diff -r be35ff24cccc -r d1d07f05325a slides/slides02.tex --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/slides/slides02.tex Sun Sep 22 15:22:11 2013 +0100 @@ -0,0 +1,454 @@ +\documentclass[dvipsnames,14pt,t]{beamer} +\usepackage{beamerthemeplainculight} +\usepackage[T1]{fontenc} +\usepackage[latin1]{inputenc} +\usepackage{mathpartir} +\usepackage[absolute,overlay]{textpos} +\usepackage{ifthen} +\usepackage{tikz} +\usepackage{pgf} +\usepackage{calc} +\usepackage{ulem} +\usepackage{courier} +\usepackage{listings} +\renewcommand{\uline}[1]{#1} +\usetikzlibrary{arrows} +\usetikzlibrary{automata} +\usetikzlibrary{shapes} +\usetikzlibrary{shadows} +\usetikzlibrary{positioning} +\usetikzlibrary{calc} +\usepackage{graphicx} + +\definecolor{javared}{rgb}{0.6,0,0} % for strings +\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments +\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords +\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc + +\lstset{language=Java, + basicstyle=\ttfamily, + keywordstyle=\color{javapurple}\bfseries, + stringstyle=\color{javagreen}, + commentstyle=\color{javagreen}, + morecomment=[s][\color{javadocblue}]{/**}{*/}, + numbers=left, + numberstyle=\tiny\color{black}, + stepnumber=1, + numbersep=10pt, + tabsize=2, + showspaces=false, + showstringspaces=false} + +\lstdefinelanguage{scala}{ + morekeywords={abstract,case,catch,class,def,% + do,else,extends,false,final,finally,% + for,if,implicit,import,match,mixin,% + new,null,object,override,package,% + private,protected,requires,return,sealed,% + super,this,throw,trait,true,try,% + type,val,var,while,with,yield}, + otherkeywords={=>,<-,<\%,<:,>:,\#,@}, + sensitive=true, + morecomment=[l]{//}, + morecomment=[n]{/*}{*/}, + morestring=[b]", + morestring=[b]', + morestring=[b]""" +} + +\lstset{language=Scala, + basicstyle=\ttfamily, + keywordstyle=\color{javapurple}\bfseries, + stringstyle=\color{javagreen}, + commentstyle=\color{javagreen}, + morecomment=[s][\color{javadocblue}]{/**}{*/}, + numbers=left, + numberstyle=\tiny\color{black}, + stepnumber=1, + numbersep=10pt, + tabsize=2, + showspaces=false, + showstringspaces=false} + +% beamer stuff +\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012} + + +\begin{document} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}<1>[t] +\frametitle{% + \begin{tabular}{@ {}c@ {}} + \\ + \LARGE Access Control and \\[-3mm] + \LARGE Privacy Policies (2)\\[-6mm] + \end{tabular}}\bigskip\bigskip\bigskip + + %\begin{center} + %\includegraphics[scale=1.3]{pics/barrier.jpg} + %\end{center} + +\normalsize + \begin{center} + \begin{tabular}{ll} + Email: & christian.urban at kcl.ac.uk\\ + Of$\!$fice: & S1.27 (1st floor Strand Building)\\ + Slides: & KEATS (also home work is there) + \end{tabular} + \end{center} + + +\end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Homework\end{tabular}} + + +\ldots{} I have a question about the homework.\\[3mm] +Is it required to submit the homework before\\ +the next lecture?\\[5mm] + +Thank you!\\ +Anonymous + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\begin{center} +\begin{tabular}[t]{c} +\includegraphics[scale=1.2]{pics/barrier.jpg}\\ +future lectures +\end{tabular}\;\;\; +\onslide<2>{ +\begin{tabular}[t]{c} +\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\ +today +\end{tabular} +} +\end{center} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}} + +\begin{textblock}{1}(1,3) +\begin{tabular}{c} +\includegraphics[scale=0.15]{pics/SmartWater} +\end{tabular} +\end{textblock} + + +\begin{textblock}{8.5}(7,3) +\begin{itemize} +\item seems helpful for preventing cable theft\medskip +\item wouldn't be helpful to make your property safe, because of possible abuse\medskip + +\item security is always a tradeoff +\end{itemize} +\end{textblock} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}} + +\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:} + + +\begin{itemize} +\item IEEE is a standards organisation (not-for-profit) +\item many standards in CS are by IEEE\medskip +\item 100k plain-text passwords were recorded in logs +\item the logs were openly accessible on their FTP server +\end{itemize}\bigskip + +\begin{flushright}\small +\textcolor{gray}{\url{http://ieeelog.com}} +\end{flushright} + +\only<2>{ +\begin{textblock}{11}(3,2) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{7.5cm}\raggedright\small +\includegraphics[scale=0.6]{pics/IEEElog.jpg} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}} + +\begin{flushright}\small +\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}} +\end{flushright} + +\begin{itemize} +\item for online accounts passwords must be 6 digits +\item you must cycle through 1M combinations (online)\pause\bigskip + +\item he limited the attack on his own account to 1 guess per second, \alert{\bf and} +\item wrote a script that cleared the cookie set after each guess\pause +\item has been fixed now +\end{itemize} + + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}} + +\begin{itemize} +\item ``smashing the stack attacks'' or ``buffer overflow attacks'' +\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows) +\begin{flushright}\small +\textcolor{gray}{\url{http://www.kb.cert.org/vuls}} +\end{flushright} +\medskip +\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ +\begin{center} +{\bf ``Smashing The Stack For Fun and Profit''} +\end{center}\medskip + +\begin{flushright} +\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14} +\end{flushright} + +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}The Problem\end{tabular}} + +\begin{itemize} +\item The basic problem is that library routines in C look as follows: +\begin{center} +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{app5.c}}} +\end{center} +\item the resulting problems are often remotely exploitable +\item can be used to circumvents all access control +(botnets for further attacks) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Variants\end{tabular}} + +There are many variants: + +\begin{itemize} +\item return-to-lib-C attacks +\item heap-smashing attacks\\ +\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip + +\item ``zero-days-attacks'' (new unknown vulnerability) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\small +\texttt{my\_float} is printed twice:\bigskip + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{C1.c}}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\begin{center} +\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;} +\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;} +\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;} +\end{center} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{C2.c}}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\small +A programmer might be careful, but still introduce vulnerabilities:\bigskip + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{C2a.c}}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Payloads\end{tabular}} + +\begin{itemize} +\item the idea is you store some code as part to the buffer +\item you then override the return address to execute this payload\medskip +\item normally you start a root-shell\pause +\item difficulty is to guess the right place where to ``jump'' +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}} + +\begin{itemize} +\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: + +\begin{center} +\texttt{xorl \%eax, \%eax} +\end{center} +\end{itemize}\bigskip\bigskip + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{app5.c}}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}} + +\small +\texttt{string} is nowhere used:\bigskip + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{programs/C4.c}}}\bigskip + +this vulnerability can be used to read out the stack + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}} + +\begin{itemize} +\item use safe library functions +\item ensure stack data is not executable (can be defeated) +\item address space randomisation (makes one-size-fits-all more difficult) +\item choice of programming language (one of the selling points of Java) + +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Security Goals\end{tabular}} + +\begin{itemize} +\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause +\item Recover from attacks (traceability and auditing of security-relevant actions)\pause +\item Monitoring (detect attacks)\pause +\item Privacy, confidentiality, anonymity (to protect secrets)\pause +\item Authenticity (needed for access control)\pause +\item Integrity (prevent unwanted modification or tampering)\pause +\item Availability and reliability (reduce the risk of DoS attacks) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Homework\end{tabular}} + +\begin{itemize} +\item Assume format string attacks allow you to read out the stack. What can you do + with this information?\bigskip + +\item Assume you can crash a program remotely. Why is this a problem? +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +\end{document} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: +