# HG changeset patch # User Christian Urban # Date 1350330274 -3600 # Node ID b44341c0a7bb1ee704cb69de33fb9bc1acc99675 # Parent 11681bbf0e01eb009bf5750a12aedba289f53865 slides diff -r 11681bbf0e01 -r b44341c0a7bb pics/pointsplane.jpg Binary file pics/pointsplane.jpg has changed diff -r 11681bbf0e01 -r b44341c0a7bb slides04.pdf Binary file slides04.pdf has changed diff -r 11681bbf0e01 -r b44341c0a7bb slides04.tex --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/slides04.tex Mon Oct 15 20:44:34 2012 +0100 @@ -0,0 +1,502 @@ +\documentclass[dvipsnames,14pt,t]{beamer} +\usepackage{beamerthemeplainculight} +\usepackage[T1]{fontenc} +\usepackage[latin1]{inputenc} +\usepackage{mathpartir} +\usepackage[absolute,overlay]{textpos} +\usepackage{ifthen} +\usepackage{tikz} +\usepackage{pgf} +\usepackage{calc} +\usepackage{ulem} +\usepackage{courier} +\usepackage{listings} +\renewcommand{\uline}[1]{#1} +\usetikzlibrary{arrows} +\usetikzlibrary{automata} +\usetikzlibrary{shapes} +\usetikzlibrary{shadows} +\usetikzlibrary{positioning} +\usetikzlibrary{calc} +\usepackage{graphicx} + +\definecolor{javared}{rgb}{0.6,0,0} % for strings +\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments +\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords +\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc + +\lstset{language=Java, + basicstyle=\ttfamily, + keywordstyle=\color{javapurple}\bfseries, + stringstyle=\color{javagreen}, + commentstyle=\color{javagreen}, + morecomment=[s][\color{javadocblue}]{/**}{*/}, + numbers=left, + numberstyle=\tiny\color{black}, + stepnumber=1, + numbersep=10pt, + tabsize=2, + showspaces=false, + showstringspaces=false} + +\lstdefinelanguage{scala}{ + morekeywords={abstract,case,catch,class,def,% + do,else,extends,false,final,finally,% + for,if,implicit,import,match,mixin,% + new,null,object,override,package,% + private,protected,requires,return,sealed,% + super,this,throw,trait,true,try,% + type,val,var,while,with,yield}, + otherkeywords={=>,<-,<\%,<:,>:,\#,@}, + sensitive=true, + morecomment=[l]{//}, + morecomment=[n]{/*}{*/}, + morestring=[b]", + morestring=[b]', + morestring=[b]""" +} + +\lstset{language=Scala, + basicstyle=\ttfamily, + keywordstyle=\color{javapurple}\bfseries, + stringstyle=\color{javagreen}, + commentstyle=\color{javagreen}, + morecomment=[s][\color{javadocblue}]{/**}{*/}, + numbers=left, + numberstyle=\tiny\color{black}, + stepnumber=1, + numbersep=10pt, + tabsize=2, + showspaces=false, + showstringspaces=false} + +% beamer stuff +\renewcommand{\slidecaption}{APP 04, King's College London, 16 October 2012} + + +\begin{document} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}<1>[t] +\frametitle{% + \begin{tabular}{@ {}c@ {}} + \\ + \LARGE Access Control and \\[-3mm] + \LARGE Privacy Policies (4)\\[-6mm] + \end{tabular}}\bigskip\bigskip\bigskip + + %\begin{center} + %\includegraphics[scale=1.3]{pics/barrier.jpg} + %\end{center} + +\normalsize + \begin{center} + \begin{tabular}{ll} + Email: & christian.urban at kcl.ac.uk\\ + Of$\!$fice: & S1.27 (1st floor Strand Building)\\ + Slides: & KEATS (also homework is there)\\ + \end{tabular} + \end{center} + + +\end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Unix-Style Access Control} + +\begin{itemize} +\item Q: ``I am using Windows. Why should I care?'' \\ A: In Windows you have: + +\begin{center} +\begin{tabular}{l} +administrators group\\ +\hspace{5mm}(has complete control over the machine)\\ +authenticated users\\ +server operators\\ +power users\\ +network configuration operators\\ +\end{tabular} +\end{center}\medskip + +\item Modern versions of Windows have more fine-grained AC; they do not have a setuid bit, but +have \texttt{runas} (asks for a password).\pause + +\item OS provided access control can \alert{add} to your +security. +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} + + +\begin{center} + \begin{tikzpicture}[scale=1] + + \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); + \draw (4.7,1) node {Internet}; + \draw (0.6,1.7) node {\footnotesize Interface}; + \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; + \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; + + \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); + + \draw[white] (1.7,1) node (X) {}; + \draw[white] (3.7,1) node (Y) {}; + \draw[red, <->, line width = 2mm] (X) -- (Y); + + \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1); + \end{tikzpicture} +\end{center} + +\begin{itemize} +\item the idea is make the attack surface smaller and +mitigate the consequences of an attack +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Shared Access Control} + +\begin{center} +\includegraphics[scale=0.7]{pics/pointsplane.jpg} +\end{center} + +\begin{textblock}{11}(10.5,10.5) +\small +To take an action you\\[-1mm] +need either: +\begin{itemize} +\item 1 CEO\\[-5mm] +\item 2 MDs\\[-5mm] +\item 3 Ds +\end{itemize} +\end{textblock} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Lessons from Access Control} + +\begin{itemize} +\item if you have too many roles (i.e.