Binary file slides/slides01.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides01.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,1028 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{pgf}
+\usepackage{calc}
+\usepackage{ulem}
+\usepackage{courier}
+\usepackage{listings}
+\renewcommand{\uline}[1]{#1}
+\usetikzlibrary{arrows}
+\usetikzlibrary{automata}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 01, King's College London, 25.~September 2012}
+
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (1)\\[-6mm]
+ \end{tabular}}
+
+ \begin{center}
+ \includegraphics[scale=1.3]{pics/barrier.jpg}
+ \end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}
+
+\begin{center}
+\includegraphics[scale=2.1]{pics/barrier.jpg}
+\end{center}
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Engineers\end{tabular}}
+
+According to Bruce Schneier, {\bf security engineers} require
+a particular {\bf mindset}:\bigskip
+
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{10cm}\raggedright\small
+``Security engineers --- at least the good ones --- see the world dif$\!$ferently.
+They can't walk into a store without noticing how they might shoplift. They can't
+use a computer without wondering about the security vulnerabilities. They can't
+vote without trying to figure out how to vote twice. They just can't help it.''
+\end{minipage}};
+\end{tikzpicture}
+
+\begin{flushright}
+\includegraphics[scale=0.0087]{pics/schneierbook1.jpg}\;
+\includegraphics[scale=0.0087]{pics/schneierbook2.jpg}\;
+\includegraphics[scale=0.85]{pics/schneier.png}
+\end{flushright}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN\end{tabular}}
+
+\begin{center}
+\includegraphics[scale=0.3]{pics/creditcard1.jpg}\;
+\includegraphics[scale=0.3]{pics/creditcard2.jpg}
+\end{center}
+
+\begin{itemize}
+\item Chip-and-PIN was introduced in the UK in 2004
+\item before that customers had to sign a receipt\medskip
+\item Is Chip-and-PIN a more secure system?
+\end{itemize}
+
+\begin{flushright}
+\small\textcolor{gray}{(Some other countries still use the old method.)}
+\end{flushright}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Yes \ldots\end{tabular}}
+
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{10cm}\raggedright\small
+``Chip-and-PIN is so effective in this country [UK] that fraudsters are starting to move their activities overseas,''
+said Emile Abu-Shakra, spokesman for Lloyds TSB (in the Guardian, 2006).
+\end{minipage}};
+\end{tikzpicture}\bigskip
+
+
+\begin{itemize}
+\item mag-stripe cards cannot be cloned anymore
+\item stolen or cloned cards need to be used abroad
+\item fraud on lost, stolen and counterfeit credit cards was down \pounds{}60m (24\%) on 2004's figure
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}But let's see \ldots\end{tabular}}
+
+
+\begin{textblock}{1}(3,4)
+\begin{tabular}{c}
+\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm]
+\small Bank
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(7,4.5)
+\begin{tabular}{c}
+\includegraphics[scale=3]{pics/store.png}\\[-2mm]
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(4.5,9.9)
+\begin{tabular}{c}
+\includegraphics[scale=0.16]{pics/rman.png}\\[-1mm]
+\small costumer / you
+\end{tabular}
+\end{textblock}
+
+\only<2->{
+\begin{textblock}{1}(4.5,7.5)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1,-1) node (Y) {};
+ \draw[red, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}}
+
+\only<3->{
+\begin{textblock}{1}(6.8,7.5)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1,1) node (Y) {};
+ \draw[red, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(4.8,5.9)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1.4,0) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}}
+
+\only<4->{
+\begin{textblock}{1}(12,6.5)
+\begin{tabular}{c}
+\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm]
+\small card\\[-2mm]\small terminal\\[-2mm] \small producer
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(10,7)
+ \begin{tikzpicture}[scale=1.6]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (-1,0.6) node (Y) {};
+ \draw[red, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}}
+
+
+\begin{itemize}
+\item A ``tamperesitant'' terminal playing Tetris on
+\textcolor{blue}{\href{http://www.youtube.com/watch?v=wWTzkD9M0sU}{youtube}}.\\
+\textcolor{lightgray}{\footnotesize(\url{http://www.youtube.com/watch?v=wWTzkD9M0sU})}
+\end{itemize}
+
+
+\includegraphics[scale=0.2]{pics/tetris.jpg}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}}
+
+
+\begin{itemize}
+\item in 2006, Shell petrol stations stopped accepting Chip-and-PIN after \pounds{}1m had been stolen from customer accounts\smallskip
+\item in 2008, hundreds of card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been
+expertly tampered with shortly after manufacture so that details and PINs of credit cards were sent during the 9 months
+before over mobile phone networks to criminals in Lahore, Pakistan
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Chip-and-PIN is Broken\end{tabular}}
+
+\begin{flushright}
+\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\;
+\includegraphics[scale=1.5]{pics/anderson.jpg}
+\end{flushright}
+
+\begin{itemize}
+\item man-in-the-middle attacks by the group around Ross Anderson\medskip
+\end{itemize}
+
+\begin{center}
+\mbox{}\hspace{-20mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
+\end{center}
+
+
+\begin{textblock}{1}(11.5,13.7)
+\begin{tabular}{l}
+\footnotesize on BBC Newsnight\\[-2mm]
+\footnotesize in 2010 or \textcolor{blue}{\href{http://www.youtube.com/watch?v=JPAX32lgkrw}{youtube}}
+\end{tabular}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN is Really Broken\end{tabular}}
+
+\begin{flushright}
+\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\;
+\includegraphics[scale=1.5]{pics/anderson.jpg}
+\end{flushright}
+
+\begin{itemize}
+\item same group successfully attacked this year card readers and ATM machines
+\item the problem: several types of ATMs generate poor random numbers, which are used as nonces
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}The Problem \ldots\end{tabular}}
+
+
+\begin{textblock}{1}(3,4)
+\begin{tabular}{c}
+\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm]
+\small Bank
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(7,4.5)
+\begin{tabular}{c}
+\includegraphics[scale=3]{pics/store.png}\\[-2mm]
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(12,6.5)
+\begin{tabular}{c}
+\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm]
+\small terminal\\[-2mm] \small producer
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(4.5,9.9)
+\begin{tabular}{c}
+\includegraphics[scale=0.13]{pics/rman.png}\\[-1mm]
+\small costumer / you
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(4.5,7.5)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1,-1) node (Y) {};
+ \draw[gray, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(6.8,7.5)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1,1) node (Y) {};
+ \draw[gray, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(4.8,5.9)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1.4,0) node (Y) {};
+ \draw[gray, <->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(10,7)
+ \begin{tikzpicture}[scale=1.6]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (-1,0.6) node (Y) {};
+ \draw[gray, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{14}(1,13.5)
+\begin{itemize}
+\item the burden of proof for fraud and financial liability was shifted to the costumer
+\end {itemize}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Being Screwed Again\end{tabular}}
+
+
+\begin{flushright}
+\includegraphics[scale=0.3]{pics/rbssecure.jpg}
+\end{flushright}
+
+\begin{itemize}
+\item {\bf Responsibility}\\
+``You understand that you are financially responsible for all uses of RBS Secure.''\\
+\textcolor{lightgray}{\footnotesize\url{https://www.rbssecure.co.uk/rbs/tdsecure/terms_of_use.jsp}}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Web Applications\end{tabular}}
+
+
+\begin{textblock}{1}(2,5)
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm]
+\small Servers from\\[-2mm]
+\small Dot.com Inc.
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(5.6,6)
+ \begin{tikzpicture}[scale=2.5]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1,0) node (Y) {};
+ \only<2>{\draw[red, <-, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {};}
+ \only<3>{\draw[red, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X)!.5!(Y) $) {};}
+ \only<4>{\draw[red, <-, line width = 2mm] (X) -- (Y);
+ \node [inner sep=7pt,label=above:\textcolor{black}{POST data}] at ($ (X)!.5!(Y) $) {};}
+ \end{tikzpicture}
+\end{textblock}
+
+
+\begin{textblock}{1}(9,5.5)
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm]
+\small Client(s)
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{13}(1,13)
+\begin{itemize}
+\item What are pitfalls and best practices?
+\end{itemize}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Scala + Play\end{tabular}}
+
+\footnotesize a simple response from the server:
+
+{\lstset{language=Scala}\fontsize{8}{10}\selectfont
+\texttt{\lstinputlisting{app0.scala}}}\bigskip
+
+\footnotesize
+alternative response:\\
+
+{\lstset{language=Scala}\fontsize{8}{10}\selectfont
+\texttt{\lstinline{Ok("<H1>Hello world!</H1>").as(HTML)}}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+{\lstset{language=Scala}\fontsize{8}{10}\selectfont
+\texttt{\lstinputlisting{app1.scala}}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Cookies\end{tabular}}
+
+
+\begin{textblock}{1}(1.5,5)
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm]
+\small Servers from\\[-2mm]
+\small Dot.com Inc.
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(5.6,5.6)
+ \begin{tikzpicture}[scale=2.5]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1,0) node (Y) {};
+ \draw[white] (0.05,-0.3) node (X1) {};
+ \draw[white] (0.95,-0.3) node (Y1) {};
+ \only<1-2>{\draw[red, <-, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {};}
+ \only<1>{\draw[white, <-, line width = 1mm] (X1) -- (Y1);
+ \node [inner sep=2pt,label=below:\textcolor{white}{read a cookie}] at ($ (X1)!.5!(Y1) $) {};}
+ \only<2>{\draw[red, <-, line width = 1mm] (X1) -- (Y1);
+ \node [inner sep=2pt,label=below:\textcolor{black}{read a cookie}] at ($ (X1)!.5!(Y1) $) {};}
+ \only<3->{\draw[red, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X)!.5!(Y) $) {};}
+ \only<3->{\draw[red, ->, line width = 1mm] (X1) -- (Y1);
+ \node [inner sep=2pt,label=below:\textcolor{black}{write a cookie}] at ($ (X1)!.5!(Y1) $) {};}
+ \end{tikzpicture}
+\end{textblock}
+
+
+\begin{textblock}{1}(9.5,5.5)
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm]
+\small Client
+\end{tabular}
+\end{textblock}
+
+\only<4->{
+\begin{textblock}{13}(1,11)
+\small\begin{itemize}
+\item cookies: max 4KB data\\[-2mm]
+\item cookie theft, cross-site scripting attacks\\[-2mm]
+\item session cookies, persistent cookies, HttpOnly cookies, third-party cookies, zombie cookies
+\end{itemize}
+\end{textblock}}
+
+\only<5>{
+\begin{textblock}{11}(1,3)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{10cm}\raggedright\small
+{\bf EU Privacy Directive about Cookies:}\smallskip\\
+``In May 2011, a European Union law was passed stating that websites that leave non-essential cookies on visitors' devices have to alert the visitor and get acceptance from them. This law applies to both individuals and businesses based in the EU regardless of the nationality of their website's visitors or the location of their web host. It is not enough to simply update a website's terms and conditions or privacy policy. The deadline to comply with the new EU cookie law was 26th May 2012 and failure to do so could mean a fine of up to \pounds{}500,000.''
+\hfill\small\textcolor{gray}{$\rightarrow$BBC News}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\begin{itemize}
+\item While cookies are per web-page, this can be easily circumvented.
+\end{itemize}
+
+\begin{textblock}{1}(1.5,4.5)
+\begin{tabular}{c}
+\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
+\small Pet Store\\[-2mm]
+\small Dot.com\\[-2mm]
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(1.5,8)
+\begin{tabular}{c}
+\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
+\small Dating.com
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(10.5,7.5)
+\begin{tabular}{c}
+\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
+\small Evil-Ad-No\\[-2mm]
+\small Privacy.com
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(6,10.5)
+\begin{tabular}{c}
+\includegraphics[scale=0.16]{pics/rman.png}\\[-1mm]
+\small you
+\end{tabular}
+\end{textblock}
+
+\begin{textblock}{1}(4,5)
+ \begin{tikzpicture}[scale=1]
+ \draw[white] (0,0.5) node (X) {};
+ \draw[white] (5.7,-1) node (Y) {};
+ \draw[red, ->, line width = 0.5mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(4,7.9)
+ \begin{tikzpicture}[scale=1]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (5.7,0) node (Y) {};
+ \draw[red, ->, line width = 0.5mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(3.3,9.3)
+ \begin{tikzpicture}[scale=1.2]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1.5,-1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \draw[white] (0.9,0.3) node (X1) {};
+ \draw[white] (1.9,-1) node (Y1) {};
+ \draw[red, <->, line width = 2mm] (X1) -- (Y1);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X1)!.5!(Y1) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(8.6,10.1)
+ \begin{tikzpicture}[scale=0.9]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (-2,-1) node (Y) {};
+ \draw[red, <->, line width = 0.5mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}My First Webapp\end{tabular}}
+
+{\bf GET request:}\smallskip
+\begin{enumerate}
+\item read the cookie from client
+\item if none is present, set \texttt{visits} to \textcolor{blue}{$0$}
+\item if cookie is present, extract \texttt{visits} counter
+\item if \texttt{visits} is greater or equal \textcolor{blue}{$10$}, \\
+print a valued customer message\\
+otherwise just a normal message
+\item increase \texttt{visits} by \textcolor{blue}{$1$} and store new cookie with client
+\end{enumerate}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\mbox{}\\[-9mm]
+
+{\lstset{language=Scala}\fontsize{8}{10}\selectfont
+\texttt{\lstinputlisting{app2.scala}}}
+
+\footnotesize
+\begin{itemize}
+\item cookie value encoded as hash
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=1.8]{pics/barrier.jpg}
+\end{center}
+
+\begin{itemize}
+\item data integrity needs to be ensured
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\mbox{}\\[-7mm]
+
+{\lstset{language=Scala}\fontsize{8}{10}\selectfont
+\texttt{\lstinputlisting{app3.scala}}}
+
+\small
+\begin{itemize}
+\item the counter/hash pair is intended to prevent tampering
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}SHA-1\end{tabular}}
+
+\begin{itemize}
+\item SHA-1 is a cryptographic hash function\\
+(MD5, SHA-256, SHA-512, \ldots)
+\item message $\rightarrow$ digest
+\item no known attack exists, except brute force\bigskip\pause
+\item but dictionary attacks are very ef$\!$fective for extracting passwords (later)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\mbox{}\\[-9mm]
+
+{\lstset{language=Scala}\fontsize{8}{10}\selectfont
+\texttt{\lstinputlisting{app4.scala}}}
+
+\begin{textblock}{1}(9,1)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (3,0) node (Y) {};
+ \draw[red, <-, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{\small should be random}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{1}(6.6,4.9)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (1,-1) node (Y) {};
+ \draw[red, <-, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:{}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Unix Passwords\end{tabular}}
+
+\begin{itemize}
+\item passwords are \alert{\bf not} stored in clear text
+\item instead \texttt{/etc/shadow} contains
+\end{itemize}
+
+{\small
+\texttt{name:\$1\$QIGCa\$/ruJs8AvmrknzKTzM2TYE.:other\_info}
+}
+
+\begin{itemize}
+\item \texttt{\$} is separator
+\item \texttt{1} is MD5 (actually SHA-512 is used nowadays, \texttt{6})
+\item \texttt{QIGCa} is salt
+\item \texttt{ruJs8AvmrknzKTzM2TYE} $\rightarrow$ password + salt
+\end{itemize}
+
+\textcolor{gray}{\small
+(\texttt{openssl passwd -1 -salt QIGCa pippo})
+}
+% Unix password
+% http://ubuntuforums.org/showthread.php?p=5318038
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Password Blunders\end{tabular}}
+
+
+\begin{itemize}
+\item in late 2009, when an SQL injection attack against online games
+service RockYou.com exposed 32 million \alert{plaintext} passwords
+
+\item 1.3 million Gawker credentials exposed in December 2010 containing
+unsalted(?) \alert{MD5} hashes
+
+\item June 6th, 2012, 6 million unsalted SHA-1 passwords were leaked from linkedIn
+% linkedIn password
+% http://erratasec.blogspot.co.uk/2012/06/confirmed-linkedin-6mil-password-dump.html
+\end{itemize}\medskip
+
+\small
+Web user maintains 25 separate accounts but uses just 6.5 passwords
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%For instance, SHA512crypt, which is included in Mac OS X and most Unix-based operating systems, passes text through 5,000 iterations, a %hurdle that would have limited Gosney to slightly less than 2,600 guesses per second. The Bcrypt algorithm is even more computationally %expensive, in large part because it subjects text to multiple iterations of the Blowfish cipher that was deliberately modified to increase the %time required to generate a hash. PBKDF2, a function built into Microsoft's .Net software developer framework, offers similar benefits.
+
+
+% rainbow tables
+% http://en.wikipedia.org/wiki/Rainbow_table
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Brute Forcing Passwords\end{tabular}}
+
+\begin{itemize}
+\item How fast can hackers crack SHA-1 passwords? \pause
+
+\item The answer is 2 billion attempts per second\\
+using a Radeon HD 7970
+\end{itemize}
+
+\begin{center}
+\begin{tabular}{@ {\hspace{-12mm}}rl}
+password length & time\smallskip\\\hline
+5 letters & 5 secs\\
+6 letters & 500 secs\\
+7 letters & 13 hours\\
+8 letters & 57 days\\
+9 letters & 15 years\\
+\end{tabular}
+\end{center}
+
+\small
+5 letters $\approx$ 100$^5$ $=$ 10 billion combinations\\
+(1 letter - upper case, lower case, digits, symbols $\approx$ 100)
+
+\only<2->{
+\begin{textblock}{1}(12,5)
+\begin{tabular}{c}
+\includegraphics[scale=0.3]{pics/radeon.jpg}\\[-6mm]
+\footnotesize graphics card\\[-1mm]
+\footnotesize ca.~\pounds{}300
+\end{tabular}
+\end{textblock}}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Passwords\end{tabular}}
+
+How to recover from a breakin?\pause\medskip
+
+\begin{itemize}
+\item Do not send passwords in plain text.
+\item Security questions are tricky to get right.
+\item QQ (Chinese Skype) authenticates you via contacts.
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}This Course\end{tabular}}
+
+\begin{itemize}
+\item break-ins (buffer overflows)
+\item access control\\ (role based, data security / data integrity)
+\item protocols\\
+(specification)
+\item access control logic
+\item privacy
+\begin{quote}
+Scott McNealy: \\``You have zero privacy anyway. Get over it.''
+\end{quote}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Books + Homework\end{tabular}}
+
+\begin{itemize}
+\item there is no single book I am following
+\begin{center}
+\includegraphics[scale=0.012]{pics/andersonbook1.jpg}
+\includegraphics[scale=0.23]{pics/accesscontrolbook.jpg}
+\end{center}\medskip\pause
+
+\item The question ``Is this relevant for the exams'' is not appreciated!\medskip\\
+
+Whatever is in the homework sheets (and is not marked optional) is relevant for the
+exam. No code needs to be written.
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Take-Home Points\end{tabular}}
+
+\begin{itemize}
+\item Never store passwords in plain text.\medskip
+\item Always salt your hashes!\medskip
+\item Use an existing algorithm; do not write your own!
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Thinking as a Defender\end{tabular}}
+
+\begin{itemize}
+\item What are you trying to protect?
+\item What properties are you trying to enforce?\medskip
+
+\item Who are the attackers? Capabilities? Motivations?
+\item What kind of attack are we trying to protect?
+\item Who can fix any vulnerabilities?\medskip
+
+\item What are the weaknesses of the system?
+\item What will successful attacks cost us?
+\item How likely are the attacks?
+\end{itemize}
+
+\small
+\textcolor{gray}{Security almost always is {\bf not} free!}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}The Security Mindset\end{tabular}}
+
+\begin{itemize}
+\item How things can go wrong.
+\item Think outside the box.
+\end{itemize}\bigskip
+
+The difference between being criminal is to only \alert{\bf think} about how things can go wrong.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{c}Maps in Scala\end{tabular}}
+
+\begin{itemize}
+\item {\bf\texttt{map}} takes a function, say f, and applies it to every element of the list:
+\end{itemize}
+
+\begin{textblock}{15}(2,7)
+\fontsize{13}{14}\selectfont
+\bf\texttt{List(1, 2, 3, 4, 5, 6, 7, 8, 9)}
+\end{textblock}
+
+\begin{textblock}{15}(2,10)
+\fontsize{13}{14}\selectfont
+\bf\texttt{List(1, 4, 9, 16, 25, 36, 49, 64, 81)}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides02.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides02.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,454 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{pgf}
+\usepackage{calc}
+\usepackage{ulem}
+\usepackage{courier}
+\usepackage{listings}
+\renewcommand{\uline}[1]{#1}
+\usetikzlibrary{arrows}
+\usetikzlibrary{automata}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
+
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (2)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also home work is there)
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+
+
+\ldots{} I have a question about the homework.\\[3mm]
+Is it required to submit the homework before\\
+the next lecture?\\[5mm]
+
+Thank you!\\
+Anonymous
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}[t]{c}
+\includegraphics[scale=1.2]{pics/barrier.jpg}\\
+future lectures
+\end{tabular}\;\;\;
+\onslide<2>{
+\begin{tabular}[t]{c}
+\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
+today
+\end{tabular}
+}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}
+
+\begin{textblock}{1}(1,3)
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/SmartWater}
+\end{tabular}
+\end{textblock}
+
+
+\begin{textblock}{8.5}(7,3)
+\begin{itemize}
+\item seems helpful for preventing cable theft\medskip
+\item wouldn't be helpful to make your property safe, because of possible abuse\medskip
+
+\item security is always a tradeoff
+\end{itemize}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+
+\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
+
+
+\begin{itemize}
+\item IEEE is a standards organisation (not-for-profit)
+\item many standards in CS are by IEEE\medskip
+\item 100k plain-text passwords were recorded in logs
+\item the logs were openly accessible on their FTP server
+\end{itemize}\bigskip
+
+\begin{flushright}\small
+\textcolor{gray}{\url{http://ieeelog.com}}
+\end{flushright}
+
+\only<2>{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{7.5cm}\raggedright\small
+\includegraphics[scale=0.6]{pics/IEEElog.jpg}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
+
+\begin{flushright}\small
+\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
+\end{flushright}
+
+\begin{itemize}
+\item for online accounts passwords must be 6 digits
+\item you must cycle through 1M combinations (online)\pause\bigskip
+
+\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
+\item wrote a script that cleared the cookie set after each guess\pause
+\item has been fixed now
+\end{itemize}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+
+\begin{itemize}
+\item ``smashing the stack attacks'' or ``buffer overflow attacks''
+\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
+\begin{flushright}\small
+\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
+\end{flushright}
+\medskip
+\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\begin{center}
+{\bf ``Smashing The Stack For Fun and Profit''}
+\end{center}\medskip
+
+\begin{flushright}
+\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
+\end{flushright}
+
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
+
+\begin{itemize}
+\item The basic problem is that library routines in C look as follows:
+\begin{center}
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{app5.c}}}
+\end{center}
+\item the resulting problems are often remotely exploitable
+\item can be used to circumvents all access control
+(botnets for further attacks)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Variants\end{tabular}}
+
+There are many variants:
+
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\small
+\texttt{my\_float} is printed twice:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C1.c}}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
+\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
+\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C2.c}}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\small
+A programmer might be careful, but still introduce vulnerabilities:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{C2a.c}}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
+
+\begin{itemize}
+\item the idea is you store some code as part to the buffer
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+
+\begin{center}
+\texttt{xorl \%eax, \%eax}
+\end{center}
+\end{itemize}\bigskip\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{app5.c}}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
+
+\small
+\texttt{string} is nowhere used:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{programs/C4.c}}}\bigskip
+
+this vulnerability can be used to read out the stack
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
+
+\begin{itemize}
+\item use safe library functions
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
+
+\begin{itemize}
+\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
+\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
+\item Monitoring (detect attacks)\pause
+\item Privacy, confidentiality, anonymity (to protect secrets)\pause
+\item Authenticity (needed for access control)\pause
+\item Integrity (prevent unwanted modification or tampering)\pause
+\item Availability and reliability (reduce the risk of DoS attacks)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
+
+\begin{itemize}
+\item Assume format string attacks allow you to read out the stack. What can you do
+ with this information?\bigskip
+
+\item Assume you can crash a program remotely. Why is this a problem?
