:16:15 2015 +0100
+++ b/slides/slides04.tex Mon Sep 28 21:02:01 2015 +0100
@@ -156,6 +156,152 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Unix-Style Access Control} + +How to do control access? In Unix you have + +\begin{itemize} +\item users and you have groups/roles: +\item some special roles: root +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Unix-Style Access Control} +\small + +\begin{itemize} +\item +Q: ``I am using Windows. Why should I care?'' \\ +A: In Windows you have similar AC: + +\begin{center} +\begin{tabular}{l} +administrators group\\ +\hspace{5mm}(has complete control over the machine)\\ +authenticated users\\ +server operators\\ +power users\\ +network configuration operators +\end{tabular} +\end{center}\medskip + +\item Modern versions of Windows have more fine-grained AC than Unix; + they do not have a setuid bit, but have \texttt{runas} (asks for a + password).\pause + +\item OS-provided access control can \alert{\bf add} to your security. 
+ (defence in depth)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+
+
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (4.7,1) node {Internet};
+ \draw (-2.7,1.7) node {\footnotesize Application};
+ \draw (0.6,1.7) node {\footnotesize Interface};
+ \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+ \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item the idea is make the attack surface smaller and mitigate the
+ consequences of an attack
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Weaknesses of Unix AC}
+
+Not just restricted to Unix:
+
+\begin{itemize}
+\item if you have too many roles (i.e.~too finegrained AC), then
+ hierarchy is too complex\\ \textcolor{gray}{you invite situations
+ like\ldots let's be root}\bigskip
+
+\item you can still abuse the system\ldots
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+The idea is to trick a privileged person to do something on your
+behalf:
+
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+
+\footnotesize +\begin{minipage}{1.1\textwidth} +\textcolor{gray}{the shell behind the scenes:}\\ +\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\ + +\textcolor{gray}{this takes time} +\end{minipage} +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{A ``Cron''-Attack} + +\begin{enumerate} +\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ +\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip +\item root \textcolor{gray}{(does the daily cleaning)}\\ +\texttt{rm /tmp/*/*}\medskip\\ +\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ +\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\ + +\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to +the real passwd file)}\\ +\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ +\item root now deletes the real passwd file +\end{enumerate} + +\only<2>{ +\begin{textblock}{11}(2,5) +\begin{bubble}[8cm] +\normalsize To prevent this kind of attack, you need additional +policies (don't do such operations as root). +\end{bubble} +\end{textblock}} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c]
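Review bot: The mitigation bubble on the last ``Cron''-Attack frame only says `don't do such operations as root` and never names the actual flaw, which is that the path is resolved twice: the shell expands `/tmp/*/*` to a list of names, and `rm` resolves each name again at unlink time, so the attacker only needs `/tmp/a` to have become a symlink in between. Suggest adding a line to the bubble such as `the race is between the shell's glob expansion and rm's own path lookup (a time-of-check/time-of-use problem); any privileged operation that re-resolves a name under an attacker-writable directory has it`. On Linux the `fs.protected_symlinks` sysctl refuses to follow a symlink in a world-writable sticky directory such as /tmp when the follower is neither the link's owner nor the directory's owner, which is designed to stop this exact pattern and would be worth a footnote as a technical rather than purely policy mitigation. Separately, `\alert{\bf add}` on the second Windows frame uses the obsolete two-letter `\bf` (`\alert{\textbf{add}}` is the LaTeX2e form), and `\begin{minipage}{1.1\textwidth}` on the first Cron frame is wider than the text block and will run off the slide.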