diff -r ab31912a3b65 -r a7a7d6b0150b slides/slides04.tex --- a/slides/slides04.tex Mon Oct 17 13:40:45 2016 +0100 +++ b/slides/slides04.tex Wed Oct 19 00:32:38 2016 +0100 @@ -45,8 +45,10 @@ \end{center} \begin{itemize} -\item no ``cheating'' needed for format string attacks -\item the main point: no cheating to start with +%\item no ``cheating'' needed for format string attacks +\item required some cheating on modern OS +\item the main point: no cheating in practice\pause +\item one class of attacks not mentioned last week \end{itemize} \end{frame} @@ -54,19 +56,35 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] +\frametitle{Format String Vulnerability} + +\small +\texttt{string} is nowhere used:\bigskip + +{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip + +this vulnerability can be used to read out the stack and even +modify it + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] \frametitle{Case-In-Point: Android} \begin{itemize} \item a list of common Android vulnerabilities -(5 BOAs out of 35 vulnerabilities; all from 2013 and later) +(5 BOAs out of 35 vulnerabilities; all from 2013 and later): \begin{center} \url{http://androidvulnerabilities.org/} \end{center}\bigskip -\item a paper that attempts measures security of Android phones +\item a paper that attempts to measure the security of Android phones: -\begin{quote}\small\rm ``We find that on average 87.7\% of Android +\begin{quote}\small\it ``We find that on average 87.7\% of Android devices are exposed to at least one of 11 known critical vulnerabilities\ldots'' \end{quote} 
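Review bot: The old bullet `\item no ``cheating'' needed for format string attacks` is commented out rather than deleted, and the two later hunks do the same with whole frames (the `A student asked:` frame at -82 and the trainwreck picture frame at -115); commented-out slides accumulate and still have to be read by whoever edits the file next. The repository already keeps the old text, so those lines can be removed outright. The replacement bullets `required some cheating on modern OS` and `no cheating in practice` also never say what the cheating is; if it refers to protections that had to be switched off for last week's demonstrations, naming that on the slide would make the point self-contained.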
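Review bot: The new Format String Vulnerability frame states the consequence (reading and modifying the stack) but not the cause or the fix: it only says that `\texttt{string}` is unused, and nothing on the slide tells the audience that the defect is handing attacker-controlled text to the printf family as the format argument itself. A closing bullet such as `\item fix: pass untrusted data only as an argument, never as the format --- \texttt{printf("\%s", string)}; \texttt{-Wformat-security} makes the compiler warn about it` would make the slide self-contained; I cannot see `../progs/C4.c`, so adjust the call to what the listing actually uses. Separately, `\begin{quote}\small\it` swaps `\rm` for the plain-TeX `\it`, which is obsolete in LaTeX; `\itshape` (or `\emph{...}` around the quoted sentence) is the current form, and the same applies to `{\it``Breaching security on Oyster cards ...''}` in the hunk at -831.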
@@ -82,29 +100,27 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] - -A student asked: +%\begin{frame}[c] +% +%A student asked: +% +%\begin{bubble}[10cm]\small How do we implement BOAs? On a +%webpage login, for example Facebook, we can't do this. +%I am sure the script will stop us even before we reach the +%server. The +%script will not let us enter hexadecimal numbers where email +%or username is required and plus it will have a max length, +%like 32 characters only. In this case, what can we do, since +%the method you showed us wouldn't work? +%\end{bubble}\bigskip\bigskip\pause -\begin{bubble}[10cm]\small How do we implement BOAs? On a -webpage login, for example Facebook, we can't do this. -I am sure the script will stop us even before we reach the -server. The -script will not let us enter hexadecimal numbers where email -or username is required and plus it will have a max length, -like 32 characters only. In this case, what can we do, since -the method you showed us wouldn't work? -\end{bubble}\bigskip\bigskip\pause - -\begin{itemize} -\item Facebook no -\item printers, routers, cars, IoT etc likely\pause -\item I do not want to teach you hacking, rather defending -\end{itemize} - - - -\end{frame} +%\begin{itemize} +%\item Facebook no +%\item printers, routers, cars, IoT etc likely\pause +%\item I do not want to teach you hacking, rather defending +%\end{itemize} +% +%\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
@@ -115,22 +131,22 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] - -\begin{center} -\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\ -last week: buffer overflow attacks -\end{center} - -\end{frame} +%\begin{frame}[c] +% +%\begin{center} +%\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\ +%last week: buffer overflow attacks +%\end{center} +% +%\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{\begin{tabular}{c}Two General Counter\\[-1mm] - Measures against BOAs etc\end{tabular}} +\frametitle{\begin{tabular}{c}\LARGE Two General Counter\\[-1mm] + \LARGE Measures against BOAs etc\end{tabular}} -Both try to reduce the attack surface:\bigskip +Both try to reduce the attack surface (trusted computing base):\bigskip \begin{itemize} \item \alert{\bf unikernels} -- the idea is to not have @@ -346,8 +362,8 @@ \begin{tikzpicture} \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] {\begin{minipage}{8cm} -Only failure makes us experts. - -- Theo de Raadt (OpenBSD, OpenSSH) +Only failure makes us experts.\\ +\hfill\small-- Theo de Raadt (OpenBSD, OpenSSH) \end{minipage}}; \end{tikzpicture} \end{textblock}} @@ -831,9 +847,9 @@ \begin{itemize} \item good example of a bad protocol\\ (security by obscurity)\bigskip - \item<3-> ``Breaching security on Oyster cards should not + \item<3-> {\it``Breaching security on Oyster cards should not allow unauthorised use for more than a day, as TfL promises to turn - off any cloned cards within 24 hours\ldots'' + off any cloned cards within 24 hours\ldots''} \end{itemize} \only<2>{
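Review bot: `Both try to reduce the attack surface (trusted computing base):\bigskip` presents the two terms as synonyms, but they are distinct: the attack surface is the set of entry points an attacker can reach, while the trusted computing base is the code whose correctness the system's security depends on; a countermeasure may shrink both, but that is a consequence, not an identity. Wording such as `Both try to reduce the attack surface and the trusted computing base:\bigskip` or `Both try to reduce the attack surface by shrinking the trusted computing base:\bigskip` keeps the link without equating them. The `\LARGE` switches inside the `tabular` frametitle are a visual workaround repeated per cell; setting the size once with `\setbeamerfont{frametitle}{size=\LARGE}` in the preamble (or keeping the default size) would avoid that. The itemize opened at the end of this hunk continues past the hunk boundary.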