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides03.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides03.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,727 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{pgf}
+\usepackage{calc}
+\usepackage{ulem}
+\usepackage{courier}
+\usepackage{listings}
+\renewcommand{\uline}[1]{#1}
+\usetikzlibrary{arrows}
+\usetikzlibrary{automata}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 03, King's College London, 9 October 2012}
+
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (3)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also home work is there)\\
+ & \alert{\bf (I have put a temporary link in there.)}\\
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
+one general defence mechanism is\\\alert{\bf defence in depth}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1-2>[c]
+\frametitle{Defence in Depth}
+
+\begin{itemize}
+\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
+\end{itemize}
+
+\only<2->{
+\begin{textblock}{11}(2,12)
+\small otherwise your ``added security'' can become the point of failure
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{PALs}
+
+\begin{itemize}
+\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
+\end{itemize}
+
+\begin{center}
+\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
+\includegraphics[scale=0.25]{pics/nuclear2.jpg}
+\end{center}
+
+
+\onslide<3->{
+modern PALs also include a 2-person rule
+}
+
+ \only<2->{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+US Air Force's Strategic Air Command worried that in times of need the
+codes would not be available, so until 1977 quietly decided to set them
+to 00000000\ldots
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{itemize}
+\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
+
+\item these weapons were armed with a bicycle key
+
+\begin{center}
+\begin{tabular}[b]{c}
+\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
+\small nuclear weapon keys
+\end{tabular}
+\hspace{3mm}
+\begin{tabular}[b]{c}
+\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
+\small bicycle lock
+\end{tabular}
+\end{center}\bigskip\pause
+
+\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix}
+
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals (login)
+\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
+\item roles get attached with privileges\bigskip\\%
+\hspace{8mm}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+\alert{principle of least privilege:}\\
+programs should only have as much privilege as they need
+\end{minipage}};
+\end{tikzpicture}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+
+\begin{itemize}
+\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
+\end{itemize}
+
+\begin{textblock}{1}(2.5,9.5)
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (4.7,1) node {Internet};
+ \draw (0.6,1.7) node {\footnotesize Interface};
+ \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+ \end{tikzpicture}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Process Ownership}
+
+\begin{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
+
+
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+
+
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'')
+\item there are 9 (plus 2) bits that specify the permissions of a file
+
+\begin{center}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
+\end{center}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Login Process}
+
+
+\begin{itemize}
+\item login processes run under UID $=$ 0\medskip
+\begin{center}
+\texttt{ps -axl | grep login}
+\end{center}\medskip
+
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
+
+\item non-root users are not allowed to change the UID --- would break
+access control
+\item but needed for example for \texttt{passwd}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Setuid and Setgid}
+
+The solution is that unix file permissions are 9 + \underline{2 Bits}:
+\alert{Setuid} and \alert{Setgid} Bits
+
+\begin{itemize}
+\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
+\item This enables users to create processes as root (or another user).\bigskip
+
+\item Essential for changing passwords, for example.
+\end{itemize}
+
+\begin{center}
+\texttt{chmod 4755 fobar\_file}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+ \draw (4.7,1) node {Internet};
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw (0.6,0.6) node {\footnotesize Slave};
+ \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+ \draw (-2.9,1.7) node {\footnotesize Monitor};
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+ \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+
+ \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item pre-authorisation slave
+\item post-authorisation\bigskip
+\item 25\% codebase is privileged, 75\% is unprivileged
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Network Applications}
+
+ideally network application in Unix should be designed as follows:
+
+\begin{itemize}
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+
+\end{itemize}
+
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
+
+
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
+\end{itemize}
+
+\only<1>{
+\begin{textblock}{1}(3,3)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+ -- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
+
+There are thing's you just cannot solve on the programming side:\bigskip
+
+\begin{itemize}
+\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
+\begin{itemize}
+\item attacker:\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
+\item root:\\\texttt{rm /tmp/*/*}:
+\item attacker:\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
+\end{itemize}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
+
+Unix essentially can only distinguish between two security levels (root and non-root).
+
+\begin{itemize}
+\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause
+
+\item Information flow: Bell --- La Padula model
+
+\begin{itemize}
+\item read: your own level and below
+\item write: your own level and above
+\end{itemize}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
+
+\begin{itemize}
+\item Bell --- La Padula preserves data secrecy, but not data integrity\bigskip\pause
+
+\item Biba model is for data integrity
+
+\begin{itemize}
+\item read: your own level and above
+\item write: your own level and below
+\end{itemize}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
+
+According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
+following view:
+
+\begin{center}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{10.5cm}
+\small Access control does not matter. Computers are becoming single-purpose
+or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't
+need much in the way of access control as there's nothing for operating system access controls
+to do; the job of separating users from each other is best left to application code. As for the PC
+on your desk, if all the software on it comes from a single source, then again there's no need
+for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)}
+\end{minipage}};
+\end{tikzpicture}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
+
+\begin{itemize}
+\item with access control we are back to 1970s\bigskip
+
+\only<1>{
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{10cm}
+\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
+\mbox{}\hfill--- Roger Needham
+\end{minipage}};
+\end{tikzpicture}}\pause
+
+\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
+is dead now\bigskip
+\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\
+(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
+
+\item electronic voting
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
+
+\begin{itemize}
+\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
+
+\item you as developer have to specify the resources an application needs
+\item the OS provides a sandbox where access is restricted to only these resources
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
+
+
+Security theatre is the practice of investing in countermeasures intended to provide the
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
+
+\begin{itemize}
+\item for example, usual locks and strap seals are security theatre
+\end{itemize}
+
+\begin{center}
+\includegraphics[scale=0.45]{pics/seal.jpg}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{minipage}{11cm}
+From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
+To: cl-security-research@lists.cam.ac.uk\\
+Subject: Tip off\\
+Date: Tue, 02 Oct 2012 13:12:50 +0100\\
+
+I received the following tip off, and have removed the sender's
+coordinates. I suspect it is one of many security vendors who
+don't even get the basics right; if you ever go to the RSA
+conference, there are a thousand such firms in the hall, each
+with several eager but ignorant salesmen. A trying experience.\\
+
+Ross
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{minipage}{11cm}
+I'd like to anonymously tip you off about this\\
+product:\\
+
+{\small http://www.strongauth.com/products/key-appliance.html}\\
+
+It sounds really clever, doesn't it?\\
+\ldots\\
+
+Anyway, it occurred to me that you and your colleagues might have a
+field day discovering weaknesses in the appliance and their
+implementation of security. However, whilst I'd be willing to help
+and/or comment privately, it'd have to be off the record ;-)
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}}
+
+{\bf What assets are you trying to protect?}\bigskip
+
+This question might seem basic, but a surprising number of people never ask it. The question involves understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems, and require different solutions.
+
+\only<2>{
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{10cm}
+\small You like to prevent: ``It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it.''
+\end{minipage}};
+\end{tikzpicture}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 2\end{tabular}}
+
+{\bf What are the risks to these assets?}\bigskip
+
+Here we consider the need for security. Answering it involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it, and why.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 3\end{tabular}}
+
+{\bf How well does the security solution mitigate those risks?}\bigskip
+
+Another seemingly obvious question, but one that is frequently ignored. If the security solution doesnÕt solve the problem, it's no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 4\end{tabular}}
+
+{\bf What other risks does the security solution cause?}\bigskip
+
+This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 5\end{tabular}}
+
+{\bf What costs and trade-offs does the security solution impose?}\bigskip
+
+Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides04.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides04.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,1014 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{pgf}
+\usepackage{calc}
+\usepackage{ulem}
+\usepackage{courier}
+\usepackage{listings}
+\renewcommand{\uline}[1]{#1}
+\usetikzlibrary{arrows}
+\usetikzlibrary{automata}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 04, King's College London, 16 October 2012}
+
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (4)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also homework is there)\\
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Unix-Style Access Control}
+
+\begin{itemize}
+\item Q: ``I am using Windows. Why should I care?'' \\ A: In Windows you have similar AC:
+
+\begin{center}
+\begin{tabular}{l}
+administrators group\\
+\hspace{5mm}(has complete control over the machine)\\
+authenticated users\\
+server operators\\
+power users\\
+network configuration operators\\
+\end{tabular}
+\end{center}\medskip
+
+\item Modern versions of Windows have more fine-grained AC than Unix; they do not have a setuid bit, but
+have \texttt{runas} (asks for a password).\pause
+
+\item OS-provided access control can \alert{\bf add} to your
+security.
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+
+
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (4.7,1) node {Internet};
+ \draw (-2.7,1.7) node {\footnotesize Application};
+ \draw (0.6,1.7) node {\footnotesize Interface};
+ \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+ \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item the idea is make the attack surface smaller and
+mitigate the consequences of an attack
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Shared Access Control}
+
+\begin{center}
+\includegraphics[scale=0.7]{pics/pointsplane.jpg}
+\end{center}
+
+\begin{textblock}{11}(10.5,10.5)
+\small
+To take an action you\\[-1mm]
+need at least either:
+\begin{itemize}
+\item 1 CEO\\[-5mm]
+\item 2 MDs, or\\[-5mm]
+\item 3 Ds
+\end{itemize}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Lessons from Access Control}
+
+Not just restricted to Unix:
+
+\begin{itemize}
+\item if you have too many roles (i.e.~too finegrained AC), then
+ hierarchy is too complex\\
+ \textcolor{gray}{you invite situations like\ldots let's be root}\bigskip
+
+\item you can still abuse the system\ldots
+
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
+
+The idea is to trick a privileged person to do something on your behalf:
+
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+
+\footnotesize
+\begin{minipage}{1.1\textwidth}
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+
+\textcolor{gray}{this takes time}
+\end{minipage}
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
+
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
+\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes the real passwd file
+\end{enumerate}
+
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize\color{darkgray}
+\begin{minipage}{9cm}\raggedright
+To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier Analysis\end{tabular}}
+
+\textcolor{gray}{There is no absolutely secure system and security almost never comes for free.}
+
+\begin{itemize}
+\item What assets are you trying to protect?
+\item What are the risks to these assets?
+\item How well does the security solution mitigate those risks?
+\item What other risks does the security solution cause?
+\item What costs and trade-offs does the security solution impose?
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Example: Credit Cards\end{tabular}}
+
+You might have the policy of not typing in your credit card online. Worthwhile or not?
+\begin{itemize}
+\item<2->What assets are you trying to protect?\\
+\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}your credit card number\end{tabular}}
+\item<3->What are the risks to these assets?\\
+\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+With credit cards you loose a fixed amount \pounds{50}. Amazon \pounds{50}. \end{tabular}}
+\item<4->How well does the security solution mitigate those risks?\\
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Well, hackers steal credit cards from databases. They usually do not attack you individually.\end{tabular}}
+\item<5->What other risks does the security solution cause?
+\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright None (?)\end{tabular}}
+\item<6->What costs and trade-offs does the security solution impose?
+\only<6>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Internet shopping is convenient and sometimes cheaper.\end{tabular}}
+\item<7>[]{\bf\large No!}
+\end{itemize}\pause\pause
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewalls\end{tabular}}
+
+\begin{center}
+\includegraphics[scale=0.5]{pics/firewall.png}
+\end{center}
+
+A firewall is a piece of software that controls incoming and outgoing traffic according to some rules.
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewalls\end{tabular}}
+
+\begin{itemize}
+\item<1->What assets are you trying to protect?\\
+\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Whatever is behind the firewall
+(credit cards, passwords, blueprints, \ldots)\end{tabular}}
+\item<2->What are the risks to these assets?\\
+\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+With a small online shop you are already at risk. Pentagon, definitely.\end{tabular}}
+\item<3->How well does the security solution mitigate those risks?\\
+\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Well, at home so not much. Everywhere else, if properly configurated then it does.\end{tabular}}
+\item<4->What other risks does the security solution cause?
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright There might be backdoors or bugs in the firewall,
+but generally they are secure. You choose to prevent certain traffic.\end{tabular}}
+\item<5->What costs and trade-offs does the security solution impose?
+\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Minimal to modest. Firewalls are part of free software. You need a knowledgeable
+person to set them up.\end{tabular}}
+\item<7>[]{\bf\large Yes!}
+\end{itemize}\pause\pause
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
+
+Google uses nowadays two-factor authentication. But it is an old(er)
+idea. It is used for example in Germany and Netherlands for online transactions.
+
+\begin{center}
+\includegraphics[scale=0.6]{pics/tan1.jpg}\hspace{5mm}
+\includegraphics[scale=0.2]{pics/tan2.jpg}
+\end{center}
+
+\pause
+Or nowadays by SMS (restricts the validity of the numbers) or with a secure generator
+
+\begin{center}
+\includegraphics[scale=0.08]{pics/pinsentry.jpg}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
+
+\begin{itemize}
+\item<1->What assets are you trying to protect?\\
+\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Your bank account.\end{tabular}}
+\item<2->What are the risks to these assets?\\
+\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Nowadays pretty high risk.\end{tabular}}
+\item<3->How well does the security solution mitigate those risks?\\
+\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+It prevents problems when passwords are stolen. Man-in-the-middle attacks
+still possible.\end{tabular}}
+\item<4->What other risks does the security solution cause?
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Your mobile phone or credit card/pin might
+be stolen. SIM card becomes more valuable.\end{tabular}}
+\item<5->What costs and trade-offs does the security solution impose?
+\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Banks need to establish an infrastructure. For you it might be inconvenient.\end{tabular}}
+\item<7>[]{\bf\large Yes!}
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals\end{tabular}}
+
+According to Ross Anderson: ``\ldots is a tamper-indicating device
+designed to leave non-erasable, unambiguous evidence of unauthorized
+entry or tampering.''
+
+\begin{center}
+\includegraphics[scale=0.45]{pics/seal.jpg}
+\end{center}\mbox{}\\[-12mm]
+
+They also need some quite sophisticated policies (seal regiment).
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals (2)\end{tabular}}
+
+\begin{itemize}
+\item at the Argonne National Laboratory they tested 244 different security seals
+\begin{itemize}
+\item meantime to break the seals for a trained person: 100 s
+\item including 19\% that were used for safeguard of nuclear material
+\end{itemize}\bigskip
+
+\item Andrew Appel defeated all security seals which were supposed to keep
+voting machines safe
+\end{itemize}
+
+
+\only<2>{
+\begin{textblock}{11}(1,1)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\normalsize
+\begin{minipage}{11cm}\raggedright\small
+\begin{center}
+\includegraphics[scale=0.25]{pics/appelseals.jpg}
+\end{center}
+\begin{center}
+\begin{minipage}{10.5cm}
+\begin{itemize}
+\item The tamper-indicating tape can be lifted using a heat gun.
+\item The security screw cap can be removed using a screwdriver, then the
+serial-numbered top can be replaced (undamaged) onto a fresh (unnumbered) base.
+\item The wire seal can be defeated using a \#4 wood screw.
+\item The plastic strap seal can be picked using a jeweler's screwdriver.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Example: Security Seals\end{tabular}}
+
+\begin{itemize}
+\item<1->What assets are you trying to protect?\\
+\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Voting machines, doors.\end{tabular}}
+\item<2->What are the risks to these assets?\\
+\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Casual thieves, insider attacks.\end{tabular}}
+\item<3->How well does the security solution mitigate those risks?\\
+\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Needs a quite complicated security regiment.\end{tabular}}
+\item<4->What other risks does the security solution cause?
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You might not notice tampering.\end{tabular}}
+\item<5->What costs and trade-offs does the security solution impose?
+\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+The ``hardware'' is cheap, but indirect costs can be quite high.\end{tabular}}
+\item<7>[]{\bf\large No!} {\textcolor{gray}{Though in some areas they work: airports, swimming pools, \ldots}}
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Security-by-Obscurity\end{tabular}}
+
+You might think it is a good idea to keep a security relevant algorithm or
+software secret.
+
+\begin{itemize}
+\item<1->What assets are you trying to protect?\\
+\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Source code, an algorithm and things that depend on it\end{tabular}}
+\item<2->What are the risks to these assets?\\
+\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Can be pretty high (Oystercards).\end{tabular}}
+\item<3->How well does the security solution mitigate those risks?\\
+\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
+Not really. The source code can be reverse engineered, stolen, coerced \ldots{}\end{tabular}}
+\item<4->What other risks does the security solution cause?
+\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You prevent
+scrutiny and independent advice. You also more likely than not to
+get it wrong.\end{tabular}}
+\item<5>[]{\bf\large No!}
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Voting as Security Problem\end{tabular}}
+
+What are the security requirements of a voting system?\bigskip
+
+\begin{itemize}
+\item<2->Integrity
+\item<3->Ballot Secrecy
+\item<5->Voter Authentication
+\item<6->Enfranchisement
+\item<7->Availability
+\end{itemize}
+
+\only<2>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item The outcome matches with the voters' intend.
+\item There might be gigantic sums at stake and need to be defended against.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<4>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item Nobody can find out how you voted.
+\item (Stronger) Even if you try, you cannot prove how you voted.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<5>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item Only authorised voters can vote up to the permitted number of votes.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<6>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item Authorised voters should have the opportunity to vote.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<7>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item The voting system should accept all authorised votes and produce results in a timely manner.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
+
+
+\begin{center}
+\includegraphics[scale=2.5]{pics/ballotbox.jpg}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Problems with Voting\end{tabular}}
+
+
+\begin{center}\large
+\begin{tabular}{rcl}
+Integrity & vs. & Ballot Secrecy\bigskip\\
+Authentication & vs. &Enfranchisement
+\end{tabular}
+\end{center}\bigskip\bigskip\pause
+
+Further constraints:
+
+\begin{itemize}
+\item costs
+\item accessibility
+\item convenience
+\item intelligibility
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
+
+
+\begin{itemize}
+\item The Netherlands between 1997 - 2006 had electronic voting machines\\
+\textcolor{gray}{(hacktivists had found: they can be hacked and also emitted radio signals revealing how you voted)}
+
+\item Germany had used them in pilot studies\\
+\textcolor{gray}{(in 2007 a law suit has reached the highest court and it rejected electronic voting
+on the grounds of not being understandable by the general public)}
+
+\item UK used optical scan voting systems in a few polls
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
+
+\mbox{}\\[-12mm]
+\begin{itemize}
+\item US used mechanical machines since the 30s, later punch cards, now DREs and
+optical scan voting machines \textcolor{gray}{(fantastic ``ecosystem'' for study)}
+
+\item Estonia used in 2007 the Internet for national elections
+\textcolor{gray}{(there were earlier pilot studies in other countries)}
+
+\item India uses e-voting devices since at least 2003\\
+\textcolor{gray}{(``keep-it-simple'' machines produced by a government owned company)}
+
+\item South Africa used software for its tallying in the 1993 elections (when Nelson Mandela was elected)
+\textcolor{gray}{(they found the tallying software was rigged, but they were able to tally manually)}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}A Brief History of Voting\end{tabular}}
+
+
+\begin{itemize}
+\item Athenians
+\begin{itemize}
+\item show of hands
+\item ballots on pieces of pottery
+\item different colours of stones
+\item ``facebook''-like authorisation
+\end{itemize}\bigskip
+
+\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip
+
+
+\item French Revolution and the US Constitution got things ``started'' with
+paper ballots (you first had to bring your own; later they were pre-printed by parties)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
+
+Security policies involved with paper ballots:
+
+\begin{enumerate}
+\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing)
+\item you need to guard the ballot box during the poll until counting
+\item tallied by a team at the end of the poll (independent observers)
+\end{enumerate}
+
+\begin{center}
+\includegraphics[scale=1.5]{pics/ballotbox.jpg}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}}
+
+What can go wrong with paper ballots?
+
+\only<2>{
+\begin{center}
+\includegraphics[scale=0.8]{pics/tweet.jpg}\\
+\footnotesize William M.~Tweed, US Politician in 1860's\\
+``As long as I count the votes, what are you going to do about it?''
+\end{center}}
+
+\only<3>{
+\medskip
+\begin{center}
+\begin{minipage}{10cm}
+{\bf Chain Voting Attack}
+\begin{enumerate}
+\item you obtain a blank ballot and fill it out as you want
+\item you give it to a voter outside the polling station
+\item voter receives a new blank ballot
+\item voter submits prefilled ballot
+\item voter gives blank ballot to you, you give money
+\item goto 1
+\end{enumerate}
+\end{minipage}
+\end{center}
+}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Mechanical Voting Machines\end{tabular}}
+
+\begin{itemize}
+\item<1-> Lever Voting Machines (ca.~1930 - 1990)
+\only<1>{
+\begin{center}
+\includegraphics[scale=0.56]{pics/leavermachine.jpg}
+\end{center}
+}
+\item<2->Punch Cards (ca.~1950 - 2000)
+\only<2>{
+\begin{center}
+\includegraphics[scale=0.5]{pics/punchcard1.jpg}\;\;
+\includegraphics[scale=0.46]{pics/punchcard2.jpg}
+\end{center}
+}
+\end{itemize}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}}
+
+\begin{center}
+\begin{tabular}{c}
+\includegraphics[scale=0.45]{pics/dre1.jpg}\;
+\includegraphics[scale=0.40]{pics/dre2.jpg}\\\hline\\
+\includegraphics[scale=0.5]{pics/opticalscan.jpg}
+\end{tabular}
+\end{center}
+
+\only<1->{
+\begin{textblock}{5.5}(1,4)
+DREs
+\end{textblock}}
+\only<1->{
+\begin{textblock}{5.5}(1,11)
+Optical Scan
+\end{textblock}}
+
+\only<2>{
+\begin{textblock}{5.5}(0.5,14.5)
+all are computers
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}}
+
+Direct-recording electronic voting machines\\
+(votes are recorded for example memory cards)
+
+typically touchscreen machines
+
+usually no papertrail (hard to add: ballot secrecy)
+
+\begin{center}
+\includegraphics[scale=0.56]{pics/dre1.jpg}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
+
+The work by J.~Alex Halderman:
+
+\begin{itemize}
+\item acquired a machine from an anonymous source\medskip
+\item the source code running the machine was tried to keep secret\medskip\pause
+
+\item first reversed-engineered the machine (extremely tedious)
+\item could completely reboot the machine and even install a virus that infects other Diebold machines
+\item obtained also the source code for other machines
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
+
+What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause
+
+A non-obvious problem:
+
+\begin{itemize}
+\item you can nowadays get old machines, which still store old polls
+
+\item the paper ballot box needed to be secured during the voting until counting;
+e-voting machines need to be secured during the entire life-time
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}}
+
+Conclusion:\\ Any electronic solution should have a paper trail.