~too finegrained AC), then + hierarchy is too complex\\ + \textcolor{gray}{you invite situations like\ldots let's be root}\bigskip + +\item you can still abuse the system\ldots + +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}} + +The idea is to trick a privileged person to do something on your behalf: + +\begin{itemize} +\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause + +\footnotesize +\begin{minipage}{1.1\textwidth} +\textcolor{gray}{the shell behind the scenes:}\\ +\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\ + +\textcolor{gray}{this takes time} +\end{minipage} +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}} + +\begin{enumerate} +\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ +\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip +\item root \textcolor{gray}{(does the daily cleaning)}\\ +\texttt{rm /tmp/*/*}\medskip\\ +\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ +\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\ + +\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to +the real passwd file)}\\ +\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ +\item root now deletes the real passwd file +\end{enumerate} + +\only<2>{ +\begin{textblock}{11}(2,5) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{9cm}\raggedright +To prevent this kind of attack, you need additional +policies. +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Schneier Analysis\end{tabular}} + +\begin{itemize} +\item What assets are you trying to protect? +\item What are the risks to these assets? +\item How well does the security solution mitigate those risks? +\item What other risks does the security solution cause? +\item What costs and trade-offs does the security solution impose? +\end{itemize} + +\textcolor{gray}{There is no absolutely secure system and security almost never comes for free.} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Example: Credit Cards\end{tabular}} + +You might have the policy of not typing in your credit card online. Worthwhile or not? +\begin{itemize} +\item<2->What assets are you trying to protect?\\ +\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}your credit card number\end{tabular}} +\item<3->What are the risks to these assets?\\ +\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +With credit cards you loose a fixed amount \pounds{50}. Amazon \pounds{50}. \end{tabular}} +\item<4->How well does the security solution mitigate those risks?\\ +\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +Well, hackers steal credit cards from databases. They usually do not attack you individually.\end{tabular}} +\item<5->What other risks does the security solution cause? +\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright None (?)\end{tabular}} +\item<6->What costs and trade-offs does the security solution impose? +\only<6>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Internet shopping is convenient and sometimes cheaper.\end{tabular}} +\item<7>[]{\bf\large No!} +\end{itemize}\pause\pause + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewall\end{tabular}} + +\begin{center} +\includegraphics[scale=0.5]{pics/firewall.png} +\end{center} + +A firewall is a piece of software that controls incoming and outgoing traffic according to some rules. +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewall\end{tabular}} + +\begin{itemize} +\item<1->What assets are you trying to protect?\\ +\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Whatever is behind the firewall +(credit cards, passwords, blueprints, \ldots)\end{tabular}} +\item<2->What are the risks to these assets?\\ +\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +With a small online shop you are already at risk. Pentagon, definitely.\end{tabular}} +\item<3->How well does the security solution mitigate those risks?\\ +\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +Well, at home so not much. Everywhere else, if properly configurated then it does.\end{tabular}} +\item<4->What other risks does the security solution cause? +\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright There might be backdoors or bugs in the firewall, +but generally they are secure. You choose to prevent certain traffic.