updated
authorChristian Urban <christian dot urban at kcl dot ac dot uk>
Thu, 22 Oct 2015 02:11:23 +0100
changeset 417 ca9295851eb6
parent 416 708b80c825af
child 418 ac2d2cb7dd82
updated
slides/slides05.pdf
slides/slides05.tex
slides/slides06.pdf
slides/slides10.pdf
Binary file slides/slides05.pdf has changed
--- a/slides/slides05.tex	Wed Oct 21 22:07:46 2015 +0100
+++ b/slides/slides05.tex	Thu Oct 22 02:11:23 2015 +0100
@@ -1,9 +1,10 @@
 \PassOptionsToPackage{bookmarks=false}{hyperref}
 \documentclass[dvipsnames,14pt,t,hyperref={bookmarks=false}]{beamer}
+\usepackage{../style}
 \usepackage{../slides}
 \usepackage{../graphics}
 \usepackage{../langs}
-\usepackage{../style}
+\usepackage{../data}
 \usetikzlibrary{arrows}
 \usetikzlibrary{shapes}
 
@@ -294,6 +295,7 @@
 \item CA: ``I, the CA, have verified that public key 
   \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
 \item CA must be trusted by everybody\medskip
+\item certificates are time limited, and can be revoked
 
 \item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
 explicitly limits liability to \$100.)
@@ -302,79 +304,276 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{PKI: Chains of Trust}
+
+\begin{center}
+  \begin{tikzpicture}[scale=1,
+                      node/.style={
+                      rectangle,rounded corners=3mm,
+                      very thick,draw=black!50,minimum height=18mm, minimum width=23mm,
+                      top color=white,bottom color=black!20}]
+
+  \node (A) at (0,0)  [node] {};
+  \node [below right] at (A.north west) 
+  {\small\begin{tabular}{@{}l}CA\\Root Cert.\end{tabular}};
+
+  \node (B) at (4,0)  [node] {};
+  \node [below right=1mm] at (B.north west) 
+ {\mbox{}\hspace{-1mm}\small
+  \begin{tabular}{@{}l}Subordinate\\ CA\end{tabular}};
+
+  \node (C) at (8,0)  [node] {};
+  \node [below right] at (C.north west) 
+  {\small\begin{tabular}{@{}l}Server\\ Bank.com\end{tabular}};
+
+  \draw [->,line width=4mm] (A) -- (B); 
+  \draw [->,line width=4mm] (B) -- (C); 
+  
+  \node (D) at (6,-3)  [node] {};
+  \node [below right] at (D.north west) 
+  {\small\begin{tabular}{@{}l}Browser\\ Root Store\end{tabular}};
+
+  \node (E) at (2,-3)  [node] {};
+  \node [below right] at (E.north west) 
+  {\small\begin{tabular}{@{}l}Browser\\ Company\end{tabular}};
+
+  \draw [->,line width=4mm] (E) -- (D); 
+  \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item CAs make almost no money anymore, because of competition
+\item browser companies are not really interested in security, 
+rather than market share
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{Best Practices}
+\frametitle{PKI: Weaknesses}
+
+CAs just cannot win (make any profit):\medskip
+
+\begin{itemize}
+\item there are hundreds of CAs, which issue million of
+      certificates and the error rate is small
+
+\item users (servers) do not want to pay or pay as little as
+      possible\bigskip
+
+\item a CA can issue a certificate for any domain not needing
+      any permission (CAs are meant to be undergo audits,
+      but\ldots DigiNotar); if they have issued many 
+      certificates, they ``become too big to fail'' 
+  
+\item Can we be sure CAs are not just front-ends of some 
+      government organisation?  
+       
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{PKI: Weaknesses}
+
+\begin{itemize}
+
+\item many certificates are issued via whois\ldots if you
+      hijacked a domain, it is easy to obtain
+      certificates\medskip
+
+\item revocation does not work (Chrome has given up on
+      revocation lists)\medskip
 
-{\bf Principle 1:} Every message should say what it means: the
-interpretation of a message should not depend on the
-context.\bigskip\pause
+\item lax approach to validation of certificates 
+  (Have you bypassed certification warnings?)\medskip
+
+\item sometimes you want to install invalid certificates 
+  (self-signed)
+   
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{PKI: Attacks}
+
+\begin{itemize}
 
