diff -r e8445573c812 -r e6e160c7ea33 slides/slides03.tex
--- a/slides/slides03.tex Mon Oct 06 02:44:23 2014 +0100
+++ b/slides/slides03.tex Mon Oct 06 20:52:53 2014 +0100
@@ -35,6 +35,295 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} + +\begin{center} + \begin{tikzpicture}[scale=1] + + \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); + \draw (4.7,1) node {Internet}; + \draw (-2.7,1.7) node {\footnotesize Application}; + \draw (0.6,1.7) node {\footnotesize Interface}; + \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; + \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; + + \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); + + \draw[white] (1.7,1) node (X) {}; + \draw[white] (3.7,1) node (Y) {}; + \draw[red, <->, line width = 2mm] (X) -- (Y); + + \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1); + \end{tikzpicture} +\end{center} + +\begin{itemize} +\item the idea is make the attack surface smaller and +mitigate the consequences of an attack +\item you need an OS that supports different roles (root vs.~users) +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Weaknesses of Unix AC} + +\begin{itemize} +\item if you have too many roles (for example too finegrained AC), then + hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations + like\ldots let's be root}\bigskip + +\item you can still abuse the system\ldots +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{A ``Cron''-Attack} + +The idea is to trick a privileged person to do something on your +behalf: + +\begin{itemize} +\item root:\\\texttt{rm 
/tmp/*/*}\bigskip\bigskip\pause + +\small +\begin{minipage}{1.1\textwidth} +\textcolor{gray}{the shell behind the scenes:}\\ +\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\ + +\textcolor{gray}{this takes time} +\end{minipage} +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{A ``Cron''-Attack} + +\begin{enumerate} +\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ +\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip +\item root \textcolor{gray}{(does the daily cleaning)}\\ +\texttt{rm /tmp/*/*}\medskip\\ +\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\ +\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\ + +\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to +the real passwd file)}\\ +\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ +\item root now deletes the real passwd file +\end{enumerate} + +\only<2>{ +\begin{textblock}{11}(2,5) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{9.5cm}\raggedright +To prevent this kind of attack, you need additional +policies (don't do such operations as root). 
+\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{\Large Buffer Overflow Attacks} + +\begin{center} +\begin{columns}[b] +\begin{column}{.4\textwidth} +\centering +\includegraphics[scale=1.2]{../pics/barrier.jpg}\\ +lectures so far +\end{column} +\begin{column}<2>{.4\textwidth} +\centering +\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\ +today +\end{column} +\end{columns} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Smash the Stack for Fun\ldots} + +\begin{itemize} +\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip + +\item one of the most popular attacks, unfortunately\\ +($>$ 50\% of security incidents reported at CERT are related +to buffer overflows) +\begin{flushright} +\small\url{http://www.kb.cert.org/vuls} +\end{flushright} +\medskip +\item made popular in an article from 1996 by Elias Levy +(also known as Aleph One):\\ +\begin{center} +{\bf ``Smashing The Stack For Fun and Profit''} +\end{center}\medskip + +\begin{flushright} +\small\url{http://phrack.org/issues/49/14.html} +\end{flushright} + +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{A Long Printed ``Twice''} +\mbox{}\\[-10mm] + +\footnotesize +\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{``A Login Function'' (1)} +\mbox{}\\[-10mm] + +\footnotesize 
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{``A Login Function'' (2)} +\mbox{}\\[-10mm] + +\footnotesize +\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{What the Hell Is Going On?} + +\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Memory} + +\begin{itemize} +\item each process will get a chunk of memory that is organised as +follows: +\end{itemize} + +\begin{center} + \begin{tikzpicture}[scale=0.8] + %\draw[step=1cm] (-3,-3) grid (3,3); + \draw[line width=1mm] (-2, -3) rectangle (2,3); + \draw[line width=1mm] (-2,1) -- (2,1); + \draw[line width=1mm] (-2,-1) -- (2,-1); + \draw (0,2) node {\large\tt text}; + \draw (0,0) node {\large\tt heap}; + \draw (0,-2) node {\large\tt stack}; + + \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}}; + \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}}; + \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3); + + \draw (2.7,-2) node[anchor=west] {\tt grows}; + \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older}; + \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer}; + \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1); + \end{tikzpicture} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] 
+\frametitle{The Stack} + +\begin{textblock}{7}(1,1) + \begin{tikzpicture}[scale=0.8] + %\draw[step=1cm] (-3,-1) grid (3,8); + \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1); + \draw[line width=1mm] (-1,-1.2) -- (-1,7.4); + \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4); + \draw (0,-1) node[anchor=south] {\tt main}; + \draw[line width=1mm] (-1,0) -- (1,0); + \draw (0,0) node[anchor=south] {\tt arg$_3$=3}; + \draw[line width=1mm] (-1,1) -- (1,1); + \draw (0,1) node[anchor=south] {\tt arg$_2$=2}; + \draw[line width=1mm] (-1,2) -- (1,2); + \draw (0,2) node[anchor=south] {\tt arg$_1$=1}; + \draw[line width=1mm] (-1,3) -- (1,3); + \draw (0,3.1) node[anchor=south] {\tt ret}; + \draw[line width=1mm] (-1,4) -- (1,4); + \draw (0,4) node[anchor=south] {\small\tt last sp}; + \draw[line width=1mm] (-1,5) -- (1,5); + \draw (0,5) node[anchor=south] {\tt buf$_1$}; + \draw[line width=1mm] (-1,6) -- (1,6); + \draw (0,6) node[anchor=south] {\tt buf$_2$}; + \draw[line width=1mm] (-1,7) -- (1,7); + \draw (2,6.1) node[anchor=south] {\code{$esp}}; + \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7); + + \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0); + \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5); + \draw (2.6,3.1) node[anchor=south west] {\tt back to main()}; + + \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1); +\end{tikzpicture} +\end{textblock} + +\begin{textblock}{7}(6.4,8) +\begin{bubble}[6.8cm] +\footnotesize +\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} +\end{bubble} +\end{textblock} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Behind the Scenes} + +machine code + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] 
Privilege Separation\end{tabular}} @@ -86,27 +375,6 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{A ``Cron''-Attack} - -The idea is to trick a privileged person to do something on your -behalf: - -\begin{itemize} -\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause - -\small -\begin{minipage}{1.1\textwidth} -\textcolor{gray}{the shell behind the scenes:}\\ -\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\ - -\textcolor{gray}{this takes time} -\end{minipage} -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] 
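Review bot: In the first hunk (`@@ -35,6 +35,295 @@`), the second "Cron"-Attack frame walks through the race, but its closing bubble only says `don't do such operations as root` and never names why the attack works. As the steps describe it, the path `/tmp/a/passwd` is resolved again at deletion time, after the glob was expanded, so this is a time-of-check-to-time-of-use race through a symbolic link. I would add one sentence to the bubble, e.g. `The path is resolved again when the file is deleted, so a cleanup job must not follow symbolic links that appeared after the check.` The same hunk adds a "Behind the Scenes" frame whose body is only the placeholder `machine code`. The new "Smash the Stack" frame also uses the obsolete `{\bf ...}` where `\textbf{...}` is the current form.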
@@ -137,60 +405,155 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{\Large Buffer Overflow Attacks} +\frametitle{The Problem} + +\begin{itemize} +\item The basic problem is that library routines in C look as follows: +\end{itemize} \begin{center} -\begin{columns}[b] -\begin{column}{.4\textwidth} -\centering -\includegraphics[scale=1.2]{../pics/barrier.jpg}\\ -lectures so far -\end{column} -\begin{column}<2>{.4\textwidth} -\centering -\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\ -today -\end{column} -\end{columns} +\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c} \end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Variants} + +There are many variants: + +\begin{itemize} +\item return-to-lib-C attacks +\item heap-smashing attacks\\ +\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip + +\item ``zero-days-attacks'' (new unknown vulnerability) +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] + +{\small\lstinputlisting[language=C]{../progs/C2.c}} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%\mode{ +%\begin{frame}[c] +% +%\small +%A programmer might be careful, but still introduce vulnerabilities:\bigskip +% +%{\lstset{language=Java}\footnotesize +%\texttt{\lstinputlisting{../progs/C2a.c}}} +% +% +%\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] 
+\frametitle{Payloads} + +\begin{itemize} +\item the idea is you store some code to the buffer +\item you then override the return address to execute this payload\medskip +\item normally you start a root-shell\pause +\item difficulty is to guess the right place where to ``jump'' +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Payloads (2)} + +\begin{itemize} +\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: + +\begin{center} +\texttt{xorl \%eax, \%eax} +\end{center} +\end{itemize}\bigskip\bigskip + +{\small +\lstinputlisting[language=C]{../progs/app5.c}} + \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} +\frametitle{Format String Vulnerability} -\begin{center} - \begin{tikzpicture}[scale=1] +\small +\texttt{string} is nowhere used:\bigskip + +{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip + +this vulnerability can be used to read out the stack - \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); - \draw (4.7,1) node {Internet}; - \draw (-2.7,1.7) node {\footnotesize Application}; - \draw (0.6,1.7) node {\footnotesize Interface}; - \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; - \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; - - \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \draw[white] (1.7,1) node (X) {}; - \draw[white] (3.7,1) node (Y) {}; - \draw[red, <->, line width = 2mm] (X) -- (Y); - - \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1); - 
\end{tikzpicture} -\end{center} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}} \begin{itemize} -\item the idea is make the attack surface smaller and -mitigate the consequences of an attack +\item use safe library functions +\item stack caneries +\item ensure stack data is not executable (can be defeated) +\item address space randomisation (makes one-size-fits-all more difficult) +\item choice of programming language (one of the selling points of Java) + \end{itemize} - + \end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Security Goals} + +\begin{itemize} +\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause +\item Recover from attacks (traceability and auditing of security-relevant actions)\pause +\item Monitoring (detect attacks)\pause +\item Privacy, confidentiality, anonymity (to protect secrets)\pause +\item Authenticity (needed for access control)\pause +\item Integrity (prevent unwanted modification or tampering)\pause +\item Availability and reliability (reduce the risk of DoS attacks) +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Homework} + +\begin{itemize} +\item Assume format string attacks allow you to read out the stack. What can you do + with this information?\bigskip + +\item Assume you can crash a program remotely. Why is this a problem? +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ 
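Review bot: In the third hunk (`@@ -137,60 +405,155 @@`), the "Protections against Buffer Overflow Attacks" frame carries a typo, `\item stack caneries`, which should read `\item stack canaries`. In the "Variants" frame the Slammer remark is attached to `heap-smashing attacks`; as far as I know Slammer exploited a stack-based overflow, so the parenthesis would sit better under its own item or as a general example of how fast such worms spread. The `(can be defeated)` on the non-executable-stack item could point back to the return-to-lib-C variant listed in that frame, so the reader sees why the protection is incomplete. The frame that includes `../progs/C2.c` has no `\frametitle`, unlike the other listing frames in this file.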
@@ -406,333 +769,6 @@ -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}} - -\begin{enumerate} -\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ -\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip -\item root \textcolor{gray}{(does the daily cleaning)}\\ -\texttt{rm /tmp/*/*}\medskip\\ -\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ -\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\ - -\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to -the real passwd file)}\\ -\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ -\item root now deletes the real passwd file -\end{enumerate} - -\only<2>{ -\begin{textblock}{11}(2,5) -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\normalsize\color{darkgray} -\begin{minipage}{9cm}\raggedright -To prevent this kind of attack, you need additional -policies (don't do such operations as root). 
-\end{minipage}}; -\end{tikzpicture} -\end{textblock}} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -\begin{center} -\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\ -one general defence mechanism is\\\alert{\bf defence in depth} -\end{center} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Smash the Stack for Fun\ldots} - -\begin{itemize} -\item ``smashing the stack attacks'' or\\ ``buffer overflow attacks''\medskip -\item one of the most popular attacks\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows) -\begin{flushright}\small -\textcolor{gray}{\url{http://www.kb.cert.org/vuls}} -\end{flushright} -\medskip -\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ -\begin{center} -{\bf ``Smashing The Stack For Fun and Profit''} -\end{center}\medskip - -\begin{flushright} -\small\textcolor{gray}{Issue 49, Article 14} -\end{flushright} - -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{A Float Printed ``Twice''} - -\footnotesize -\lstinputlisting[language=C]{../progs/C1.c} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Memory} - -\begin{itemize} -\item each process will get a chunk of memory that is organised as -follows: -\end{itemize} - -\begin{center} - \begin{tikzpicture}[scale=0.8] - %\draw[step=1cm] (-3,-3) grid (3,3); - \draw[line width=1mm] (-2, -3) rectangle (2,3); - \draw[line width=1mm] (-2,1) -- (2,1); - \draw[line width=1mm] (-2,-1) -- 
(2,-1); - \draw (0,2) node {\large\tt text}; - \draw (0,0) node {\large\tt heap}; - \draw (0,-2) node {\large\tt stack}; - - \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}}; - \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}}; - \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3); - - \draw (2.7,-2) node[anchor=west] {\tt grows}; - \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older}; - \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer}; - \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1); - \end{tikzpicture} -\end{center} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{The Stack} - -\begin{textblock}{7}(1,1) - \begin{tikzpicture}[scale=0.8] - %\draw[step=1cm] (-3,-1) grid (3,8); - \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1); - \draw[line width=1mm] (-1,-1.2) -- (-1,7.4); - \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4); - \draw (0,-1) node[anchor=south] {\tt main}; - \draw[line width=1mm] (-1,0) -- (1,0); - \draw (0,0) node[anchor=south] {\tt arg$_3$=3}; - \draw[line width=1mm] (-1,1) -- (1,1); - \draw (0,1) node[anchor=south] {\tt arg$_2$=2}; - \draw[line width=1mm] (-1,2) -- (1,2); - \draw (0,2) node[anchor=south] {\tt arg$_1$=1}; - \draw[line width=1mm] (-1,3) -- (1,3); - \draw (0,3.1) node[anchor=south] {\tt ret}; - \draw[line width=1mm] (-1,4) -- (1,4); - \draw (0,4) node[anchor=south] {\small\tt last sp}; - \draw[line width=1mm] (-1,5) -- (1,5); - \draw (0,5) node[anchor=south] {\tt buf$_1$}; - \draw[line width=1mm] (-1,6) -- (1,6); - \draw (0,6) node[anchor=south] {\tt buf$_2$}; - \draw[line width=1mm] (-1,7) -- (1,7); - \draw (2,6.1) node[anchor=south] {\code{$esp}}; - \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7); - - \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0); - 
\draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5); - \draw (2.6,3.1) node[anchor=south west] {\tt back to main()}; - - \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1); -\end{tikzpicture} -\end{textblock} - -\begin{textblock}{7}(6.4,8) -\begin{bubble}[6.8cm] -\footnotesize -\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} -\end{bubble} -\end{textblock} - - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{The Problem} - -\begin{itemize} -\item The basic problem is that library routines in C look as follows: -\end{itemize} - -\begin{center} -\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c} -\end{center} - - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Variants} - -There are many variants: - -\begin{itemize} -\item return-to-lib-C attacks -\item heap-smashing attacks\\ -\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip - -\item ``zero-days-attacks'' (new unknown vulnerability) -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] - -\begin{center} -\only<1>{\includegraphics[scale=0.9]{../pics/stack1}\;\;} -\only<2>{\includegraphics[scale=0.9]{../pics/stack2}\;\;} -\only<3>{\includegraphics[scale=0.9]{../pics/stack3}\;\;} -\end{center} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] - -{\small\lstinputlisting[language=C]{../progs/C2.c}} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%\mode{ -%\begin{frame}[c] -% -%\small -%A programmer might be careful, but still introduce vulnerabilities:\bigskip -% -%{\lstset{language=Java}\footnotesize -%\texttt{\lstinputlisting{../progs/C2a.c}}} -% -% -%\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Payloads} - -\begin{itemize} -\item the idea is you store some code to the buffer -\item you then override the return address to execute this payload\medskip -\item normally you start a root-shell\pause -\item difficulty is to guess the right place where to ``jump'' -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Payloads (2)} - -\begin{itemize} -\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: - -\begin{center} -\texttt{xorl \%eax, \%eax} -\end{center} -\end{itemize}\bigskip\bigskip - -{\small -\lstinputlisting[language=C]{../progs/app5.c}} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Format String Vulnerability} - -\small -\texttt{string} is nowhere used:\bigskip - -{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip - -this vulnerability can be used to read out the stack - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}} - -\begin{itemize} -\item use safe library functions -\item stack caneries -\item ensure stack data is not executable (can be defeated) 
-\item address space randomisation (makes one-size-fits-all more difficult) -\item choice of programming language (one of the selling points of Java) - -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Security Goals} - -\begin{itemize} -\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause -\item Recover from attacks (traceability and auditing of security-relevant actions)\pause -\item Monitoring (detect attacks)\pause -\item Privacy, confidentiality, anonymity (to protect secrets)\pause -\item Authenticity (needed for access control)\pause -\item Integrity (prevent unwanted modification or tampering)\pause -\item Availability and reliability (reduce the risk of DoS attacks) -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Homework} - -\begin{itemize} -\item Assume format string attacks allow you to read out the stack. What can you do - with this information?\bigskip - -\item Assume you can crash a program remotely. Why is this a problem? -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - \end{document} %%% Local Variables: