# HG changeset patch
# User Christian Urban
# Date 1445476283 -3600
# Node ID ca9295851eb68b94427a0e46ab7e7fdf2fc4dbb0
# Parent 708b80c825af36395918f429fbef5c54a7d06a8c
updated

diff -r 708b80c825af -r ca9295851eb6 slides/slides05.pdf
Binary file slides/slides05.pdf has changed
diff -r 708b80c825af -r ca9295851eb6 slides/slides05.tex
--- a/slides/slides05.tex Wed Oct 21 22:07:46 2015 +0100
+++ b/slides/slides05.tex Thu Oct 22 02:11:23 2015 +0100
@@ -1,9 +1,10 @@
 \PassOptionsToPackage{bookmarks=false}{hyperref}
 \documentclass[dvipsnames,14pt,t,hyperref={bookmarks=false}]{beamer}
+\usepackage{../style}
 \usepackage{../slides}
 \usepackage{../graphics}
 \usepackage{../langs}
-\usepackage{../style}
+\usepackage{../data}
 \usetikzlibrary{arrows}
 \usetikzlibrary{shapes}
 
@@ -294,6 +295,7 @@
 \item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip \item CA must be trusted by everybody\medskip +\item certificates are time limited, and can be revoked \item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign explicitly limits liability to \$100.)
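Review bot: The added bullet `\item certificates are time limited, and can be revoked` states revocation as a plain fact, while the new "PKI: Weaknesses" slide in the next hunk says `revocation does not work (Chrome has given up on revocation lists)`; read in sequence the two slides contradict each other instead of one qualifying the other. I would phrase the bullet as `\item certificates are time limited, and can (in principle) be revoked` so the later slide reads as the caveat it is meant to be. The enclosing itemize starts before this hunk.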
@@ -302,79 +304,276 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{PKI: Chains of Trust} + +\begin{center} + \begin{tikzpicture}[scale=1, + node/.style={ + rectangle,rounded corners=3mm, + very thick,draw=black!50,minimum height=18mm, minimum width=23mm, + top color=white,bottom color=black!20}] + + \node (A) at (0,0) [node] {}; + \node [below right] at (A.north west) + {\small\begin{tabular}{@{}l}CA\\Root Cert.\end{tabular}}; + + \node (B) at (4,0) [node] {}; + \node [below right=1mm] at (B.north west) + {\mbox{}\hspace{-1mm}\small + \begin{tabular}{@{}l}Subordinate\\ CA\end{tabular}}; + + \node (C) at (8,0) [node] {}; + \node [below right] at (C.north west) + {\small\begin{tabular}{@{}l}Server\\ Bank.com\end{tabular}}; + + \draw [->,line width=4mm] (A) -- (B); + \draw [->,line width=4mm] (B) -- (C); + + \node (D) at (6,-3) [node] {}; + \node [below right] at (D.north west) + {\small\begin{tabular}{@{}l}Browser\\ Root Store\end{tabular}}; + + \node (E) at (2,-3) [node] {}; + \node [below right] at (E.north west) + {\small\begin{tabular}{@{}l}Browser\\ Company\end{tabular}}; + + \draw [->,line width=4mm] (E) -- (D); + \end{tikzpicture} +\end{center} + +\begin{itemize} +\item CAs make almost no money anymore, because of competition +\item browser companies are not really interested in security, +rather than market share +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Best Practices} +\frametitle{PKI: Weaknesses} + +CAs just cannot win (make any profit):\medskip + +\begin{itemize} +\item there are hundreds of CAs, which issue million of + certificates and the error rate is small + +\item users (servers) do not want to pay or pay as little as + possible\bigskip + +\item a CA can issue a 
certificate for any domain not needing + any permission (CAs are meant to be undergo audits, + but\ldots DigiNotar); if they have issued many + certificates, they ``become too big to fail'' + +\item Can we be sure CAs are not just front-ends of some + government organisation? + +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{PKI: Weaknesses} + +\begin{itemize} + +\item many certificates are issued via whois\ldots if you + hijacked a domain, it is easy to obtain + certificates\medskip + +\item revocation does not work (Chrome has given up on + revocation lists)\medskip -{\bf Principle 1:} Every message should say what it means: the -interpretation of a message should not depend on the -context.\bigskip\pause +\item lax approach to validation of certificates + (Have you bypassed certification warnings?)\medskip + +\item sometimes you want to install invalid certificates + (self-signed) + +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{PKI: Attacks} + +\begin{itemize} -{\bf Principle 2:} If the identity of a principal is essential -to the meaning of a message, it is prudent to mention the -principal’s name explicitly in the message (though -difficult).\bigskip +\item Go directly after root certificates + \begin{itemize} + \item governments can demand private keys\smallskip + \item 10 years ago it was estimated to break a 1024 bit key + in one year using 10 -30 Mio \$; this is now reduced to 1 Mio \$ + \end{itemize} + +\item Go after buggy implementations of certificate + validation\smallskip + +\item Social Engineering + \begin{itemize} + \item in 2001 somebody pretended to be + from Microsoft and asked for two code-signing + certificates + \end{itemize}\bigskip 
+\end{itemize} + +\small The eco-system is completely broken (it relies on +thousands of entities doing the right thing). Maybe DNSSEC +where keys can be attached to domain names is a way out. \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Best Practices} - -{\bf Principle 3:} Be clear about why encryption is being -done. Encryption is not wholly cheap, and not asking precisely -why it is being done can lead to redundancy. Encryption is not -synonymous with security. - -\small -\begin{center} -Possible Uses of Encryption +\frametitle{Real Attacks} \begin{itemize} -\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}. \item Guarantee authenticity: The partner is indeed some particular principal. \item Guarantee confidentiality and authenticity: binds two parts of a message --- -\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}. + +\item In 2011, DigiNotar (Dutch) was the first CA which got + compromised completely, and where many fraudulent + certificates were issued. It included approximately + 300,000 IP addresses, mostly located in Iran. The + attackers (in Iran?) were likely interested only in + collecting gmail passwords.\medskip + +\item The Flame malware piggy-bagged on this attack by + advertising malicious Windows updates to some targeted + systems (mostly in Iran, Israel, Sudan). 
+ \end{itemize} -\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{PKI is Broken} + +\begin{itemize} + +\item PKI and certificates are meant to protect you against + MITM attacks, but if the attack occurs your are + presented with a warning and you need to decide whether + you are under attack.\medskip + +\item Webcontent gets often loaded from 3rd-party servers, + which might not be secured\medskip + +\item Misaligned incentives: browser vendors are not + interested in breaking webpages with invalid + certificates + +\end{itemize} \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Best Practices} + +Why are there so many invalid certificates?\bigskip + +\begin{itemize} + +\item insufficient name coverage (www.example.com should +include example.com) -{\bf Principle 4:} The protocol designers should know which -trust relations their protocol depends on, and why the -dependence is necessary. The reasons for particular trust -relations being acceptable should be explicit though they will -be founded on judgment and policy rather than on -logic.\bigskip +\item IoT: manny appliances have web-based admin interfaces; + the manufacturer cannot know under which IP and domain name + the appliances are run (so cannot install a valid certificate) - Example Certification Authorities: CAs are trusted to certify -a key only after proper steps have been taken to identify the -principal that owns it. 
+\item expired certificates, or incomplete chains of trust + (servers are supposed to supply them) + +\end{itemize} \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Formal Methods} - -Ross Anderson about the use of Logic:\bigskip - -\begin{quote} -Formal methods can be an excellent way of finding -bugs in security protocol designs as they force the designer -to make everything explicit and thus confront difficult design -choices that might otherwise be fudged. -\end{quote} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - +% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%\begin{frame}[c] +%\frametitle{Best Practices} +% +%{\bf Principle 1:} Every message should say what it means: the +%interpretation of a message should not depend on the +%context.\bigskip\pause +% +%{\bf Principle 2:} If the identity of a principal is essential +%to the meaning of a message, it is prudent to mention the +%principal’s name explicitly in the message (though +%difficult).\bigskip +% +%\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%\begin{frame}[c] +%\frametitle{Best Practices} +% +%{\bf Principle 3:} Be clear about why encryption is being +%done. Encryption is not wholly cheap, and not asking precisely +%why it is being done can lead to redundancy. Encryption is not +%synonymous with security. % +% +%\small +%\begin{center} +%Possible Uses of Encryption % +% +%\begin{itemize} +%\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}. %\item Guarantee authenticity: The partner is indeed some particular principal. 
%\item Guarantee confidentiality and authenticity: binds two parts of a message --- +%\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}. +%\end{itemize} +%\end{center} +% +%\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%\begin{frame}[c] +%\frametitle{Best Practices} +% +%{\bf Principle 4:} The protocol designers should know which +%trust relations their protocol depends on, and why the +%dependence is necessary. The reasons for particular trust +%relations being acceptable should be explicit though they will +%be founded on judgment and policy rather than on +%logic.\bigskip +% +% %Example Certification Authorities: CAs are trusted to certify +%a key only after proper steps have been taken to identify the +%principal that owns it. +% +%\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%\begin{frame}[c] +%\frametitle{Formal Methods} +% +%Ross Anderson about the use of Logic:\bigskip +% +%\begin{quote} +%Formal methods can be an excellent way of finding +%bugs in security protocol designs as they force the designer +%to make everything explicit and thus confront difficult design +%choices that might otherwise be fudged. +%\end{quote} +% +%\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{Mid-Term} 
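Review bot: Several of the new slides carry typos that will show on the projector: `million of certificates` → `millions of certificates`, `are meant to be undergo audits` → `are meant to undergo audits`, `piggy-bagged` → `piggy-backed`, `your are presented` → `you are presented`, `manny appliances` → `many appliances`, `Webcontent gets often loaded` → `Web content is often loaded`, and `10 -30 Mio \$` → `10--30 Mio \$`. On the "PKI: Chains of Trust" slide, `not really interested in security, rather than market share` is a garbled comparison; `not really interested in security, but in market share` says what is meant. The closing remark `Maybe DNSSEC where keys can be attached to domain names is a way out` conflates two mechanisms: DNSSEC signs DNS records, and it is DANE (TLSA records on top of DNSSEC) that binds a certificate or key to a domain name, so naming DANE there would be more precise. The moved `%\begin{frame}` blocks are commented-out history and need no change.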
@@ -390,6 +589,384 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Security Engineering} + + \begin{center} + \begin{tabular}{cc} + \raisebox{-0.8mm}{\includegraphics[scale=0.28]{../pics/flight.jpg}} & + \includegraphics[scale=0.31]{../pics/airbus.jpg}\\ + \small Wright brothers, 1901 & \small Airbus, 2005 \\ + \end{tabular} + \end{center} + + \end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{1st Lecture} + +\begin{itemize} +\item chip-and-pin, banks vs.~customers +\begin{quote}\small\rm + the one who can improve security should also be + liable for the losses +\end{quote}\pause\bigskip + +\item hashes and salts to guarantee data integrity\medskip +\item storing passwords (you should know the difference between +brute force attacks and dictionary attacks; how do salts help?) 
+\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{1st Lecture: Cookies} + +\begin{itemize} +\item good uses of cookies?\medskip + +\item bad uses of cookies: snooping, tracking, profiling\ldots + the ``disadvantage'' is that the user is in + \alert{control}, because you can delete them + + \begin{center} ``Please track me using cookies.'' + \end{center}\bigskip\pause + +\item fingerprinting beyond browser cookies + \begin{quote}\small\rm + Pixel Perfect: Fingerprinting Canvas in HTML5\\ + (a research paper from 2012)\\ + \footnotesize + \url{http://cseweb.ucsd.edu/~hovav/papers/ms12.html} + \end{quote} +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{1st Lecture: Cookies} + +\begin{itemize} +\item a bit of JavaScript and HTML5 + canvas\medskip +\begin{center} +\begin{tabular}{cc} +Firefox & Safari\\ +\includegraphics[scale=0.31]{../pics/firefox1.png} & +\includegraphics[scale=0.31]{../pics/safari1.png} \\ +\tiny +\pcode{55b2257ad0f20ecbf927fb66a15c61981f7ed8fc} & +\tiny +\pcode{17bc79f8111e345f572a4f87d6cd780b445625d3} +\end{tabular} +\end{center}\bigskip + +\item\small no actual drawing needed\pause +\item\small in May 2014 a crawl of 100,000 popular +webpages revealed 5.5\% already use canvas +fingerprinting\smallskip +\begin{center}\scriptsize +\url{https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf} +\end{center} +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{1st Lecture: Cookies} + +Remember the small web-app I showed where a cookie +protected a counter\bigskip + +\begin{itemize} +\item 
NYT, the cookie looks the ``resource'' - harm\medskip +\item imaginary discount unlocked by cookie - no harm +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[t] +\frametitle{2nd Lecture: E-Voting} + +Where are paper ballots better than voice voting?\bigskip + +\begin{itemize} +\item Integrity +\item \alert{Ballot Secrecy} +\item Voter Authentication +\item Enfranchisement +\item Availability +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[t] +\frametitle{2nd Lecture: E-Voting} + +\begin{itemize} +\item (two weeks ago) an Australian parliamentary committee +found: e-voting is highly vulnerable to hacking and Australia +will not use it any time soon\bigskip\pause +\item Alex Halderman, Washington D.C.~hack +\begin{center} +\scriptsize +\url{https://jhalderm.com/pub/papers/dcvoting-fc12.pdf} +\end{center}\medskip + +\item PDF-ballot tampering at the wireless router (the modification +is nearly undetectable and leaves no traces; MITM attack with firmware +updating) +\begin{center} +\scriptsize +\url{http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf} +\end{center} + +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\tikzset{alt/.code args={<#1>#2#3#4}{% + \alt<#1>{\pgfkeysalso{#2}}{\pgfkeysalso{#3}} % \pgfkeysalso doesn't change the path +}} + +\begin{frame}[t] +\frametitle{\begin{tabular}{c}3rd Lecture:\\ Buffer Overflow Attacks\end{tabular}} + +\begin{itemize} +\item the problem arises from the way C/C++ organises its function calls\\[-8mm]\mbox{} +\end{itemize} + +\begin{center} +\begin{tikzpicture}[scale=1] +%\draw[black!10,step=2mm] (0,0) grid (9,4); 
+%\draw[black!10,thick,step=10mm] (0,0) grid (9,4); + +\node at (0.5,4.5) {\small\begin{tabular}{l}main\\[-2mm] prog.\end{tabular}}; +\draw[line width=0mm, white, alt=<2->{fill=red}{fill=blue}] (0,2.5) rectangle (1,3.8); +\draw[line width=0mm, white, alt=<9->{fill=red}{fill=blue}] (0,0.2) rectangle (1,0.5); +\draw[line width=1mm, alt=<3->{fill=yellow}{fill=blue}] (0,2.0) rectangle (1,2.5); +\draw[line width=1mm, alt=<6->{fill=red}{fill=blue}] (0,1.0) rectangle (1,2.0); +\draw[line width=1mm, alt=<7->{fill=yellow}{fill=blue}] (0,0.5) rectangle (1,1.0); +\draw[line width=1mm] (0,0) -- (0,4); +\draw[line width=1mm] (1,0) -- (1,4); + +\node at (3.5,3.5) {\small\begin{tabular}{l}fact(n)\end{tabular}}; +\draw[line width=1mm, alt=<{4-5,8}>{fill=red}{fill=blue}] (3,1.0) rectangle (4,3.0); + +\onslide<3-4>{\draw[->, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {n=4} (3,3);} +\onslide<5>{\draw[<-, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {res=24} (3,1);} + +\onslide<7-8>{\draw[->, line width=1mm,red] (1,0.8) to node [above,sloped,midway] {n=3} (3,3);} +\onslide<9>{\draw[<-, line width=1mm,red] (1,0.8) to node [above,sloped,midway] {res=6} (3,1);} + + +\node at (7.75,3.9) {\small\begin{tabular}{l}stack\end{tabular}}; +\draw[line width=1mm] (7,3.5) -- (7,0.5) -- (8.5,0.5) -- (8.5,3.5); + +\onslide<3,4,7,8>{ +\node at (7.75, 1.4) {ret}; +\draw[line width=1mm] (7,1.1) -- (8.5,1.1); +\node at (7.75, 2.0) {sp}; +\draw[line width=1mm] (7,2.3) -- (8.5,2.3); +} +\onslide<3,4>{ +\node at (7.75, 0.8) {4}; +\draw[line width=1mm] (7,1.7) -- (8.5,1.7); +} +\onslide<7,8>{ +\node at (7.75, 0.8) {3}; +\draw[line width=1mm] (7,1.7) -- (8.5,1.7); +} + + +\end{tikzpicture} +\end{center} + +\end{frame} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[t] + +\begin{center} +\begin{tikzpicture}[scale=1] +%\draw[black!10,step=2mm] (0,0) grid (9,4); +%\draw[black!10,thick,step=10mm] (0,0) grid (9,4); + +\node at (0.5,4.5) 
{\small\begin{tabular}{l}main\\[-2mm] prog.\end{tabular}}; +\draw[line width=0mm, white, alt=<2->{fill=red}{fill=blue}] (0,2.5) rectangle (1,3.8); +\draw[line width=1mm, white, fill=blue] (0,1.0) rectangle (1,2.0); +\draw[line width=1mm, alt=<3->{fill=yellow}{fill=blue}] (0,2.0) rectangle (1,2.5); +\draw[line width=1mm] (0,0) -- (0,4); +\draw[line width=1mm] (1,0) -- (1,4); + +\node at (3.5,3.5) {\small\begin{tabular}{l}fact(n)\end{tabular}}; +\draw[line width=0mm, alt=<{4-}>{red, fill=red}{blue, fill=blue}] (3,2.8) rectangle (4,3.0); +\draw[line width=0mm, alt=<{5-}>{red, fill=red}{blue, fill=blue}] (3,2.8) rectangle (4,2.0); +\draw[line width=0mm, alt=<{7-}>{red, fill=red}{blue, fill=blue}] (3,2.0) rectangle (4,1.0); +\draw[line width=1mm] (3,1.0) rectangle (4,3.0); + +\onslide<3->{\draw[->, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {n=4} (3,3);} +\onslide<5->{\draw[<-, line width=2mm,red] (4,2) to node [above,sloped,midway] +{\begin{tabular}{l}user\\[-1mm] input\end{tabular}} (6,2);} +\onslide<8->{\draw[<-, line width=1mm,red] (1,-2) to (3,1);} + +\node at (7.75,3.9) {\small\begin{tabular}{l}stack\end{tabular}}; +\draw[line width=1mm] (7,3.5) -- (7,-0.1) -- (8.5,-0.1) -- (8.5,3.5); + +\onslide<3->{ +\node at (7.75, 0.2) {4}; +\draw[line width=1mm,alt=<6->{fill=red}{fill=white}] (7,0.5) rectangle (8.5,1.1); +\node at (7.75, 0.8) {\alt<6->{@a\#}{ret}}; +\draw[line width=1mm,alt=<6->{fill=red}{fill=white}] (7,1.1) rectangle (8.5,1.7); +\node at (7.75, 1.4) {\alt<6->{!?w;}sp}; +} + +\onslide<4->{ +\draw[line width=1mm,fill=red] (7,1.7) rectangle (8.5,3.0); +\node[white] at (7.75, 2.4) {buffer}; +} + +\end{tikzpicture} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[t] +\frametitle{\begin{tabular}{c}3rd Lecture:\\[-3mm] +Buffer Overflow Attacks\end{tabular}} + +US National Vulnerability Database\\ +\small(636 out of 
6675 in 2014) + +\begin{center} +\begin{tikzpicture} +\begin{axis}[ + xlabel={year}, + ylabel={\% of total attacks}, + ylabel style={yshift=0em}, + enlargelimits=false, + xtick={1997,1998,2000,...,2014}, + xmin=1996.5, + xmax=2015, + ymax=21, + ytick={0,5,...,20}, + scaled ticks=false, + axis lines=left, + width=11cm, + height=5cm, + ybar, + nodes near coords= + {\footnotesize + $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$}, + x tick label style={font=\scriptsize,/pgf/number format/1000 sep={}}] +\addplot + table [x=Year,y=Percentage] {bufferoverflows.data}; +\end{axis} +\end{tikzpicture} +\end{center} + +\scriptsize +\url{http://web.nvd.nist.gov/view/vuln/statistics} +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[t] +\frametitle{\begin{tabular}{c}4th Lecture:\\ Unix Access Control\end{tabular}} + +\begin{itemize} +\item privileges are specified by file access permissions (``everything is a file'') +\end{itemize}\medskip + +\begin{center} + \begin{tikzpicture}[scale=1] + + \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); + \draw (4.7,1) node {Internet}; + \draw (-2.7,1.7) node {\footnotesize Application}; + \draw (0.6,1.7) node {\footnotesize Interface}; + \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; + \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; + + \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); + + \draw[white] (1.7,1) node (X) {}; + \draw[white] (3.7,1) node (Y) {}; + \draw[red, <->, line width = 2mm] (X) -- (Y); + + \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1); + \end{tikzpicture} +\end{center} + +\begin{itemize} +\item the idea is to make the attack surface smaller and +mitigate the consequences of an attack +\end{itemize} + +\end{frame} 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[fragile,t] +\frametitle{\begin{tabular}{c}4th Lecture:\\ Unix Access Control\end{tabular}} + +\begin{itemize} +\item when a file with setuid is executed, the resulting process will assume the +UID given to the owner of the file +\end{itemize} + +\footnotesize\tt +\begin{center} +\begin{verbatim} +$ ls -ld . * */* +drwxr-xr-x 1 ping staff 32768 Apr 2 2010 . +-rw----r-- 1 ping students 31359 Jul 24 2011 manual.txt +-r--rw--w- 1 bob students 4359 Jul 24 2011 report.txt +-rwsr--r-x 1 bob students 141359 Jun 1 2013 microedit +dr--r-xr-x 1 bob staff 32768 Jul 23 2011 src +-rw-r--r-- 1 bob staff 81359 Feb 28 2012 src/code.c +-r--rw---- 1 emma students 959 Jan 23 2012 src/code.h +\end{verbatim} +\end{center} + + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[t] +\frametitle{\begin{tabular}{c}4th Lecture:\\ Unix Access Control\end{tabular}} + +\begin{itemize} +\item Alice wants to have her files readable, +\alert{except} for her office mates. +\end{itemize} + + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + \end{document} %%% Local Variables: diff -r 708b80c825af -r ca9295851eb6 slides/slides06.pdf Binary file slides/slides06.pdf has changed diff -r 708b80c825af -r ca9295851eb6 slides/slides10.pdf Binary file slides/slides10.pdf has changed
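Review bot: The 4th-lecture setuid slide says the process `will assume the UID given to the owner of the file`, which is imprecise in a way that matters for the access-control discussion: setuid sets the effective UID to the file owner's while the real UID stays the caller's, which is exactly what lets a setuid program drop privileges again. I would write `the resulting process will run with the \emph{effective} UID of the file's owner (the real UID stays that of the caller)`. Two smaller slips in the same hunk: the 1st-lecture recap `hashes and salts to guarantee data integrity` mixes two purposes (hashes or MACs give integrity; salts only defeat precomputed or amortised dictionary attacks on stored password hashes), and `the cookie looks the ``resource''` on the NYT bullet presumably should read `locks`. The NVD chart's y-label `\% of total attacks` counts published vulnerabilities, not attacks, so `\% of total vulnerabilities` matches the cited statistics page; and `\footnotesize\tt` and `\small\rm` are the obsolete two-letter font switches, `\ttfamily` and `\rmfamily` being the LaTeX2e forms.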