-{\bf Principle 2:} If the identity of a principal is essential
-to the meaning of a message, it is prudent to mention the
-principal’s name explicitly in the message (though
-difficult).\bigskip
+\item Go directly after root certificates 
+  \begin{itemize}
+  \item governments can demand private keys\smallskip
+  \item 10 years ago it was estimated to break a 1024 bit key
+   in one year using 10 -30 Mio \$; this is now reduced to 1 Mio \$
+  \end{itemize} 
+
+\item Go after buggy implementations of certificate
+      validation\smallskip
+
+\item Social Engineering 
+  \begin{itemize}
+    \item in 2001 somebody pretended to be 
+    from Microsoft and asked for two code-signing 
+    certificates
+    \end{itemize}\bigskip
+\end{itemize}
+
+\small The eco-system is completely broken (it relies on
+thousands of entities doing the right thing). Maybe DNSSEC
+where keys can be attached to domain names is a way out.
 
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{Best Practices}
-
-{\bf Principle 3:} Be clear about why encryption is being
-done. Encryption is not wholly cheap, and not asking precisely
-why it is being done can lead to redundancy. Encryption is not
-synonymous with security.
-
-\small
-\begin{center}
-Possible Uses of Encryption
+\frametitle{Real Attacks}
 
 \begin{itemize}
-\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal.
\item Guarantee confidentiality and authenticity: binds two parts of a message --- 
-\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
+
+\item In 2011, DigiNotar (Dutch) was the first CA which got
+      compromised completely, and where many fraudulent
+      certificates were issued. It included approximately
+      300,000 IP addresses, mostly located in Iran. The
+      attackers (in Iran?) were likely interested only in
+      collecting gmail passwords.\medskip
+
+\item The Flame malware piggy-bagged on this attack by
+      advertising malicious Windows updates to some targeted
+      systems (mostly in Iran, Israel, Sudan).
+
 \end{itemize}
-\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{PKI is Broken}
+
+\begin{itemize}
+
+\item PKI and certificates are meant to protect you against
+      MITM attacks, but if the attack occurs your are 
+      presented with a warning and you need to decide whether
+      you are under attack.\medskip
+
+\item Webcontent gets often loaded from 3rd-party servers,
+      which might not be secured\medskip
+     
+\item Misaligned incentives: browser vendors are not
+      interested in breaking webpages with invalid
+      certificates     
+
+\end{itemize}
 
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{Best Practices}
+
+Why are there so many invalid certificates?\bigskip
+
+\begin{itemize}
+
+\item insufficient name coverage (www.example.com should
+include example.com)
 
-{\bf Principle 4:} The protocol designers should know which
-trust relations their protocol depends on, and why the
-dependence is necessary. The reasons for particular trust
-relations being acceptable should be explicit though they will
-be founded on judgment and policy rather than on
-logic.\bigskip
+\item IoT: manny appliances have web-based admin interfaces; 
+  the manufacturer cannot know under which IP and domain name
+  the appliances are run (so cannot install a valid certificate)
 
-
Example Certification Authorities: CAs are trusted to certify
-a key only after proper steps have been taken to identify the
-principal that owns it.
+\item expired certificates, or incomplete chains of trust
+      (servers are supposed to supply them)
+
+\end{itemize}
 
