tuned
authorChristian Urban <urbanc@in.tum.de>
Tue, 09 Oct 2012 13:39:31 +0100
changeset 29 5d0f7da375da
parent 28 10da75d5db5d
child 30 9dc8159c9af7
tuned
C6.c
slides03.pdf
slides03.tex
--- a/C6.c	Mon Oct 08 10:34:12 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,9 +0,0 @@
-#include<stdio.h>
-#include<string.h>
-
-main(int argc, char **argv)
-{
-  char *string = "This is a secret string\n";
-
-  printf(argv[1]);
-}
Binary file slides03.pdf has changed
--- a/slides03.tex	Mon Oct 08 10:34:12 2012 +0100
+++ b/slides03.tex	Tue Oct 09 13:39:31 2012 +0100
@@ -95,7 +95,8 @@
   \begin{tabular}{ll}
   Email:  & christian.urban at kcl.ac.uk\\
   Of$\!$fice: & S1.27 (1st floor Strand Building)\\
-  Slides: & KEATS (also home work is there)
+  Slides: & KEATS (also home work is there)\\
+               & \alert{\bf (I have put a temporary link in there.)}\\
   \end{tabular}
   \end{center}
 
@@ -125,6 +126,10 @@
 \item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
 \end{itemize}
 
+\only<2->{
+\begin{textblock}{11}(2,12)
+\small otherwise your ``added security'' can become the point of failure 
+\end{textblock}}
   
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
@@ -176,7 +181,7 @@
 \begin{center}
 \begin{tabular}[b]{c}
 \includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
-\small nuclear weapon
+\small nuclear weapon keys
 \end{tabular}
 \hspace{3mm}
 \begin{tabular}[b]{c}
@@ -196,8 +201,22 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{}
+\frametitle{Access Control in Unix}
 
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals (login)
+\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
+\item roles get attached with privileges\bigskip\\%
+\hspace{8mm}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{8cm}
+\alert{principle of least privilege:}\\
+programs should only have as much privilege as they need 
+\end{minipage}};
+\end{tikzpicture}
+\end{itemize}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
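Review bot: The third item equates \alert{roles} with user ids, but a Unix uid names a principal (the term the previous item already uses), and groups are the closer analogue of roles. Consider `\item mediate access to files, ports, processes according to user and group ids`, or add a half-line saying that "role" is used loosely here. The trailing `\\` at the end of that item is unnecessary before the next `\item`. The `\bigskip\\%` plus `\hspace{8mm}` used to place the least-privilege box inside the list is manual layout that could be replaced by putting the box after `\end{itemize}`.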
@@ -205,32 +224,77 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+\frametitle{Access Control in Unix (2)}
+
+\begin{itemize}
+\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
+\end{itemize}
+
+\begin{textblock}{1}(2.5,9.5)
+  \begin{tikzpicture}[scale=1]
+  
+  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+  \draw (4.7,1) node {Internet};
+  \draw (0.6,1.7) node {\footnotesize Interface};
+  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unpriviledged\\[-1mm] process\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}priviledged\\[-1mm] process\end{tabular}};
+  
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+ 
+  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+  \end{tikzpicture}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
 
-\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Process Ownership}
+
+\begin{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
+
+
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
 
 
 \begin{itemize}
-\item IEEE is a standards organisation (not-for-profit) 
-\item many standards in CS are by IEEE\medskip
-\item 100k plain-text passwords were recorded in logs
-\item the logs were openly accessible on their FTP server
-\end{itemize}\bigskip
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://ieeelog.com}}
-\end{flushright}
+\item privileges are specified by file access permissions (``everything is a file'') 
+\item there are 9 (plus 2) bits that specify the permissions of a file
 
-\only<2>{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] 
-{\normalsize\color{darkgray}
-\begin{minipage}{7.5cm}\raggedright\small
-\includegraphics[scale=0.6]{pics/IEEElog.jpg}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
+\begin{center}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
+\end{center}
+\end{itemize}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
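Review bot: On the second "Access Control in Unix (2)" frame, "9 (plus 2) bits" leaves out the sticky bit, the third special mode bit beside setuid and setgid. If the omission is a deliberate simplification, a half-line saying so would help, e.g. `\item there are 9 (plus 3: setuid, setgid, sticky) bits that specify the permissions of a file`. The listing line `\texttt{\$ ls - la}` has a stray space, so `-` and `la` are parsed as file names; it should read `\texttt{\$ ls -la}`. The title "Access Control in Unix (2)" is used for two different frames in this hunk. The TikZ labels spell `unpriviledged`/`priviledged`, and the same spelling recurs in the OpenSSH picture in a later hunk.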
@@ -239,88 +303,25 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
-\end{flushright}
-
-\begin{itemize}
-\item for online accounts passwords must be 6 digits
-\item you must cycle through 1M combinations (online)\pause\bigskip
-
-\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
-\item wrote a script that cleared the cookie set after each guess\pause
-\item has been fixed now
-\end{itemize}
-
+\frametitle{Login Process}
 
 
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
-
 \begin{itemize}
-\item ``smashing the stack attacks'' or ``buffer overflow attacks''
-\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
-\medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\item login processes run under UID $=$ 0\medskip 
 \begin{center}
-{\bf ``Smashing The Stack For Fun and Profit''}
+\texttt{ps -axl | grep login}
 \end{center}\medskip
 
-\begin{flushright}
-\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
-\end{flushright} 
- 
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
+
+\item non-root users are not allowed to change the UID --- would break 
+access control
+\item but needed for example for \texttt{passwd}
 \end{itemize}
 
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
-
-\begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\begin{center}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-\end{center}
-\item the resulting problems are often remotely exploitable 
-\item can be used to circumvents all access control
-(botnets for further attacks)
-\end{itemize}
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Variants\end{tabular}}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
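Review bot: The last two items of the "Login Process" frame say that non-root users may not change the UID "but needed for example for \texttt{passwd}" without saying why. That missing reason is the motivation for the setuid frame added in the next hunk. I would extend the item to `\item but needed for example for \texttt{passwd}, which must update a root-owned password file`. The sentence fragment "would break access control" would also read better as `\item non-root users are not allowed to change the UID (this would break access control)`.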
 
@@ -329,87 +330,161 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{Setuid and Setgid}
 
-\small
-\texttt{my\_float} is printed twice:\bigskip
+The solution is that unix file permissions are 9 + \underline{2 Bits}:
+\alert{Setuid} and \alert{Setgid} Bits
+
+\begin{itemize}
+\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. 
+\item This enables users to create processes as root (or another user).\bigskip
 
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C1.c}}}
+\item Essential for changing passwords, for example.
+\end{itemize}
 
-  
+\begin{center}
+\texttt{chmod 4755 fobar\_file}
+\end{center}
+
 \end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
 
 \begin{center}
-\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\begin{tikzpicture}[scale=1]
+  
+  \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+  \draw (4.7,1) node {Internet};
+  \draw (0.6,1.7) node {\footnotesize Slave};
+  \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+  \draw (0.6,1.7) node {\footnotesize Slave};
+  \draw (0.6,0.6) node {\footnotesize Slave};
+  \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unpriviledged\\[-1mm] processes\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}priviledged\\[-1mm] process\end{tabular}};
+  
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+  \draw (-2.9,1.7) node {\footnotesize Monitor};
+
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+ 
+  \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+  \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+
+  \end{tikzpicture}
 \end{center}
-  
-  
+
+\begin{itemize}
+\item pre-authorisation slave 
+\item post-authorisation\bigskip
+\item 25\% codebase is privileged, 75\% is unprivileged
+\end{itemize}
 \end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{Network Applications}
 
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2.c}}}
+ideally network application in Unix should be designed as follows:
+
+\begin{itemize}
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+ 
+\end{itemize}
+
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
 
-  
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
+
+
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
+\end{itemize}
+
+\only<1>{
+\begin{textblock}{1}(3,3)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+	-- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+
+
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
 
-\small
-A programmer might be careful, but still introduce vulnerabilities:\bigskip
+There are thing's you just cannot solve on the programming side:\bigskip
 
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2a.c}}}
+\begin{itemize}
+\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
+\begin{itemize}
+\item attacker:\\ 
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
+\item root:\\\texttt{rm /tmp/*/*}:
+\item attacker:\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
+\end{itemize}
+\end{itemize}
 
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
+
+Unix essentially can only distinguish between two security levels (root and non-root).
 
 \begin{itemize}
-\item the idea is you store some code as part to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause 
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+\item Information flow: Bell --- La Pudela model
 
 \begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+\item read: your own level and below
+\item write: your own level and above
+\end{itemize}
+\end{itemize}
 
-\begin{center}
-\texttt{xorl   \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-  
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
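Review bot: The "Other Problems" frame lists the attacker/root command interleaving for the `cron` cleanup of `/tmp` but never names the flaw or the defence, so the takeaway for the audience is missing. It is a race between root's glob expansion and the deletion, possible because the privileged job follows a symlink planted in a world-writable directory; I would add a closing item such as `\item lesson: privileged cleanup jobs must not follow symlinks in world-writable directories`. On the OpenSSH frame the phases are labelled "pre-authorisation"/"post-authorisation", but OpenSSH's privilege separation is split at authentication, so `pre-authentication slave` / `post-authentication` would match the tool's own terminology. The model on the "Security Levels" frame is spelled `Bell --- La Pudela`; the name is Bell--LaPadula, and the same misspelling recurs on "Security Levels (2)" in the next hunk.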
 
@@ -417,50 +492,86 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
 
-\small
-\texttt{string} is nowhere used:\bigskip
+\begin{itemize}
+\item Bell --- La Pudela preserves data secrecy, but not data integrity\bigskip\pause
+
+\item Biba model is for data integrity  
 
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C6.c}}}\bigskip
+\begin{itemize}
+\item read: your own level and above
+\item write: your own level and below
+\end{itemize}
+\end{itemize}
 
-this vulnerability can be used to read out the stack
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
+
+According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
+following view:
+
+\begin{center}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{10.5cm}
+\small Access control does not matter. Computers are becoming single-purpose
+or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't 
+need much in the way of access control as there's nothing for operating system access controls
+to do; the job of separating users from each other is best left to application code. As for the PC
+on your desk, if all the software on it comes from a single source, then again there's no need 
+for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)} 
+\end{minipage}};
+\end{tikzpicture}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
 
 \begin{itemize}
-\item use safe library functions
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
+\item with access control we are back to 1970s\bigskip
 
+\only<1>{
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{10cm}
+\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
+\mbox{}\hfill--- Roger Needham
+\end{minipage}};
+\end{tikzpicture}}\pause
+
+\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
+is dead now\bigskip
+\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\ 
+(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
+
+\item electronic voting
 \end{itemize}
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
 
 \begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (eeded for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
+\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
+
+\item you as developer have to specify the resources an application needs
+\item the OS provides a sandbox where access is restricted to only these resources
 \end{itemize}
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
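Review bot: The Biba frame gives read/write rules that are the exact inverse of the preceding secrecy model without saying that the levels are now integrity levels rather than secrecy levels. Read on their own, the two slides therefore look contradictory. A sub-item such as `\item here levels rank the trustworthiness of data, not its secrecy` would make the distinction explicit. The "Access Control in 2000" quotation is attributed only to "Ross Anderson (1st edition of his book)"; a title and page or chapter reference on the slide would let students check the context.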
 
@@ -469,18 +580,42 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Theater\end{tabular}}
+
 
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
-	with this information?\bigskip
+Security theater is the practice of investing in countermeasures intended to provide the 
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
 
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}\end{tabular}}
+
+
+Security theater is the practice of investing in countermeasures intended to provide the 
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
+Sender: cl-security-research-bounces@lists.cam.ac.uk
+To: cl-security-research@lists.cam.ac.uk
+Subject: Tip off
+Date: Tue, 02 Oct 2012 13:12:50 +0100
+
+I received the following tip off, and have removed the sender's
+coordinates. I suspect it is one of many security vendors who
+don't even get the basics right; if you ever go to the RSA 
+conference, there are a thousand such firms in the hall, each
+with several eager but ignorant salesmen. A trying experience
+
+Ross
+
 
 \end{document}
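Review bot: The mailing-list message pasted between the last frame and `\end{document}` is plain body text outside any frame, and it includes the `From:`/`Sender:`/`To:` header lines with their addresses. If it is meant as slide material it should go into a frame as a quotation without the headers; if it is a note to self it should be commented out with `%`. The second "Security Theater" frame repeats the first verbatim with an empty `\frametitle`, which looks like a leftover placeholder.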