+
+\begin{center}
+\begin{tabular}{c}
+\includegraphics[scale=0.5]{pics/opticalscan.jpg}
+\end{tabular}
+\end{center}\pause
+
+You still have to solve problems about
+Voter registration, voter authentification, guarding against tampering
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}}
+
+Their underlying engineering principle is ``keep-it-simple'':
+
+\begin{center}
+\begin{tabular}{c}
+\includegraphics[scale=1.05]{pics/indiaellection.jpg}\;\;
+\includegraphics[scale=0.40]{pics/india1.jpg}
+\end{tabular}
+\end{center}\medskip\pause
+
+Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'' , ``infallible''
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Lessons to be Learned\end{tabular}}
+
+\begin{itemize}
+\item keep a paper trail and design your system to keep this secure\medskip
+\item make the software open source (avoid security-by-obscurity))\medskip
+\item have a simple design in order to minimise the attack surface
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=0.56]{pics/Voting1.png}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=0.56]{pics/Voting2.png}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=0.56]{pics/Voting3.png}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=0.56]{pics/Voting4.png}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides05.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides05.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,1296 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{proof}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{courier}
+\usepackage{listings}
+\usetikzlibrary{arrows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+
+\isabellestyle{rm}
+\renewcommand{\isastyle}{\rm}%
+\renewcommand{\isastyleminor}{\rm}%
+\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
+\renewcommand{\isatagproof}{}
+\renewcommand{\endisatagproof}{}
+\renewcommand{\isamarkupcmt}[1]{#1}
+
+% Isabelle characters
+\renewcommand{\isacharunderscore}{\_}
+\renewcommand{\isacharbar}{\isamath{\mid}}
+\renewcommand{\isasymiota}{}
+\renewcommand{\isacharbraceleft}{\{}
+\renewcommand{\isacharbraceright}{\}}
+\renewcommand{\isacharless}{$\langle$}
+\renewcommand{\isachargreater}{$\rangle$}
+\renewcommand{\isasymsharp}{\isamath{\#}}
+\renewcommand{\isasymdots}{\isamath{...}}
+\renewcommand{\isasymbullet}{\act}
+
+
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 05, King's College London, 23 October 2012}
+
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (5)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also homework is there)\\
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Satan's Computer}
+
+Ross Anderson and Roger Needham wrote:\bigskip
+
+\begin{quote}
+In effect, our task is to program a computer which gives
+answers which are subtly and maliciously wrong at the most
+inconvenient possible moment\ldots{} we hope that the lessons
+learned from programming Satan's computer may be helpful
+in tackling the more common problem of programming Murphy's.
+\end{quote}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Protocol Specifications}
+
+The Needham-Schroeder Protocol:
+
+\begin{center}
+\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
+Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+Message 4 & \bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+Message 5 & \bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Cryptographic Protocol Failures}
+
+Again Ross Anderson and Roger Needham wrote:\bigskip
+
+\begin{quote}
+\textcolor{gray}{
+A lot of the recorded frauds were the result of this kind of blunder, or from
+management negligence pure and simple.} However, there have been a
+significant number of cases where the designers protected the right things,
+used cryptographic algorithms which were not broken, and yet found that their
+systems were still successfully attacked.
+\end{quote}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{The Access Control Problem}
+
+
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (-2.7,1) node {\begin{tabular}{l}access\\request\end{tabular}};
+ \draw (4.2,1) node {\begin{tabular}{l}granted/\\not granted\end{tabular}};
+ \draw (0.6,1.2) node {\footnotesize \begin{tabular}{l}Access\\Control\\Checker\end{tabular}};
+
+ \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
+ \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
+ \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
+
+ \draw (0.6,4) node {\begin{tabular}{l}\large some rules\\(access policy)\end{tabular}};
+
+ \end{tikzpicture}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control Logic}
+
+Ross Anderson about the use of Logic:\bigskip
+
+\begin{quote}
+Formal methods can be an excellent way of finding
+bugs in security protocol designs as they force the designer
+to make everything explicit and thus confront dif$\!$ficult design
+choices that might otherwise be fudged.
+\end{quote}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (-2.7,1) node {\begin{tabular}{l}access\\request\end{tabular}};
+ \draw (4.2,1) node {\begin{tabular}{l}granted/\\not granted\end{tabular}};
+ \draw (0.6,1.2) node {\footnotesize \begin{tabular}{l}Access\\Control\\Checker\end{tabular}};
+
+ \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
+ \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
+ \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
+
+ \draw (0.6,3.7) node {\begin{tabular}{l}access policy\end{tabular}};
+
+ \end{tikzpicture}
+\end{center}
+
+Assuming one file on my computer contains a virus.\smallskip\\
+\only<1>{Q: Given my access policy, can this file ``infect'' my whole computer?}%
+\only<2>{Q: Can my access policy prevent that my whole computer gets infected.}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \small
+ \begin{center}
+ \mbox{
+ \inferrule{\mbox{\begin{tabular}{l}
+ \ldots\\
+ is\_at\_library (Christian)\\
+ is\_student (a) $\wedge$ is\_at\_library (a) $\Rightarrow$ may\_obtain\_email (a)\\
+ is\_staff (a) $\wedge$ is\_at\_library (a) $\Rightarrow$ may\_obtain\_email (a)\medskip\\
+ \onslide<2->{HoD says is\_staff (a) $\Rightarrow$ is\_staff (a)}\\
+ \onslide<2->{HoD says is\_staff (Christian)}\medskip\\
+ \onslide<3->{may\_obtain\_email (a) $\wedge$ sending\_spam (a) $\Rightarrow$\\}
+ \onslide<3->{\hspace{6cm}$\neg$ may\_obtain\_email (a)}
+ \end{tabular}
+ }}
+ {\mbox{? may\_obtain\_email (Christian)}}}
+ \end{center}
+ \end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{}
+
+ There are two ways for tackling such problems:\medskip
+
+ \begin{itemize}
+ \item either you make up our own language in which you can describe
+ the problem,\medskip
+
+ \item or you use an existing language and represent the problem in
+ this language.
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{\Large\begin{tabular}{@ {}c@ {}}Logic(s)\end{tabular}}
+
+ \begin{itemize}
+ \item Formulas
+
+ \begin{center}\color{blue}
+ \begin{tabular}{rcl@ {\hspace{10mm}}l}
+ \isa{F} & \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}} & \isa{true} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{false} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F} & \textcolor{black}{implies}\\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ F} & \textcolor{black}{negation}\\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{p\ {\isaliteral{28}{\isacharparenleft}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{5C3C646F74733E}{\isasymdots}}{\isaliteral{2C}{\isacharcomma}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub n{\isaliteral{29}{\isacharparenright}}} & \textcolor{black}{predicates}\\
+ & \onslide<2->{\isa{{\isaliteral{7C}{\isacharbar}}}} & \onslide<2->{\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ F}} &
+ \onslide<2->{\textcolor{black}{forall quantification}}\\
+ & \onslide<2->{\isa{{\isaliteral{7C}{\isacharbar}}}} & \onslide<2->{\isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ F}} &
+ \onslide<2->{\textcolor{black}{exists quantification}}\\[-7mm]
+ \end{tabular}
+ \end{center}
+
+ \end{itemize}
+
+ \begin{textblock}{12}(1,14)
+ Terms \textcolor{blue}{\isa{t\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{7C}{\isacharbar}}\ c\ {\isaliteral{5C3C646F74733E}{\isasymdots}}}}
+ \end{textblock}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+
+{\lstset{language=Scala}\fontsize{10}{12}\selectfont
+\texttt{\lstinputlisting{programs/formulas.scala}}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Judgements}
+
+ \begin{center}
+ \LARGE
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}
+ \end{center}
+
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}}} is a collection of formulas, called the \alert{assumptions}\bigskip\pause
+
+ \begin{itemize}
+ \item Example\mbox{}\\[-8mm]
+
+ \only<2>{\begin{center}\tiny
+ \textcolor{blue}{
+ \begin{tabular}{l}
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
+ \end{tabular}\isa{{\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}
+ \end{center}}
+ \only<3>{\small
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
+ {\mbox{\begin{tabular}{@ {}l@ {}}
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
+ \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
+ \end{tabular}}
+ }
+ }
+ \end{center}
+ }}
+ \only<4>{\small
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Alice{\isaliteral{29}{\isacharparenright}}}}}
+ {\mbox{\begin{tabular}{@ {}l@ {}}
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Alice{\isaliteral{29}{\isacharparenright}}}\\
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
+ \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
+ \end{tabular}}
+ }
+ }
+ \end{center}
+ }}
+
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+
+{\lstset{language=Scala}\fontsize{10}{12}\selectfont
+\texttt{\lstinputlisting{programs/judgement.scala}}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Inference Rules}
+
+ \textcolor{blue}{
+ \begin{center}
+ \Large
+ \mbox{
+ \infer{\mbox{\isa{conclusion}}}
+ {\mbox{\isa{premise\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}} & \mbox{\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}} & \mbox{\isa{premise\isaliteral{5C3C5E697375623E}{}\isactrlisub n}}}}
+ \end{center}}
+
+ The conlusion and premises are judgements\bigskip\pause
+
+ \begin{itemize}
+ \item Examples
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}}
+ \end{center}}\pause
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
+ \hspace{10mm}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}}
+ \end{center}}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Implication}
+ \Large
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}{\isaliteral{2C}{\isacharcomma}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}}
+ \end{center}}
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Universal Quantification}
+ \Large
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F{\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ t{\isaliteral{5D}{\isacharbrackright}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ F}}}}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Start Rules / Axioms}
+
+ \normalsize
+ \alert{if \textcolor{blue}{\isa{F\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{5C3C47616D6D613E}{\isasymGamma}}}}}
+
+ \textcolor{blue}{\Large
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}{}}
+ \end{center}}\bigskip\pause
+
+ \normalsize
+ Also written as:
+ \textcolor{blue}{\Large
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}{\isaliteral{2C}{\isacharcomma}}\ F\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}{}}
+ \end{center}}\pause
+
+ \textcolor{blue}{\Large
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ true}}}{}}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{}
+
+ \begin{minipage}{1.1\textwidth}
+ Let \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\footnotesize\begin{tabular}{l}
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
+ \end{tabular}}
+ \end{minipage}
+
+ \only<2>{
+ \begin{textblock}{12}(4,3)\footnotesize
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}\hspace{10mm}
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}
+ \end{textblock}}
+
+ \only<3->{
+ \begin{textblock}{12}(4,3)\footnotesize
+ \mbox{\textcolor{blue}{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}} &\hspace{10mm}
+ \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
+ }}
+ \end{textblock}}
+
+ \only<4>{
+ \begin{textblock}{14}(0.5,6)\footnotesize
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}}
+ \end{textblock}}
+
+ \only<5->{
+ \begin{textblock}{14}(0.5,6)\footnotesize
+ \textcolor{blue}{
+ \infer{\mbox{\begin{tabular}{l}\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
+ \hspace{40mm}\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\end{tabular}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}}}}
+ \end{textblock}}
+
+ \only<6->{
+ \begin{textblock}{14}(5,10)\footnotesize
+ \textcolor{blue}{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
+ {\vdots & \hspace{30mm} \vdots}}
+ \end{textblock}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Access Control}
+ \Large
+
+ \textcolor{blue}{
+ \begin{center}
+ \isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}
+ \end{center}}\bigskip
+
+ \normalsize
+ \begin{itemize}
+ \item If there is a proof \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} yes (granted)
+ \item If there isn't \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} no (denied)
+ \end{itemize}\bigskip\pause
+
+\begin{minipage}{1.1\textwidth}
+ \small
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
+ \end{tabular}}\medskip
+
+ \textcolor{blue}{
+ \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}} $\not\vdash$ \isa{may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Alice{\isaliteral{29}{\isacharparenright}}}}}
+\end{minipage}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{The Access Control Problem}
+
+
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}};
+ \draw (4.2,1) node {\begin{tabular}{l}granted/\\not granted\end{tabular}};
+ \draw (0.6,1.2) node {\footnotesize \begin{tabular}{l}Access\\Control\\Checker\end{tabular}};
+
+ \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
+ \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
+ \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
+
+ \draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\bl{$\Gamma$})\end{tabular}};
+
+ \end{tikzpicture}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Bad News}
+
+ \begin{itemize}
+ \item We introduced (roughly) first-order logic. \bigskip\pause
+
+ \item Judgements
+ \begin{center}
+ \textcolor{blue}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
+ \end{center}
+
+ are in general \alert{undecidable}.\pause\medskip\\
+
+ The problem is \alert{semi-decidable}.
+
+ \end{itemize}
+
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{\Large\begin{tabular}{@ {}c@ {}}Access Control Logic\end{tabular}}
+
+ \begin{itemize}
+ \item[]
+
+ \begin{center}\color{blue}
+ \begin{tabular}[t]{rcl@ {\hspace{10mm}}l}
+ \isa{F} & \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}} & \isa{true} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{false} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}\\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{p\ {\isaliteral{28}{\isacharparenleft}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{5C3C646F74733E}{\isasymdots}}{\isaliteral{2C}{\isacharcomma}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub n{\isaliteral{29}{\isacharparenright}}} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \alert{\isa{P\ says\ F}} & \textcolor{black}{``saying predicate''}\\
+ \end{tabular}
+ \end{center}
+
+ where \textcolor{blue}{\isa{P\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ Alice{\isaliteral{2C}{\isacharcomma}}\ Bob{\isaliteral{2C}{\isacharcomma}}\ Christian{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}}} (principals)\bigskip\pause
+
+ \item \textcolor{blue}{\isa{HoD\ says\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}
+ \end{itemize}
+
+
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+
+{\lstset{language=Scala}\fontsize{10}{12}\selectfont
+\texttt{\lstinputlisting{programs/formulas1.scala}}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Rules about Says}
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}}
+ \end{center}}
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ {\isaliteral{28}{\isacharparenleft}}F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}}} & \hspace{10mm}\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
+ \end{center}}
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}}}}}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{}
+
+ Consider the following scenario:
+
+ \begin{itemize}
+ \item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}
+ should be deleted, then this file must be deleted.
+ \item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether
+ \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}} should be deleted.
+ \item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}.
+ \end{itemize}\bigskip\pause
+
+ \small
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}},\\
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}\\
+ \end{tabular}}\medskip\pause
+
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{}
+
+ \textcolor{blue}{
+ \begin{center}
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}}\\\bigskip
+ \mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ {\isaliteral{28}{\isacharparenleft}}F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}}} & \hspace{5mm}\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
+ \end{center}}\bigskip
+
+ \small
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}},\\
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}\\
+ \end{tabular}}\medskip
+
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{}
+ \small
+
+ \textcolor{blue}{
+ \begin{center}
+ \only<1>{$ \underbrace{
+ \mbox{\infer{\Gamma \vdash \mbox{Admin says (Bob says del\_file)}}
+ {\infer{\Gamma \vdash \mbox{Bob says del\_file}}{}}}}_{X}$}
+ \end{center}}
+
+ \textcolor{blue}{
+ \begin{center}
+ \only<1>{
+ $ \underbrace{
+ \mbox{\infer{\Gamma \vdash \mbox{Admin says del\_file}}
+ {\infer{\Gamma \vdash \mbox{Admin says (Bob says del\_file \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} del\_file)}}{}
+ &
+ \deduce[$\vdots$]{X}{}
+ }}}_{Y}$}
+ \end{center}}
+
+ \textcolor{blue}{
+ \begin{center}
+ \only<1>{\mbox{\infer{\Gamma \vdash \mbox{del\_file}}
+ {\infer{\Gamma \vdash \mbox{(Admin says del\_file) \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} del\_file}}{}
+ &
+ \deduce[$\vdots$]{Y}{}
+ }}}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Controls}
+ \small
+
+ \begin{itemize}
+ \item \bl{\isa{P\ controls\ F\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}}
+
+ \item its meaning ``\bl{P} is entitled to do \bl{F}''
+ \item if \bl{P controls F} and \bl{P says F} then \bl{F}\pause
+
+ \begin{center}
+ \bl{\mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ }}
+ \end{center}\pause
+
+ \begin{center}
+ \bl{\mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ }}
+ \end{center}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Speaks For}
+ \small
+
+ \begin{itemize}
+ \item \bl{\isa{P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}F{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Q\ says\ F{\isaliteral{29}{\isacharparenright}}}}
+
+ \item its meaning ``\bl{P} speaks for \bl{Q}''
+
+
+ \begin{center}
+ \bl{\mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ says\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ }}
+ \end{center}\pause
+
+ \begin{center}
+ \bl{\mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ controls\ F}}}
+ }}
+ \end{center}
+
+ \begin{center}
+ \bl{\mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ R}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ R}}}
+ }}
+ \end{center}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Tickets}
+
+ \begin{itemize}
+ \item Tickets control access to restricted objects.\bigskip
+ \end{itemize}
+ \small
+
+ Example: \bl{Permitted (Bob, enter\_flight)} ? \bigskip
+
+ \begin{minipage}{1.1\textwidth}
+ \begin{itemize}
+ \item \bl{Bob says Permitted (Bob, enter\_flight)}\\ (access request)
+ \item \bl{Ticket says (Bob controls Permitted (Bob, enter\_flight))}
+ \item \bl{Airline controls (Bob controls Permitted (Bob, enter\_flight))} (access policy)\pause
+ \item \bl{\isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Airline}}\\
+ (trust assumption)
+ \end{itemize}
+ \end{minipage}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Tickets}
+ \small
+
+ \begin{minipage}{1.1\textwidth}
+ \begin{enumerate}
+ \item \bl{Bob says Permitted (Bob, enter\_flight)}
+ \item \bl{Ticket says (Bob controls Permitted (Bob, enter\_flight))}
+ \item \bl{Airline controls (Bob controls Permitted (Bob, enter\_flight))}
+ \item \bl{\isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Airline}}
+ \end{enumerate}
+ \end{minipage}\bigskip\bigskip
+
+ Is \bl{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Permitted\ {\isaliteral{28}{\isacharparenleft}}Bob{\isaliteral{2C}{\isacharcomma}}\ enter{\isaliteral{5F}{\isacharunderscore}}flight{\isaliteral{29}{\isacharparenright}}}} derivable ? \bigskip
+
+
+ \small
+ \begin{minipage}{1.1\textwidth}
+ \begin{center}
+ \bl{\mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ }}
+ \bl{\mbox{\hspace{6mm}
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ says\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ }}
+ \end{center}
+ \end{minipage}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Tickets}
+ \small
+
+ \begin{minipage}{1.1\textwidth}
+ \begin{itemize}
+ \item Access Request:
+ \begin{center}
+ \bl{Person says Object}
+ \end{center}
+
+ \item Ticket:
+ \begin{center}
+ \bl{Ticket says (Person controls Object)}
+ \end{center}
+
+ \item Access policy:
+ \begin{center}
+ \bl{Authority controls (Person controls Object)}
+ \end{center}
+
+ \item Trust assumption:
+ \begin{center}
+ \bl{\isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Authority}}
+ \end{center}
+ \end{itemize}
+ \end{minipage}
+
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{\LARGE Derived Rule for Tickets}
+ \small
+ \mbox{}\\[2cm]
+
+ \begin{center}
+ \bl{\mbox{\infer{\mbox{F}}
+ {\mbox{\begin{tabular}{l}
+ Authority controls (Person controls F)\\
+ Ticket says (Person controls F)\\
+ \isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Authority}\\
+ Person says F
+ \end{tabular}}
+ }}}
+ \end{center}
+ \mbox{}\\[1cm]
+
+
+ \small
+ \begin{minipage}{1.1\textwidth}
+ \begin{center}
+ \bl{\mbox{
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ }}
+ \bl{\mbox{\hspace{6mm}
+ \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ says\ F}}}
+ {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
+ }}
+ \end{center}
+ \end{minipage}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Security Levels}
+ \small
+
+ \begin{itemize}
+ \item Top secret (\bl{$T\!S$})
+ \item Secret (\bl{$S$})
+ \item Public (\bl{$P$})
+ \end{itemize}
+
+ \begin{center}
+ \bl{$slev(P) < slev(S) < slev(T\!S)$}\pause
+ \end{center}
+
+ \begin{itemize}
+ \item Bob has a clearance for ``secret''
+ \item Bob can read documents that are public or sectret, but not top secret
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Reading a File}
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ \only<2->{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$}}\\
+ \only<2->{\hspace{3cm}}Bob controls Permitted $($File, read$)$\\
+ Bob says Permitted $($File, read$)$\only<2->{\\}
+ \only<2>{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$}}%
+ \only<3>{\textcolor{red}{$slev($File$)$ $=$ $P$}\\}%
+ \only<3>{\textcolor{red}{$slev($Bob$)$ $=$ $S$}\\}%
+ \only<3>{\textcolor{red}{$slev(P)$ $<$ $slev(S)$}\\}%
+ \end{tabular}\\
+ \hline
+ Permitted $($File, read$)$
+ \end{tabular}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Substitution Rule}
+ \small
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ $\Gamma \vdash slev(P) = l_1$ \hspace{4mm} $\Gamma \vdash slev(Q) = l_2$
+ \hspace{4mm} $\Gamma \vdash l_1 < l_2$\\\hline
+ $\Gamma \vdash slev(P) < slev(Q)$
+ \end{tabular}
+ \end{center}}\bigskip\pause
+
+ \begin{itemize}
+ \item \bl{$slev($Bob$)$ $=$ $S$}
+ \item \bl{$slev($File$)$ $=$ $P$}
+ \item \bl{$slev(P) < slev(S)$}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Reading a File}
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ $slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$\\
+ \hspace{3cm}Bob controls Permitted $($File, read$)$\\
+ Bob says Permitted $($File, read$)$\\
+ $slev($File$)$ $=$ $P$\\
+ $slev($Bob$)$ $=$ $T\!S$\\
+ \only<1>{\textcolor{red}{$?$}}%
+ \only<2>{\textcolor{red}{$slev(P) < slev(S)$}\\}%
+ \only<2>{\textcolor{red}{$slev(S) < slev(T\!S)$}}%
+ \end{tabular}\\
+ \hline
+ Permitted $($File, read$)$
+ \end{tabular}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Transitivity Rule}
+ \small
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ $\Gamma \vdash l_1 < l_2$
+ \hspace{4mm} $\Gamma \vdash l_2 < l_3$\\\hline
+ $\Gamma \vdash l_1 < l_3$
+ \end{tabular}
+ \end{center}}\bigskip
+
+ \begin{itemize}
+ \item \bl{$slev(P) < slev (S)$}
+ \item \bl{$slev(S) < slev (T\!S)$}
+ \item[] \bl{$slev(P) < slev (T\!S)$}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Reading Files}
+
+ \begin{itemize}
+ \item Access policy for reading
+ \end{itemize}
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ $\forall f.\;slev(f)$ \only<1>{$<$}\only<2>{\textcolor{red}{$\le$}} $slev($Bob$)$ $\Rightarrow$\\
+ \hspace{3cm}Bob controls Permitted $(f$, read$)$\\
+ Bob says Permitted $($File, read$)$\\
+ $slev($File$)$ $=$ \only<1>{$P$}\only<2>{\textcolor{red}{$T\!S$}}\\
+ $slev($Bob$)$ $=$ $T\!S$\\
+ $slev(P) < slev(S)$\\
+ $slev(S) < slev(T\!S)$
+ \end{tabular}\\
+ \hline
+ Permitted $($File, read$)$
+ \end{tabular}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Writing Files}
+
+ \begin{itemize}
+ \item Access policy for \underline{writing}
+ \end{itemize}
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ $\forall f.\;slev($Bob$)$ $\le$ $slev(f)$ $\Rightarrow$\\
+ \hspace{3cm}Bob controls Permitted $(f$, write$)$\\
+ Bob says Permitted $($File, write$)$\\
+ $slev($File$)$ $=$ $T\!S$\\
+ $slev($Bob$)$ $=$ $S$\\
+ $slev(P) < slev(S)$\\
+ $slev(S) < slev(T\!S)$
+ \end{tabular}\\
+ \hline
+ Permitted $($File, write$)$
+ \end{tabular}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Bell-LaPadula}
+ \small
+
+ \begin{itemize}
+ \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+ \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
+ \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+ \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
+
+ \item Meta-Rule: All principals in a system should have a sufficiently high security level
+ in order to access an object.
