--- a/slides/slides03.tex Fri Oct 03 16:10:50 2014 +0100
+++ b/slides/slides03.tex Sat Oct 04 00:36:51 2014 +0100
@@ -1,92 +1,21 @@
\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplaincu}
-%%\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{pgf}
-\usepackage{calc}
-\usepackage{ulem}
-\usepackage{courier}
-\usepackage{listings}
-\renewcommand{\uline}[1]{#1}
-\usetikzlibrary{arrows}
-\usetikzlibrary{automata}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-\setmonofont[Scale=MatchLowercase]{Consolas}
+\usepackage{../slides}
+\usepackage{../graphics}
+\usepackage{../langs}
+
+\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\makeatletter
-\lst@CCPutMacro\lst@ProcessOther {"2D}{\lst@ttfamily{-{}}{-{}}}
-\@empty\z@\@empty
-\makeatother
-
-\lstset{language=Java,
- basicstyle=\consolas,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@,->},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\consolas,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
+\hfuzz=220pt
% beamer stuff
-\renewcommand{\slidecaption}{APP 03, King's College London, 8 October 2013}
+\renewcommand{\slidecaption}{APP 03, King's College London}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
+\begin{frame}[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
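Review bot: `\hfuzz=220pt` on the new preamble line raises the overfull-hbox reporting threshold for the entire document, so any box that genuinely runs off the slide — the deliberately over-wide `\begin{minipage}{1.1\textwidth}` added in a later hunk, or a long `\texttt` command line — now compiles without a warning and a layout regression is indistinguishable from intended overhang. If the warnings are only noise for a few frames, scope the setting to those frames, `{\hfuzz=220pt ... }`, or narrow the offending boxes instead; whether `../slides` already sets `\hfuzz` cannot be seen from this hunk. A one-line comment, `% \hfuzz: suppress overfull-box warnings from intentionally over-wide frames`, would at least record why the threshold is there.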
@@ -94,11 +23,7 @@
\LARGE Privacy Policies (3)\\[-6mm]
\end{tabular}}\bigskip\bigskip\bigskip
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
+ \normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
@@ -107,41 +32,87 @@
\end{tabular}
\end{center}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+The idea is to trick a privileged person to do something on your
+behalf:
+
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+
+\footnotesize
+\begin{minipage}{1.1\textwidth}
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+
+\textcolor{gray}{this takes time}
+\end{minipage}
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
+\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes the real passwd file
+\end{enumerate}
+
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{bubble}[8cm]
+\normalsize To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{bubble}
+\end{textblock}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\Large Buffer Overflow Attacks}
+
+\begin{center}
+\begin{columns}[b]
+\begin{column}{.4\textwidth}
+\centering
+\includegraphics[scale=1.2]{pics/barrier.jpg}\\
+lectures so far
+\end{column}
+\begin{column}<2>{.4\textwidth}
+\centering
+\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
+today
+\end{column}
+\end{columns}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\begin{tabular}[t]{c}
-\includegraphics[scale=1.2]{pics/barrier.jpg}\\
-first lecture
-\end{tabular}\;\;\;
-\onslide<2>{
-\begin{tabular}[t]{c}
-\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
-today
-\end{tabular}
-}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
\begin{center}
\begin{tikzpicture}[scale=1]
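Review bot: The `\hspace{2cm}` that opens the two gray lines after `\texttt{rm /tmp/*/*}\medskip\\` is discardable glue sitting right after a forced line break, so TeX drops it and the lines are not indented; use `\hspace*{2cm}` (which is non-discardable) or put the explanation in a nested `itemize`/`quote` so no manual spacing is needed. The `\medskip\\` that closes the second item leaves a `\\` directly before `\item`, which yields an empty line and an underfull-hbox warning — ending the item with `\medskip` alone is enough. On the first new frame, `\begin{minipage}{1.1\textwidth}` inside an `itemize` is wider than the available `\linewidth` and will spill past the right margin; if the overhang is not intended, `\begin{minipage}{\linewidth}` fits the list indentation.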
@@ -167,8 +138,7 @@
mitigate the consequences of an attack
\end{itemize}
-
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -434,9 +404,8 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+\frametitle{Smash the Stack for Fun\ldots}
\begin{itemize}
\item ``smashing the stack attacks'' or\\ ``buffer overflow attacks''\medskip
@@ -456,36 +425,30 @@
\end{itemize}
-
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{A Float Printed ``Twice''}
-{\lstset{language=Java}
\footnotesize
-\lstinputlisting{../progs/C1.c}}
+\lstinputlisting[language=C]{../progs/C1.c}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
+\frametitle{The Problem}
\begin{itemize}
\item The basic problem is that library routines in C look as follows:
\begin{center}
-{\lstset{language=Java}
-\footnotesize
-\lstinputlisting{../progs/app5.c}}
+\footnotesize\lstinputlisting[language=C]{../progs/app5.c}
\end{center}
\item the resulting problems are often remotely exploitable
@@ -493,13 +456,12 @@
(for grooming botnets for further attacks)
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Variants\end{tabular}}
+\frametitle{Variants}
There are many variants:
@@ -511,11 +473,10 @@
\item ``zero-days-attacks'' (new unknown vulnerability)
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\begin{center}
@@ -523,20 +484,16 @@
\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
\end{center}
-
-
-\end{frame}}
+
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{../progs/C2.c}}}
-
+{\small\lstinputlisting[language=C]{../progs/C2.c}}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
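Review bot: The listing font size is applied three different ways in this hunk — a bare `\footnotesize` before `\lstinputlisting[language=C]{../progs/C1.c}` that is scoped only by the frame, `\footnotesize\lstinputlisting[...]` inside a `center` for `app5.c`, and a braced `{\small\lstinputlisting[...]}` for `C2.c` — and the later hunks for `app5.c` and `C4.c` repeat the same mix. Passing the size through the listing's own option, `\lstinputlisting[language=C,basicstyle=\footnotesize\consolas]{../progs/C1.c}`, keeps it scoped to the listing and consistent across frames; whether `../langs` already sets `basicstyle` for `language=C` is not visible here, so confirm before relying on the default.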
@@ -554,9 +511,8 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+\frametitle{Payloads}
\begin{itemize}
\item the idea is you store some code to the buffer
@@ -565,13 +521,12 @@
\item difficulty is to guess the right place where to ``jump''
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+\frametitle{Payloads (2)}
\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
@@ -581,31 +536,28 @@
\end{center}
\end{itemize}\bigskip\bigskip
-{\lstset{language=Java}\small
-\texttt{\lstinputlisting{../progs/app5.c}}}
+{\small
+\lstinputlisting[language=C]{../progs/app5.c}}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
+\frametitle{Format String Vulnerability}
\small
\texttt{string} is nowhere used:\bigskip
-{\lstset{language=Java}\footnotesize
-\texttt{\lstinputlisting{../progs/C4.c}}}\bigskip
+{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
this vulnerability can be used to read out the stack
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
@@ -618,13 +570,12 @@
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
+\frametitle{Security Goals}
\begin{itemize}
\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
@@ -636,15 +587,12 @@
\item Availability and reliability (reduce the risk of DoS attacks)
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+\frametitle{Homework}
\begin{itemize}
\item Assume format string attacks allow you to read out the stack. What can you do
@@ -653,7 +601,7 @@
\item Assume you can crash a program remotely. Why is this a problem?
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%