diff -r be35ff24cccc -r d1d07f05325a slides02.tex
--- a/slides02.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,454 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{pgf}
-\usepackage{calc}
-\usepackage{ulem}
-\usepackage{courier}
-\usepackage{listings}
-\renewcommand{\uline}[1]{#1}
-\usetikzlibrary{arrows}
-\usetikzlibrary{automata}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
-
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (2)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also home work is there)
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-
-
-\ldots{} I have a question about the homework.\\[3mm]
-Is it required to submit the homework before\\
-the next lecture?\\[5mm]
-
-Thank you!\\
-Anonymous
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-
-\begin{center}
-\begin{tabular}[t]{c}
-\includegraphics[scale=1.2]{pics/barrier.jpg}\\
-future lectures
-\end{tabular}\;\;\;
-\onslide<2>{
-\begin{tabular}[t]{c}
-\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
-today
-\end{tabular}
-}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}
-
-\begin{textblock}{1}(1,3)
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/SmartWater}
-\end{tabular}
-\end{textblock}
-
-
-\begin{textblock}{8.5}(7,3)
-\begin{itemize}
-\item seems helpful for preventing cable theft\medskip
-\item wouldn't be helpful to make your property safe, because of possible abuse\medskip
-
-\item security is always a tradeoff
-\end{itemize}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
-
-\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
-
-
-\begin{itemize}
-\item IEEE is a standards organisation (not-for-profit)
-\item many standards in CS are by IEEE\medskip
-\item 100k plain-text passwords were recorded in logs
-\item the logs were openly accessible on their FTP server
-\end{itemize}\bigskip
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://ieeelog.com}}
-\end{flushright}
-
-\only<2>{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{7.5cm}\raggedright\small
-\includegraphics[scale=0.6]{pics/IEEElog.jpg}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
-\end{flushright}
-
-\begin{itemize}
-\item for online accounts passwords must be 6 digits
-\item you must cycle through 1M combinations (online)\pause\bigskip
-
-\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
-\item wrote a script that cleared the cookie set after each guess\pause
-\item has been fixed now
-\end{itemize}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
-
-\begin{itemize}
-\item ``smashing the stack attacks'' or ``buffer overflow attacks''
-\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
-\medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
-\begin{center}
-{\bf ``Smashing The Stack For Fun and Profit''}
-\end{center}\medskip
-
-\begin{flushright}
-\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
-\end{flushright}
-
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
-
-\begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\begin{center}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-\end{center}
-\item the resulting problems are often remotely exploitable
-\item can be used to circumvents all access control
-(botnets for further attacks)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Variants\end{tabular}}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-
-\small
-\texttt{my\_float} is printed twice:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C1.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-
-\begin{center}
-\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-
-\small
-A programmer might be careful, but still introduce vulnerabilities:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2a.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
-
-\begin{itemize}
-\item the idea is you store some code as part to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
-
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
-
-\begin{center}
-\texttt{xorl \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
-
-\small
-\texttt{string} is nowhere used:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{programs/C4.c}}}\bigskip
-
-this vulnerability can be used to read out the stack
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
-
-\begin{itemize}
-\item use safe library functions
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
-
-\begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (needed for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
- with this information?\bigskip
-
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-