+ \end{itemize}\bigskip
+
+ This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
+
+ Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
+
+ \begin{tikzpicture}
+ \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+ {\normalsize\color{darkgray}
+ \begin{minipage}{10cm}\raggedright
+ A principal should have as few privileges as possible to access a resource.
+ \end{minipage}};
+ \end{tikzpicture}\bigskip\bigskip
+ \small
+
+ \begin{itemize}
+ \item Bob ($T\!S$) and Alice ($S$) want to communicate
+ \item[] $\Rightarrow$ Bob should lower his security level
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Biba Policy}
+ \small
+
+ Data Integrity (rather than data confidentiality)
+
+ \begin{itemize}
+ \item Biba: {\bf `no read down'} - {\bf `no write up'}
+ \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
+ \bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
+ \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
+ \bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
+ \end{itemize}\bigskip\bigskip\pause
+
+ E.g.~Generals write orders to officers; officers write oders to solidiers\\
+ Firewall: you can read from inside the firewall, but not from outside\\
+ Phishing: you can look at an approved PDF, but not one from a random email\\
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Point to Take Home}
+
+\begin{itemize}
+\item Formal methods can be an excellent way of finding
+bugs as they force the designer
+to make everything explicit and thus confront dif$\!$ficult design
+choices that might otherwise be fudged.
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides06.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides06.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,636 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{proof}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{courier}
+\usepackage{listings}
+\usetikzlibrary{arrows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+
+\isabellestyle{rm}
+\renewcommand{\isastyle}{\rm}%
+\renewcommand{\isastyleminor}{\rm}%
+\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
+\renewcommand{\isatagproof}{}
+\renewcommand{\endisatagproof}{}
+\renewcommand{\isamarkupcmt}[1]{#1}
+
+% Isabelle characters
+\renewcommand{\isacharunderscore}{\_}
+\renewcommand{\isacharbar}{\isamath{\mid}}
+\renewcommand{\isasymiota}{}
+\renewcommand{\isacharbraceleft}{\{}
+\renewcommand{\isacharbraceright}{\}}
+\renewcommand{\isacharless}{$\langle$}
+\renewcommand{\isachargreater}{$\rangle$}
+\renewcommand{\isasymsharp}{\isamath{\#}}
+\renewcommand{\isasymdots}{\isamath{...}}
+\renewcommand{\isasymbullet}{\act}
+
+
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 06, King's College London, 29 October 2012}
+
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (6)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also homework is there)\\
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{1st Week}
+
+\begin{itemize}
+\item What are hashes and salts?\bigskip\pause
+\item \ldots can be use to store securely data on a client, but
+you cannot make your protocol dependent on the
+presence of the data\bigskip\pause
+\item \ldots can be used to store and verify passwords
+
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{2nd Week}
+
+\begin{itemize}
+\item Buffer overflows\bigskip
+\item choice of programming language can mitigate or even eliminate this problem
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{3rd Week}
+
+\begin{itemize}
+\item defence in depth\bigskip
+\item privilege separation afforded by the OS
+\end{itemize}
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+ \draw (4.7,1) node {Internet};
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw (0.6,0.6) node {\footnotesize Slave};
+ \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+ \draw (-2.9,1.7) node {\footnotesize Monitor};
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+ \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+
+ \end{tikzpicture}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{4th Week}
+
+\begin{itemize}
+\item voting\ldots has security requirements that are in tension with each other
+\begin{center}
+integrity vs ballot secrecy\\
+authentication vs enfranchisment
+\end{center}\bigskip
+
+\item electronic voting makes `whole sale' fraud easier as opposed to `retail attacks'
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{5th Week}
+
+\begin{itemize}
+\item access control logic\bigskip
+
+\item formulas
+\item judgements
+\item inference rules
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{\Large\begin{tabular}{@ {}c@ {}}Access Control Logic\end{tabular}}
+
+ Formulas
+
+ \begin{itemize}
+ \item[]
+
+ \begin{center}\color{blue}
+ \begin{tabular}[t]{rcl@ {\hspace{10mm}}l}
+ \isa{F} & \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}} & \isa{true} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{false} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}\\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{p\ {\isaliteral{28}{\isacharparenleft}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{5C3C646F74733E}{\isasymdots}}{\isaliteral{2C}{\isacharcomma}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub n{\isaliteral{29}{\isacharparenright}}} \\
+ & \isa{{\isaliteral{7C}{\isacharbar}}} & \alert{\isa{P\ says\ F}} & \textcolor{black}{``saying predicate''}\\
+ \end{tabular}
+ \end{center}
+
+ \end{itemize}
+
+Judgements
+
+\begin{itemize}
+\item[] \mbox{\hspace{9mm}}\bl{$\Gamma \vdash \text{F}$}
+\end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Inference Rules}
+
+\begin{center}
+\bl{\infer{\Gamma, F\vdash F}{}}\bigskip\\
+
+\bl{\infer{\Gamma \vdash F_2}{\Gamma \vdash F_1 \Rightarrow F_2 \quad \Gamma \vdash F_1}}
+\qquad
+\bl{\infer{\Gamma \vdash F_1 \Rightarrow F_2}{F_1, \Gamma \vdash F_2}}\bigskip\\
+
+\bl{\infer{\Gamma \vdash P\,\text{says}\, F}{\Gamma \vdash F}}\medskip\\
+
+\bl{\infer{\Gamma \vdash P \,\text{says}\, F_2}
+ {\Gamma \vdash P \,\text{says}\, (F_1\Rightarrow F_2) \quad
+ \Gamma \vdash P \,\text{says}\, F_1}}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Proofs}
+
+\begin{center}
+\bl{
+\infer{\Gamma \vdash F}
+ {\infer{\hspace{1cm}:\hspace{1cm}}
+ {\infer{\hspace{1cm}:\hspace{1cm}}{:}
+ &
+ \infer{\hspace{1cm}:\hspace{1cm}}{:\quad :}
+ }}
+}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{The Access Control Problem}
+
+
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, -0.5) rectangle (1.5,2);
+ \draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}};
+ \draw (4.2,1) node {\begin{tabular}{l}provable/\\not provable\end{tabular}};
+ \draw (0.6,0.8) node {\footnotesize \begin{tabular}{l}AC-\\ Checker:\\ applies\\ inference\\ rules\end{tabular}};
+
+ \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
+ \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
+ \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
+
+ \draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\bl{$\Gamma$})\end{tabular}};
+
+ \end{tikzpicture}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{}
+
+ Recall the following scenario:
+
+ \begin{itemize}
+ \item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{} {}}}
+ should be deleted, then this file must be deleted.
+ \item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether
+ \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}}} should be deleted.
+ \item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}}}.
+ \end{itemize}\bigskip
+
+ \small
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}},\\
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}\\
+ \end{tabular}}\medskip
+
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+How to prove \bl{$\Gamma \vdash F$}?\bigskip\bigskip
+
+\begin{center}
+\Large \bl{\infer{\Gamma, F\vdash F}{}}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\Large
+\bl{\infer{\Gamma \vdash F_1 \Rightarrow F_2}{F_1, \Gamma \vdash F_2}}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\Large
+\bl{\infer{\Gamma \vdash P \,\text{says}\, F}{\Gamma \vdash F}}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\Large
+\bl{\infer{\Gamma \vdash F_1 \vee F_2}{\Gamma \vdash F_1}}\qquad
+\bl{\infer{\Gamma \vdash F_1 \vee F_2}{\Gamma \vdash F_2}}\
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\Large
+\bl{\infer{\Gamma \vdash F_1 \wedge F_2}{\Gamma \vdash F_1 \quad \Gamma \vdash F_2}}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+
+I want to prove \bl{$\Gamma \vdash \text{Pred}$}\bigskip\bigskip\pause
+
+\begin{enumerate}
+\item I found that \bl{$\Gamma$} contains the assumption \bl{$F_1 \Rightarrow F_2$}\bigskip\pause
+\item If I can prove \bl{$\Gamma \vdash F_1$},\pause{} then I can prove
+\begin{center}
+\bl{$\Gamma \vdash F_2$}
+\end{center}\bigskip\pause
+
+\item So better I try to prove \bl{$\Gamma \vdash \text{Pred}$} with the additional assumption
+\bl{$F_2$}.\bigskip
+\begin{center}
+\bl{$F_2, \Gamma \vdash \text{Pred}$}
+\end{center}
+\end{enumerate}
+
+\only<4>{
+\begin{textblock}{11}(1,10.5)
+\bl{\infer{\Gamma\vdash F_2}{\Gamma\vdash F_1\Rightarrow F_2 & \Gamma\vdash F_1}}
+\end{textblock}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{itemize}
+\item \bl{$P$} is entitled to do \bl{$F$}\smallskip\\
+\bl{$P \,\text{controls}\, F \,\dn\, (P\,\text{says}\, F) \Rightarrow F$}\medskip
+
+\begin{center}
+\bl{\infer{\Gamma \vdash F}{\Gamma \vdash P\,\text{controls}\, F & \Gamma \vdash P\,\text{says}\,F}}
+\end{center}
+
+\item \bl{$P$} speaks for \bl{$Q$}\smallskip\\
+\bl{$P \mapsto Q \,\dn\, \forall F. (P\,\text{says}\, F) \Rightarrow (Q \,\text{says}\,F)$}\medskip
+
+\begin{center}
+\bl{\infer{\Gamma \vdash Q\,\text{says}\,F}{\Gamma \vdash P\mapsto Q & \Gamma \vdash P\,\text{says}\,F}}
+\medskip\\
+\bl{\infer{\Gamma \vdash P\,\text{controls}\,F}{\Gamma \vdash P\mapsto Q & \Gamma \vdash Q\,\text{controls}\,F}}\\
+
+\end{center}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Protocol Specifications}
+
+The Needham-Schroeder Protocol:
+
+\begin{center}
+\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
+Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+Message 4 & \bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+Message 5 & \bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Trusted Third Party}
+
+Simple protocol for establishing a secure connection via a mutually
+trusted 3rd party (server):
+
+\begin{center}
+\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
+Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
+Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
+Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
+Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Sending Messages}
+
+ \begin{itemize}
+ \item Alice sends a message \bl{$m$}
+ \begin{center}
+ \bl{Alice says $m$}
+ \end{center}\medskip\pause
+
+ \item Alice sends an encrypted message \bl{$m$}\\ (with key \bl{$K$})
+ \begin{center}
+ \bl{Alice says $\{m\}_K$}
+ \end{center}\medskip\pause
+
+ \item Decryption of Alice's message\smallskip
+ \begin{center}
+ \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
+ {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
+ \end{center}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Encryption}
+
+ \begin{itemize}
+ \item Encryption of a message\smallskip
+ \begin{center}
+ \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K}
+ {\Gamma \vdash \text{Alice}\;\text{says}\;m & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
+ \end{center}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Public/Private Keys}
+
+ \begin{itemize}
+ \item Bob has a private and public key: \bl{$K_{Bob}^{pub}$}, \bl{$K_{Bob}^{priv}$}\bigskip
+ \begin{center}
+ \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
+ {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_{K_{Bob}^{pub}} &
+ \Gamma \vdash K_{Bob}^{priv}}}}
+ \end{center}\bigskip\pause
+
+ \item this is {\bf not} a derived rule!
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Trusted Third Party}
+
+ \begin{itemize}
+ \item Alice calls Sam for a key to communicate with Bob
+ \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
+ \item Alice sends the message encrypted with the key and the second key it recieved
+ \end{itemize}\bigskip
+
+ \begin{center}
+ \bl{\begin{tabular}{lcl}
+ $A$ sends $S$ &:& $\textit{Connect}(A,B)$\\
+ $S$ sends $A$ &:& $\{K_{AB}\}_{K_{AS}}$ \textcolor{black}{and} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
+ $A$ sends $B$ &:& $\{K_{AB}\}_{K_{BS}}$\\
+ $A$ sends $B$ &:& $\{m\}_{K_{AB}}$
+ \end{tabular}}
+ \end{center}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Sending Rule}
+
+ \bl{\begin{center}
+ \mbox{\infer{\Gamma \vdash Q \;\textit{says}\; F}
+ {\Gamma \vdash P \;\textit{says}\; F & \Gamma \vdash P \;\textit{sends}\; Q : F}}
+ \end{center}}\bigskip\pause
+
+ \bl{$P \,\text{sends}\, Q : F \dn$}\\
+ \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Trusted Third Party}
+
+ \begin{center}
+ \bl{\begin{tabular}{l}
+ $A$ sends $S$ : $\textit{Connect}(A,B)$\\
+ \bl{$S \,\text{says}\, (\textit{Connect}(A,B) \Rightarrow$}\\
+ \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
+ \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
+ $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
+ $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
+ $A$ sends $B$ : $\{m\}_{K_{AB}}$
+ \end{tabular}}
+ \end{center}\bigskip\pause
+
+
+ \bl{$\Gamma \vdash B \,\text{says} \, m$}?
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides07.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides07.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,976 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{proof}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{courier}
+\usepackage{listings}
+\usetikzlibrary{arrows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{plotmarks}
+
+
+\isabellestyle{rm}
+\renewcommand{\isastyle}{\rm}%
+\renewcommand{\isastyleminor}{\rm}%
+\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
+\renewcommand{\isatagproof}{}
+\renewcommand{\endisatagproof}{}
+\renewcommand{\isamarkupcmt}[1]{#1}
+
+% Isabelle characters
+\renewcommand{\isacharunderscore}{\_}
+\renewcommand{\isacharbar}{\isamath{\mid}}
+\renewcommand{\isasymiota}{}
+\renewcommand{\isacharbraceleft}{\{}
+\renewcommand{\isacharbraceright}{\}}
+\renewcommand{\isacharless}{$\langle$}
+\renewcommand{\isachargreater}{$\rangle$}
+\renewcommand{\isasymsharp}{\isamath{\#}}
+\renewcommand{\isasymdots}{\isamath{...}}
+\renewcommand{\isasymbullet}{\act}
+
+
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 07, King's College London, 13 November 2012}
+\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}
+
+
+% The data files, written on the first run.
+\begin{filecontents}{re-python.data}
+1 0.029
+5 0.029
+10 0.029
+15 0.032
+16 0.042
+17 0.042
+18 0.055
+19 0.084
+20 0.136
+21 0.248
+22 0.464
+23 0.899
+24 1.773
+25 3.505
+26 6.993
+27 14.503
+28 29.307
+#29 58.886
+\end{filecontents}
+
+\begin{filecontents}{re1.data}
+1 0.00179
+2 0.00011
+3 0.00014
+4 0.00026
+5 0.00050
+6 0.00095
+7 0.00190
+8 0.00287
+9 0.00779
+10 0.01399
+11 0.01894
+12 0.03666
+13 0.07994
+14 0.08944
+15 0.02377
+16 0.07392
+17 0.22798
+18 0.65310
+19 2.11360
+20 6.31606
+21 21.46013
+\end{filecontents}
+
+\begin{filecontents}{re2.data}
+1 0.00240
+2 0.00013
+3 0.00020
+4 0.00030
+5 0.00049
+6 0.00083
+7 0.00146
+8 0.00228
+9 0.00351
+10 0.00640
+11 0.01217
+12 0.02565
+13 0.01382
+14 0.02423
+15 0.05065
+16 0.06522
+17 0.02140
+18 0.05176
+19 0.18254
+20 0.51898
+21 1.39631
+22 2.69501
+23 8.07952
+\end{filecontents}
+
+\begin{filecontents}{re-internal.data}
+1 0.00069
+301 0.00700
+601 0.00297
+901 0.00470
+1201 0.01301
+1501 0.01175
+1801 0.01761
+2101 0.01787
+2401 0.02717
+2701 0.03932
+3001 0.03470
+3301 0.04349
+3601 0.05411
+3901 0.06181
+4201 0.07119
+4501 0.08578
+\end{filecontents}
+
+\begin{filecontents}{re3.data}
+1 0.001605
+501 0.131066
+1001 0.057885
+1501 0.136875
+2001 0.176238
+2501 0.254363
+3001 0.37262
+3501 0.500946
+4001 0.638384
+4501 0.816605
+5001 1.00491
+5501 1.232505
+6001 1.525672
+6501 1.757502
+7001 2.092784
+7501 2.429224
+8001 2.803037
+8501 3.463045
+9001 3.609
+9501 4.081504
+10001 4.54569
+\end{filecontents}
+
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (7)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also homework is there)\\
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Judgements}
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+
+ \draw (0.0,0.0) node {\LARGE \bl{$\Gamma \vdash F$}};
+ \onslide<2->{
+ \draw (-1,-0.3) node (X) {};
+ \draw (-2.0,-2.0) node (Y) {};
+ \draw (0.7,-3) node {\begin{tabular}{l}Gamma\\stands for a collection of formulas\\(``assumptions'')\end{tabular}};
+ \draw[red, ->, line width = 2mm] (Y) -- (X);
+
+ \draw (1.2,-0.1) node (X1) {};
+ \draw (2.8,-0.1) node (Y1) {};
+ \draw (4.5,-0.1) node {\begin{tabular}{l}a single formula\end{tabular}};
+ \draw[red, ->, line width = 2mm] (Y1) -- (X1);
+
+ \draw (-0.1,0.1) node (X2) {};
+ \draw (0.5,1.5) node (Y2) {};
+ \draw (1,1.8) node {\begin{tabular}{l}entails sign\end{tabular}};
+ \draw[red, ->, line width = 2mm] (Y2) -- (X2);}
+
+ \end{tikzpicture}
+\end{center}
+
+\pause\pause
+\footnotesize Gimel (Phoenician), Gamma (Greek), C and G (Latin), Gim (Arabic),\\[-2mm] ?? (Indian), Ge (Cyrillic)
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Inference Rules}
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+
+ \draw (0.0,0.0) node
+ {\Large\bl{\infer{\Gamma \vdash F_1 \wedge F_2}{\Gamma \vdash F_1 & \Gamma \vdash F_2}}};
+
+ \draw (-0.1,-0.7) node (X) {};
+ \draw (-0.1,-1.9) node (Y) {};
+ \draw (-0.2,-2) node {\begin{tabular}{l}conclusion\end{tabular}};
+ \draw[red, ->, line width = 2mm] (Y) -- (X);
+
+ \draw (-1,0.6) node (X2) {};
+ \draw (0.0,1.6) node (Y2) {};
+ \draw (0,1.8) node {\begin{tabular}{l}premisses\end{tabular}};
+ \draw[red, ->, line width = 2mm] (Y2) -- (X2);
+ \draw (1,0.6) node (X3) {};
+ \draw (0.0,1.6) node (Y3) {};
+ \draw[red, ->, line width = 2mm] (Y3) -- (X3);
+ \end{tikzpicture}
+\end{center}
+
+\only<2>{
+\begin{textblock}{11}(1,13)
+\small
+\bl{$P \,\text{says}\, F \vdash Q\,\text{says}\, F\wedge P \,\text{says}\, G $}
+\end{textblock}}
+\only<3>{
+\begin{textblock}{11}(1,13)
+\small
+\bl{$\underbrace{P \,\text{says}\, F}_{\Gamma} \vdash \underbrace{Q\,\text{says}\, F}_{F_1} \,\wedge
+ \underbrace{P \,\text{says}\, G}_{F_2} $}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\Large
+\bl{\infer{\Gamma \vdash F_2}{\Gamma \vdash F_1\Rightarrow F_2 & \Gamma \vdash F_1}}\bigskip\bigskip\bigskip
+
+\bl{\infer{\Gamma\vdash P\,\text{says}\, F}{\Gamma \vdash F}}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+
+We want to prove
+
+\begin{center}
+\bl{$\Gamma \vdash \text{del\_file}$}
+\end{center}\pause
+
+There is an inference rule
+
+\begin{center}
+\bl{\infer{\Gamma \vdash P \,\text{says}\, F}{\Gamma \vdash F}}
+\end{center}\pause
+
+So we can derive \bl{$\Gamma \vdash \text{Alice} \,\text{says}\,\text{del\_file}$}.\bigskip\pause
+
+\bl{$\Gamma$} contains already \bl{$\text{Alice} \,\text{says}\,\text{del\_file}$}. \\
+So we can use the rule
+
+\begin{center}
+\bl{\infer{\Gamma, F \vdash F}{}}
+\end{center}
+
+\onslide<5>{\bf\alert{What is wrong with this?}}
+\hfill{\bf Done. Qed.}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Digression: Proofs in CS}
+
+Formal proofs in CS sound like science fiction? Completely irrelevant!