\end{tabular}} +\item<5->What costs and trade-offs does the security solution impose? +\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +Minimal to modest. Firewalls are part of free software. You need a knowledgeable +person to set them up.\end{tabular}} +\item<7>[]{\bf\large Yes!} +\end{itemize}\pause\pause + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}} + +Google uses nowadays two-factor authentication. But it is an old(er) +idea. It is used for example in Germany and Netherlands for online transactions. + +\begin{center} +\includegraphics[scale=0.6]{pics/tan1.jpg}\hspace{5mm} +\includegraphics[scale=0.2]{pics/tan2.jpg} +\end{center} + +\pause +Or nowadays by SMS (restricts the validity of the numbers) or with a secure generator + +\begin{center} +\includegraphics[scale=0.08]{pics/pinsentry.jpg} +\end{center} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}} + +\begin{itemize} +\item<1->What assets are you trying to protect?\\ +\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Your bank account.\end{tabular}} +\item<2->What are the risks to these assets?\\ +\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +Nowadays pretty high risk.\end{tabular}} +\item<3->How well does the security solution mitigate those risks?\\ +\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +It prevents problems when passwords are stolen. Man-in-the-middle attacks +still possible.\end{tabular}} +\item<4->What other risks does the security solution cause? +\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Your mobile phone or creditcard/pin might +be stolen. SIM card become valuable.\end{tabular}} +\item<5->What costs and trade-offs does the security solution impose? +\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +Banks need to establish an infrastructure. For you it might be inconvenient.\end{tabular}} +\item<7>[]{\bf\large Yes!} +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals\end{tabular}} + +According to Ross Anderson: ``\ldots is a tamper-indicating device +designed to leave non-erasable, unambiguous evidence of unauthorized +entry or tampering.'' + +\begin{center} +\includegraphics[scale=0.45]{pics/seal.jpg} +\end{center}\mbox{}\\[-12mm] + +They also need some quite sophisticated policies (seal regiment). +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals (2)\end{tabular}} + +\begin{itemize} +\item at the Argonne National Laboratory they tested 244 different security seals (including 19\% +that were used for safeguard of nuclear material) +\begin{itemize} +\item mean time to break the seals for a trained person: 100 s +\end{itemize}\bigskip + +\item Andrew Appel defeated all security seals which were supposed to keep +voting machines safe. +\end{itemize} + + +\only<2>{ +\begin{textblock}{11}(1,1) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\normalsize +\begin{minipage}{11cm}\raggedright\small +\begin{center} +\includegraphics[scale=0.25]{pics/appelseals.jpg} +\end{center} +\begin{center} +\begin{minipage}{10.5cm} +\begin{itemize} +\item The tamper-indicating tape can be lifted using a heat gun. +\item The security screw cap can be removed using a screwdriver, then the +serial-numbered top can be replaced (undamaged) onto a fresh (unnumbered) base. +\item The wire seal can be defeated using a \#4 wood screw. +\item The plastic strap seal can be picked using a jeweler's screwdriver. +\end{itemize} +\end{minipage} +\end{center} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Security Seals\end{tabular}} + +\begin{itemize} +\item<1->What assets are you trying to protect?\\ +\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Voting machines, doors.\end{tabular}} +\item<2->What are the risks to these assets?\\ +\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Casual thiefs, insider attacks.\end{tabular}} +\item<3->How well does the security solution mitigate those risks?\\ +\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +Needs a quite complicated security regiment.\end{tabular}} +\item<4->What other risks does the security solution cause? +\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You might not notice tampering.\end{tabular}} +\item<5->What costs and trade-offs does the security solution impose? +\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright +The ``hardware'' is cheap, but indirect costs can be quite high.\end{tabular}} +\item<7>[]{\bf\large No!} {\textcolor{gray}{Though in some areas they work: airport.}} +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +\end{document} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: +