# HG changeset patch # User Christian Urban # Date 1349688852 -3600 # Node ID 10da75d5db5dfacf722ab6d8e26ace312ca253cc # Parent 5bf1f248407c1423dbd98626beb52b693c810093 pushed diff -r 5bf1f248407c -r 10da75d5db5d programs/C2.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/programs/C2.c Mon Oct 08 10:34:12 2012 +0100 @@ -0,0 +1,54 @@ +#include +#include +#include + +// for installation notes see C0.c +// this program can be called with +// +// ./args2-good | ./C2 +// +// or +// +// ./args2-bad | ./C2 + + +int match(char *s1, char *s2) { + while( *s1 != '\0' && *s2 != 0 && *s1 == *s2 ){ + s1++; s2++; + } + return( *s1 - *s2 ); +} + +// since gets() is insecure and produces lots of warnings, +// I use my own input function instead ;o) +char ch; +int i; + +void get_line(char *dst) { + char buffer[8]; + i = 0; + while ((ch = getchar()) != '\n') { + buffer[i++] = ch; + } + buffer[i] = '\0'; + strcpy(dst, buffer); +} + +void welcome() { printf("Welcome to the Machine!\n"); exit(0); } +void goodbye() { printf("Invalid identity, exiting!\n"); exit(1); } + +main(){ + char name[8]; + char pw[8]; + + printf("login: "); + get_line(name); + printf("password: "); + get_line(pw); + + if(match(name, pw) == 0) + welcome(); + else + goodbye(); +} + diff -r 5bf1f248407c -r 10da75d5db5d programs/C4.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/programs/C4.c Mon Oct 08 10:34:12 2012 +0100 @@ -0,0 +1,15 @@ +#include +#include + +// a program that just prints the argument +// on the command line +// +// try and run it with %s + + +main(int argc, char **argv) +{ + char *string = "This is a secret string\n"; + + printf(argv[1]); +} diff -r 5bf1f248407c -r 10da75d5db5d slides03.pdf Binary file slides03.pdf has changed diff -r 5bf1f248407c -r 10da75d5db5d slides03.tex --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/slides03.tex Mon Oct 08 10:34:12 2012 +0100 
@@ -0,0 +1,491 @@ +\documentclass[dvipsnames,14pt,t]{beamer} +\usepackage{beamerthemeplainculight} +\usepackage[T1]{fontenc} +\usepackage[latin1]{inputenc} +\usepackage{mathpartir} +\usepackage[absolute,overlay]{textpos} +\usepackage{ifthen} +\usepackage{tikz} +\usepackage{pgf} +\usepackage{calc} +\usepackage{ulem} +\usepackage{courier} +\usepackage{listings} +\renewcommand{\uline}[1]{#1} +\usetikzlibrary{arrows} +\usetikzlibrary{automata} +\usetikzlibrary{shapes} +\usetikzlibrary{shadows} +\usetikzlibrary{positioning} +\usetikzlibrary{calc} +\usepackage{graphicx} + +\definecolor{javared}{rgb}{0.6,0,0} % for strings +\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments +\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords +\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc + +\lstset{language=Java, + basicstyle=\ttfamily, + keywordstyle=\color{javapurple}\bfseries, + stringstyle=\color{javagreen}, + commentstyle=\color{javagreen}, + morecomment=[s][\color{javadocblue}]{/**}{*/}, + numbers=left, + numberstyle=\tiny\color{black}, + stepnumber=1, + numbersep=10pt, + tabsize=2, + showspaces=false, + showstringspaces=false} + +\lstdefinelanguage{scala}{ + morekeywords={abstract,case,catch,class,def,% + do,else,extends,false,final,finally,% + for,if,implicit,import,match,mixin,% + new,null,object,override,package,% + private,protected,requires,return,sealed,% + super,this,throw,trait,true,try,% + type,val,var,while,with,yield}, + otherkeywords={=>,<-,<\%,<:,>:,\#,@}, + sensitive=true, + morecomment=[l]{//}, + morecomment=[n]{/*}{*/}, + morestring=[b]", + morestring=[b]', + morestring=[b]""" +} + +\lstset{language=Scala, + basicstyle=\ttfamily, + keywordstyle=\color{javapurple}\bfseries, + stringstyle=\color{javagreen}, + commentstyle=\color{javagreen}, + morecomment=[s][\color{javadocblue}]{/**}{*/}, + numbers=left, + numberstyle=\tiny\color{black}, + stepnumber=1, + numbersep=10pt, + tabsize=2, + showspaces=false, + showstringspaces=false} + +% beamer stuff 
+\renewcommand{\slidecaption}{APP 02, King's College London, 9 October 2012} + + +\begin{document} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}<1>[t] +\frametitle{% + \begin{tabular}{@ {}c@ {}} + \\ + \LARGE Access Control and \\[-3mm] + \LARGE Privacy Policies (3)\\[-6mm] + \end{tabular}}\bigskip\bigskip\bigskip + + %\begin{center} + %\includegraphics[scale=1.3]{pics/barrier.jpg} + %\end{center} + +\normalsize + \begin{center} + \begin{tabular}{ll} + Email: & christian.urban at kcl.ac.uk\\ + Of$\!$fice: & S1.27 (1st floor Strand Building)\\ + Slides: & KEATS (also home work is there) + \end{tabular} + \end{center} + + +\end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\begin{center} +\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\ +one general defence mechanism is\\\alert{\bf defence in depth} +\end{center} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}<1-2>[c] +\frametitle{Defence in Depth} + +\begin{itemize} +\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails. 
+\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{PALs} + +\begin{itemize} +\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory) +\end{itemize} + +\begin{center} +\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm} +\includegraphics[scale=0.25]{pics/nuclear2.jpg} +\end{center} + + +\onslide<3->{ +modern PALs also include a 2-person rule +} + + \only<2->{ +\begin{textblock}{11}(3,2) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\begin{minipage}{8cm} +US Air Force's Strategic Air Command worried that in times of need the +codes would not be available, so until 1977 quietly decided to set them +to 00000000\ldots +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\begin{itemize} +\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause + +\item these weapons were armed with a bicycle key + +\begin{center} +\begin{tabular}[b]{c} +\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\ +\small nuclear weapon +\end{tabular} +\hspace{3mm} +\begin{tabular}[b]{c} +\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\ +\small bicycle lock +\end{tabular} +\end{center}\bigskip\pause + +\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}} + +\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:} + + +\begin{itemize} +\item IEEE is a standards organisation (not-for-profit) +\item many standards in CS are by IEEE\medskip +\item 100k plain-text passwords were recorded in logs +\item the logs were openly accessible on their FTP server +\end{itemize}\bigskip + +\begin{flushright}\small +\textcolor{gray}{\url{http://ieeelog.com}} +\end{flushright} + +\only<2>{ +\begin{textblock}{11}(3,2) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{7.5cm}\raggedright\small +\includegraphics[scale=0.6]{pics/IEEElog.jpg} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}} + +\begin{flushright}\small +\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}} +\end{flushright} + +\begin{itemize} +\item for online accounts passwords must be 6 digits +\item you must cycle through 1M combinations (online)\pause\bigskip + +\item he limited the attack on his own account to 1 guess per second, \alert{\bf and} +\item wrote a script that cleared the cookie set after each guess\pause +\item has been fixed now +\end{itemize} + + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}} + +\begin{itemize} +\item ``smashing the 
stack attacks'' or ``buffer overflow attacks'' +\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows) +\begin{flushright}\small +\textcolor{gray}{\url{http://www.kb.cert.org/vuls}} +\end{flushright} +\medskip +\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ +\begin{center} +{\bf ``Smashing The Stack For Fun and Profit''} +\end{center}\medskip + +\begin{flushright} +\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14} +\end{flushright} + +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}The Problem\end{tabular}} + +\begin{itemize} +\item The basic problem is that library routines in C look as follows: +\begin{center} +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{app5.c}}} +\end{center} +\item the resulting problems are often remotely exploitable +\item can be used to circumvents all access control +(botnets for further attacks) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Variants\end{tabular}} + +There are many variants: + +\begin{itemize} +\item return-to-lib-C attacks +\item heap-smashing attacks\\ +\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip + +\item ``zero-days-attacks'' (new unknown vulnerability) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\small +\texttt{my\_float} is printed twice:\bigskip + 
+{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{C1.c}}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\begin{center} +\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;} +\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;} +\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;} +\end{center} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{C2.c}}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\small +A programmer might be careful, but still introduce vulnerabilities:\bigskip + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{C2a.c}}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Payloads\end{tabular}} + +\begin{itemize} +\item the idea is you store some code as part to the buffer +\item you then override the return address to execute this payload\medskip +\item normally you start a root-shell\pause +\item difficulty is to guess the right place where to ``jump'' +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}} + +\begin{itemize} +\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: + +\begin{center} +\texttt{xorl 
\%eax, \%eax} +\end{center} +\end{itemize}\bigskip\bigskip + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{app5.c}}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}} + +\small +\texttt{string} is nowhere used:\bigskip + +{\lstset{language=Java}\fontsize{8}{10}\selectfont% +\texttt{\lstinputlisting{C6.c}}}\bigskip + +this vulnerability can be used to read out the stack + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}} + +\begin{itemize} +\item use safe library functions +\item ensure stack data is not executable (can be defeated) +\item address space randomisation (makes one-size-fits-all more difficult) +\item choice of programming language (one of the selling points of Java) + +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Security Goals\end{tabular}} + +\begin{itemize} +\item Prevent common vulnerabilities from occurring (e.g. 
buffer overflows)\pause +\item Recover from attacks (traceability and auditing of security-relevant actions)\pause +\item Monitoring (detect attacks)\pause +\item Privacy, confidentiality, anonymity (to protect secrets)\pause +\item Authenticity (eeded for access control)\pause +\item Integrity (prevent unwanted modification or tampering)\pause +\item Availability and reliability (reduce the risk of DoS attacks) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Homework\end{tabular}} + +\begin{itemize} +\item Assume format string attacks allow you to read out the stack. What can you do + with this information?\bigskip + +\item Assume you can crash a program remotely. Why is this a problem? +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +\end{document} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: +
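Review bot: in `get_line` in programs/C2.c the read loop never terminates on end of input: `ch` is declared as `char` while `getchar()` returns `int`, so `(ch = getchar()) != '\n'` can never observe `EOF`, and when stdin closes without a trailing newline (a second `get_line` call after a one-line pipe such as `./args2-bad | ./C2`) the loop keeps storing into the 8-byte `buffer` indefinitely instead of overflowing by the controlled amount the demonstration wants. The unbounded write into `buffer` and the `strcpy` into the 8-byte `name`/`pw` are the lesson and should stay, but declare `int ch;` and loop with `while ((ch = getchar()) != '\n' && ch != EOF)` so the program terminates, and say in the comment that the missing bound on `i` is deliberate. Two smaller points: `main(){` has no return type (implicit `int` is invalid from C99 on; write `int main(void)`), and the three `#include` directives as they appear in this diff carry no header name, while the file uses `printf`/`getchar`, `exit` and `strcpy` and so needs `<stdio.h>`, `<stdlib.h>` and `<string.h>`; check that those survived the commit.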
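Review bot: `main` in programs/C4.c reads `argv[1]` without checking `argc`, so running `./C4` with no argument hands a null pointer to `printf` and crashes before the format-string behaviour is shown; add `if (argc < 2) { fputs("usage: ./C4 <string>\n", stderr); return 1; }` first. The `printf(argv[1])` call is the intended vulnerability (hence the `%s` hint in the comment), so it should stay, but a comment giving the safe form, `printf("%s", argv[1])` or `fputs(argv[1], stdout)`, would make the teaching point explicit. `string` is assigned but never read, which draws an unused-variable warning and lets an optimising compiler drop it from the stack frame altogether, which defeats the "secret on the stack" demonstration: say in the comment that it is intentionally unused and build the example with `-O0`. Minor: `main(int argc, char **argv)` needs an explicit `int` return type, and the format-string frame in slides03.tex loads `C6.c`, not `C4.c`, so confirm which file the slide is meant to show.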
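Review bot: slides03.tex carries several content slips that should be fixed before the deck goes out: `\slidecaption` reads `APP 02` while the title frame says `(3)` and the file is `slides03.tex`; on the Security Goals frame `(eeded for access control)` should be `(needed for access control)`; on The Problem frame `circumvents all access control` should be `circumvent`; on the Payloads frame `as part to the buffer` should be `as part of the buffer`; on the Variants frame `zero-days-attacks` should be `zero-day attacks`; and on the title frame `home work` should be `homework`. Two structural points: the frame after the Trident slide has an empty `\frametitle{}` and no body, so it renders as a blank slide and should be removed or filled in; and every `\mode{` in this file appears without a mode specification in the diff as rendered here, so check that `\mode<presentation>{` survived, since without it none of the frames compile. Style: the C listings (`app5.c`, `C1.c`, `C2.c`, `C2a.c`, `C6.c`) are set with `\lstset{language=Java}`; `listings` ships a `C` definition, and `language=C` would highlight keywords such as `char` and `void` correctly. On the Virgin Mobile frame `he limited the attack` has no antecedent; say who `he` is.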