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Formal Methods}
-
-Ross Anderson about the use of Logic:\bigskip
-
-\begin{quote}
-Formal methods can be an excellent way of finding 
-bugs in security protocol designs as they force the designer 
-to make everything explicit and thus confront difficult design 
-choices that might otherwise be fudged. 
-\end{quote}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
+%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%\begin{frame}[c]
+%\frametitle{Best Practices}
+%
+%{\bf Principle 1:} Every message should say what it means: the
+%interpretation of a message should not depend on the
+%context.\bigskip\pause
+%
+%{\bf Principle 2:} If the identity of a principal is essential
+%to the meaning of a message, it is prudent to mention the
+%principal’s name explicitly in the message (though
+%difficult).\bigskip
+%
+%\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%\begin{frame}[c]
+%\frametitle{Best Practices}
+%
+%{\bf Principle 3:} Be clear about why encryption is being
+%done. Encryption is not wholly cheap, and not asking precisely
+%why it is being done can lead to redundancy. Encryption is not
+%synonymous with security.
%
+%
+%\small
+%\begin{center}
+%Possible Uses of Encryption
%
+%
+%\begin{itemize}
+%\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
%\item Guarantee authenticity: The partner is indeed some particular principal.
%\item Guarantee confidentiality and authenticity: binds two parts of a message --- 
+%\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
+%\end{itemize}
+%\end{center}
+%
+%\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%\begin{frame}[c]
+%\frametitle{Best Practices}
+%
+%{\bf Principle 4:} The protocol designers should know which
+%trust relations their protocol depends on, and why the
+%dependence is necessary. The reasons for particular trust
+%relations being acceptable should be explicit though they will
+%be founded on judgment and policy rather than on
+%logic.\bigskip
+%
+%
%Example Certification Authorities: CAs are trusted to certify
+%a key only after proper steps have been taken to identify the
+%principal that owns it.
+%
+%\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%\begin{frame}[c]
+%\frametitle{Formal Methods}
+%
+%Ross Anderson about the use of Logic:\bigskip
+%
+%\begin{quote}
+%Formal methods can be an excellent way of finding 
+%bugs in security protocol designs as they force the designer 
+%to make everything explicit and thus confront difficult design 
+%choices that might otherwise be fudged. 
+%\end{quote}
+%
+%\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Mid-Term}
@@ -390,6 +589,384 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Security Engineering}
+  
+  \begin{center}
+  \begin{tabular}{cc}
+  \raisebox{-0.8mm}{\includegraphics[scale=0.28]{../pics/flight.jpg}} &
+  \includegraphics[scale=0.31]{../pics/airbus.jpg}\\
+  \small Wright brothers, 1901 & \small Airbus, 2005 \\ 
+  \end{tabular}
+  \end{center}
+
+  \end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{1st Lecture}
+
+\begin{itemize}
+\item chip-and-pin, banks vs.~customers
+\begin{quote}\small\rm
+ the one who can improve security should also be 
+ liable for the losses 
+\end{quote}\pause\bigskip
+
+\item hashes and salts to guarantee data integrity\medskip
+\item storing passwords (you should know the difference between
+brute force attacks and dictionary attacks; how do salts help?)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{1st Lecture: Cookies}
+
+\begin{itemize}
+\item good uses of cookies?\medskip
+
+\item bad uses of cookies: snooping, tracking, profiling\ldots
+      the ``disadvantage'' is that the user is in
+      \alert{control}, because you can delete them 
+          
+          \begin{center} ``Please track me using cookies.''
+          \end{center}\bigskip\pause
+                 
+\item fingerprinting beyond browser cookies
+  \begin{quote}\small\rm
+  Pixel Perfect: Fingerprinting Canvas in HTML5\\ 
+  (a research paper from 2012)\\
+  \footnotesize
+  \url{http://cseweb.ucsd.edu/~hovav/papers/ms12.html}      
+  \end{quote}      
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{1st Lecture: Cookies}
+
+\begin{itemize}
+\item a bit of JavaScript and HTML5 + canvas\medskip
+\begin{center}
+\begin{tabular}{cc}
+Firefox & Safari\\
+\includegraphics[scale=0.31]{../pics/firefox1.png} &
+\includegraphics[scale=0.31]{../pics/safari1.png} \\
+\tiny
+\pcode{55b2257ad0f20ecbf927fb66a15c61981f7ed8fc} &
+\tiny
+\pcode{17bc79f8111e345f572a4f87d6cd780b445625d3}
+\end{tabular}
+\end{center}\bigskip
+
+\item\small no actual drawing needed\pause
+\item\small in May 2014 a crawl of 100,000 popular 
+webpages revealed 5.5\% already use canvas 
+fingerprinting\smallskip
+\begin{center}\scriptsize
+\url{https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf}
+\end{center}
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{1st Lecture: Cookies}
+
+Remember the small web-app I showed where a cookie 
+protected a counter\bigskip 
+
+\begin{itemize}
+\item NYT, the cookie looks the ``resource'' - harm\medskip
+\item imaginary discount unlocked by cookie - no harm
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{2nd Lecture: E-Voting}
+
+Where are paper ballots better than voice voting?\bigskip
+
+\begin{itemize}
+\item Integrity 
+\item \alert{Ballot Secrecy}
+\item Voter Authentication
+\item Enfranchisement
+\item Availability
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{2nd Lecture: E-Voting}
+
+\begin{itemize}
+\item (two weeks ago) an Australian parliamentary committee 
+found: e-voting is highly vulnerable to hacking and Australia 
+will not use it any time soon\bigskip\pause
+\item Alex Halderman, Washington D.C.~hack
+\begin{center}
+\scriptsize
+\url{https://jhalderm.com/pub/papers/dcvoting-fc12.pdf}
+\end{center}\medskip
+
+\item PDF-ballot tampering at the wireless router (the modification 
+is nearly undetectable and leaves no traces; MITM attack with firmware 
+updating)
+\begin{center}
+\scriptsize
+\url{http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf}
+\end{center}
+
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\tikzset{alt/.code args={<#1>#2#3#4}{%
+  \alt<#1>{\pgfkeysalso{#2}}{\pgfkeysalso{#3}} % \pgfkeysalso doesn't change the path
+}}
+
+\begin{frame}[t]
+\frametitle{\begin{tabular}{c}3rd Lecture:\\ Buffer Overflow Attacks\end{tabular}}
+
+\begin{itemize}
+\item the problem arises from the way C/C++ organises its function calls\\[-8mm]\mbox{}
+\end{itemize}
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+%\draw[black!10,step=2mm] (0,0) grid (9,4);
+%\draw[black!10,thick,step=10mm] (0,0) grid (9,4);
+
+\node at (0.5,4.5) {\small\begin{tabular}{l}main\\[-2mm] prog.\end{tabular}};
+\draw[line width=0mm, white, alt=<2->{fill=red}{fill=blue}] (0,2.5) rectangle (1,3.8);
+\draw[line width=0mm, white, alt=<9->{fill=red}{fill=blue}] (0,0.2) rectangle (1,0.5);
+\draw[line width=1mm, alt=<3->{fill=yellow}{fill=blue}] (0,2.0) rectangle (1,2.5);
+\draw[line width=1mm, alt=<6->{fill=red}{fill=blue}] (0,1.0) rectangle (1,2.0);
+\draw[line width=1mm, alt=<7->{fill=yellow}{fill=blue}] (0,0.5) rectangle (1,1.0);
+\draw[line width=1mm] (0,0) -- (0,4);
+\draw[line width=1mm] (1,0) -- (1,4);
+
+\node at (3.5,3.5) {\small\begin{tabular}{l}fact(n)\end{tabular}};
+\draw[line width=1mm, alt=<{4-5,8}>{fill=red}{fill=blue}] (3,1.0) rectangle (4,3.0);
+
+\onslide<3-4>{\draw[->, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {n=4} (3,3);}
+\onslide<5>{\draw[<-, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {res=24} (3,1);}
+
+\onslide<7-8>{\draw[->, line width=1mm,red] (1,0.8) to node [above,sloped,midway] {n=3} (3,3);}
+\onslide<9>{\draw[<-, line width=1mm,red] (1,0.8) to node [above,sloped,midway] {res=6} (3,1);}
+
+
+\node at (7.75,3.9) {\small\begin{tabular}{l}stack\end{tabular}};
+\draw[line width=1mm] (7,3.5) -- (7,0.5) -- (8.5,0.5) -- (8.5,3.5);
+
+\onslide<3,4,7,8>{
+\node at (7.75, 1.4) {ret};
+\draw[line width=1mm] (7,1.1) -- (8.5,1.1);
+\node at (7.75, 2.0) {sp};
+\draw[line width=1mm] (7,2.3) -- (8.5,2.3);
+}
+\onslide<3,4>{
+\node at (7.75, 0.8) {4};
+\draw[line width=1mm] (7,1.7) -- (8.5,1.7);
+}
+\onslide<7,8>{
+\node at (7.75, 0.8) {3};
+\draw[line width=1mm] (7,1.7) -- (8.5,1.7);
+}
+
+
+\end{tikzpicture}
+\end{center}
+
+\end{frame}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+%\draw[black!10,step=2mm] (0,0) grid (9,4);
+%\draw[black!10,thick,step=10mm] (0,0) grid (9,4);
+
+\node at (0.5,4.5) {\small\begin{tabular}{l}main\\[-2mm] prog.\end{tabular}};
+\draw[line width=0mm, white, alt=<2->{fill=red}{fill=blue}] (0,2.5) rectangle (1,3.8);
+\draw[line width=1mm, white, fill=blue] (0,1.0) rectangle (1,2.0);