+Lecturers gone mad!\pause
+
+\begin{itemize}
+\item in 2008, verification of a small C-compiler
+\begin{itemize}
+\item ``if my input program has a certain behaviour, then the compiled machine code has the same behaviour''
+\item is as good as \texttt{gcc -O1}, but less buggy
+\end{itemize}
+\medskip
+\item in 2010, verification of a micro-kernel operating system (approximately 8700 loc)
+\begin{itemize}
+\item 200k loc of proof
+\item 25 - 30 person years
+\item found 160 bugs in the C code (144 by the proof)
+\end{itemize}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{}
+
+ \begin{tabular}{c@ {\hspace{2mm}}c}
+ \\[6mm]
+ \begin{tabular}{c}
+ \includegraphics[scale=0.11]{harper.jpg}\\[-2mm]
+ {\footnotesize Bob Harper}\\[-2.5mm]
+ {\footnotesize (CMU)}
+ \end{tabular}
+ \begin{tabular}{c}
+ \includegraphics[scale=0.37]{pfenning.jpg}\\[-2mm]
+ {\footnotesize Frank Pfenning}\\[-2.5mm]
+ {\footnotesize (CMU)}
+ \end{tabular} &
+
+ \begin{tabular}{p{6cm}}
+ \raggedright
+ \color{gray}{published a proof about a specification in a journal (2005),
+ $\sim$31pages}
+ \end{tabular}\\
+
+ \pause
+ \\[0mm]
+
+ \begin{tabular}{c}
+ \includegraphics[scale=0.36]{appel.jpg}\\[-2mm]
+ {\footnotesize Andrew Appel}\\[-2.5mm]
+ {\footnotesize (Princeton)}
+ \end{tabular} &
+
+ \begin{tabular}{p{6cm}}
+ \raggedright
+ \color{gray}{relied on their proof in a\\ {\bf security} critical application}
+ \end{tabular}
+ \end{tabular}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}
+ \frametitle{Proof-Carrying Code}
+
+ \begin{textblock}{10}(2.5,2.2)
+ \begin{block}{Idea:}
+ \begin{center}
+ \begin{tikzpicture}
+ \draw[help lines,cream] (0,0.2) grid (8,4);
+
+ \draw[line width=1mm, red] (5.5,0.6) rectangle (7.5,4);
+ \node[anchor=base] at (6.5,2.8)
+ {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering user: untrusted code\end{tabular}};
+
+ \draw[line width=1mm, red] (0.5,0.6) rectangle (2.5,4);
+ \node[anchor=base] at (1.5,2.3)
+ {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering developer ---\\ web server\end{tabular}};
+
+ \onslide<3->{
+ \draw[line width=1mm, red, fill=red] (5.5,0.6) rectangle (7.5,1.8);
+ \node[anchor=base,white] at (6.5,1.1)
+ {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\bf\centering proof- checker\end{tabular}};}
+
+ \node at (3.8,3.0) [single arrow, fill=red,text=white, minimum height=3cm]{\bf code};
+ \onslide<2->{
+ \node at (3.8,1.3) [single arrow, fill=red,text=white, minimum height=3cm]{\bf certificate};
+ \node at (3.8,1.9) {\small\color{gray}{\mbox{}\hspace{-1mm}a proof}};
+ }
+
+
+ \end{tikzpicture}
+ \end{center}
+ \end{block}
+ \end{textblock}
+
+ %\begin{textblock}{15}(2,12)
+ %\small
+ %\begin{itemize}
+ %\item<4-> Appel's checker is $\sim$2700 lines of code (1865 loc of\\ LF definitions;
+ %803 loc in C including 2 library functions)\\[-3mm]
+ %\item<5-> 167 loc in C implement a type-checker
+ %\end{itemize}
+ %\end{textblock}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ \tikzstyle{every node}=[node distance=25mm,text height=1.5ex, text depth=.25ex]
+ \tikzstyle{node1}=[rectangle, minimum size=10mm, rounded corners=3mm, very thick,
+ draw=black!50, top color=white, bottom color=black!20]
+ \tikzstyle{node2}=[rectangle, minimum size=12mm, rounded corners=3mm, very thick,
+ draw=red!70, top color=white, bottom color=red!50!black!20]
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}<2->[squeeze]
+ \frametitle{}
+
+ \begin{columns}
+
+ \begin{column}{0.8\textwidth}
+ \begin{textblock}{0}(1,2)
+
+ \begin{tikzpicture}
+ \matrix[ampersand replacement=\&,column sep=7mm, row sep=5mm]
+ { \&[-10mm]
+ \node (def1) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}}; \&
+ \node (proof1) [node1] {\large Proof}; \&
+ \node (alg1) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}}; \\
+
+ \onslide<4->{\node {\begin{tabular}{c}\small 1st\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
+ \onslide<4->{\node (def2) [node2] {\large Spec$^\text{+ex}$};} \&
+ \onslide<4->{\node (proof2) [node1] {\large Proof};} \&
+ \onslide<4->{\node (alg2) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\
+
+ \onslide<5->{\node {\begin{tabular}{c}\small 2nd\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
+ \onslide<5->{\node (def3) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \&
+ \onslide<5->{\node (proof3) [node1] {\large Proof};} \&
+ \onslide<5->{\node (alg3) [node2] {\large Alg$^\text{-ex}$};} \\
+
+ \onslide<6->{\node {\begin{tabular}{c}\small 3rd\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
+ \onslide<6->{\node (def4) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \&
+ \onslide<6->{\node (proof4) [node2] {\large\hspace{1mm}Proof\hspace{1mm}};} \&
+ \onslide<6->{\node (alg4) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\
+ };
+
+ \draw[->,black!50,line width=2mm] (proof1) -- (def1);
+ \draw[->,black!50,line width=2mm] (proof1) -- (alg1);
+
+ \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (def2);}
+ \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (alg2);}
+
+ \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (def3);}
+ \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (alg3);}
+
+ \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (def4);}
+ \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (alg4);}
+
+ \onslide<3->{\draw[white,line width=1mm] (1.1,3.2) -- (0.9,2.85) -- (1.1,2.35) -- (0.9,2.0);}
+ \end{tikzpicture}
+
+ \end{textblock}
+ \end{column}
+ \end{columns}
+
+
+ \begin{textblock}{3}(12,3.6)
+ \onslide<4->{
+ \begin{tikzpicture}
+ \node at (0,0) [single arrow, shape border rotate=270, fill=red,text=white]{2h};
+ \end{tikzpicture}}
+ \end{textblock}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Mars Pathfinder Mission 1997}
+
+ \begin{center}
+ \includegraphics[scale=0.15]{marspath1.png}
+ \includegraphics[scale=0.16]{marspath3.png}
+ \includegraphics[scale=0.3]{marsrover.png}
+ \end{center}
+
+ \begin{itemize}
+ \item despite NASA's famous testing procedure, the lander crashed frequently on Mars
+ \item problem was an algorithm not used in the OS
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Priority Inheritance Protocol}
+
+ \begin{itemize}
+ \item \ldots a scheduling algorithm that is widely used in real-time operating systems
+ \item has been ``proved'' correct by hand in a paper in 1983
+ \item \ldots but the first algorithm turned out to be incorrect, despite its ``proof''\bigskip\pause
+
+ \item we specified the algorithm and then proved that the specification makes
+ ``sense''
+ \item we implemented our specification in C on top of PINTOS (used for teaching at Stanford)
+ \item our implementation was much more efficient than their reference implementation
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Regular Expression Matching}
+\tiny
+
+\begin{tabular}{@ {\hspace{-6mm}}cc}
+\begin{tikzpicture}[y=.1cm, x=.15cm]
+ %axis
+ \draw (0,0) -- coordinate (x axis mid) (30,0);
+ \draw (0,0) -- coordinate (y axis mid) (0,30);
+ %ticks
+ \foreach \x in {0,5,...,30}
+ \draw (\x,1pt) -- (\x,-3pt)
+ node[anchor=north] {\x};
+ \foreach \y in {0,5,...,30}
+ \draw (1pt,\y) -- (-3pt,\y)
+ node[anchor=east] {\y};
+ %labels
+ \node[below=0.3cm] at (x axis mid) {\bl{a}s};
+ \node[rotate=90, left=0.6cm] at (y axis mid) {secs};
+
+ %plots
+ \draw[color=blue] plot[mark=*, mark options={fill=white}]
+ file {re-python.data};
+ \only<1->{
+ \draw[color=red] plot[mark=triangle*, mark options={fill=white} ]
+ file {re1.data};}
+ \only<1->{
+ \draw[color=green] plot[mark=square*, mark options={fill=white} ]
+ file {re2.data};}
+
+ %legend
+ \begin{scope}[shift={(4,20)}]
+ \draw[color=blue] (0,0) --
+ plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0)
+ node[right]{\footnotesize Python};
+ \only<1->{\draw[yshift=6mm, color=red] (0,0) --
+ plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0)
+ node[right]{\footnotesize Scala V1};}
+ \only<1->{
+ \draw[yshift=12mm, color=green] (0,0) --
+ plot[mark=square*, mark options={fill=white}] (0.25,0) -- (0.5,0)
+ node[right]{\footnotesize Scala V2 with simplifications};}
+ \end{scope}
+\end{tikzpicture} &
+
+\begin{tikzpicture}[y=.35cm, x=.00045cm]
+ %axis
+ \draw (0,0) -- coordinate (x axis mid) (10000,0);
+ \draw (0,0) -- coordinate (y axis mid) (0,6);
+ %ticks
+ \foreach \x in {0,2000,...,10000}
+ \draw (\x,1pt) -- (\x,-3pt)
+ node[anchor=north] {\x};
+ \foreach \y in {0,1,...,6}
+ \draw (1pt,\y) -- (-3pt,\y)
+ node[anchor=east] {\y};
+ %labels
+ \node[below=0.3cm] at (x axis mid) {\bl{a}s};
+ \node[rotate=90, left=0.6cm] at (y axis mid) {secs};
+
+ %plots
+ \draw[color=blue] plot[mark=*, mark options={fill=white}]
+ file {re-internal.data};
+ \only<1->{
+ \draw[color=red] plot[mark=triangle*, mark options={fill=white} ]
+ file {re3.data};}
+
+ %legend
+ \begin{scope}[shift={(2000,4)}]
+ \draw[color=blue] (0,0) --
+ plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0)
+ node[right]{\footnotesize Scala Internal};
+ \only<1->{
+ \draw[yshift=6mm, color=red] (0,0) --
+ plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0)
+ node[right]{\footnotesize Scala V3};}
+ \end{scope}
+\end{tikzpicture}
+\end{tabular}\bigskip\pause
+\normalsize
+\begin{itemize}
+\item I needed a proof in order to make sure my program is correct
+\end{itemize}\pause
+
+\begin{center}
+\bl{End Digression.\\ (Our small proof is 0.0005\% of the OS-proof.)}
+\end{center}
+
+\end{frame}}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{One More Thing}
+
+\begin{itemize}
+\item I arrived at King's last year
+\item Maxime Crochemore told me about a string algorithm (suffix sorting) that appeared at a
+conference in 2007 (ICALP)
+\item ``horribly incomprehensible'', no implementation, but claims to be the best \bl{$O(n + k)$} algorithm\bigskip\pause
+
+\item Jian Jiang found 1 error and 1 superfluous step in this algorithm
+\item he received 88\% for the project and won the prize for the best 7CCSMPRJ project in the department
+\item no proof \ldots{} yet
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Trusted Third Party}
+
+Simple protocol for establishing a secure connection via a mutually
+trusted 3rd party (server):
+
+\begin{center}
+\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
+Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
+Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
+Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
+Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Encrypted Messages}
+
+ \begin{itemize}
+ \item Alice sends a message \bl{$m$}
+ \begin{center}
+ \bl{Alice says $m$}
+ \end{center}\medskip\pause
+
+ \item Alice sends an encrypted message \bl{$m$}\\ (with key \bl{$K$})
+ \begin{center}
+ \bl{Alice says $\{m\}_K$}
+ \end{center}\medskip\pause
+
+ \item Decryption of Alice's message\smallskip
+ \begin{center}
+ \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
+ {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
+ \end{center}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Encryption}
+
+ \begin{itemize}
+ \item Encryption of a message\smallskip
+ \begin{center}
+ \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K}
+ {\Gamma \vdash \text{Alice}\;\text{says}\;m & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
+ \end{center}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Trusted Third Party}
+
+ \begin{itemize}
+ \item Alice calls Sam for a key to communicate with Bob
+ \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
+ \item Alice sends the message encrypted with the key and the second key it recieved
+ \end{itemize}\bigskip
+
+ \begin{center}
+ \bl{\begin{tabular}{lcl}
+ $A$ sends $S$ &:& $\textit{Connect}(A,B)$\\
+ $S$ sends $A$ &:& $\{K_{AB}\}_{K_{AS}}$ \textcolor{black}{and} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
+ $A$ sends $B$ &:& $\{K_{AB}\}_{K_{BS}}$\\
+ $A$ sends $B$ &:& $\{m\}_{K_{AB}}$
+ \end{tabular}}
+ \end{center}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Sending Rule}
+
+
+ \bl{\begin{center}
+ \mbox{\infer{\Gamma \vdash Q \;\textit{says}\; F}
+ {\Gamma \vdash P \;\textit{says}\; F & \Gamma \vdash P \;\textit{sends}\; Q : F}}
+ \end{center}}\bigskip\pause
+
+ \bl{$P \,\text{sends}\, Q : F \dn$}\\
+ \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Trusted Third Party}
+
+ \begin{center}
+ \bl{\begin{tabular}{l}
+ $A$ sends $S$ : $\textit{Connect}(A,B)$\\
+ \bl{$S \,\text{says}\, (\textit{Connect}(A,B) \Rightarrow$}\\
+ \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
+ \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
+ $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
+ $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
+ $A$ sends $B$ : $\{m\}_{K_{AB}}$
+ \end{tabular}}
+ \end{center}\bigskip\pause
+
+
+ \bl{$\Gamma \vdash B \,\text{says} \, m$}?
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Challenge-Response Protocol}
+
+ \begin{itemize}
+ \item an engine \bl{$E$} and a transponder \bl{$T$} share a key \bl{$K$}\bigskip
+ \item \bl{$E$} sends out a \alert{nonce} \bl{$N$} (random number) to \bl{$T$}\bigskip
+ \item \bl{$T$} responds with \bl{$\{N\}_K$}\bigskip
+ \item if \bl{$E$} receives \bl{$\{N\}_K$} from \bl{$T$}, it starts engine
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Challenge-Response Protocol}
+
+ \begin{center}
+ \bl{\begin{tabular}{l}
+ $E \;\text{says}\; N$\hfill(start)\\
+ $E \;\text{sends}\; T : N$\hfill(challenge)\\
+ $(T \;\text{says}\; N) \Rightarrow (T \;\text{sends}\; E : \{N\}_K \wedge$\\
+ \hspace{3.5cm} $T \;\text{sends}\; E : \text{Id}(T))$\;\;\;\hfill(response)\\
+ $T \;\text{says}\; K$\hfill(key)\\
+ $T \;\text{says}\; \text{Id}(T)$\hfill(identity)\\
+ $(E \;\text{says}\; \{N\}_K \wedge E \;\text{says}\; \text{Id}(T)) \Rightarrow$\\
+ \hspace{5cm}$ \text{start\_engine}(T)$\hfill(engine)\\
+ \end{tabular}}
+ \end{center}\bigskip
+
+ \bl{$\Gamma \vdash \text{start\_engine}(T)$}?
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Exchange of a Fresh Key}
+
+\bl{$A$} and \bl{$B$} share a (``super-secret'') key \bl{$K_{AB}$} and want to share another key
+
+ \begin{itemize}
+ \item assumption \bl{$K_{AB}$} is only known to \bl{$A$} and \bl{$B$}\bigskip
+ \item \bl{$A \,\text{sends}\, B : A, \{N_A\}_{K_{AB}}$}
+ \item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
+ \item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
+ \item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}
+ \item<2> \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}
+ \end{itemize}\bigskip
+
+ Assume \bl{$K^{new}_{AB}$} is compromised by \bl{$I$}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{The Attack}
+
+An intruder \bl{$I$} convinces \bl{$A$} to accept the compromised key \bl{$K^{new}_{AB}$}\medskip
+
+\begin{minipage}{1.1\textwidth}
+\begin{itemize}
+ \item \bl{$A \,\text{sends}\, B : A, \{N_A\}_{K_{AB}}$}
+ \item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
+ \item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
+ \item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\;\;recorded by \bl{$I$}\pause
+ \item \bl{$A \,\text{sends}\, B : A, \{M_A\}_{K_{AB}}$}
+ \item \bl{$B\,\text{sends}\, A : \{M_A + 1, M_B\}_{K_{AB}}$}
+ \item \bl{$A \,\text{sends}\, B : \{M_B + 1\}_{K_{AB}}$}
+ \item \bl{$B \,\text{sends}\, I : \{K^{newer}_{AB}, N^{newer}_B\}_{K_{AB}}$}\;intercepted by \bl{$I$}
+ \item \bl{$I \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\pause
+ \item \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}\;\;\;\;\bl{$I$} can read it also
+ \end{itemize}
+ \end{minipage}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Another Challenge-Response}
+
+\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
+each other\bigskip
+
+ \begin{itemize}
+ \item \bl{$A \,\text{sends}\, B : A, N_A$}
+ \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
+ \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
+ \end{itemize}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Another Challenge-Response}
+
+\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
+each other\bigskip
+
+ \begin{itemize}
+ \item \bl{$A \,\text{sends}\, B : A, N_A$}
+ \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
+ \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
+ \end{itemize}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Another Challenge-Response}
+
+Unfortunately, an intruder \bl{$I$} can impersonate \bl{$B$}.
+
+\begin{center}
+\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}}
+\begin{tabular}{@{}l@{}}
+\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\
+\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
+\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\
+\end{tabular}
+&
+\begin{tabular}{@{}l@{}}
+\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\
+\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
+\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\
+\end{tabular}
+\end{tabular}
+\end{center}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides08.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides08.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,747 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{proof}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{courier}
+\usepackage{listings}
+\usetikzlibrary{arrows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{plotmarks}
+
+
+\isabellestyle{rm}
+\renewcommand{\isastyle}{\rm}%
+\renewcommand{\isastyleminor}{\rm}%
+\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
+\renewcommand{\isatagproof}{}
+\renewcommand{\endisatagproof}{}
+\renewcommand{\isamarkupcmt}[1]{#1}
+
+% Isabelle characters
+\renewcommand{\isacharunderscore}{\_}
+\renewcommand{\isacharbar}{\isamath{\mid}}
+\renewcommand{\isasymiota}{}
+\renewcommand{\isacharbraceleft}{\{}
+\renewcommand{\isacharbraceright}{\}}
+\renewcommand{\isacharless}{$\langle$}
+\renewcommand{\isachargreater}{$\rangle$}
+\renewcommand{\isasymsharp}{\isamath{\#}}
+\renewcommand{\isasymdots}{\isamath{...}}
+\renewcommand{\isasymbullet}{\act}
+
+
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 08, King's College London, 20 November 2012}
+\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (8)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also homework is there)\\
+ \end{tabular}
+ \end{center}
+
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Last Week}
+
+Andrew Secure RPC Protocol:
+\bl{$A$} and \bl{$B$} share a key private \bl{$K_{AB}$} and want to identify
+each other\bigskip
+
+ \begin{itemize}
+ \item \bl{$A \,\text{sends}\, B : A, N_A$}
+ \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
+ \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
+ \end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[t]
+ \frametitle{Protocols}
+
+\mbox{}
+
+\begin{tabular}{l}
+{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\
+\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\
+\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
+\end{tabular}
+
+ \begin{itemize}
+ \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
+ but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
+\item<2-> indicates one ``protocol run'', or session, which specifies some
+order in the communication
+\item<2-> there can be several sessions in parallel (think of wifi routers)
+\end{itemize}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Last Week}
+
+
+\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
+each other\bigskip
+
+ \begin{itemize}
+ \item \bl{$A \,\text{sends}\, B : A, N_A$}
+ \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
+ \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
+ \end{itemize}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Defeating Challenge-Response}
+
+\noindent
+A \alert{reflection attack}: an intruder \bl{$I$} impersonates \bl{$B$}.
+
+\begin{center}
+\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}}
+\begin{tabular}{@{}l@{}}
+\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\
+\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
+\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\
+\end{tabular}
+&
+\begin{tabular}{@{}l@{}}
+\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\
+\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
+\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\
+\end{tabular}
+\end{tabular}
+\end{center}\bigskip
+
+\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''\medskip\\
+was originally developed at CMU for terminals to connect to
+workstations (e.g., file servers)}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Identify Friend or Foe}
+
+\begin{center}
+\onslide<3->{\mbox{}\hspace{3.4cm}\includegraphics[scale=0.55]{pics/MigInMiddle.jpg}}
+\end{center}
+
+\begin{textblock}{6}(0.3,2)
+\onslide<2->{
+198?: war between Angola (supported by Cuba)
+and Namibia (supported by SA)}
+\end{textblock}
+
+\begin{textblock}{3}(12.5,4.6)
+ \onslide<3->{
+ \begin{tikzpicture}
+ \node at (0,0) [single arrow, fill=red,text=white, rotate=-50, shape border rotate=180]{``bystander''};
+ \end{tikzpicture}}
+ \end{textblock}
+
+\begin{textblock}{3}(10.9,10)
+ \onslide<3->{
+ \begin{tikzpicture}
+ \node at (0,0) [single arrow, fill=red,text=white, rotate=-40, shape border rotate=180]{attacker};
+ \end{tikzpicture}}
+ \end{textblock}
+
+\only<4->{
+\begin{textblock}{6}(0.3,9)
+being outsmarted by Angola/Cuba
+ended SA involvement (?)
+\end{textblock}}
+\only<5->{
+\begin{textblock}{6}(0.3,13)
+IFF opened up a nice side-channel attack
+\end{textblock}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Encryption to the Rescue?}
+
+
+ \begin{itemize}
+ \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
+ \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
+ \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip
+ \end{itemize}\pause
+
+means you need to send separate ``Hello'' signals (bad), or worse
+share a single key between many entities
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Protocol Attacks}
+
+\begin{itemize}
+\item replay attacks
+\item reflection attacks
+\item man-in-the-middle attacks
+\item timing attacks
+\item parallel session attacks
+\item binding attacks (public key protocols)
+\item changing environment / changing assumptions\bigskip
+
+\item (social engineering attacks)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Replay Attacks}
+
+Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}:
+
+\begin{center}
+\begin{tabular}{r@ {\hspace{1mm}}l}
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
+\bl{$K_{AB}$} and know that the other principal has the key
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Nonces}
+
+\begin{enumerate}
+\item I generate a nonce (random number) and send it to you encrypted with a key we share
+\item you increase it by one, encrypt it under a key I know and send
+it back to me
+\end{enumerate}
+
+
+I can infer:
+
+\begin{itemize}
+\item you must have received my message
+\item you could only have generated your answer after I send you my initial
+message
+\item if only you and me know the key, the message must have come from you
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
+\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
+\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
+\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
+\end{tabular}
+\end{center}\pause
+
+\bl{$B$} believes it is following the correct protocol,
+intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
+talks to \bl{$B$} masquerading as \bl{$A$}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\includegraphics[scale=0.5]{pics/dogs.jpg}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Replay Attacks}
+
+Andrew Secure RPC protocol: exchanging a new key
+between \bl{$A$} and \bl{$B$}
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+Assume nonces are represented as bit-sequences of the same length as keys
+\begin{center}
+\begin{tabular}{@{}l@{}}
+\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\
+\bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\
+\end{tabular}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Time-Stamps}
+
+The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):
+
+\begin{center}
+\begin{tabular}{r@ {\hspace{1mm}}l}
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+but nothing is for free: then you need to synchronise time and possibly become a victim to
+timing attacks
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+It can also be fixed by including another nonce:
+
+\begin{center}
+\begin{tabular}{r@ {\hspace{1mm}}l}
+\bl{$A \rightarrow B :$} & \bl{$A$}\\
+\bl{$B \rightarrow A :$} & \bl{$\{A, N_B\}_{K_{BS}}$}\\
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A, \{A, N_B\}_{K_{BS}}$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, N_B\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, N_B\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+but nothing is for free: then you need to synchronise time and possibly become victim to
+timing attacks
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+with public-private keys it is important that the public key is \alert{bound}
+to the right owner (verified by a certification authority \bl{$CA$})
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
+\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\bigskip
+
+\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
+in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
+\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
+\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\pause
+
+\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
+(which happily decrypts them with its private key)
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+There are plenty of other protocols and attacks. This could go on ``forever''.\pause\bigskip
+
+We look here on one more kind of attacks that are because of a changing environment.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Changing Environment Attacks}
+
+\begin{itemize}
+\item all protocols rely on some assumptions about the environment
+(e.g., cryptographic keys cannot be broken)\bigskip\pause
+\end{itemize}
+
+\only<2>{
+\begin{itemize}
+\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not
+worthwhile
+\end{itemize}}
+
+\only<3>{
+\begin{itemize}
+\item when it got expensive, some people bought cheaper monthly tickets for a suburban
+station and a nearby one, and one for the destination and a nearby one
+\item a large investment later all barriers were automatic and tickets could record state
+\end{itemize}}
+
+\only<4>{
+\begin{itemize}
+\item but suddenly the environment changed: rail transport got privatised creating many
+competing companies
+potentially cheating each other
+\item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots
+\end{itemize}}
+
+\only<5>{
+\begin{itemize}
+\item apart from bad outsiders (passengers), you also had bad insiders (rail companies)
+\item chaos and litigation ensued
+\end{itemize}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+A Man-in-the-middle attack in real life:
+
+\begin{itemize}
+\item the card only says yes or no to the terminal if the PIN is correct
+\item trick the card in thinking transaction is verified by signature
+\item trick the terminal in thinking the transaction was verified by PIN
+\end{itemize}
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
+\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
+\end{center}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Problems with EMV}
+
+\begin{itemize}
+\item it is a wrapper for many protocols
+\item specification by consensus (resulted unmanageable complexity)
+\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
+further parts are secret
+\item other attacks have been found
+
+\item one solution might be to require always online verification of the PIN with the bank
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Problems with WEP (Wifi)}
+
+\begin{itemize}
+\item a standard ratified in 1999
+\item the protocol was designed by a committee not including cryptographers
+\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
+\item WEP did not allocate enough bits for the nonce
+\item for authenticating packets it used CRC checksum which can be easily broken
+\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
+\item encryption was turned of by default
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Protocols are Difficult}
+
+\begin{itemize}
+\item even the systems designed by experts regularly fail\medskip
+\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
+\item the one who can fix a system should also be liable for the losses\medskip
+\item cryptography is often not {\bf the} answer\bigskip\bigskip
+\end{itemize}
+
+logic is one way protocols are studied in academia
+(you can use computers to search for attacks)
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Public-Key Infrastructure}
+
+\begin{itemize}
+\item the idea is to have a certificate authority (CA)
+\item you go to the CA to identify yourself
+\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
+\item CA must be trusted by everybody
+\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
+explicitly limits liability to \$100.)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Privacy, Anonymity et al}
+
+Some terminology:
+
+\begin{itemize}
+\item \alert{secrecy} is the mechanism used to limit the number of
+principals with access to information (eg, cryptography or access controls)
+
+\item \alert{confidentiality} is the obligation to protect the secrets of other people
+or organizations (secrecy for the benefit of an organisation)
+
+\item \alert{anonymity} is the ability to leave no evidence of an activity (eg, sharing a secret)
+
+\item \alert{privacy} is the ability or right to protect your personal secrets
+(secrecy for the benefit of an individual)
+
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy vs Anonymity}
+
+\begin{itemize}
+\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review)
+\end{itemize}\bigskip\bigskip\pause
+
+
+But privacy?\bigskip\bigskip
+
+``You have zero privacy anyway. Get over it.''\\
+\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\
+
+
+If you have nothing to hide, you have nothing to fear.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+
+private data can be often used against me
+
+\begin{itemize}
+\item if my location data becomes public, thieves will switch off their phones and help themselves in my home
+\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages)
+\item my employer might not like my opinions\bigskip\pause
+
+\item one the other hand, Freedom-of-Information Act
+\item medical data should be private, but medical research needs data
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy Problems}
+
+\begin{itemize}
+\item Apple takes note of every dictation (send over the Internet to Apple)
+\item markets often only work, if data is restricted (to build trust)
+\item Social network can reveal data about you
+\item have you tried the collusion extension for FireFox?
