diff -r ae6074cc446a -r 81f9f0eb1180 slides/slides03.tex --- a/slides/slides03.tex Tue Oct 07 01:43:46 2014 +0100 +++ b/slides/slides03.tex Tue Oct 07 02:10:22 2014 +0100 @@ -432,8 +432,10 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{Overflow.c} +\mbox{}\\[-10mm] -\lstinputlisting[language=C,numbers=none]{../progs/overflow.c} +\small +\lstinputlisting[language=C,xleftmargin=-4mm,numbers=none]{../progs/overflow.c} \end{frame} @@ -518,285 +520,8 @@ \begin{itemize} \item the idea is make the attack surface smaller and mitigate the consequences of an attack -\item you need an OS that supports different roles (root vs.~users) \end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Weaknesses of Unix AC} - -Not just restricted to Unix: - -\begin{itemize} -\item if you have too many roles (i.e.~too finegrained AC), then - hierarchy is too complex\\ \textcolor{gray}{you invite situations - like\ldots let's be root}\bigskip - -\item you can still abuse the system\ldots -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{A ``Cron''-Attack} - -\begin{enumerate} -\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ -\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip -\item root \textcolor{gray}{(does the daily cleaning)}\\ -\texttt{rm /tmp/*/*}\medskip\\ -\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ -\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\ - -\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to -the real passwd file)}\\ -\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ -\item root now deletes the real passwd file -\end{enumerate} - -\only<2>{ -\begin{textblock}{11}(2,5) -\begin{bubble}[8cm] -\normalsize To prevent this kind of attack, you need additional -policies (don't do such operations as root). -\end{bubble} -\end{textblock}} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{The Problem} - -\begin{itemize} -\item The basic problem is that library routines in C look as follows: -\end{itemize} - -\begin{center} -\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c} -\end{center} - - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Security Goals} - -\begin{itemize} -\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause -\item Recover from attacks (traceability and auditing of security-relevant actions)\pause -\item Monitoring (detect attacks)\pause -\item Privacy, confidentiality, anonymity (to protect secrets)\pause -\item Authenticity (needed for access control)\pause -\item Integrity (prevent unwanted modification or tampering)\pause -\item Availability and reliability (reduce the risk of DoS attacks) -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Homework} - -\begin{itemize} -\item Assume format string attacks allow you to read out the stack. What can you do - with this information?\bigskip - -\item Assume you can crash a program remotely. Why is this a problem? -\end{itemize} - \end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Access Control in Unix} - -\begin{itemize} -\item access control provided by the OS -\item authenticate principals (login) -\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\ -\item roles get attached with privileges\bigskip\\% -\hspace{8mm} -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\begin{minipage}{8cm} -\alert{The principle of least privilege:}\\ -programs should only have as much privilege as they need -\end{minipage}}; -\end{tikzpicture} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] -\frametitle{Process Ownership} - -\begin{itemize} -\item access control in Unix is very coarse -\end{itemize}\bigskip\bigskip\bigskip - -\begin{center} -\begin{tabular}{c} -root\\ -\hline - -user$_1$ user$_2$ \ldots www, mail, lp -\end{tabular} -\end{center}\bigskip\bigskip\bigskip - - -\textcolor{gray}{\small root has UID $=$ 0}\\\pause -\textcolor{gray}{\small you also have groups that can share access to a file}\\ -\textcolor{gray}{\small but it is difficult to exclude access selectively}\\ -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Access Control in Unix (2)} - - -\begin{itemize} -\item privileges are specified by file access permissions (``everything is a file'') -\item there are 9 (plus 2) bits that specify the permissions of a file - -\begin{center} -\begin{tabular}{l} -\texttt{\$ ls - la}\\ -\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt} -\end{tabular} -\end{center} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Login Process} - - -\begin{itemize} -\item login processes run under UID $=$ 0\medskip -\begin{center} -\texttt{ps -axl | grep login} -\end{center}\medskip - -\item after login, shells run under UID $=$ user (e.g.~501)\medskip -\begin{center} -\texttt{id cu} -\end{center}\medskip\pause - -\item non-root users are not allowed to change the UID --- would break -access control -\item but needed for example for \texttt{passwd} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Setuid and Setgid} - -The solution is that unix file permissions are 9 + \underline{2 Bits}: -\alert{Setuid} and \alert{Setgid} Bits - -\begin{itemize} -\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. -\item This enables users to create processes as root (or another user).\bigskip - -\item Essential for changing passwords, for example. -\end{itemize} - -\begin{center} -\texttt{chmod 4755 fobar\_file} -\end{center} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}} - -\begin{center} -\begin{tikzpicture}[scale=1] - - \draw[line width=1mm] (0, 1.1) rectangle (1.2,2); - \draw (4.7,1) node {Internet}; - \draw (0.6,1.7) node {\footnotesize Slave}; - \draw[line width=1mm] (0, 0) rectangle (1.2,0.9); - \draw (0.6,1.7) node {\footnotesize Slave}; - \draw (0.6,0.6) node {\footnotesize Slave}; - \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}}; - \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; - - \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); - \draw (-2.9,1.7) node {\footnotesize Monitor}; - - \draw[white] (1.7,1) node (X) {}; - \draw[white] (3.7,1) node (Y) {}; - \draw[red, <->, line width = 2mm] (X) -- (Y); - - \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1); - \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9); - - \end{tikzpicture} -\end{center} - -\begin{itemize} -\item pre-authorisation slave -\item post-authorisation\bigskip -\item 25\% codebase is privileged, 75\% is unprivileged -\end{itemize} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Network Applications} - -ideally network application in Unix should be designed as follows: - -\begin{itemize} -\item need two distinct processes -\begin{itemize} -\item one that listens to the network; has no privilege -\item one that is privileged and listens to the latter only (but does not trust it) - -\end{itemize} - -\item to implement this you need a parent process, which forks a child process -\item this child process drops privileges and listens to hostile data\medskip - -\item after authentication the parent forks again and the new child becomes the user -\end{itemize} - - -\end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -827,8 +552,6 @@ \end{tikzpicture} \end{textblock}} - - \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%