added
authorChristian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 21 Oct 2013 23:28:03 +0100
changeset 117 59d3bf386a6d
parent 116 be57673022d3
child 118 a42bbdfe5dd9
added
hws/hw04.pdf
hws/hw04.tex
slides/slides01.pdf
slides/slides04.pdf
slides/slides04.tex
Binary file hws/hw04.pdf has changed
--- a/hws/hw04.tex	Wed Oct 09 15:52:17 2013 +0100
+++ b/hws/hw04.tex	Mon Oct 21 23:28:03 2013 +0100
@@ -8,33 +8,9 @@
 \section*{Homework 4}
 
 \begin{enumerate}
-\item Voice voting is the method of casting a vote in the `open air' for everyone
-present to hear. Which of the following security requirements do paper ballots 
-satisfy better than voice voting? Check all that apply and give a brief explanation 
-for your decision.
-
-\begin{itemize}
-\item[$\Box$] Integrity\bigskip\bigskip
-\item[$\Box$] Enfranchisement\bigskip\bigskip
-\item[$\Box$] Ballot secrecy\bigskip\bigskip
-\item[$\Box$] Voter authentication\bigskip\bigskip
-\item[$\Box$] Availability\bigskip\bigskip
-\end{itemize}
+\item Explain what is meant by \emph{Kerckhoffs' principle}.
 
 
-\item Explain how an attacker can use chain voting in order to influence the outcome of a 
-poll using paper ballots. 
-
-\item Which of the following mechanisms help with defending against chain voting? Check all 
-that apply. Give a brief reason for each defence that mitigates chain voting attacks.
-
-\begin{itemize}
-\item[$\Box$] Using a glass ballot box to make it clear there are no ballots in the box before the start of the election.
-\item[$\Box$] Distributing ballots publicly before the election.
-\item[$\Box$] Checking that a voter's ID (drivers license, passport) matches the voter.
-\item[$\Box$] Each ballot has a unique ID. When a voter is given a ballot, the ID is recorded. When the voter submits his or her ballot, this ID is checked against the record.
-\end{itemize}
-
 \end{enumerate}
 
 
Binary file slides/slides01.pdf has changed
Binary file slides/slides04.pdf has changed
--- a/slides/slides04.tex	Wed Oct 09 15:52:17 2013 +0100
+++ b/slides/slides04.tex	Mon Oct 21 23:28:03 2013 +0100
@@ -71,8 +71,10 @@
 	showstringspaces=false}
 
 % beamer stuff 
-\renewcommand{\slidecaption}{APP 03, King's College London, 1 October 2013}
-
+\renewcommand{\slidecaption}{APP 03, King's College London, 22 October 2014}
+\makeatletter
+\def\verbatim@font{\consolas\footnotesize}
+\makeatother
 
 \begin{document}
 
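Review bot: The new `\slidecaption` reads `APP 03 ... 22 October 2014`, which does not match the rest of this change: the file is slides04.tex, a later hunk retitles the talk to "Privacy Policies (4)", and the commit is dated October 2013. If this is the fourth lecture given in 2013, the line should probably be `\renewcommand{\slidecaption}{APP 04, King's College London, 22 October 2013}`. The `\def\verbatim@font{...}` override would also benefit from a one-line comment such as `% verbatim blocks: \consolas at \footnotesize (overrides the kernel default)`, because `\def` replaces the existing definition silently. `\consolas` is not defined in this hunk, so it presumably comes from the preamble above.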
@@ -83,14 +85,14 @@
   \begin{tabular}{@ {}c@ {}}
   \\
   \LARGE Access Control and \\[-3mm] 
-  \LARGE Privacy Policies (2)\\[-6mm] 
+  \LARGE Privacy Policies (4)\\[-6mm] 
   \end{tabular}}\bigskip\bigskip\bigskip
 
 \normalsize
   \begin{center}
   \begin{tabular}{ll}
   Email:  & christian.urban at kcl.ac.uk\\
-  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+  Office: & S1.27 (1st floor Strand Building)\\
   Slides: & KEATS (also home work is there)\\
   \end{tabular}
   \end{center}
@@ -105,7 +107,7 @@
 
 \begin{center}
 \includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
-one general defence mechanism is\\\alert{\bf defence in depth}
+two weeks ago: buffer overflow attacks
 \end{center}
 
   
@@ -113,87 +115,57 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1-2>[c]
-\frametitle{Defence in Depth}
-
-\begin{itemize}
-\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
-\end{itemize}
+\begin{frame}[fragile]
+\frametitle{Buffer Overflows}
 
-\only<2->{
-\begin{textblock}{11}(2,12)
-\small otherwise your ``added security'' can become the point of failure 
-\end{textblock}}
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+\begin{verbatim}
+As a proof-of-concept, the following URL allows 
+attackers to control the return value saved on 
+the stack (the vulnerability is triggered when
+executing "/usr/sbin/widget"):
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{PALs}
-
-\begin{itemize}
-\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
-\end{itemize}
+ curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB
 
-\begin{center}
-\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
-\includegraphics[scale=0.25]{pics/nuclear2.jpg}
-\end{center}
-  
-  
-\onslide<3->{
-modern PALs also include a 2-person rule
-} 
- 
- \only<2->{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{8cm}
-US Air Force's Strategic Air Command worried that in times of need the 
-codes would not be available, so until 1977 quietly decided to set them 
-to 00000000\ldots
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+The value of the "hash" HTTP GET parameter consists in 
+292 occurrences of the 'A' character, followed by four 
+occurrences of character 'B'. In our lab setup, characters 
+'B' overwrite the saved program counter (%ra).
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{itemize}
-\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
-
-\item these weapons were armed with a bicycle key
+Discovery date: 06/03/2013
+Release date:   02/08/2013
+\end{verbatim}
 
-\begin{center}
-\begin{tabular}[b]{c}
-\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
-\small nuclear weapon keys
-\end{tabular}
-\hspace{3mm}
-\begin{tabular}[b]{c}
-\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
-\small bicycle lock
-\end{tabular}
-\end{center}\bigskip\pause
-
-\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
-\end{itemize}
-  
-\end{frame}}
+\mbox{}\footnotesize\hfill\url{http://pastebin.com/vbiG42VD}  
+\end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{Backdoors}
+
+D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
+
+If you tell your browser to identify itself as Joel's backdoor, instead of (say) 
+as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
+  
+"What is this string," I hear you ask?
+
+You will laugh: it is 
+
+\begin{verbatim}
+xmlset_roodkcableoj28840ybtide
+\end{verbatim}
+
+
+\hfill\footnotesize October 15, 2013\\
+\hfill\tiny\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
 \frametitle{Access Control in Unix}
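Review bot: The verbatim block in the Buffer Overflows frame is quoted from an external advisory, but the frame neither says so nor names the affected product, and the only pointer is a pastebin link that may not stay available. A lead-in line above `\begin{verbatim}`, for example `Quoted from a 2013 advisory for <affected product>:`, would tell students what they are reading and that the wording is not the lecturer's. In the Backdoors frame the straight `"` marks around Joel's Backdoor and around the question typeset as closing quotes in LaTeX; open with two backticks and close with two apostrophes instead. Both new frames also drop the `\mode<presentation>{...}` wrapper that the neighbouring frames keep, which is worth making consistent. The "Access Control in Unix" frame that closes the hunk continues outside it.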
@@ -246,82 +218,90 @@
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
-
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}  
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Process Ownership}
+\begin{frame}[c]
+\frametitle{Access Control}
 
 \begin{itemize}
-\item access control in Unix is very coarse
-\end{itemize}\bigskip\bigskip\bigskip
+\item \bl{Discretionary Access Control:}\mbox{}\medskip\\
\small Access to objects (files, directories, devices, etc.) is permitted 
+based on user identity. Each object is owned by a user. Owners can 
+specify freely (at their discretion) how they want to share their objects 
+with other users, by specifying which other users can have which 
+form of access to their objects.\medskip
+
Discretionary access control is implemented on any multi-user OS 
+(Unix, Windows NT, etc.).
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-\begin{center}
-\begin{tabular}{c}
-root\\
-\hline
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Access Control}
 
-user$_1$ user$_2$ \ldots www, mail, lp
-\end{tabular}
-\end{center}\bigskip\bigskip\bigskip
+\begin{itemize}
+\item \bl{Mandatory Access Control:}\mbox{}\medskip\\
\small Access to objects is controlled by a system-wide policy, for example 
+to prevent certain flows of information. In some forms, the system maintains 
+security labels for both objects and subjects (processes, users), based on 
+which access is granted or denied. Labels can change as the result of an 
+access. Security policies are enforced without the cooperation of users or 
+application programs.\medskip
+
+This is implemented today in special military operating system versions
+(SELinux).
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-
-
-\begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'') 
-\item there are 9 (plus 2) bits that specify the permissions of a file
-
-\begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls - la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\end{tabular}
-\end{center}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Login Process}
+\frametitle{Discretionary Access Control}
+
+In its most generic form usually given by an Access Control Matrix 
+of the form
 
+\begin{center}
+\begin{tabular}{r|c|c|c}
+                 & /mail/jane & edit.exe & sendmail \\\hline
+jane          & r, w & r, x & r, x\\\hline
+john          & $\varnothing$ & r, w, x&  r, x\\\hline
+sendmail  & a & $\varnothing$ &  r, x\\
+\end{tabular}
+\end{center}
+
+
+access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Mandatory Access Control}
 
 \begin{itemize}
-\item login processes run under UID $=$ 0\medskip 
-\begin{center}
-\texttt{ps -axl | grep login}
-\end{center}\medskip
+\item Restrictions to allowed information flows are not decided at the user’s 
+discretion (as with Unix chmod), but instead enforced by system policies.
 
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
-\begin{center}
-\texttt{id cu}
-\end{center}\medskip\pause
+\item Mandatory access control mechanisms are aimed in particular at 
+preventing policy violations by untrusted application software, which 
+typically have at least the same access privileges as the invoking user.\medskip
 
-\item non-root users are not allowed to change the UID --- would break 
-access control
-\item but needed for example for \texttt{passwd}
+Simple example: Air Gap Security.
Uses completely separate network and computer hardware for different application classes.
 \end{itemize}
 
-\end{frame}}
+\end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
 
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
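Review bot: The first Mandatory Access Control frame says MAC "is implemented today in special military operating system versions (SELinux)", which undersells its deployment: SELinux is part of the mainline Linux kernel and is enabled by default in mainstream distributions such as Fedora and RHEL. A wording like `This is available today in mainstream systems (e.g.\ SELinux in the Linux kernel), not only in military installations.` gives the more accurate picture. `\newcommand{\bl}` is defined between two frames in the document body; moving it to the preamble keeps it next to the other macros. In the second MAC frame, `user’s` uses a typographic apostrophe that may fail under pdfLaTeX unless UTF-8 input is set up (not visible here), and "software, which typically have" should read "has". The frame opened on the hunk's last line continues outside it.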
@@ -408,39 +388,6 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
-
-
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
-\end{itemize}
-
-\only<1>{
-\begin{textblock}{1}(3,3)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{8cm}
-Only failure makes us experts.
-	-- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]