# HG changeset patch # User Christian Urban # Date 1382394483 -3600 # Node ID 59d3bf386a6d9296dcf388278d4f96086c13fcbf # Parent be57673022d3e1ffc6c217c436f1b7ccf0b7b4ed added diff -r be57673022d3 -r 59d3bf386a6d hws/hw04.pdf Binary file hws/hw04.pdf has changed diff -r be57673022d3 -r 59d3bf386a6d hws/hw04.tex --- a/hws/hw04.tex Wed Oct 09 15:52:17 2013 +0100 +++ b/hws/hw04.tex Mon Oct 21 23:28:03 2013 +0100 @@ -8,33 +8,9 @@ \section*{Homework 4} \begin{enumerate} -\item Voice voting is the method of casting a vote in the `open air' for everyone -present to hear. Which of the following security requirements do paper ballots -satisfy better than voice voting? Check all that apply and give a brief explanation -for your decision. - -\begin{itemize} -\item[$\Box$] Integrity\bigskip\bigskip -\item[$\Box$] Enfranchisement\bigskip\bigskip -\item[$\Box$] Ballot secrecy\bigskip\bigskip -\item[$\Box$] Voter authentication\bigskip\bigskip -\item[$\Box$] Availability\bigskip\bigskip -\end{itemize} +\item Explain what is meant by \emph{Kerckhoffs' principle}. -\item Explain how an attacker can use chain voting in order to influence the outcome of a -poll using paper ballots. - -\item Which of the following mechanisms help with defending against chain voting? Check all -that apply. Give a brief reason for each defence that mitigates chain voting attacks. - -\begin{itemize} -\item[$\Box$] Using a glass ballot box to make it clear there are no ballots in the box before the start of the election. -\item[$\Box$] Distributing ballots publicly before the election. -\item[$\Box$] Checking that a voter's ID (drivers license, passport) matches the voter. -\item[$\Box$] Each ballot has a unique ID. When a voter is given a ballot, the ID is recorded. When the voter submits his or her ballot, this ID is checked against the record. -\end{itemize} - \end{enumerate} diff -r be57673022d3 -r 59d3bf386a6d slides/slides01.pdf Binary file slides/slides01.pdf has changed diff -r be57673022d3 -r 59d3bf386a6d slides/slides04.pdf Binary file slides/slides04.pdf has changed diff -r be57673022d3 -r 59d3bf386a6d slides/slides04.tex --- a/slides/slides04.tex Wed Oct 09 15:52:17 2013 +0100 +++ b/slides/slides04.tex Mon Oct 21 23:28:03 2013 +0100 @@ -71,8 +71,10 @@ showstringspaces=false} % beamer stuff -\renewcommand{\slidecaption}{APP 03, King's College London, 1 October 2013} - +\renewcommand{\slidecaption}{APP 03, King's College London, 22 October 2014} +\makeatletter +\def\verbatim@font{\consolas\footnotesize} +\makeatother \begin{document} @@ -83,14 +85,14 @@ \begin{tabular}{@ {}c@ {}} \\ \LARGE Access Control and \\[-3mm] - \LARGE Privacy Policies (2)\\[-6mm] + \LARGE Privacy Policies (4)\\[-6mm] \end{tabular}}\bigskip\bigskip\bigskip \normalsize \begin{center} \begin{tabular}{ll} Email: & christian.urban at kcl.ac.uk\\ - Of$\!$fice: & S1.27 (1st floor Strand Building)\\ + Office: & S1.27 (1st floor Strand Building)\\ Slides: & KEATS (also home work is there)\\ \end{tabular} \end{center} @@ -105,7 +107,7 @@ \begin{center} \includegraphics[scale=0.45]{pics/trainwreck.jpg}\\ -one general defence mechanism is\\\alert{\bf defence in depth} +two weeks ago: buffer overflow attacks \end{center} @@ -113,87 +115,57 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}<1-2>[c] -\frametitle{Defence in Depth} - -\begin{itemize} -\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails. -\end{itemize} +\begin{frame}[fragile] +\frametitle{Buffer Overflows} -\only<2->{ -\begin{textblock}{11}(2,12) -\small otherwise your ``added security'' can become the point of failure -\end{textblock}} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{verbatim} +As a proof-of-concept, the following URL allows +attackers to control the return value saved on +the stack (the vulnerability is triggered when +executing "/usr/sbin/widget"): -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{PALs} - -\begin{itemize} -\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory) -\end{itemize} + curl http:///post_login.xml?hash=AAA...AAABBBB -\begin{center} -\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm} -\includegraphics[scale=0.25]{pics/nuclear2.jpg} -\end{center} - - -\onslide<3->{ -modern PALs also include a 2-person rule -} - - \only<2->{ -\begin{textblock}{11}(3,2) -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\begin{minipage}{8cm} -US Air Force's Strategic Air Command worried that in times of need the -codes would not be available, so until 1977 quietly decided to set them -to 00000000\ldots -\end{minipage}}; -\end{tikzpicture} -\end{textblock}} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +The value of the "hash" HTTP GET parameter consists in +292 occurrences of the 'A' character, followed by four +occurrences of character 'B'. In our lab setup, characters +'B' overwrite the saved program counter (%ra). -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -\begin{itemize} -\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause - -\item these weapons were armed with a bicycle key +Discovery date: 06/03/2013 +Release date: 02/08/2013 +\end{verbatim} -\begin{center} -\begin{tabular}[b]{c} -\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\ -\small nuclear weapon keys -\end{tabular} -\hspace{3mm} -\begin{tabular}[b]{c} -\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\ -\small bicycle lock -\end{tabular} -\end{center}\bigskip\pause - -\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted -\end{itemize} - -\end{frame}} +\mbox{}\footnotesize\hfill\url{http://pastebin.com/vbiG42VD} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[fragile] +\frametitle{Backdoors} + +D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip + +If you tell your browser to identify itself as Joel's backdoor, instead of (say) +as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip + +"What is this string," I hear you ask? + +You will laugh: it is + +\begin{verbatim} +xmlset_roodkcableoj28840ybtide +\end{verbatim} + + +\hfill\footnotesize October 15, 2013\\ +\hfill\tiny\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] \frametitle{Access Control in Unix} @@ -246,82 +218,90 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - +\newcommand{\bl}[1]{\textcolor{blue}{#1}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] -\frametitle{Process Ownership} +\begin{frame}[c] +\frametitle{Access Control} \begin{itemize} -\item access control in Unix is very coarse -\end{itemize}\bigskip\bigskip\bigskip +\item \bl{Discretionary Access Control:}\mbox{}\medskip\\ \small Access to objects (files, directories, devices, etc.) is permitted +based on user identity. Each object is owned by a user. Owners can +specify freely (at their discretion) how they want to share their objects +with other users, by specifying which other users can have which +form of access to their objects.\medskip + Discretionary access control is implemented on any multi-user OS +(Unix, Windows NT, etc.). +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{center} -\begin{tabular}{c} -root\\ -\hline +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Access Control} -user$_1$ user$_2$ \ldots www, mail, lp -\end{tabular} -\end{center}\bigskip\bigskip\bigskip +\begin{itemize} +\item \bl{Mandatory Access Control:}\mbox{}\medskip\\ \small Access to objects is controlled by a system-wide policy, for example +to prevent certain flows of information. In some forms, the system maintains +security labels for both objects and subjects (processes, users), based on +which access is granted or denied. Labels can change as the result of an +access. Security policies are enforced without the cooperation of users or +application programs.\medskip + +This is implemented today in special military operating system versions +(SELinux). +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\textcolor{gray}{\small root has UID $=$ 0}\\\pause -\textcolor{gray}{\small you also have groups that can share access to a file}\\ -\textcolor{gray}{\small but it is difficult to exclude access selectively}\\ -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Access Control in Unix (2)} - - -\begin{itemize} -\item privileges are specified by file access permissions (``everything is a file'') -\item there are 9 (plus 2) bits that specify the permissions of a file - -\begin{center} -\begin{tabular}{l} -\texttt{\$ ls - la}\\ -\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt} -\end{tabular} -\end{center} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{Login Process} +\frametitle{Discretionary Access Control} + +In its most generic form usually given by an Access Control Matrix +of the form +\begin{center} +\begin{tabular}{r|c|c|c} + & /mail/jane & edit.exe & sendmail \\\hline +jane & r, w & r, x & r, x\\\hline +john & $\varnothing$ & r, w, x& r, x\\\hline +sendmail & a & $\varnothing$ & r, x\\ +\end{tabular} +\end{center} + + +access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Mandatory Access Control} \begin{itemize} -\item login processes run under UID $=$ 0\medskip -\begin{center} -\texttt{ps -axl | grep login} -\end{center}\medskip +\item Restrictions to allowed information flows are not decided at the user’s +discretion (as with Unix chmod), but instead enforced by system policies. -\item after login, shells run under UID $=$ user (e.g.~501)\medskip -\begin{center} -\texttt{id cu} -\end{center}\medskip\pause +\item Mandatory access control mechanisms are aimed in particular at +preventing policy violations by untrusted application software, which +typically have at least the same access privileges as the invoking user.\medskip -\item non-root users are not allowed to change the UID --- would break -access control -\item but needed for example for \texttt{passwd} +Simple example: Air Gap Security. Uses completely separate network and computer hardware for different application classes. \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] @@ -408,39 +388,6 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}} - - -\begin{itemize} -\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause -\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause -\item \texttt{mkdir foo} is owned by root\medskip -\begin{center} -\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir} -\end{center}\medskip -it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)} -\end{itemize} - -\only<1>{ -\begin{textblock}{1}(3,3) -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\begin{minipage}{8cm} -Only failure makes us experts. - -- Theo de Raadt (OpenBSD, OpenSSH) -\end{minipage}}; -\end{tikzpicture} -\end{textblock}} - - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c]