Mercurial Mercurial > hg > sen-material / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | gz | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
updated
authorcu
Sun, 08 Oct 2017 23:49:40 +0100
changeset 546 3d1f65e43065
parent 545 0697622fb181
child 547 eae9a2e6ff28
updated
handouts/ho03.pdf file | annotate | diff | comparison | revisions
handouts/ho03.tex file | annotate | diff | comparison | revisions
progs/C2.c file | annotate | diff | comparison | revisions
progs/README file | annotate | diff | comparison | revisions
slides/slides03.pdf file | annotate | diff | comparison | revisions
slides/slides03.tex file | annotate | diff | comparison | revisions 
Binary file handouts/ho03.pdf has changed
--- a/handouts/ho03.tex	Tue Oct 03 22:43:03 2017 +0100
+++ b/handouts/ho03.tex	Sun Oct 08 23:49:40 2017 +0100
@@ -41,7 +41,7 @@
 take any precautions to prevent such attacks. The plot below
 shows the percentage of buffer overflow attacks listed in the
 US National Vulnerability Database.\footnote{Search for
-``Buffer errors'' at
+``Buffer errors'' in the advanced serach tab at
 \url{http://web.nvd.nist.gov/view/vuln/statistics}.}
 
 \begin{center}
@@ -51,9 +51,9 @@
     ylabel={\% of total attacks},
     ylabel style={yshift=-1em},
     enlargelimits=false,
-    xtick={1997,2000,2002,...,2016},
+    xtick={1997,1999,2001,...,2017},
     xmin=1996.5,
-    xmax=2017,
+    xmax=2018,
     ymax=21,
     ytick={0,5,...,20},
     scaled ticks=false,
@@ -76,10 +76,10 @@
 (whereby the absolute numbers of attacks grow each year). So you can
 see buffer overflow attacks are very relevant today. For example, very
 recently (February 2016) a buffer overflow attack was discovered in the glibc
-library:\footnote{See \url{goo.gl/De2mA8}}
+library:\footnote{See \url{http://goo.gl/De2mA8}}
 
 \begin{quote}\it
-``Since 2008, vulnerability has left apps and hardware open to remote
+``Since 2008, a vulnerability has left apps and hardware open to remote
   hijacking: Researchers have discovered a potentially catastrophic flaw in
   one of the Internet's core building blocks that leaves hundreds or
   thousands of apps and hardware devices vulnerable to attacks that can take
@@ -216,7 +216,9 @@
 \end{figure}
 
 On the left is the stack before \code{foo} is called; on the
-right is the stack after \code{foo} finishes. The function
+right is the stack after \code{foo} finishes. The before and
+after of the stack looks the same.
+The function
 call to \code{foo} in Line 7 (in the C program above) pushes
 the arguments onto the stack in reverse order---shown in the
 middle. Therefore first 3 then 2 and finally 1. Then it pushes
@@ -265,7 +267,7 @@
 \end{tabular}
 \end{center}
 
-\noindent You can see how the function \pcode{foo} stores
+\noindent The code for function \pcode{foo} stores
 first the last stack pointer onto the stack and then
 calculates the new stack pointer to have enough space for the
 two local buffers (Lines 2 - 4). Then it puts the two local
@@ -509,7 +511,7 @@
 the shellcode we want to run. But as you can see this is only
 47 bytes, which is a very low bar to jump over. Actually there
 are optimised versions which only need 24 bytes. More
-formidable is the choice of finding the right address to jump
+formidable is the problem of finding the right address to jump
 to. The string is typically of the form
 
 \begin{center}
@@ -532,9 +534,9 @@
 seen before), we typically cannot run anything, including a
 debugger, on the machine yet we target. And the address is
 very specific to the setup of the target machine. One way of
-finding out what the right address is is to try out one by one
+finding out what the right address is is to try out one-by-one
 every possible address until we get lucky. With the large
-memories available today, however, the odds are long. And if
+memories available today, however, the odds are long for this. And if
 we try out too many possible candidates too quickly, we might
 be detected by the system administrator of the target system.
 