+\draw[line width=1mm, alt=<3->{fill=yellow}{fill=blue}] (0,2.0) rectangle (1,2.5);
+\draw[line width=1mm] (0,0) -- (0,4);
+\draw[line width=1mm] (1,0) -- (1,4);
+
+\node at (3.5,3.5) {\small\begin{tabular}{l}fact(n)\end{tabular}};
+\draw[line width=0mm, alt=<{4-}>{red, fill=red}{blue, fill=blue}] (3,2.8) rectangle (4,3.0);
+\draw[line width=0mm, alt=<{5-}>{red, fill=red}{blue, fill=blue}] (3,2.8) rectangle (4,2.0);
+\draw[line width=0mm, alt=<{7-}>{red, fill=red}{blue, fill=blue}] (3,2.0) rectangle (4,1.0);
+\draw[line width=1mm] (3,1.0) rectangle (4,3.0);
+
+\onslide<3->{\draw[->, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {n=4} (3,3);}
+\onslide<5->{\draw[<-, line width=2mm,red] (4,2) to node [above,sloped,midway] 
+{\begin{tabular}{l}user\\[-1mm] input\end{tabular}} (6,2);}
+\onslide<8->{\draw[<-, line width=1mm,red] (1,-2) to (3,1);}
+
+\node at (7.75,3.9) {\small\begin{tabular}{l}stack\end{tabular}};
+\draw[line width=1mm] (7,3.5) -- (7,-0.1) -- (8.5,-0.1) -- (8.5,3.5);
+
+\onslide<3->{
+\node at (7.75, 0.2) {4};
+\draw[line width=1mm,alt=<6->{fill=red}{fill=white}] (7,0.5) rectangle (8.5,1.1);
+\node at (7.75, 0.8) {\alt<6->{@a\#}{ret}};
+\draw[line width=1mm,alt=<6->{fill=red}{fill=white}] (7,1.1) rectangle (8.5,1.7);
+\node at (7.75, 1.4) {\alt<6->{!?w;}sp};
+}
+
+\onslide<4->{
+\draw[line width=1mm,fill=red] (7,1.7) rectangle (8.5,3.0);
+\node[white] at (7.75, 2.4) {buffer};
+}
+
+\end{tikzpicture}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{\begin{tabular}{c}3rd Lecture:\\[-3mm] 
+Buffer Overflow Attacks\end{tabular}}
+
+US National Vulnerability Database\\ 
+\small(636 out of 6675 in 2014)
+
+\begin{center}
+\begin{tikzpicture}
+\begin{axis}[
+    xlabel={year},
+    ylabel={\% of total attacks},
+    ylabel style={yshift=0em},
+    enlargelimits=false,
+    xtick={1997,1998,2000,...,2014},
+    xmin=1996.5,
+    xmax=2015,
+    ymax=21,
+    ytick={0,5,...,20},
+    scaled ticks=false,
+    axis lines=left,
+    width=11cm,
+    height=5cm,
+    ybar,
+    nodes near coords=
+     {\footnotesize
+      $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$},
+    x tick label style={font=\scriptsize,/pgf/number format/1000 sep={}}]
+\addplot
+  table [x=Year,y=Percentage] {bufferoverflows.data};
+\end{axis}
+\end{tikzpicture}
+\end{center}
+
+\scriptsize
+\url{http://web.nvd.nist.gov/view/vuln/statistics}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{\begin{tabular}{c}4th Lecture:\\ Unix Access Control\end{tabular}}
+
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'') 
+\end{itemize}\medskip
+
+\begin{center}
+  \begin{tikzpicture}[scale=1]
+  
+  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+  \draw (4.7,1) node {Internet};
+  \draw (-2.7,1.7) node {\footnotesize Application};
+  \draw (0.6,1.7) node {\footnotesize Interface};
+  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+  
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+ 
+  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+  \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item the idea is to make the attack surface smaller and 
+mitigate the consequences of an attack
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile,t]
+\frametitle{\begin{tabular}{c}4th Lecture:\\ Unix Access Control\end{tabular}}
+
+\begin{itemize}
+\item when a file with setuid is executed, the resulting process will assume the 
+UID given to the owner of the file
+\end{itemize}
+
+\footnotesize\tt
+\begin{center}
+\begin{verbatim}
+$ ls -ld . * */*
+drwxr-xr-x 1 ping staff  32768 Apr  2 2010 .
+-rw----r-- 1 ping students  31359 Jul 24 2011 manual.txt
+-r--rw--w- 1 bob students    4359 Jul 24 2011 report.txt
+-rwsr--r-x 1 bob students  141359 Jun  1 2013 microedit
+dr--r-xr-x 1 bob staff      32768 Jul 23 2011 src
+-rw-r--r-- 1 bob staff      81359 Feb 28 2012 src/code.c
+-r--rw---- 1 emma students    959 Jan 23 2012 src/code.h
+\end{verbatim}
+\end{center}
+
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{\begin{tabular}{c}4th Lecture:\\ Unix Access Control\end{tabular}}
+
+\begin{itemize}
+\item Alice wants to have her files readable, 
+\alert{except} for her office mates.
+\end{itemize}
+
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
+
+
 \end{document}
 
 %%% Local Variables:  
Binary file slides/slides06.pdf has changed
Binary file slides/slides10.pdf has changed