+\item I do use Dropbox, store cards\bigskip
+\item next week: anonymising data
+\end{itemize}
+
+\begin{textblock}{5}(12,8.9)
+\includegraphics[scale=0.3]{pics/gattaca.jpg}\\
+\small Gattaca (1997)
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides09.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides09.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,554 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{proof}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{courier}
+\usepackage{listings}
+\usetikzlibrary{arrows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{plotmarks}
+
+
+\isabellestyle{rm}
+\renewcommand{\isastyle}{\rm}%
+\renewcommand{\isastyleminor}{\rm}%
+\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
+\renewcommand{\isatagproof}{}
+\renewcommand{\endisatagproof}{}
+\renewcommand{\isamarkupcmt}[1]{#1}
+
+% Isabelle characters
+\renewcommand{\isacharunderscore}{\_}
+\renewcommand{\isacharbar}{\isamath{\mid}}
+\renewcommand{\isasymiota}{}
+\renewcommand{\isacharbraceleft}{\{}
+\renewcommand{\isacharbraceright}{\}}
+\renewcommand{\isacharless}{$\langle$}
+\renewcommand{\isachargreater}{$\rangle$}
+\renewcommand{\isasymsharp}{\isamath{\#}}
+\renewcommand{\isasymdots}{\isamath{...}}
+\renewcommand{\isasymbullet}{\act}
+
+
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 09, King's College London, 27 November 2012}
+\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (9)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also homework is there)\\
+ \end{tabular}
+ \end{center}
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Last Week}
+
+Recall, the Schroeder-Needham (1978) protocol is vulnerable to replay attacks.
+
+\begin{center}
+\begin{tabular}{@{}r@ {\hspace{1mm}}l@{}}
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\pause
+
+Fix: Replace messages 2 and 3 to include a timestamp:\bigskip
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}}
+\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
+\end{tabular}
+\end{center}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Denning-Sacco Fix}
+
+Denning-Sacco (1981) suggested to add the timestamp, but omit the handshake:\bigskip
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}}
+\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
+\textcolor{lightgray}{$B \rightarrow A :$} & \textcolor{lightgray}{$\{N_B\}_{K_{AB}}$}\\
+\textcolor{lightgray}{$A \rightarrow B :$} & \textcolor{lightgray}{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}
+\end{minipage}\bigskip
+
+they argue \bl{$A$} and \bl{$B$} can check that the messages are not replays of earlier
+runs, by checking the time difference with when the protocol is last used
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@{}c@{}}Denning-Sacco-Lowe Fix of Fix\end{tabular}}
+
+Lowe (1997) disagreed and said the handshake should be kept,
+otherwise:\bigskip
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\begin{tabular}{@{\hspace{-7mm}}r@ {\hspace{1mm}}l@{}}
+\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
+\bl{$I(A) \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\hspace{5mm}\textcolor{black}{replay}\\
+\end{tabular}
+\end{center}
+\end{minipage}\bigskip
+
+When is this a problem?\pause\medskip
+
+Assume \bl{$B$} is a bank and the message is ``Draw \pounds{1000} from \bl{$A$}'s
+account and transfer it to \bl{$I$}.''
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+
+\begin{minipage}{1.05\textwidth}
+\begin{itemize}
+\item we \alert{do} want that government data is made public (free maps for example)
+\item we \alert{do not} want that medical data becomes public (similarly tax data, school
+records, job offers)\bigskip
+\item personal information can potentially lead to fraud
+(identity theft)
+\end{itemize}\pause
+
+{\bf ``The reality'':}
+\only<2>{\begin{itemize}
+\item London Health Programmes lost in June unencrypted details of more than 8 million people
+(no names, but postcodes and details such as gender, age and ethnic origin)
+\end{itemize}}
+\only<3>{\begin{itemize}
+\item also in June Sony, got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
+\end{itemize}}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Privacy and Big Data}
+
+Selected sources of ``Big Data'':\smallskip{}
+
+\begin{itemize}
+\item Facebook
+\begin{itemize}
+\item 40+ Billion photos (100 PB)
+\item 6 Billion messages daily (5 - 10 TB)
+\item 900 Million users
+\end{itemize}
+\item Common Crawl
+\begin{itemize}
+\item covers 3.8 Billion webpages (2012 dataset)
+\item 50 TB of data
+\end{itemize}
+\item Google
+\begin{itemize}
+\item 20 PB daily (2008)
+\end{itemize}
+\item Twitter
+\begin{itemize}
+\item 7 Million users in the UK
+\item a company called Datasift is allowed to mine all tweets since 2010
+\item they charge 10k per month for other companies to target advertisement
+\end{itemize}
+\end{itemize}\pause
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Cookies\ldots}
+
+``We have published a new cookie policy. It explains what cookies are
+and how we use them on our site. To learn more about cookies and
+their benefits, please view our cookie policy.\medskip
+
+If you'd like to disable cookies on this device, please view our information
+pages on 'How to manage cookies'. Please be aware that parts of the
+site will not function correctly if you disable cookies. \medskip
+
+By closing this
+message, you consent to our use of cookies on this device in accordance
+with our cookie policy unless you have disabled them.''
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Scare Tactics}
+
+The actual policy reads:\bigskip
+
+``As we explain in our Cookie Policy, cookies help you to get the most
+out of our websites.\medskip
+
+If you do disable our cookies you may find that certain sections of our
+website do not work. For example, you may have difficulties logging in
+or viewing articles.''
+
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Netflix Prize}
+
+Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip
+
+\begin{itemize}
+\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
+\item dataset contained 10\% of all Netflix users (appr.~500K)
+\item names were removed, but included numerical ratings as well as times of rating
+\item some information was \alert{perturbed} (i.e., slightly modified)
+\end{itemize}
+
+\hfill{\bf\alert{All OK?}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Re-identification Attack}
+
+Two researchers analysed the data:
+
+\begin{itemize}
+\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
+records can be identified
+\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
+\item they took 50 samples from IMDb (where people can reveal their identity)
+\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{}
+
+\begin{itemize}
+\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
+\item Preferences in movies (99\% of 500K for 8 ratings)
+\end{itemize}\bigskip
+
+Therefore best practices / or even law (HIPAA, EU):
+
+\begin{itemize}
+\item only year dates (age group for 90 years or over),
+\item no postcodes (sector data is OK, similarly in the US)\\
+\textcolor{gray}{no names, addresses, account numbers, licence plates}
+\item disclosure information needs to be retained for 5 years
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{How to Safely Disclose Information?}
+
+\only<1>{
+\begin{itemize}
+\item Assume you make a survey of 100 randomly chosen people.
+\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
+Gangnam video on youtube.\bigskip
+
+\item What can you infer about the rest of the population?
+\end{itemize}}
+\only<2>{
+\begin{itemize}
+\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause
+
+\item Not even releasing only aggregate information prevents re-identification attacks.
+(GWAS was a public database of gene-frequency studies linked to diseases;
+you only needed partial DNA information in order
+to identify whether an individual was part of the study --- DB closed in 2008)
+\end{itemize}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Differential Privacy}
+
+\begin{center}
+User\;\;\;\;
+\begin{tabular}{c}
+tell me \bl{$f(x)$} $\Rightarrow$\\
+$\Leftarrow$ \bl{$f(x) + \text{noise}$}
+\end{tabular}
+\;\;\;\;\begin{tabular}{@{}c}
+Database\\
+\bl{$x_1, \ldots, x_n$}
+\end{tabular}
+\end{center}
+
+
+\begin{itemize}
+\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
+individual entries \bl{$x_1, \ldots, x_n$}\\
+\item Intuition: whatever is learned from the dataset would be learned regardless of whether
+\bl{$x_i$} participates\bigskip\pause
+
+\item Noised needed in order to prevent queries:\\ Christian's salary $=$
+\begin{center}
+\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian
+\end{center}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Adding Noise}
+
+Adding noise is not as trivial as one would wish:
+
+\begin{itemize}
+\item If I ask how many of three have seen the Gangnam video and get a result
+as follows
+
+\begin{center}
+\begin{tabular}{l|c}
+Alice & yes\\
+Bob & no\\
+Charlie & yes\\
+\end{tabular}
+\end{center}
+
+then I have to add a noise of \bl{$1$}. So answers would be in the
+range of \bl{$1$} to \bl{$3$}
+
+\bigskip
+\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots),
+then one individual can change the dataset by \bl{$5$}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@{}c@{}}Tor, Anonymous Webbrowsing\end{tabular}}
+
+\begin{itemize}
+\item initially developed by US Navy Labs, but then opened up to the world
+\item network of proxy nodes
+\item a Tor client establishes a ``random'' path to the destination server (you cannot trace back where the information came from)\bigskip\pause
+\end{itemize}
+
+\only<2>{
+\begin{itemize}
+\item malicious exit node attack: someone set up 5 Tor exit nodes and monitored the traffic:
+\begin{itemize}
+\item a number of logons and passwords used by embassies (Usbekistan `s1e7u0l7c', while
+Tunesia `Tunesia' and India `1234')
+\end{itemize}
+\end{itemize}}
+\only<3>{
+\begin{itemize}
+\item bad apple attack: if you have one insecure application, your IP can be tracked through Tor
+\begin{itemize}
+\item background: 40\% of traffic on Tor is generated by BitTorrent
+\end{itemize}
+\end{itemize}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@{}c@{}}Skype Secure Communication\end{tabular}}
+
+\begin{itemize}
+\item Skype used to be known as a secure online communication (encryption cannot be disabled),
+but \ldots\medskip
+
+\item it is impossible to verify whether crypto algorithms are correctly used, or whether there are backdoors.\bigskip
+
+\item recently someone found out that you can reset the password of somebody else's
+account, only knowing their email address (needed to suspended the password reset feature temporarily)
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}
+
+According to Ross Anderson: \bigskip
+\begin{itemize}
+\item Privacy in a big hospital is just about doable.\medskip
+\item How do you enforce privacy in something as big as Google
+or complex as Facebook? No body knows.\bigskip
+
+Similarly, big databases imposed by government
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@{}c@{}}Next Week\end{tabular}}
+
+Homework: Which areas should I focus on?
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides/slides10.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/slides/slides10.tex Sun Sep 22 15:22:11 2013 +0100
@@ -0,0 +1,217 @@
+\documentclass[dvipsnames,14pt,t]{beamer}
+\usepackage{proof}
+\usepackage{beamerthemeplainculight}
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{mathpartir}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage[absolute,overlay]{textpos}
+\usepackage{ifthen}
+\usepackage{tikz}
+\usepackage{courier}
+\usepackage{listings}
+\usetikzlibrary{arrows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usepackage{graphicx}
+\usetikzlibrary{shapes}
+\usetikzlibrary{shadows}
+\usetikzlibrary{plotmarks}
+
+
+\isabellestyle{rm}
+\renewcommand{\isastyle}{\rm}%
+\renewcommand{\isastyleminor}{\rm}%
+\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
+\renewcommand{\isatagproof}{}
+\renewcommand{\endisatagproof}{}
+\renewcommand{\isamarkupcmt}[1]{#1}
+
+% Isabelle characters
+\renewcommand{\isacharunderscore}{\_}
+\renewcommand{\isacharbar}{\isamath{\mid}}
+\renewcommand{\isasymiota}{}
+\renewcommand{\isacharbraceleft}{\{}
+\renewcommand{\isacharbraceright}{\}}
+\renewcommand{\isacharless}{$\langle$}
+\renewcommand{\isachargreater}{$\rangle$}
+\renewcommand{\isasymsharp}{\isamath{\#}}
+\renewcommand{\isasymdots}{\isamath{...}}
+\renewcommand{\isasymbullet}{\act}
+
+
+
+\definecolor{javared}{rgb}{0.6,0,0} % for strings
+\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
+\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
+\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+
+\lstset{language=Java,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+\lstdefinelanguage{scala}{
+ morekeywords={abstract,case,catch,class,def,%
+ do,else,extends,false,final,finally,%
+ for,if,implicit,import,match,mixin,%
+ new,null,object,override,package,%
+ private,protected,requires,return,sealed,%
+ super,this,throw,trait,true,try,%
+ type,val,var,while,with,yield},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[n]{/*}{*/},
+ morestring=[b]",
+ morestring=[b]',
+ morestring=[b]"""
+}
+
+\lstset{language=Scala,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{javapurple}\bfseries,
+ stringstyle=\color{javagreen},
+ commentstyle=\color{javagreen},
+ morecomment=[s][\color{javadocblue}]{/**}{*/},
+ numbers=left,
+ numberstyle=\tiny\color{black},
+ stepnumber=1,
+ numbersep=10pt,
+ tabsize=2,
+ showspaces=false,
+ showstringspaces=false}
+
+% beamer stuff
+\renewcommand{\slidecaption}{APP 09, King's College London, 27 November 2012}
+\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
+\newcommand{\bl}[1]{\textcolor{blue}{#1}}
+
+\begin{document}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1>[t]
+\frametitle{%
+ \begin{tabular}{@ {}c@ {}}
+ \\
+ \LARGE Access Control and \\[-3mm]
+ \LARGE Privacy Policies (10)\\[-6mm]
+ \end{tabular}}\bigskip\bigskip\bigskip
+
+ %\begin{center}
+ %\includegraphics[scale=1.3]{pics/barrier.jpg}
+ %\end{center}
+
+\normalsize
+ \begin{center}
+ \begin{tabular}{ll}
+ Email: & christian.urban at kcl.ac.uk\\
+ Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Slides: & KEATS (also homework is there)\\
+ \end{tabular}
+ \end{center}
+
+\end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Revision: Proofs}
+
+\begin{center}
+\includegraphics[scale=0.4]{pics/river-stones.jpg}
+\end{center}
+
+\begin{textblock}{5}(11.7,5)
+goal
+\end{textblock}
+
+\begin{textblock}{5}(11.7,14)
+start
+\end{textblock}
+
+\begin{textblock}{5}(0,7)
+\begin{center}
+\bl{\infer[\small\textcolor{black}{\text{axiom}}]{\quad\vdash\quad}{}}\\[8mm]
+\bl{\infer{\vdash}{\quad\vdash\quad}}\\[8mm]
+\bl{\infer{\vdash}{\quad\vdash\qquad\vdash\quad}}
+\end{center}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Proof Example Proof}
+
+\begin{center}
+\bl{\infer{P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash Q\;\text{says}\;F_2 \wedge P\;\text{says}\;F_1}
+ {\raisebox{2mm}{\text{\LARGE $?$}}}}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Proof Example Proof}
+
+\begin{tabular}{@{\hspace{-6mm}}l}
+\begin{minipage}{1.1\textwidth}
+We have (by axiom)
+
+\begin{center}
+\begin{tabular}{@{}ll@{}}
+(1) & \bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2$}
+\end{tabular}
+\end{center}
+
+From (1) we get
+
+\begin{center}
+\begin{tabular}{@{}ll@{}}
+(2) & \bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash P\;\text{says}\;F_1$}\\
+(3) & \bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash Q\;\text{says}\;F_2$}\\
+\end{tabular}
+\end{center}
+
+From (3) and (2) we get
+
+\begin{center}
+\begin{tabular}{@{}ll@{}}
+\bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash Q\;\text{says}\;F_2 \wedge P\;\text{says}\;F_1$}
+\end{tabular}
+\end{center}
+
+Done.
+\end{minipage}
+\end{tabular}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
+
Binary file slides01.pdf has changed
--- a/slides01.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1028 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{pgf}
-\usepackage{calc}
-\usepackage{ulem}
-\usepackage{courier}
-\usepackage{listings}
-\renewcommand{\uline}[1]{#1}
-\usetikzlibrary{arrows}
-\usetikzlibrary{automata}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 01, King's College London, 25.~September 2012}
-
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (1)\\[-6mm]
- \end{tabular}}
-
- \begin{center}
- \includegraphics[scale=1.3]{pics/barrier.jpg}
- \end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}
-
-\begin{center}
-\includegraphics[scale=2.1]{pics/barrier.jpg}
-\end{center}
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Engineers\end{tabular}}
-
-According to Bruce Schneier, {\bf security engineers} require
-a particular {\bf mindset}:\bigskip
-
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{10cm}\raggedright\small
-``Security engineers --- at least the good ones --- see the world dif$\!$ferently.
-They can't walk into a store without noticing how they might shoplift. They can't
-use a computer without wondering about the security vulnerabilities. They can't
-vote without trying to figure out how to vote twice. They just can't help it.''
-\end{minipage}};
-\end{tikzpicture}
-
-\begin{flushright}
-\includegraphics[scale=0.0087]{pics/schneierbook1.jpg}\;
-\includegraphics[scale=0.0087]{pics/schneierbook2.jpg}\;
-\includegraphics[scale=0.85]{pics/schneier.png}
-\end{flushright}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN\end{tabular}}
-
-\begin{center}
-\includegraphics[scale=0.3]{pics/creditcard1.jpg}\;
-\includegraphics[scale=0.3]{pics/creditcard2.jpg}
-\end{center}
-
-\begin{itemize}
-\item Chip-and-PIN was introduced in the UK in 2004
-\item before that customers had to sign a receipt\medskip
-\item Is Chip-and-PIN a more secure system?
-\end{itemize}
-
-\begin{flushright}
-\small\textcolor{gray}{(Some other countries still use the old method.)}
-\end{flushright}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Yes \ldots\end{tabular}}
-
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{10cm}\raggedright\small
-``Chip-and-PIN is so effective in this country [UK] that fraudsters are starting to move their activities overseas,''
-said Emile Abu-Shakra, spokesman for Lloyds TSB (in the Guardian, 2006).
-\end{minipage}};
-\end{tikzpicture}\bigskip
-
-
-\begin{itemize}
-\item mag-stripe cards cannot be cloned anymore
-\item stolen or cloned cards need to be used abroad
-\item fraud on lost, stolen and counterfeit credit cards was down \pounds{}60m (24\%) on 2004's figure
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}But let's see \ldots\end{tabular}}
-
-
-\begin{textblock}{1}(3,4)
-\begin{tabular}{c}
-\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm]
-\small Bank
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(7,4.5)
-\begin{tabular}{c}
-\includegraphics[scale=3]{pics/store.png}\\[-2mm]
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(4.5,9.9)
-\begin{tabular}{c}
-\includegraphics[scale=0.16]{pics/rman.png}\\[-1mm]
-\small costumer / you
-\end{tabular}
-\end{textblock}
-
-\only<2->{
-\begin{textblock}{1}(4.5,7.5)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1,-1) node (Y) {};
- \draw[red, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}}
-
-\only<3->{
-\begin{textblock}{1}(6.8,7.5)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1,1) node (Y) {};
- \draw[red, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(4.8,5.9)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1.4,0) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}}
-
-\only<4->{
-\begin{textblock}{1}(12,6.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm]
-\small card\\[-2mm]\small terminal\\[-2mm] \small producer
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(10,7)
- \begin{tikzpicture}[scale=1.6]
- \draw[white] (0,0) node (X) {};
- \draw[white] (-1,0.6) node (Y) {};
- \draw[red, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}}
-
-
-\begin{itemize}
-\item A ``tamperesitant'' terminal playing Tetris on
-\textcolor{blue}{\href{http://www.youtube.com/watch?v=wWTzkD9M0sU}{youtube}}.\\
-\textcolor{lightgray}{\footnotesize(\url{http://www.youtube.com/watch?v=wWTzkD9M0sU})}
-\end{itemize}
-
-
-\includegraphics[scale=0.2]{pics/tetris.jpg}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}}
-
-
-\begin{itemize}
-\item in 2006, Shell petrol stations stopped accepting Chip-and-PIN after \pounds{}1m had been stolen from customer accounts\smallskip
-\item in 2008, hundreds of card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been
-expertly tampered with shortly after manufacture so that details and PINs of credit cards were sent during the 9 months
-before over mobile phone networks to criminals in Lahore, Pakistan
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Chip-and-PIN is Broken\end{tabular}}
-
-\begin{flushright}
-\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\;
-\includegraphics[scale=1.5]{pics/anderson.jpg}
-\end{flushright}
-
-\begin{itemize}
-\item man-in-the-middle attacks by the group around Ross Anderson\medskip
-\end{itemize}
-
-\begin{center}
-\mbox{}\hspace{-20mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
-\end{center}
-
-
-\begin{textblock}{1}(11.5,13.7)
-\begin{tabular}{l}
-\footnotesize on BBC Newsnight\\[-2mm]
-\footnotesize in 2010 or \textcolor{blue}{\href{http://www.youtube.com/watch?v=JPAX32lgkrw}{youtube}}
-\end{tabular}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN is Really Broken\end{tabular}}
-
-\begin{flushright}
-\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\;
-\includegraphics[scale=1.5]{pics/anderson.jpg}
-\end{flushright}
-
-\begin{itemize}
-\item same group successfully attacked this year card readers and ATM machines
-\item the problem: several types of ATMs generate poor random numbers, which are used as nonces
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem \ldots\end{tabular}}
-
-
-\begin{textblock}{1}(3,4)
-\begin{tabular}{c}
-\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm]
-\small Bank
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(7,4.5)
-\begin{tabular}{c}
-\includegraphics[scale=3]{pics/store.png}\\[-2mm]
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(12,6.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm]
-\small terminal\\[-2mm] \small producer
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(4.5,9.9)
-\begin{tabular}{c}
-\includegraphics[scale=0.13]{pics/rman.png}\\[-1mm]
-\small costumer / you
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(4.5,7.5)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1,-1) node (Y) {};
- \draw[gray, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(6.8,7.5)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1,1) node (Y) {};
- \draw[gray, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(4.8,5.9)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1.4,0) node (Y) {};
- \draw[gray, <->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(10,7)
- \begin{tikzpicture}[scale=1.6]
- \draw[white] (0,0) node (X) {};
- \draw[white] (-1,0.6) node (Y) {};
- \draw[gray, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{14}(1,13.5)
-\begin{itemize}
-\item the burden of proof for fraud and financial liability was shifted to the costumer
-\end {itemize}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Being Screwed Again\end{tabular}}
-
-
-\begin{flushright}
-\includegraphics[scale=0.3]{pics/rbssecure.jpg}
-\end{flushright}
-
-\begin{itemize}
-\item {\bf Responsibility}\\
-``You understand that you are financially responsible for all uses of RBS Secure.''\\
-\textcolor{lightgray}{\footnotesize\url{https://www.rbssecure.co.uk/rbs/tdsecure/terms_of_use.jsp}}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Web Applications\end{tabular}}
-
-
-\begin{textblock}{1}(2,5)
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm]
-\small Servers from\\[-2mm]
-\small Dot.com Inc.
