diff -r ced8b6208e36 -r dd94cbf9eba7 slides/slides04.tex --- a/slides/slides04.tex Tue Oct 14 06:21:07 2014 +0100 +++ b/slides/slides04.tex Tue Oct 14 12:21:10 2014 +0100 @@ -39,6 +39,28 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] +\frametitle{Survey: Thanks!} +\small + +\begin{itemize} +\item ``Would be good, if you provide more detailed explanations. I feel +your slides are not as structured as they could be.'' +\item Please consider reference book chapters to cover core subject +areas.''\pause +\item ``The homework questions don't come directly from the +slides. So must go look things up.'' +\item ``Could you please put the homework answers online, perhaps +just before the exam. That's late enough where we should have done +it and if not, we're screwed already then.'' +\item ``Could you provide a brief basic answers to sheets for reference +and not to be relied on.'' +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] \begin{center} \includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\ @@ -56,7 +78,7 @@ As a proof-of-concept, the following URL allows attackers to control the return value saved on the stack (the vulnerability is triggered when -executing "/usr/sbin/widget"): +executing \pcode{"/usr/sbin/widget"}): \begin{center}\footnotesize \pcode{curl http:///post_login.xml?hash=AAA...AAABBBB} @@ -71,10 +93,10 @@ \begin{tabular}{@{}ll} Discovery date: & 06/03/2013\\ Release date: & 02/08/2013 -\end{tabular} +\end{tabular}\bigskip - +\footnotesize \hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -93,7 +115,7 @@ You will laugh: it is -\begin{center} +\begin{center}\large \pcode{xmlset_roodkcableoj28840ybtide} \end{center} \end{quote}\bigskip\bigskip 
@@ -119,7 +141,7 @@ \begin{itemize} \item Put an executable file named \pcode{update} with non-root owner in /tmp (not mounted noexec, obviously) -\item Run chkrootkit (as uid 0) +\item Run chkrootkit (as uid \pcode{0}) \end{itemize} Result: The file \pcode{/tmp/update} will be executed as root, thus effectively @@ -142,13 +164,16 @@ \begin{itemize} \item access control provided by the OS -\item authenticate principals (login) -\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\ -\item roles get attached with privileges\bigskip\\% +\item authenticate principals +\item mediate access to files, ports, processes etc according to + \alert{roles} (user ids)\\ +\item roles get attached with privileges\bigskip\\ + \hspace{8mm} \begin{bubble}[8cm] \alert{principle of least privilege:}\\ -users and programs should only have as much privilege as they need +users and programs should only have as much privilege as they need to +accomplish a task \end{bubble} \end{itemize} @@ -194,7 +219,7 @@ \item non-root users are not allowed to change the UID --- would break access control -\item but needed for example for \texttt{passwd} +\item but needed for example for accessing \texttt{passwd} \end{itemize} \end{frame} @@ -205,11 +230,11 @@ \frametitle{Setuid and Setgid} The solution is that Unix file permissions are 9 + \underline{2 Bits}: -\alert{Setuid} and \alert{Setgid} Bits +\alert{Setuid} and \alert{Setgid} bits \begin{itemize} \item When a file with setuid is executed, the resulting process will - assume the UID given to the owner of the file. + assume the UID given to the \underline{owner} of the file. \item This enables users to create processes as root (or another user).\bigskip 
@@ -225,19 +250,17 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Access Control} +\frametitle{\Large Discretionary Access Control} \begin{itemize} -\item \bl{Discretionary Access Control:}\mbox{}\medskip\\ +\item Access to objects (files, directories, devices, etc.) is +permitted based on user identity. Each object is owned by a +user. Owners can specify freely (at their discretion) how they want to +share their objects with other users, by specifying which other users +can have which form of access to their objects.\medskip -\small Access to objects (files, directories, devices, etc.) is permitted -based on user identity. Each object is owned by a user. Owners can -specify freely (at their discretion) how they want to share their objects -with other users, by specifying which other users can have which -form of access to their objects.\medskip - -Discretionary access control is implemented on any multi-user OS -(Unix, Windows NT, etc.). +\item Discretionary access control is implemented on any modern multi-user +OS (Unix, Windows NT, etc.). \end{itemize} \end{frame} 
@@ -245,20 +268,19 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Access Control} +\frametitle{\Large Mandatory Access Control} \begin{itemize} -\item \bl{Mandatory Access Control:}\mbox{}\medskip\\ +\item Access to objects is controlled by a system-wide policy, for + example to prevent certain flows of information. In some forms, the + system maintains security labels for both objects and subjects + (processes, users) based on which access is granted or + denied. Labels can change as the result of an access. Security + policies are enforced without the cooperation of users or + programs.\medskip -\small Access to objects is controlled by a system-wide policy, for example -to prevent certain flows of information. In some forms, the system maintains -security labels for both objects and subjects (processes, users), based on -which access is granted or denied. Labels can change as the result of an -access. Security policies are enforced without the cooperation of users or -application programs.\medskip - -This is implemented today in special military operating system versions -(SELinux). +\item This is implemented in banking or military operating system + versions (SELinux). \end{itemize} \end{frame} @@ -268,15 +290,15 @@ \begin{frame}[c] \frametitle{\Large Discretionary Access Control} -In its most generic form usually given by an Access Control Matrix -of the form +In its most generic form usually given by an \alert{Access Control + Matrix} of the form \begin{center} \begin{tabular}{r|c|c|c} - & /mail/jane & edit.exe & sendmail \\\hline + & /mail/jane & edit.exe & postfix \\\hline jane & r, w & r, x & r, x\\\hline john & $\varnothing$ & r, w, x& r, x\\\hline -sendmail & a & $\varnothing$ & r, x\\ +postfix & a & $\varnothing$ & r, x\\ \end{tabular} \end{center} 
@@ -288,13 +310,13 @@ \begin{frame}[c] \small -\lstinputlisting[numbers=none,xleftmargin=-6mm]{lst} +\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst} \begin{center} -\begin{tabular}{ll} -Members of group staff: & ping, bob, emma\\ -Members of group students: & emma\\ +\begin{tabular}{@{\hspace{-24mm}}ll} +members of group staff: & ping, bob, emma\\ +members of group students: & emma\\ \end{tabular} \end{center} @@ -321,11 +343,11 @@ by system policies. \item Mandatory access control mechanisms are aimed in particular at - preventing policy violations by untrusted application software, - which typically have at least the same access privileges as the - invoking user.\medskip + preventing policy violations by untrusted programs, which typically + have at least the same access privileges as the invoking + user.\medskip\pause -Simple example: Air Gap Security. Uses completely separate network +Simple example: Air Gap Security. Uses a completely separate network and computer hardware for different application classes. \end{itemize} @@ -335,7 +357,8 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{The Bell/LaPadula Model} +\frametitle{The Bell-LaPadula Model} +\small \begin{itemize} \item Formal policy model for mandatory access control in a military 
@@ -617,6 +640,25 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{\Large Cryptographic Protocol Failures} + +Ross Anderson and Roger Needham wrote:\bigskip + +\begin{quote}\rm +A lot of the recorded frauds were the result of this kind of blunder, +or from management negligence pure and simple. \alert{However, there + have been a significant number of cases where the designers + protected the right things, used cryptographic algorithms which were + not broken, and yet found that their systems were still successfully + attacked.} +\end{quote} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] \frametitle{Authentication Protocols}
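Review bot: The second survey item in the `@@ -39,6 +39,28 @@` hunk is missing its opening quotation marks: `+\item Please consider reference book chapters to cover core subject` / `+areas.''\pause` closes with `''` but never opens with the pair of backticks the other four quoted comments use, so it will render with a dangling closing quote; add the opening pair before "Please" so the item reads as a quotation like its neighbours.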
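Review bot: In the `@@ -142,13 +164,16 @@` hunk, `+\item mediate access to files, ports, processes etc according to` drops the period from the abbreviation; write `etc.\ according` so the period is kept and LaTeX does not treat it as a sentence end (a bare `etc.` followed by a lowercase word gets inter-sentence spacing). Removing the trailing `%` after `\bigskip\\` is harmless, since the space following a forced line break is discarded.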
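Review bot: `+\item but needed for example for accessing \texttt{passwd}` in the `@@ -194,7 +219,7 @@` hunk is ambiguous: `\texttt{passwd}` can be read as the program or as the password file, and since the preceding item is about non-root users not being allowed to change the UID, the point that an ordinary user needs elevated privilege when running `passwd` gets lost; say which is meant, for example "but needed, for example, by the \texttt{passwd} program".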
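Review bot: In the `@@ -245,20 +268,19 @@` hunk, `+\item This is implemented in banking or military operating system` / `+ versions (SELinux).` presents SELinux as the example of a banking or military OS version; SELinux is a mandatory-access-control extension shipped in mainstream Linux distributions rather than a special-purpose OS version, so either drop "banking" or reword along the lines of "implemented for example by SELinux, and used in banking and military settings" so the parenthetical matches the claim.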
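Review bot: The `@{\hspace{-24mm}}ll` column specification in the `@@ -288,13 +310,13 @@` hunk, together with the existing `xleftmargin=-6mm` on the listing, pulls both the table and the listing into the margin with hard-coded negative offsets; inside `\begin{center}` a negative `@{}` spacer only shifts the centred block to the left, so consider a `flushleft` environment (or dropping the centring) instead of tuning magic numbers per slide. Adding `language={}` to the `\lstinputlisting` is fine.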
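Review bot: `+\frametitle{The Bell-LaPadula Model}` in the `@@ -335,7 +357,8 @@` hunk changes the slash to a hyphen but only touches the frame title, so check that any other occurrences of "Bell/LaPadula" in the file (slide text, labels, section names) are renamed consistently; and because the name joins two people, the typographic convention is an en-dash, `Bell--LaPadula`.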
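Review bot: The new "Cryptographic Protocol Failures" frame in the `@@ -617,6 +640,25 @@` hunk attributes the quotation to Ross Anderson and Roger Needham but gives no source; add the paper title and year (for instance as a `\footnotesize \hfill\url{...}` line, as the D-Link advisory slide does) so readers can find it. Separately, `+\begin{quote}\rm` uses the LaTeX 2.09 font command `\rm`; prefer `\rmfamily` (or `\normalfont`), the LaTeX2e form that composes correctly with other font changes.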