--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides03.tex Mon Oct 08 10:34:12 2012 +0100
@@ -0,0 +1,491 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{pgf}
+\usepackage{calc}
+\usepackage{ulem}
+\usepackage{courier}
+\usepackage{listings}
+\renewcommand{\uline}[1]{#1}
+\usetikzlibrary{arrows}
+\usetikzlibrary{automata}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 02, King's College London, 9 October 2012}
+
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (3)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also home work is there)
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
+one general defence mechanism is\\\alert{\bf defence in depth}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1-2>[c]
+\frametitle{Defence in Depth}
+
+\begin{itemize}
+\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{PALs}
+
+\begin{itemize}
+\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
+\end{itemize}
+
+\begin{center}
+\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
+\includegraphics[scale=0.25]{pics/nuclear2.jpg}
+\end{center}
+
+
+\onslide<3->{
+modern PALs also include a 2-person rule
+}
+
+ \only<2->{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+US Air Force's Strategic Air Command worried that in times of need the
+codes would not be available, so until 1977 quietly decided to set them
+to 00000000\ldots
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{itemize}
+\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
+
+\item these weapons were armed with a bicycle key
+
+\begin{center}
+\begin{tabular}[b]{c}
+\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
+\small nuclear weapon
+\end{tabular}
+\hspace{3mm}
+\begin{tabular}[b]{c}
+\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
+\small bicycle lock
+\end{tabular}
+\end{center}\bigskip\pause
+
+\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+
+\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
+
+
+\begin{itemize}
+\item IEEE is a standards organisation (not-for-profit)
+\item many standards in CS are by IEEE\medskip
+\item 100k plain-text passwords were recorded in logs
+\item the logs were openly accessible on their FTP server
+\end{itemize}\bigskip
+
+\begin{flushright}\small
+\textcolor{gray}{\url{http://ieeelog.com}}
+\end{flushright}
+
+\only<2>{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{7.5cm}\raggedright\small
+\includegraphics[scale=0.6]{pics/IEEElog.jpg}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
+
+\begin{flushright}\small
+\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
+\end{flushright}
+
+\begin{itemize}
+\item for online accounts passwords must be 6 digits
+\item you must cycle through 1M combinations (online)\pause\bigskip
+
+\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
+\item wrote a script that cleared the cookie set after each guess\pause
+\item has been fixed now
+\end{itemize}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+
+\begin{itemize}
+\item ``smashing the stack attacks'' or ``buffer overflow attacks''
+\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
+\begin{flushright}\small
+\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
+\end{flushright}
+\medskip
+\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\begin{center}
+{\bf ``Smashing The Stack For Fun and Profit''}
+\end{center}\medskip
+
+\begin{flushright}
+\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
+\end{flushright}
+
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
+
+\begin{itemize}
+\item The basic problem is that library routines in C look as follows:
+\begin{center}
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{app5.c}}}
+\end{center}
+\item the resulting problems are often remotely exploitable
+\item can be used to circumvents all access control
+(botnets for further attacks)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Variants\end{tabular}}
+
+There are many variants:
+
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\small
+\texttt{my\_float} is printed twice:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C1.c}}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
+\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
+\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C2.c}}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\small
+A programmer might be careful, but still introduce vulnerabilities:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C2a.c}}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+
+\begin{itemize}
+\item the idea is you store some code as part to the buffer
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+
+\begin{center}
+\texttt{xorl \%eax, \%eax}
+\end{center}
+\end{itemize}\bigskip\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{app5.c}}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
+
+\small
+\texttt{string} is nowhere used:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C6.c}}}\bigskip
+
+this vulnerability can be used to read out the stack
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
+
+\begin{itemize}
+\item use safe library functions
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
+
+\begin{itemize}
+\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
+\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
+\item Monitoring (detect attacks)\pause
+\item Privacy, confidentiality, anonymity (to protect secrets)\pause
+\item Authenticity (eeded for access control)\pause
+\item Integrity (prevent unwanted modification or tampering)\pause
+\item Availability and reliability (reduce the risk of DoS attacks)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+
+\begin{itemize}
+\item Assume format string attacks allow you to read out the stack. What can you do
+ with this information?\bigskip
+
+\item Assume you can crash a program remotely. Why is this a problem?
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
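Review bot: The "Protections against BO Attacks" frame omits compiler-inserted stack canaries, the mitigation aimed most directly at the return-address overwrite that the Payloads frames describe; I would add `\item stack canaries inserted by the compiler (detect an overwritten return address before the function returns)`. In the Variants frame the Slammer remark sits under heap-smashing, although Slammer is usually described as exploiting a stack-based overflow, so it probably belongs with the stack-smashing material (worth confirming against the CERT advisory). Three wording slips change the meaning or read badly on a slide: `eeded` for `needed` in Security Goals, `circumvents` for `circumvent` in The Problem, and `override` for `overwrite` in Payloads. The C listings (`app5.c`, `C1.c`, `C2.c`, `C2a.c`, `C6.c`) are all typeset with `\lstset{language=Java}`; `\lstset{language=C}` would highlight them with the correct keyword set, and the surrounding `\texttt{...}` wrapper is redundant because `basicstyle=\ttfamily` is already set.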