@@ -661,7 +663,7 @@
 
 How can we defend against these attacks? Well, a reflex could
 be to blame programmers. Precautions should be taken by them
-so that buffers cannot been overfilled and format strings
+so that buffers cannot be overfilled and format strings
 should not be forgotten. This might actually be slightly
 simpler to achieve by programmers nowadays since safe versions
 of the library functions exist, which always specify the
@@ -748,7 +750,7 @@
 A real attacker would be more knowledgeable and not need this
 shortcut.
 
-To work I run my example under an Ubuntu version ``Maverick
+To explain BoAs, I run my examples under an Ubuntu version ``Maverick
 Meerkat'' from October 2010 and the gcc 4.4.5. I have not
 tried whether newer versions would work as well. I tested all
 examples inside a virtual
@@ -765,15 +767,15 @@
 \end{tabular}
 \end{center}
 
-\noindent The first two are innocent as they instruct the
+\noindent The first two options are innocent as they instruct the
 compiler to include debugging information and also produce
 non-optimised code (the latter makes the output of the code a
 bit more predictable). The third is important as it switches
 off defences like the stack canaries. The fourth again makes
 it a bit easier to read the code. The final option makes the
 stack executable, thus the example in Figure~\ref{C3} works as
-intended. While this might be considered cheating....since I
-explicitly switched off all defences, I hope I was able convey
+intended. While this might be considered as a complete cheat....since I
+explicitly switched off all defences; I hope I was able convey
 the point that this is actually not too far from realistic
 scenarios. I have shown you the classic version of the buffer
 overflow attacks. Updated and more advanced variants do exist.
--- a/progs/C2.c	Tue Oct 03 22:43:03 2017 +0100
+++ b/progs/C2.c	Sun Oct 08 23:49:40 2017 +0100
@@ -3,8 +3,8 @@
 #include <stdlib.h>
 
 // Since gets() is insecure and produces lots 
-// of warnings, thereofre I use my own input 
-// function instead.
+// of warnings, therefore I use my own input 
+// function instead...of course, why not?
 int i;
 char ch;  
     
--- a/progs/README	Tue Oct 03 22:43:03 2017 +0100
+++ b/progs/README	Sun Oct 08 23:49:40 2017 +0100
@@ -25,6 +25,11 @@
 
 Backtick is key §/±.
 
+example.c
+=========
+file to explain assembly code
+
+
 C0.c
 ====
 
Binary file slides/slides03.pdf has changed
--- a/slides/slides03.tex	Tue Oct 03 22:43:03 2017 +0100
+++ b/slides/slides03.tex	Sun Oct 08 23:49:40 2017 +0100
@@ -42,8 +42,10 @@
   \begin{itemize}
   \item homework, slides, programs are on KEATS
   \item include the question text  
-  \item please send the homework as PDF (or txt)\bigskip    
-  \item survey at the end  
+  \item please send the homework as PDF (or txt)\bigskip
+  \item exam 90\%, q's from homeworks (work in pairs)
+  \item coursework 10\% \bigskip  
+  \item survey at KEATS; to be answered until Sunday  
   \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -281,6 +283,17 @@
 \begin{frame}[c]
 \frametitle{Behind the Scenes}
 
+\only<1>{
+\begin{textblock}{7}(3,3)
+\begin{bubble}[6.8cm]
+\footnotesize
+\lstinputlisting[language=C,
+                 xleftmargin=5mm,
+                 belowskip=-1mm,
+                 aboveskip=-1mm]{../progs/example1.c} 
+\end{bubble}
+\end{textblock}}
+
 \only<2->{
 \begin{textblock}{7}(1,0.6)
 \begin{bubble}[6.8cm]
@@ -480,7 +493,7 @@
 \frametitle{Payloads}
 
 \begin{itemize}
-\item the idea is that you store some code in the buffer (the payload)
+\item the idea is that you store some code in the buffer (the ``payload'')
 \item you then override the return address to execute this payload\medskip
 \item normally you want to start a shell\pause
 \item difficulty is to guess the right place where to ``jump''
sen-material