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(5.6,6)
- \begin{tikzpicture}[scale=2.5]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1,0) node (Y) {};
- \only<2>{\draw[red, <-, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {};}
- \only<3>{\draw[red, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X)!.5!(Y) $) {};}
- \only<4>{\draw[red, <-, line width = 2mm] (X) -- (Y);
- \node [inner sep=7pt,label=above:\textcolor{black}{POST data}] at ($ (X)!.5!(Y) $) {};}
- \end{tikzpicture}
-\end{textblock}
-
-
-\begin{textblock}{1}(9,5.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm]
-\small Client(s)
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{13}(1,13)
-\begin{itemize}
-\item What are pitfalls and best practices?
-\end{itemize}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Scala + Play\end{tabular}}
-
-\footnotesize a simple response from the server:
-
-{\lstset{language=Scala}\fontsize{8}{10}\selectfont
-\texttt{\lstinputlisting{app0.scala}}}\bigskip
-
-\footnotesize
-alternative response:\\
-
-{\lstset{language=Scala}\fontsize{8}{10}\selectfont
-\texttt{\lstinline{Ok("<H1>Hello world!</H1>").as(HTML)}}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-{\lstset{language=Scala}\fontsize{8}{10}\selectfont
-\texttt{\lstinputlisting{app1.scala}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Cookies\end{tabular}}
-
-
-\begin{textblock}{1}(1.5,5)
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm]
-\small Servers from\\[-2mm]
-\small Dot.com Inc.
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(5.6,5.6)
- \begin{tikzpicture}[scale=2.5]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1,0) node (Y) {};
- \draw[white] (0.05,-0.3) node (X1) {};
- \draw[white] (0.95,-0.3) node (Y1) {};
- \only<1-2>{\draw[red, <-, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {};}
- \only<1>{\draw[white, <-, line width = 1mm] (X1) -- (Y1);
- \node [inner sep=2pt,label=below:\textcolor{white}{read a cookie}] at ($ (X1)!.5!(Y1) $) {};}
- \only<2>{\draw[red, <-, line width = 1mm] (X1) -- (Y1);
- \node [inner sep=2pt,label=below:\textcolor{black}{read a cookie}] at ($ (X1)!.5!(Y1) $) {};}
- \only<3->{\draw[red, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X)!.5!(Y) $) {};}
- \only<3->{\draw[red, ->, line width = 1mm] (X1) -- (Y1);
- \node [inner sep=2pt,label=below:\textcolor{black}{write a cookie}] at ($ (X1)!.5!(Y1) $) {};}
- \end{tikzpicture}
-\end{textblock}
-
-
-\begin{textblock}{1}(9.5,5.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm]
-\small Client
-\end{tabular}
-\end{textblock}
-
-\only<4->{
-\begin{textblock}{13}(1,11)
-\small\begin{itemize}
-\item cookies: max 4KB data\\[-2mm]
-\item cookie theft, cross-site scripting attacks\\[-2mm]
-\item session cookies, persistent cookies, HttpOnly cookies, third-party cookies, zombie cookies
-\end{itemize}
-\end{textblock}}
-
-\only<5>{
-\begin{textblock}{11}(1,3)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{10cm}\raggedright\small
-{\bf EU Privacy Directive about Cookies:}\smallskip\\
-``In May 2011, a European Union law was passed stating that websites that leave non-essential cookies on visitors' devices have to alert the visitor and get acceptance from them. This law applies to both individuals and businesses based in the EU regardless of the nationality of their website's visitors or the location of their web host. It is not enough to simply update a website's terms and conditions or privacy policy. The deadline to comply with the new EU cookie law was 26th May 2012 and failure to do so could mean a fine of up to \pounds{}500,000.''
-\hfill\small\textcolor{gray}{$\rightarrow$BBC News}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\begin{itemize}
-\item While cookies are per web-page, this can be easily circumvented.
-\end{itemize}
-
-\begin{textblock}{1}(1.5,4.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
-\small Pet Store\\[-2mm]
-\small Dot.com\\[-2mm]
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(1.5,8)
-\begin{tabular}{c}
-\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
-\small Dating.com
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(10.5,7.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
-\small Evil-Ad-No\\[-2mm]
-\small Privacy.com
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(6,10.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.16]{pics/rman.png}\\[-1mm]
-\small you
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(4,5)
- \begin{tikzpicture}[scale=1]
- \draw[white] (0,0.5) node (X) {};
- \draw[white] (5.7,-1) node (Y) {};
- \draw[red, ->, line width = 0.5mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(4,7.9)
- \begin{tikzpicture}[scale=1]
- \draw[white] (0,0) node (X) {};
- \draw[white] (5.7,0) node (Y) {};
- \draw[red, ->, line width = 0.5mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(3.3,9.3)
- \begin{tikzpicture}[scale=1.2]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1.5,-1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \draw[white] (0.9,0.3) node (X1) {};
- \draw[white] (1.9,-1) node (Y1) {};
- \draw[red, <->, line width = 2mm] (X1) -- (Y1);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X1)!.5!(Y1) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(8.6,10.1)
- \begin{tikzpicture}[scale=0.9]
- \draw[white] (0,0) node (X) {};
- \draw[white] (-2,-1) node (Y) {};
- \draw[red, <->, line width = 0.5mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}My First Webapp\end{tabular}}
-
-{\bf GET request:}\smallskip
-\begin{enumerate}
-\item read the cookie from client
-\item if none is present, set \texttt{visits} to \textcolor{blue}{$0$}
-\item if cookie is present, extract \texttt{visits} counter
-\item if \texttt{visits} is greater or equal \textcolor{blue}{$10$}, \\
-print a valued customer message\\
-otherwise just a normal message
-\item increase \texttt{visits} by \textcolor{blue}{$1$} and store new cookie with client
-\end{enumerate}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\mbox{}\\[-9mm]
-
-{\lstset{language=Scala}\fontsize{8}{10}\selectfont
-\texttt{\lstinputlisting{app2.scala}}}
-
-\footnotesize
-\begin{itemize}
-\item cookie value encoded as hash
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=1.8]{pics/barrier.jpg}
-\end{center}
-
-\begin{itemize}
-\item data integrity needs to be ensured
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\mbox{}\\[-7mm]
-
-{\lstset{language=Scala}\fontsize{8}{10}\selectfont
-\texttt{\lstinputlisting{app3.scala}}}
-
-\small
-\begin{itemize}
-\item the counter/hash pair is intended to prevent tampering
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}SHA-1\end{tabular}}
-
-\begin{itemize}
-\item SHA-1 is a cryptographic hash function\\
-(MD5, SHA-256, SHA-512, \ldots)
-\item message $\rightarrow$ digest
-\item no known attack exists, except brute force\bigskip\pause
-\item but dictionary attacks are very ef$\!$fective for extracting passwords (later)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\mbox{}\\[-9mm]
-
-{\lstset{language=Scala}\fontsize{8}{10}\selectfont
-\texttt{\lstinputlisting{app4.scala}}}
-
-\begin{textblock}{1}(9,1)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (3,0) node (Y) {};
- \draw[red, <-, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{\small should be random}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(6.6,4.9)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1,-1) node (Y) {};
- \draw[red, <-, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Unix Passwords\end{tabular}}
-
-\begin{itemize}
-\item passwords are \alert{\bf not} stored in clear text
-\item instead \texttt{/etc/shadow} contains
-\end{itemize}
-
-{\small
-\texttt{name:\$1\$QIGCa\$/ruJs8AvmrknzKTzM2TYE.:other\_info}
-}
-
-\begin{itemize}
-\item \texttt{\$} is separator
-\item \texttt{1} is MD5 (actually SHA-512 is used nowadays, \texttt{6})
-\item \texttt{QIGCa} is salt
-\item \texttt{ruJs8AvmrknzKTzM2TYE} $\rightarrow$ password + salt
-\end{itemize}
-
-\textcolor{gray}{\small
-(\texttt{openssl passwd -1 -salt QIGCa pippo})
-}
-% Unix password
-% http://ubuntuforums.org/showthread.php?p=5318038
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Password Blunders\end{tabular}}
-
-
-\begin{itemize}
-\item in late 2009, when an SQL injection attack against online games
-service RockYou.com exposed 32 million \alert{plaintext} passwords
-
-\item 1.3 million Gawker credentials exposed in December 2010 containing
-unsalted(?) \alert{MD5} hashes
-
-\item June 6th, 2012, 6 million unsalted SHA-1 passwords were leaked from linkedIn
-% linkedIn password
-% http://erratasec.blogspot.co.uk/2012/06/confirmed-linkedin-6mil-password-dump.html
-\end{itemize}\medskip
-
-\small
-Web user maintains 25 separate accounts but uses just 6.5 passwords
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%For instance, SHA512crypt, which is included in Mac OS X and most Unix-based operating systems, passes text through 5,000 iterations, a %hurdle that would have limited Gosney to slightly less than 2,600 guesses per second. The Bcrypt algorithm is even more computationally %expensive, in large part because it subjects text to multiple iterations of the Blowfish cipher that was deliberately modified to increase the %time required to generate a hash. PBKDF2, a function built into Microsoft's .Net software developer framework, offers similar benefits.
-
-
-% rainbow tables
-% http://en.wikipedia.org/wiki/Rainbow_table
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Brute Forcing Passwords\end{tabular}}
-
-\begin{itemize}
-\item How fast can hackers crack SHA-1 passwords? \pause
-
-\item The answer is 2 billion attempts per second\\
-using a Radeon HD 7970
-\end{itemize}
-
-\begin{center}
-\begin{tabular}{@ {\hspace{-12mm}}rl}
-password length & time\smallskip\\\hline
-5 letters & 5 secs\\
-6 letters & 500 secs\\
-7 letters & 13 hours\\
-8 letters & 57 days\\
-9 letters & 15 years\\
-\end{tabular}
-\end{center}
-
-\small
-5 letters $\approx$ 100$^5$ $=$ 10 billion combinations\\
-(1 letter - upper case, lower case, digits, symbols $\approx$ 100)
-
-\only<2->{
-\begin{textblock}{1}(12,5)
-\begin{tabular}{c}
-\includegraphics[scale=0.3]{pics/radeon.jpg}\\[-6mm]
-\footnotesize graphics card\\[-1mm]
-\footnotesize ca.~\pounds{}300
-\end{tabular}
-\end{textblock}}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Passwords\end{tabular}}
-
-How to recover from a breakin?\pause\medskip
-
-\begin{itemize}
-\item Do not send passwords in plain text.
-\item Security questions are tricky to get right.
-\item QQ (Chinese Skype) authenticates you via contacts.
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}This Course\end{tabular}}
-
-\begin{itemize}
-\item break-ins (buffer overflows)
-\item access control\\ (role based, data security / data integrity)
-\item protocols\\
-(specification)
-\item access control logic
-\item privacy
-\begin{quote}
-Scott McNealy: \\``You have zero privacy anyway. Get over it.''
-\end{quote}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Books + Homework\end{tabular}}
-
-\begin{itemize}
-\item there is no single book I am following
-\begin{center}
-\includegraphics[scale=0.012]{pics/andersonbook1.jpg}
-\includegraphics[scale=0.23]{pics/accesscontrolbook.jpg}
-\end{center}\medskip\pause
-
-\item The question ``Is this relevant for the exams'' is not appreciated!\medskip\\
-
-Whatever is in the homework sheets (and is not marked optional) is relevant for the
-exam. No code needs to be written.
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Take-Home Points\end{tabular}}
-
-\begin{itemize}
-\item Never store passwords in plain text.\medskip
-\item Always salt your hashes!\medskip
-\item Use an existing algorithm; do not write your own!
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Thinking as a Defender\end{tabular}}
-
-\begin{itemize}
-\item What are you trying to protect?
-\item What properties are you trying to enforce?\medskip
-
-\item Who are the attackers? Capabilities? Motivations?
-\item What kind of attack are we trying to protect?
-\item Who can fix any vulnerabilities?\medskip
-
-\item What are the weaknesses of the system?
-\item What will successful attacks cost us?
-\item How likely are the attacks?
-\end{itemize}
-
-\small
-\textcolor{gray}{Security almost always is {\bf not} free!}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Security Mindset\end{tabular}}
-
-\begin{itemize}
-\item How things can go wrong.
-\item Think outside the box.
-\end{itemize}\bigskip
-
-The difference between being criminal is to only \alert{\bf think} about how things can go wrong.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{c}Maps in Scala\end{tabular}}
-
-\begin{itemize}
-\item {\bf\texttt{map}} takes a function, say f, and applies it to every element of the list:
-\end{itemize}
-
-\begin{textblock}{15}(2,7)
-\fontsize{13}{14}\selectfont
-\bf\texttt{List(1, 2, 3, 4, 5, 6, 7, 8, 9)}
-\end{textblock}
-
-\begin{textblock}{15}(2,10)
-\fontsize{13}{14}\selectfont
-\bf\texttt{List(1, 4, 9, 16, 25, 36, 49, 64, 81)}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides02.pdf has changed
--- a/slides02.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,454 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{pgf}
-\usepackage{calc}
-\usepackage{ulem}
-\usepackage{courier}
-\usepackage{listings}
-\renewcommand{\uline}[1]{#1}
-\usetikzlibrary{arrows}
-\usetikzlibrary{automata}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
-
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (2)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also home work is there)
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-
-
-\ldots{} I have a question about the homework.\\[3mm]
-Is it required to submit the homework before\\
-the next lecture?\\[5mm]
-
-Thank you!\\
-Anonymous
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\begin{tabular}[t]{c}
-\includegraphics[scale=1.2]{pics/barrier.jpg}\\
-future lectures
-\end{tabular}\;\;\;
-\onslide<2>{
-\begin{tabular}[t]{c}
-\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
-today
-\end{tabular}
-}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}
-
-\begin{textblock}{1}(1,3)
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/SmartWater}
-\end{tabular}
-\end{textblock}
-
-
-\begin{textblock}{8.5}(7,3)
-\begin{itemize}
-\item seems helpful for preventing cable theft\medskip
-\item wouldn't be helpful to make your property safe, because of possible abuse\medskip
-
-\item security is always a tradeoff
-\end{itemize}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
-
-\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
-
-
-\begin{itemize}
-\item IEEE is a standards organisation (not-for-profit)
-\item many standards in CS are by IEEE\medskip
-\item 100k plain-text passwords were recorded in logs
-\item the logs were openly accessible on their FTP server
-\end{itemize}\bigskip
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://ieeelog.com}}
-\end{flushright}
-
-\only<2>{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{7.5cm}\raggedright\small
-\includegraphics[scale=0.6]{pics/IEEElog.jpg}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
-\end{flushright}
-
-\begin{itemize}
-\item for online accounts passwords must be 6 digits
-\item you must cycle through 1M combinations (online)\pause\bigskip
-
-\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
-\item wrote a script that cleared the cookie set after each guess\pause
-\item has been fixed now
-\end{itemize}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
-
-\begin{itemize}
-\item ``smashing the stack attacks'' or ``buffer overflow attacks''
-\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
-\medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
-\begin{center}
-{\bf ``Smashing The Stack For Fun and Profit''}
-\end{center}\medskip
-
-\begin{flushright}
-\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
-\end{flushright}
-
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
-
-\begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\begin{center}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-\end{center}
-\item the resulting problems are often remotely exploitable
-\item can be used to circumvents all access control
-(botnets for further attacks)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Variants\end{tabular}}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\small
-\texttt{my\_float} is printed twice:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C1.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\small
-A programmer might be careful, but still introduce vulnerabilities:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2a.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
-
-\begin{itemize}
-\item the idea is you store some code as part to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
-
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
-
-\begin{center}
-\texttt{xorl \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
-
-\small
-\texttt{string} is nowhere used:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{programs/C4.c}}}\bigskip
-
-this vulnerability can be used to read out the stack
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
-
-\begin{itemize}
-\item use safe library functions
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
-
-\begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (needed for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
- with this information?\bigskip
-
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides03.pdf has changed
--- a/slides03.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,727 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{pgf}
-\usepackage{calc}
-\usepackage{ulem}
-\usepackage{courier}
-\usepackage{listings}
-\renewcommand{\uline}[1]{#1}
-\usetikzlibrary{arrows}
-\usetikzlibrary{automata}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 03, King's College London, 9 October 2012}
-
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (3)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also home work is there)\\
- & \alert{\bf (I have put a temporary link in there.)}\\
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
-one general defence mechanism is\\\alert{\bf defence in depth}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1-2>[c]
-\frametitle{Defence in Depth}
-
-\begin{itemize}
-\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
-\end{itemize}
-
-\only<2->{
-\begin{textblock}{11}(2,12)
-\small otherwise your ``added security'' can become the point of failure
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{PALs}
-
-\begin{itemize}
-\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
-\end{itemize}
-
-\begin{center}
-\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
-\includegraphics[scale=0.25]{pics/nuclear2.jpg}
-\end{center}
-
-
-\onslide<3->{
-modern PALs also include a 2-person rule
-}
-
- \only<2->{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-US Air Force's Strategic Air Command worried that in times of need the
-codes would not be available, so until 1977 quietly decided to set them
-to 00000000\ldots
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{itemize}
-\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
-
-\item these weapons were armed with a bicycle key
-
-\begin{center}
-\begin{tabular}[b]{c}
-\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
-\small nuclear weapon keys
-\end{tabular}
-\hspace{3mm}
-\begin{tabular}[b]{c}
-\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
-\small bicycle lock
-\end{tabular}
-\end{center}\bigskip\pause
-
-\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix}
-
-\begin{itemize}
-\item access control provided by the OS
-\item authenticate principals (login)
-\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
-\item roles get attached with privileges\bigskip\\%
-\hspace{8mm}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-\alert{principle of least privilege:}\\
-programs should only have as much privilege as they need
-\end{minipage}};
-\end{tikzpicture}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-
-\begin{itemize}
-\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
-\end{itemize}
-
-\begin{textblock}{1}(2.5,9.5)
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (4.7,1) node {Internet};
- \draw (0.6,1.7) node {\footnotesize Interface};
- \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
- \end{tikzpicture}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Process Ownership}
-
-\begin{itemize}
-\item access control in Unix is very coarse
-\end{itemize}\bigskip\bigskip\bigskip
-
-\begin{center}
-\begin{tabular}{c}
-root\\
-\hline
-
-user$_1$ user$_2$ \ldots www, mail, lp
-\end{tabular}
-\end{center}\bigskip\bigskip\bigskip
-
-
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-
-
-\begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'')
-\item there are 9 (plus 2) bits that specify the permissions of a file
-
-\begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls - la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\end{tabular}
-\end{center}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Login Process}
-
-
-\begin{itemize}
-\item login processes run under UID $=$ 0\medskip
-\begin{center}
-\texttt{ps -axl | grep login}
-\end{center}\medskip
-
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
-\begin{center}
-\texttt{id cu}
-\end{center}\medskip\pause
-
-\item non-root users are not allowed to change the UID --- would break
-access control
-\item but needed for example for \texttt{passwd}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Setuid and Setgid}
-
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
-
-\begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
-\item This enables users to create processes as root (or another user).\bigskip
-
-\item Essential for changing passwords, for example.
-\end{itemize}
-
-\begin{center}
-\texttt{chmod 4755 fobar\_file}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
- \draw (4.7,1) node {Internet};
- \draw (0.6,1.7) node {\footnotesize Slave};
- \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
- \draw (0.6,1.7) node {\footnotesize Slave};
- \draw (0.6,0.6) node {\footnotesize Slave};
- \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
- \draw (-2.9,1.7) node {\footnotesize Monitor};
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
- \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
-
- \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item pre-authorisation slave
-\item post-authorisation\bigskip
-\item 25\% codebase is privileged, 75\% is unprivileged
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Network Applications}
-
-ideally network application in Unix should be designed as follows:
-
-\begin{itemize}
-\item need two distinct processes
-\begin{itemize}
-\item one that listens to the network; has no privilege
-\item one that is privileged and listens to the latter only (but does not trust it)
-
-\end{itemize}
-
-\item to implement this you need a parent process, which forks a child process
-\item this child process drops privileges and listens to hostile data\medskip
-
-\item after authentication the parent forks again and the new child becomes the user
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
-
-
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
-\end{itemize}
-
-\only<1>{
-\begin{textblock}{1}(3,3)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-Only failure makes us experts.
- -- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-
-There are thing's you just cannot solve on the programming side:\bigskip
-
-\begin{itemize}
-\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
-\begin{itemize}
-\item attacker:\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
-\item root:\\\texttt{rm /tmp/*/*}:
-\item attacker:\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
-
-Unix essentially can only distinguish between two security levels (root and non-root).
-
-\begin{itemize}
-\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause
-
-\item Information flow: Bell --- La Padula model
-
-\begin{itemize}
-\item read: your own level and below
-\item write: your own level and above
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
-
-\begin{itemize}
-\item Bell --- La Padula preserves data secrecy, but not data integrity\bigskip\pause
-
-\item Biba model is for data integrity
-
-\begin{itemize}
-\item read: your own level and above
-\item write: your own level and below
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
-
-According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
-following view:
-
-\begin{center}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{10.5cm}
-\small Access control does not matter. Computers are becoming single-purpose
-or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't
-need much in the way of access control as there's nothing for operating system access controls
-to do; the job of separating users from each other is best left to application code. As for the PC
-on your desk, if all the software on it comes from a single source, then again there's no need
-for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)}
-\end{minipage}};
-\end{tikzpicture}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
-
-\begin{itemize}
-\item with access control we are back to 1970s\bigskip
-
-\only<1>{
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{10cm}
-\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
-\mbox{}\hfill--- Roger Needham
-\end{minipage}};
-\end{tikzpicture}}\pause
-
-\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
-is dead now\bigskip
-\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\
-(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
-
-\item electronic voting
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
-
-\begin{itemize}
-\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
-
-\item you as developer have to specify the resources an application needs
-\item the OS provides a sandbox where access is restricted to only these resources
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
-
-
-Security theatre is the practice of investing in countermeasures intended to provide the
-\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
-
-\begin{itemize}
-\item for example, usual locks and strap seals are security theatre
-\end{itemize}
-
-\begin{center}
-\includegraphics[scale=0.45]{pics/seal.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{minipage}{11cm}
-From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
-To: cl-security-research@lists.cam.ac.uk\\
-Subject: Tip off\\
-Date: Tue, 02 Oct 2012 13:12:50 +0100\\
-
-I received the following tip off, and have removed the sender's
-coordinates. I suspect it is one of many security vendors who
-don't even get the basics right; if you ever go to the RSA
-conference, there are a thousand such firms in the hall, each
-with several eager but ignorant salesmen. A trying experience.\\
-
-Ross
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{minipage}{11cm}
-I'd like to anonymously tip you off about this\\
-product:\\
-
-{\small http://www.strongauth.com/products/key-appliance.html}\\
-
-It sounds really clever, doesn't it?\\
-\ldots\\
-
-Anyway, it occurred to me that you and your colleagues might have a
-field day discovering weaknesses in the appliance and their
-implementation of security. However, whilst I'd be willing to help
-and/or comment privately, it'd have to be off the record ;-)
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}}
-
-{\bf What assets are you trying to protect?}\bigskip
-
-This question might seem basic, but a surprising number of people never ask it. The question involves understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems, and require different solutions.
