author: Christian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 21 Oct 2013 23:28:03 +0100 (2013-10-21)
changeset 117 59d3bf386a6d
parent 116 be57673022d3
child 118 a42bbdfe5dd9
Binary file hws/hw04.pdf has changed
--- a/hws/hw04.tex	Wed Oct 09 15:52:17 2013 +0100
+++ b/hws/hw04.tex	Mon Oct 21 23:28:03 2013 +0100
@@ -8,33 +8,9 @@
 \section*{Homework 4}
-\item Voice voting is the method of casting a vote in the `open air' for everyone
-present to hear. Which of the following security requirements do paper ballots 
-satisfy better than voice voting? Check all that apply and give a brief explanation 
-for your decision.
-\item[$\Box$] Integrity\bigskip\bigskip
-\item[$\Box$] Enfranchisement\bigskip\bigskip
-\item[$\Box$] Ballot secrecy\bigskip\bigskip
-\item[$\Box$] Voter authentication\bigskip\bigskip
-\item[$\Box$] Availability\bigskip\bigskip
+\item Explain what is meant by \emph{Kerckhoffs' principle}.
-\item Explain how an attacker can use chain voting in order to influence the outcome of a 
-poll using paper ballots. 
-\item Which of the following mechanisms help with defending against chain voting? Check all 
-that apply. Give a brief reason for each defence that mitigates chain voting attacks.
-\item[$\Box$] Using a glass ballot box to make it clear there are no ballots in the box before the start of the election.
-\item[$\Box$] Distributing ballots publicly before the election.
-\item[$\Box$] Checking that a voter's ID (drivers license, passport) matches the voter.
-\item[$\Box$] Each ballot has a unique ID. When a voter is given a ballot, the ID is recorded. When the voter submits his or her ballot, this ID is checked against the record.
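Review bot: the replacement line `+\item Explain what is meant by \emph{Kerckhoffs' principle}.` leaves no answer space in the printed homework, whereas every removed checkbox item carried `\bigskip\bigskip` and the removed free-text items explicitly asked for a brief explanation; consider appending `\bigskip\bigskip` (or whatever answer-space macro the other homework sheets use) after the new item. Since the header says the block shrinks from 33 lines to 9 and the deleted `\item[$\Box$]` entries were list items, also check that the enclosing list environment still opens and closes correctly around the single remaining question.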
Binary file slides/slides01.pdf has changed
Binary file slides/slides04.pdf has changed
--- a/slides/slides04.tex	Wed Oct 09 15:52:17 2013 +0100
+++ b/slides/slides04.tex	Mon Oct 21 23:28:03 2013 +0100
@@ -71,8 +71,10 @@
 % beamer stuff 
-\renewcommand{\slidecaption}{APP 03, King's College London, 1 October 2013}
+\renewcommand{\slidecaption}{APP 03, King's College London, 22 October 2014}
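Review bot: the new caption `APP 03, King's College London, 22 October 2014` carries the wrong year and, most likely, the wrong lecture number: the changeset itself is dated 21 Oct 2013, the D-Link advisory text added further down is footnoted `October 15, 2013`, and the title hunk that follows renames the slides from `Privacy Policies (2)` to `Privacy Policies (4)`; suggest `APP 04, King's College London, 22 October 2013`.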
@@ -83,14 +85,14 @@
   \begin{tabular}{@ {}c@ {}}
   \LARGE Access Control and \\[-3mm] 
-  \LARGE Privacy Policies (2)\\[-6mm] 
+  \LARGE Privacy Policies (4)\\[-6mm] 
   Email:  & christian.urban at\\
-  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+  Office: & S1.27 (1st floor Strand Building)\\
   Slides: & KEATS (also home work is there)\\
@@ -105,7 +107,7 @@
-one general defence mechanism is\\\alert{\bf defence in depth}
+two weeks ago: buffer overflow attacks
@@ -113,87 +115,57 @@
-\frametitle{Defence in Depth}
-\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
+\frametitle{Buffer Overflows}
-\small otherwise your ``added security'' can become the point of failure 
+As a proof-of-concept, the following URL allows 
+attackers to control the return value saved on 
+the stack (the vulnerability is triggered when
+executing "/usr/sbin/widget"):
-\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
+ curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB
-modern PALs also include a 2-person rule
- \only<2->{
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-US Air Force's Strategic Air Command worried that in times of need the 
-codes would not be available, so until 1977 quietly decided to set them 
-to 00000000\ldots
+The value of the "hash" HTTP GET parameter consists in 
+292 occurrences of the 'A' character, followed by four 
+occurrences of character 'B'. In our lab setup, characters 
+'B' overwrite the saved program counter (%ra).
-\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
-\item these weapons were armed with a bicycle key
+Discovery date: 06/03/2013
+Release date:   02/08/2013
-\small nuclear weapon keys
-\small bicycle lock
-\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
+D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
+If you tell your browser to identify itself as Joel's backdoor, instead of (say) 
+as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
+"What is this string," I hear you ask?
+You will laugh: it is 
+\hfill\footnotesize October 15, 2013\\
 \frametitle{Access Control in Unix}
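Review bot: `%ra` on the line `+'B' overwrite the saved program counter (%ra).` starts a LaTeX comment unless this text sits inside a verbatim or listing environment, so the closing parenthesis and full stop disappear from the slide; write `\%ra`. The same applies to `<target ip>` in the `curl` line, where `<` and `>` print as inverted punctuation in the default OT1 font encoding outside verbatim. The dates `06/03/2013` and `02/08/2013` are ambiguous between day-first and month-first order; spelling the month out would match the `October 15, 2013` footnote on the same slide. Finally, the backdoor paragraph ends on `You will laugh: it is` and the visible lines of this hunk stop before the string is named; if the reveal is on a later overlay that is fine, otherwise the sentence is cut short.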
@@ -246,82 +218,90 @@
-\frametitle{Process Ownership}
+\frametitle{Access Control}
-\item access control in Unix is very coarse
+\item \bl{Discretionary Access Control:}\mbox{}\medskip\\
\small Access to objects (files, directories, devices, etc.) is permitted 
+based on user identity. Each object is owned by a user. Owners can 
+specify freely (at their discretion) how they want to share their objects 
+with other users, by specifying which other users can have which 
+form of access to their objects.\medskip
Discretionary access control is implemented on any multi-user OS 
+(Unix, Windows NT, etc.).
+\frametitle{Access Control}
-user$_1$ user$_2$ \ldots www, mail, lp
+\item \bl{Mandatory Access Control:}\mbox{}\medskip\\
\small Access to objects is controlled by a system-wide policy, for example 
+to prevent certain flows of information. In some forms, the system maintains 
+security labels for both objects and subjects (processes, users), based on 
+which access is granted or denied. Labels can change as the result of an 
+access. Security policies are enforced without the cooperation of users or 
+application programs.\medskip
+This is implemented today in special military operating system versions
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
-\frametitle{Access Control in Unix (2)}
-\item privileges are specified by file access permissions (``everything is a file'') 
-\item there are 9 (plus 2) bits that specify the permissions of a file
-\texttt{\$ ls - la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\frametitle{Login Process}
+\frametitle{Discretionary Access Control}
+In its most generic form usually given by an Access Control Matrix 
+of the form
+                 & /mail/jane & edit.exe & sendmail \\\hline
+jane          & r, w & r, x & r, x\\\hline
+john          & $\varnothing$ & r, w, x&  r, x\\\hline
+sendmail  & a & $\varnothing$ &  r, x\\
+access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
+\frametitle{Mandatory Access Control}
-\item login processes run under UID $=$ 0\medskip 
-\texttt{ps -axl | grep login}
+\item Restrictions to allowed information flows are not decided at the user’s 
+discretion (as with Unix chmod), but instead enforced by system policies.
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
-\texttt{id cu}
+\item Mandatory access control mechanisms are aimed in particular at 
+preventing policy violations by untrusted application software, which 
+typically have at least the same access privileges as the invoking user.\medskip
-\item non-root users are not allowed to change the UID --- would break 
-access control
-\item but needed for example for \texttt{passwd}
+Simple example: Air Gap Security.
Uses completely separate network and computer hardware for different application classes.
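Review bot: `user’s` on the line `+\item Restrictions to allowed information flows are not decided at the user’s` uses a Unicode right single quotation mark; with pdflatex and no `\usepackage[utf8]{inputenc}` this either fails or prints garbage, so use the ASCII apostrophe `user's` as the rest of the file does (`King's`, `user's id`). Two grammar points in the new prose: `untrusted application software, which typically have at least the same access privileges` should read `has`, and `Owners can specify freely (at their discretion) how they want to share their objects with other users, by specifying which other users` repeats `specify`; `by stating which other users` reads better. In the access-control-matrix table the `sendmail` row is the only one without a trailing `\hline`; fine if the rule follows on a line outside the hunk, but worth checking that the last row is ruled like the others.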
@@ -408,39 +388,6 @@
-\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-Only failure makes us experts.
-	-- Theo de Raadt (OpenBSD, OpenSSH)
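Review bot: this hunk deletes the entire `Famous Security Flaws in Unix` frame (the setuid `lpr` file-deletion option, the FreeBSD core-dump link-following issue, the root-owned `mkdir` i-node/ownership change) together with the Theo de Raadt quote box, and nothing else in the changeset moves that material elsewhere; if it is meant to reappear in a later lecture, keep it commented out or say so in the commit message. For the record, the removed line `changes to ownership to the user's id` has a typo (`changes the ownership`) to fix if the frame is restored.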