# HG changeset patch
# User Christian Urban
# Date 1412379411 -3600
# Node ID 22f027da67ecafbcaea0be802ab89a24fc82e289
# Parent 78309f29a58f85ed69b740751cf3d6857b5a1ae1
updated
diff -r 78309f29a58f -r 22f027da67ec handouts/ho03.pdf
Binary file handouts/ho03.pdf has changed
diff -r 78309f29a58f -r 22f027da67ec handouts/ho03.tex
--- a/handouts/ho03.tex Fri Oct 03 16:10:50 2014 +0100
+++ b/handouts/ho03.tex Sat Oct 04 00:36:51 2014 +0100
@@ -23,6 +23,15 @@
 free-riding script-kiddies who use this technology without knowing what are the underlying ideas.
+\bigskip\bigskip \noindent If you want to know more about
+buffer overflow attacks, the original Phrack article
+``Smashing The Stack For Fun And Profit'' by Elias Levy (also
+known as Aleph One) is an engaging read:
+
+\begin{center}
+\url{http://phrack.org/issues/49/14.html}
+\end{center}
+
 \end{document}
 
 %%% Local Variables:
diff -r 78309f29a58f -r 22f027da67ec slides/slides03.pdf
Binary file slides/slides03.pdf has changed
diff -r 78309f29a58f -r 22f027da67ec slides/slides03.tex
--- a/slides/slides03.tex Fri Oct 03 16:10:50 2014 +0100
+++ b/slides/slides03.tex Sat Oct 04 00:36:51 2014 +0100
@@ -1,92 +1,21 @@ \documentclass[dvipsnames,14pt,t]{beamer} -\usepackage{beamerthemeplaincu} -%%\usepackage[T1]{fontenc} -\usepackage[latin1]{inputenc} -\usepackage{mathpartir} -\usepackage[absolute,overlay]{textpos} -\usepackage{ifthen} -\usepackage{tikz} -\usepackage{pgf} -\usepackage{calc} -\usepackage{ulem} -\usepackage{courier} -\usepackage{listings} -\renewcommand{\uline}[1]{#1} -\usetikzlibrary{arrows} -\usetikzlibrary{automata} -\usetikzlibrary{shapes} -\usetikzlibrary{shadows} -\usetikzlibrary{positioning} -\usetikzlibrary{calc} -\usepackage{graphicx} -\setmonofont[Scale=MatchLowercase]{Consolas} +\usepackage{../slides} +\usepackage{../graphics} +\usepackage{../langs} + +\setmonofont[Scale=.88]{Consolas} \newfontfamily{\consolas}{Consolas} -\definecolor{javared}{rgb}{0.6,0,0} % for strings -\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments -\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords -\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc - -\makeatletter -\lst@CCPutMacro\lst@ProcessOther {"2D}{\lst@ttfamily{-{}}{-{}}} -\@empty\z@\@empty -\makeatother - -\lstset{language=Java, - basicstyle=\consolas, - keywordstyle=\color{javapurple}\bfseries, - stringstyle=\color{javagreen}, - commentstyle=\color{javagreen}, - morecomment=[s][\color{javadocblue}]{/**}{*/}, - numbers=left, - numberstyle=\tiny\color{black}, - stepnumber=1, - numbersep=10pt, - tabsize=2, - showspaces=false, - showstringspaces=false} - -\lstdefinelanguage{scala}{ - morekeywords={abstract,case,catch,class,def,% - do,else,extends,false,final,finally,% - for,if,implicit,import,match,mixin,% - new,null,object,override,package,% - private,protected,requires,return,sealed,% - super,this,throw,trait,true,try,% - type,val,var,while,with,yield}, - otherkeywords={=>,<-,<\%,<:,>:,\#,@,->}, - sensitive=true, - morecomment=[l]{//}, - morecomment=[n]{/*}{*/}, - morestring=[b]", - morestring=[b]', - morestring=[b]""" -} - -\lstset{language=Scala, - basicstyle=\consolas, - 
keywordstyle=\color{javapurple}\bfseries, - stringstyle=\color{javagreen}, - commentstyle=\color{javagreen}, - morecomment=[s][\color{javadocblue}]{/**}{*/}, - numbers=left, - numberstyle=\tiny\color{black}, - stepnumber=1, - numbersep=10pt, - tabsize=2, - showspaces=false, - showstringspaces=false} - +\hfuzz=220pt % beamer stuff -\renewcommand{\slidecaption}{APP 03, King's College London, 8 October 2013} +\renewcommand{\slidecaption}{APP 03, King's College London} \begin{document} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}<1>[t] +\begin{frame}[t] \frametitle{% \begin{tabular}{@ {}c@ {}} \\ @@ -94,11 +23,7 @@ \LARGE Privacy Policies (3)\\[-6mm] \end{tabular}}\bigskip\bigskip\bigskip - %\begin{center} - %\includegraphics[scale=1.3]{pics/barrier.jpg} - %\end{center} - -\normalsize + \normalsize \begin{center} \begin{tabular}{ll} Email: & christian.urban at kcl.ac.uk\\ 
@@ -107,41 +32,87 @@
 \end{tabular}
 \end{center}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{frame}}
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+The idea is to trick a privileged person to do something on your
+behalf:
+
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+
+\footnotesize
+\begin{minipage}{1.1\textwidth}
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+
+\textcolor{gray}{this takes time}
+\end{minipage}
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
+\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes the real passwd file
+\end{enumerate}
+
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{bubble}[8cm]
+\normalsize To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{bubble} +\end{textblock}} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{\Large Buffer Overflow Attacks} + +\begin{center} +\begin{columns}[b] +\begin{column}{.4\textwidth} +\centering +\includegraphics[scale=1.2]{pics/barrier.jpg}\\ +lectures so far +\end{column} +\begin{column}<2>{.4\textwidth} +\centering +\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\ +today +\end{column} +\end{columns} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -\begin{center} -\begin{tabular}[t]{c} -\includegraphics[scale=1.2]{pics/barrier.jpg}\\ -first lecture -\end{tabular}\;\;\; -\onslide<2>{ -\begin{tabular}[t]{c} -\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\ -today -\end{tabular} -} -\end{center} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} - \begin{center} \begin{tikzpicture}[scale=1] @@ -167,8 +138,7 @@ mitigate the consequences of an attack \end{itemize} - -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -434,9 +404,8 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}} +\frametitle{Smash the Stack for Fun\ldots} \begin{itemize} \item ``smashing the stack attacks'' or\\ ``buffer overflow attacks''\medskip 
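Review bot: The mitigation bubble that closes the second ``Cron''-Attack frame (`To prevent this kind of attack, you need additional policies (don't do such operations as root)`) names a policy but not the underlying defect, so the audience is not told what to look for in their own code. Steps 2–4 of the enumerate show that `/tmp/a/passwd` is resolved once when the glob is expanded and again when `rm` actually unlinks it, and that `ln -s /etc /tmp/a` redirects the path in between — a time-of-check-to-time-of-use (TOCTOU) race on a path inside an attacker-writable directory. I would add one sentence to the bubble, e.g. `This is a TOCTOU race: the path is checked (glob expansion) and used (unlink) at different times, and the attacker changes what it resolves to in between.` It may also be worth a hedged remark that, to my knowledge, current `rm` implementations walk directories via file descriptors rather than re-resolving full paths, so this exact textbook sequence no longer works on modern systems even though the bug class remains. Minor: step 1's `cat > /tmp/a/passwd` blocks on stdin; `touch /tmp/a/passwd` reads more clearly on a slide.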
@@ -456,36 +425,30 @@ \end{itemize} - -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{A Float Printed ``Twice''} -{\lstset{language=Java} \footnotesize -\lstinputlisting{../progs/C1.c}} +\lstinputlisting[language=C]{../progs/C1.c} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}The Problem\end{tabular}} +\frametitle{The Problem} \begin{itemize} \item The basic problem is that library routines in C look as follows: \begin{center} -{\lstset{language=Java} -\footnotesize -\lstinputlisting{../progs/app5.c}} +\footnotesize\lstinputlisting[language=C]{../progs/app5.c} \end{center} \item the resulting problems are often remotely exploitable @@ -493,13 +456,12 @@ (for grooming botnets for further attacks) \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Variants\end{tabular}} +\frametitle{Variants} There are many variants: @@ -511,11 +473,10 @@ \item ``zero-days-attacks'' (new unknown vulnerability) \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \begin{center} 
@@ -523,20 +484,16 @@ \only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;} \only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;} \end{center} - - -\end{frame}} + +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -{\lstset{language=Java}\fontsize{8}{10}\selectfont% -\texttt{\lstinputlisting{../progs/C2.c}}} - +{\small\lstinputlisting[language=C]{../progs/C2.c}} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -554,9 +511,8 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Payloads\end{tabular}} +\frametitle{Payloads} \begin{itemize} \item the idea is you store some code to the buffer @@ -565,13 +521,12 @@ \item difficulty is to guess the right place where to ``jump'' \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}} +\frametitle{Payloads (2)} \begin{itemize} \item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: 
@@ -581,31 +536,28 @@ \end{center} \end{itemize}\bigskip\bigskip -{\lstset{language=Java}\small -\texttt{\lstinputlisting{../progs/app5.c}}} +{\small +\lstinputlisting[language=C]{../progs/app5.c}} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}} +\frametitle{Format String Vulnerability} \small \texttt{string} is nowhere used:\bigskip -{\lstset{language=Java}\footnotesize -\texttt{\lstinputlisting{../progs/C4.c}}}\bigskip +{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip this vulnerability can be used to read out the stack -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}} @@ -618,13 +570,12 @@ \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Security Goals\end{tabular}} +\frametitle{Security Goals} \begin{itemize} \item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause @@ -636,15 +587,12 @@ \item Availability and reliability (reduce the risk of DoS attacks) \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Homework\end{tabular}} +\frametitle{Homework} \begin{itemize} \item Assume format string attacks allow you to read out the stack. What can you do 
@@ -653,7 +601,7 @@
 \item Assume you can crash a program remotely. Why is this a problem?
 \end{itemize}
-\end{frame}}
+\end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%