-
-\only<2>{
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{10cm}
-\small You like to prevent: ``It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it.''
-\end{minipage}};
-\end{tikzpicture}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 2\end{tabular}}
-
-{\bf What are the risks to these assets?}\bigskip
-
-Here we consider the need for security. Answering it involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it, and why.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 3\end{tabular}}
-
-{\bf How well does the security solution mitigate those risks?}\bigskip
-
-Another seemingly obvious question, but one that is frequently ignored. If the security solution doesnÕt solve the problem, it's no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 4\end{tabular}}
-
-{\bf What other risks does the security solution cause?}\bigskip
-
-This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 5\end{tabular}}
-
-{\bf What costs and trade-offs does the security solution impose?}\bigskip
-
-Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides04.pdf has changed
--- a/slides04.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1014 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{pgf}
-\usepackage{calc}
-\usepackage{ulem}
-\usepackage{courier}
-\usepackage{listings}
-\renewcommand{\uline}[1]{#1}
-\usetikzlibrary{arrows}
-\usetikzlibrary{automata}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 04, King's College London, 16 October 2012}
-
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (4)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also homework is there)\\
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Unix-Style Access Control}
-
-\begin{itemize}
-\item Q: ``I am using Windows. Why should I care?'' \\ A: In Windows you have similar AC:
-
-\begin{center}
-\begin{tabular}{l}
-administrators group\\
-\hspace{5mm}(has complete control over the machine)\\
-authenticated users\\
-server operators\\
-power users\\
-network configuration operators\\
-\end{tabular}
-\end{center}\medskip
-
-\item Modern versions of Windows have more fine-grained AC than Unix; they do not have a setuid bit, but
-have \texttt{runas} (asks for a password).\pause
-
-\item OS-provided access control can \alert{\bf add} to your
-security.
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (4.7,1) node {Internet};
- \draw (-2.7,1.7) node {\footnotesize Application};
- \draw (0.6,1.7) node {\footnotesize Interface};
- \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
- \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item the idea is make the attack surface smaller and
-mitigate the consequences of an attack
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Shared Access Control}
-
-\begin{center}
-\includegraphics[scale=0.7]{pics/pointsplane.jpg}
-\end{center}
-
-\begin{textblock}{11}(10.5,10.5)
-\small
-To take an action you\\[-1mm]
-need at least either:
-\begin{itemize}
-\item 1 CEO\\[-5mm]
-\item 2 MDs, or\\[-5mm]
-\item 3 Ds
-\end{itemize}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Lessons from Access Control}
-
-Not just restricted to Unix:
-
-\begin{itemize}
-\item if you have too many roles (i.e.~too finegrained AC), then
- hierarchy is too complex\\
- \textcolor{gray}{you invite situations like\ldots let's be root}\bigskip
-
-\item you can still abuse the system\ldots
-
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
-
-The idea is to trick a privileged person to do something on your behalf:
-
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-
-\footnotesize
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
-
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
-
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes the real passwd file
-\end{enumerate}
-
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{9cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier Analysis\end{tabular}}
-
-\textcolor{gray}{There is no absolutely secure system and security almost never comes for free.}
-
-\begin{itemize}
-\item What assets are you trying to protect?
-\item What are the risks to these assets?
-\item How well does the security solution mitigate those risks?
-\item What other risks does the security solution cause?
-\item What costs and trade-offs does the security solution impose?
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Credit Cards\end{tabular}}
-
-You might have the policy of not typing in your credit card online. Worthwhile or not?
-\begin{itemize}
-\item<2->What assets are you trying to protect?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}your credit card number\end{tabular}}
-\item<3->What are the risks to these assets?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-With credit cards you loose a fixed amount \pounds{50}. Amazon \pounds{50}. \end{tabular}}
-\item<4->How well does the security solution mitigate those risks?\\
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Well, hackers steal credit cards from databases. They usually do not attack you individually.\end{tabular}}
-\item<5->What other risks does the security solution cause?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright None (?)\end{tabular}}
-\item<6->What costs and trade-offs does the security solution impose?
-\only<6>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Internet shopping is convenient and sometimes cheaper.\end{tabular}}
-\item<7>[]{\bf\large No!}
-\end{itemize}\pause\pause
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewalls\end{tabular}}
-
-\begin{center}
-\includegraphics[scale=0.5]{pics/firewall.png}
-\end{center}
-
-A firewall is a piece of software that controls incoming and outgoing traffic according to some rules.
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewalls\end{tabular}}
-
-\begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Whatever is behind the firewall
-(credit cards, passwords, blueprints, \ldots)\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-With a small online shop you are already at risk. Pentagon, definitely.\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Well, at home so not much. Everywhere else, if properly configurated then it does.\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright There might be backdoors or bugs in the firewall,
-but generally they are secure. You choose to prevent certain traffic.\end{tabular}}
-\item<5->What costs and trade-offs does the security solution impose?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Minimal to modest. Firewalls are part of free software. You need a knowledgeable
-person to set them up.\end{tabular}}
-\item<7>[]{\bf\large Yes!}
-\end{itemize}\pause\pause
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
-
-Google uses nowadays two-factor authentication. But it is an old(er)
-idea. It is used for example in Germany and Netherlands for online transactions.
-
-\begin{center}
-\includegraphics[scale=0.6]{pics/tan1.jpg}\hspace{5mm}
-\includegraphics[scale=0.2]{pics/tan2.jpg}
-\end{center}
-
-\pause
-Or nowadays by SMS (restricts the validity of the numbers) or with a secure generator
-
-\begin{center}
-\includegraphics[scale=0.08]{pics/pinsentry.jpg}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
-
-\begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Your bank account.\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Nowadays pretty high risk.\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-It prevents problems when passwords are stolen. Man-in-the-middle attacks
-still possible.\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Your mobile phone or credit card/pin might
-be stolen. SIM card becomes more valuable.\end{tabular}}
-\item<5->What costs and trade-offs does the security solution impose?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Banks need to establish an infrastructure. For you it might be inconvenient.\end{tabular}}
-\item<7>[]{\bf\large Yes!}
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals\end{tabular}}
-
-According to Ross Anderson: ``\ldots is a tamper-indicating device
-designed to leave non-erasable, unambiguous evidence of unauthorized
-entry or tampering.''
-
-\begin{center}
-\includegraphics[scale=0.45]{pics/seal.jpg}
-\end{center}\mbox{}\\[-12mm]
-
-They also need some quite sophisticated policies (seal regiment).
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals (2)\end{tabular}}
-
-\begin{itemize}
-\item at the Argonne National Laboratory they tested 244 different security seals
-\begin{itemize}
-\item meantime to break the seals for a trained person: 100 s
-\item including 19\% that were used for safeguard of nuclear material
-\end{itemize}\bigskip
-
-\item Andrew Appel defeated all security seals which were supposed to keep
-voting machines safe
-\end{itemize}
-
-
-\only<2>{
-\begin{textblock}{11}(1,1)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize
-\begin{minipage}{11cm}\raggedright\small
-\begin{center}
-\includegraphics[scale=0.25]{pics/appelseals.jpg}
-\end{center}
-\begin{center}
-\begin{minipage}{10.5cm}
-\begin{itemize}
-\item The tamper-indicating tape can be lifted using a heat gun.
-\item The security screw cap can be removed using a screwdriver, then the
-serial-numbered top can be replaced (undamaged) onto a fresh (unnumbered) base.
-\item The wire seal can be defeated using a \#4 wood screw.
-\item The plastic strap seal can be picked using a jeweler's screwdriver.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Security Seals\end{tabular}}
-
-\begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Voting machines, doors.\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Casual thieves, insider attacks.\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Needs a quite complicated security regiment.\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You might not notice tampering.\end{tabular}}
-\item<5->What costs and trade-offs does the security solution impose?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-The ``hardware'' is cheap, but indirect costs can be quite high.\end{tabular}}
-\item<7>[]{\bf\large No!} {\textcolor{gray}{Though in some areas they work: airports, swimming pools, \ldots}}
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Security-by-Obscurity\end{tabular}}
-
-You might think it is a good idea to keep a security relevant algorithm or
-software secret.
-
-\begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Source code, an algorithm and things that depend on it\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Can be pretty high (Oystercards).\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Not really. The source code can be reverse engineered, stolen, coerced \ldots{}\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You prevent
-scrutiny and independent advice. You also more likely than not to
-get it wrong.\end{tabular}}
-\item<5>[]{\bf\large No!}
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Voting as Security Problem\end{tabular}}
-
-What are the security requirements of a voting system?\bigskip
-
-\begin{itemize}
-\item<2->Integrity
-\item<3->Ballot Secrecy
-\item<5->Voter Authentication
-\item<6->Enfranchisement
-\item<7->Availability
-\end{itemize}
-
-\only<2>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item The outcome matches with the voters' intend.
-\item There might be gigantic sums at stake and need to be defended against.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\only<4>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item Nobody can find out how you voted.
-\item (Stronger) Even if you try, you cannot prove how you voted.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\only<5>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item Only authorised voters can vote up to the permitted number of votes.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\only<6>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item Authorised voters should have the opportunity to vote.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\only<7>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item The voting system should accept all authorised votes and produce results in a timely manner.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
-
-
-\begin{center}
-\includegraphics[scale=2.5]{pics/ballotbox.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Problems with Voting\end{tabular}}
-
-
-\begin{center}\large
-\begin{tabular}{rcl}
-Integrity & vs. & Ballot Secrecy\bigskip\\
-Authentication & vs. &Enfranchisement
-\end{tabular}
-\end{center}\bigskip\bigskip\pause
-
-Further constraints:
-
-\begin{itemize}
-\item costs
-\item accessibility
-\item convenience
-\item intelligibility
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
-
-
-\begin{itemize}
-\item The Netherlands between 1997 - 2006 had electronic voting machines\\
-\textcolor{gray}{(hacktivists had found: they can be hacked and also emitted radio signals revealing how you voted)}
-
-\item Germany had used them in pilot studies\\
-\textcolor{gray}{(in 2007 a law suit has reached the highest court and it rejected electronic voting
-on the grounds of not being understandable by the general public)}
-
-\item UK used optical scan voting systems in a few polls
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
-
-\mbox{}\\[-12mm]
-\begin{itemize}
-\item US used mechanical machines since the 30s, later punch cards, now DREs and
-optical scan voting machines \textcolor{gray}{(fantastic ``ecosystem'' for study)}
-
-\item Estonia used in 2007 the Internet for national elections
-\textcolor{gray}{(there were earlier pilot studies in other countries)}
-
-\item India uses e-voting devices since at least 2003\\
-\textcolor{gray}{(``keep-it-simple'' machines produced by a government owned company)}
-
-\item South Africa used software for its tallying in the 1993 elections (when Nelson Mandela was elected)
-\textcolor{gray}{(they found the tallying software was rigged, but they were able to tally manually)}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}A Brief History of Voting\end{tabular}}
-
-
-\begin{itemize}
-\item Athenians
-\begin{itemize}
-\item show of hands
-\item ballots on pieces of pottery
-\item different colours of stones
-\item ``facebook''-like authorisation
-\end{itemize}\bigskip
-
-\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip
-
-
-\item French Revolution and the US Constitution got things ``started'' with
-paper ballots (you first had to bring your own; later they were pre-printed by parties)
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
-
-Security policies involved with paper ballots:
-
-\begin{enumerate}
-\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing)
-\item you need to guard the ballot box during the poll until counting
-\item tallied by a team at the end of the poll (independent observers)
-\end{enumerate}
-
-\begin{center}
-\includegraphics[scale=1.5]{pics/ballotbox.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}}
-
-What can go wrong with paper ballots?
-
-\only<2>{
-\begin{center}
-\includegraphics[scale=0.8]{pics/tweet.jpg}\\
-\footnotesize William M.~Tweed, US Politician in 1860's\\
-``As long as I count the votes, what are you going to do about it?''
-\end{center}}
-
-\only<3>{
-\medskip
-\begin{center}
-\begin{minipage}{10cm}
-{\bf Chain Voting Attack}
-\begin{enumerate}
-\item you obtain a blank ballot and fill it out as you want
-\item you give it to a voter outside the polling station
-\item voter receives a new blank ballot
-\item voter submits prefilled ballot
-\item voter gives blank ballot to you, you give money
-\item goto 1
-\end{enumerate}
-\end{minipage}
-\end{center}
-}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Mechanical Voting Machines\end{tabular}}
-
-\begin{itemize}
-\item<1-> Lever Voting Machines (ca.~1930 - 1990)
-\only<1>{
-\begin{center}
-\includegraphics[scale=0.56]{pics/leavermachine.jpg}
-\end{center}
-}
-\item<2->Punch Cards (ca.~1950 - 2000)
-\only<2>{
-\begin{center}
-\includegraphics[scale=0.5]{pics/punchcard1.jpg}\;\;
-\includegraphics[scale=0.46]{pics/punchcard2.jpg}
-\end{center}
-}
-\end{itemize}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}}
-
-\begin{center}
-\begin{tabular}{c}
-\includegraphics[scale=0.45]{pics/dre1.jpg}\;
-\includegraphics[scale=0.40]{pics/dre2.jpg}\\\hline\\
-\includegraphics[scale=0.5]{pics/opticalscan.jpg}
-\end{tabular}
-\end{center}
-
-\only<1->{
-\begin{textblock}{5.5}(1,4)
-DREs
-\end{textblock}}
-\only<1->{
-\begin{textblock}{5.5}(1,11)
-Optical Scan
-\end{textblock}}
-
-\only<2>{
-\begin{textblock}{5.5}(0.5,14.5)
-all are computers
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}}
-
-Direct-recording electronic voting machines\\
-(votes are recorded for example memory cards)
-
-typically touchscreen machines
-
-usually no papertrail (hard to add: ballot secrecy)
-
-\begin{center}
-\includegraphics[scale=0.56]{pics/dre1.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
-
-The work by J.~Alex Halderman:
-
-\begin{itemize}
-\item acquired a machine from an anonymous source\medskip
-\item the source code running the machine was tried to keep secret\medskip\pause
-
-\item first reversed-engineered the machine (extremely tedious)
-\item could completely reboot the machine and even install a virus that infects other Diebold machines
-\item obtained also the source code for other machines
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
-
-What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause
-
-A non-obvious problem:
-
-\begin{itemize}
-\item you can nowadays get old machines, which still store old polls
-
-\item the paper ballot box needed to be secured during the voting until counting;
-e-voting machines need to be secured during the entire life-time
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}}
-
-Conclusion:\\ Any electronic solution should have a paper trail.
-
-\begin{center}
-\begin{tabular}{c}
-\includegraphics[scale=0.5]{pics/opticalscan.jpg}
-\end{tabular}
-\end{center}\pause
-
-You still have to solve problems about
-Voter registration, voter authentification, guarding against tampering
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}}
-
-Their underlying engineering principle is ``keep-it-simple'':
-
-\begin{center}
-\begin{tabular}{c}
-\includegraphics[scale=1.05]{pics/indiaellection.jpg}\;\;
-\includegraphics[scale=0.40]{pics/india1.jpg}
-\end{tabular}
-\end{center}\medskip\pause
-
-Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'' , ``infallible''
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Lessons to be Learned\end{tabular}}
-
-\begin{itemize}
-\item keep a paper trail and design your system to keep this secure\medskip
-\item make the software open source (avoid security-by-obscurity))\medskip
-\item have a simple design in order to minimise the attack surface
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting1.png}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting2.png}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting3.png}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting4.png}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides05.pdf has changed
--- a/slides05.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1296 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-
-
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 05, King's College London, 23 October 2012}
-
-\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (5)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also homework is there)\\
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Satan's Computer}
-
-Ross Anderson and Roger Needham wrote:\bigskip
-
-\begin{quote}
-In effect, our task is to program a computer which gives
-answers which are subtly and maliciously wrong at the most
-inconvenient possible moment\ldots{} we hope that the lessons
-learned from programming Satan's computer may be helpful
-in tackling the more common problem of programming Murphy's.
-\end{quote}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Protocol Specifications}
-
-The Needham-Schroeder Protocol:
-
-\begin{center}
-\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
-Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-Message 4 & \bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-Message 5 & \bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Cryptographic Protocol Failures}
-
-Again Ross Anderson and Roger Needham wrote:\bigskip
-
-\begin{quote}
-\textcolor{gray}{
-A lot of the recorded frauds were the result of this kind of blunder, or from
-management negligence pure and simple.} However, there have been a
-significant number of cases where the designers protected the right things,
-used cryptographic algorithms which were not broken, and yet found that their
-systems were still successfully attacked.
-\end{quote}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{The Access Control Problem}
-
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (-2.7,1) node {\begin{tabular}{l}access\\request\end{tabular}};
- \draw (4.2,1) node {\begin{tabular}{l}granted/\\not granted\end{tabular}};
- \draw (0.6,1.2) node {\footnotesize \begin{tabular}{l}Access\\Control\\Checker\end{tabular}};
-
- \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
- \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
- \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
-
- \draw (0.6,4) node {\begin{tabular}{l}\large some rules\\(access policy)\end{tabular}};
-
- \end{tikzpicture}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Access Control Logic}
-
-Ross Anderson about the use of Logic:\bigskip
-
-\begin{quote}
-Formal methods can be an excellent way of finding
-bugs in security protocol designs as they force the designer
-to make everything explicit and thus confront dif$\!$ficult design
-choices that might otherwise be fudged.
-\end{quote}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (-2.7,1) node {\begin{tabular}{l}access\\request\end{tabular}};
- \draw (4.2,1) node {\begin{tabular}{l}granted/\\not granted\end{tabular}};
- \draw (0.6,1.2) node {\footnotesize \begin{tabular}{l}Access\\Control\\Checker\end{tabular}};
-
- \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
- \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
- \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
-
- \draw (0.6,3.7) node {\begin{tabular}{l}access policy\end{tabular}};
-
- \end{tikzpicture}
-\end{center}
-
-Assuming one file on my computer contains a virus.\smallskip\\
-\only<1>{Q: Given my access policy, can this file ``infect'' my whole computer?}%
-\only<2>{Q: Can my access policy prevent that my whole computer gets infected.}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \small
- \begin{center}
- \mbox{
- \inferrule{\mbox{\begin{tabular}{l}
- \ldots\\
- is\_at\_library (Christian)\\
- is\_student (a) $\wedge$ is\_at\_library (a) $\Rightarrow$ may\_obtain\_email (a)\\
- is\_staff (a) $\wedge$ is\_at\_library (a) $\Rightarrow$ may\_obtain\_email (a)\medskip\\
- \onslide<2->{HoD says is\_staff (a) $\Rightarrow$ is\_staff (a)}\\
- \onslide<2->{HoD says is\_staff (Christian)}\medskip\\
- \onslide<3->{may\_obtain\_email (a) $\wedge$ sending\_spam (a) $\Rightarrow$\\}
- \onslide<3->{\hspace{6cm}$\neg$ may\_obtain\_email (a)}
- \end{tabular}
- }}
- {\mbox{? may\_obtain\_email (Christian)}}}
- \end{center}
- \end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{}
-
- There are two ways for tackling such problems:\medskip
-
- \begin{itemize}
- \item either you make up our own language in which you can describe
- the problem,\medskip
-
- \item or you use an existing language and represent the problem in
- this language.
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{\Large\begin{tabular}{@ {}c@ {}}Logic(s)\end{tabular}}
-
- \begin{itemize}
- \item Formulas
-
- \begin{center}\color{blue}
- \begin{tabular}{rcl@ {\hspace{10mm}}l}
- \isa{F} & \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}} & \isa{true} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{false} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F} & \textcolor{black}{implies}\\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ F} & \textcolor{black}{negation}\\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{p\ {\isaliteral{28}{\isacharparenleft}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{5C3C646F74733E}{\isasymdots}}{\isaliteral{2C}{\isacharcomma}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub n{\isaliteral{29}{\isacharparenright}}} & \textcolor{black}{predicates}\\
- & \onslide<2->{\isa{{\isaliteral{7C}{\isacharbar}}}} & \onslide<2->{\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ F}} &
- \onslide<2->{\textcolor{black}{forall quantification}}\\
- & \onslide<2->{\isa{{\isaliteral{7C}{\isacharbar}}}} & \onslide<2->{\isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ F}} &
- \onslide<2->{\textcolor{black}{exists quantification}}\\[-7mm]
- \end{tabular}
- \end{center}
-
- \end{itemize}
-
- \begin{textblock}{12}(1,14)
- Terms \textcolor{blue}{\isa{t\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{7C}{\isacharbar}}\ c\ {\isaliteral{5C3C646F74733E}{\isasymdots}}}}
- \end{textblock}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
-
-{\lstset{language=Scala}\fontsize{10}{12}\selectfont
-\texttt{\lstinputlisting{programs/formulas.scala}}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Judgements}
-
- \begin{center}
- \LARGE
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}
- \end{center}
-
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}}} is a collection of formulas, called the \alert{assumptions}\bigskip\pause
-
- \begin{itemize}
- \item Example\mbox{}\\[-8mm]
-
- \only<2>{\begin{center}\tiny
- \textcolor{blue}{
- \begin{tabular}{l}
- \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
- \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
- \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
- \end{tabular}\isa{{\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}
- \end{center}}
- \only<3>{\small
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
- {\mbox{\begin{tabular}{@ {}l@ {}}
- \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
- \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
- \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
- \end{tabular}}
- }
- }
- \end{center}
- }}
- \only<4>{\small
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Alice{\isaliteral{29}{\isacharparenright}}}}}
- {\mbox{\begin{tabular}{@ {}l@ {}}
- \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Alice{\isaliteral{29}{\isacharparenright}}}\\
- \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
- \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
- \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
- \end{tabular}}
- }
- }
- \end{center}
- }}
-
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
-
-{\lstset{language=Scala}\fontsize{10}{12}\selectfont
-\texttt{\lstinputlisting{programs/judgement.scala}}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Inference Rules}
-
- \textcolor{blue}{
- \begin{center}
- \Large
- \mbox{
- \infer{\mbox{\isa{conclusion}}}
- {\mbox{\isa{premise\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}} & \mbox{\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}} & \mbox{\isa{premise\isaliteral{5C3C5E697375623E}{}\isactrlisub n}}}}
- \end{center}}
-
- The conlusion and premises are judgements\bigskip\pause
-
- \begin{itemize}
- \item Examples
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}}
- \end{center}}\pause
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
- \hspace{10mm}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}}
- \end{center}}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Implication}
- \Large
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}{\isaliteral{2C}{\isacharcomma}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}}
- \end{center}}
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Universal Quantification}
- \Large
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F{\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ t{\isaliteral{5D}{\isacharbrackright}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ F}}}}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Start Rules / Axioms}
-
- \normalsize
- \alert{if \textcolor{blue}{\isa{F\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{5C3C47616D6D613E}{\isasymGamma}}}}}
-
- \textcolor{blue}{\Large
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}{}}
- \end{center}}\bigskip\pause
-
- \normalsize
- Also written as:
- \textcolor{blue}{\Large
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}{\isaliteral{2C}{\isacharcomma}}\ F\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}{}}
- \end{center}}\pause
-
- \textcolor{blue}{\Large
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ true}}}{}}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{}
-
- \begin{minipage}{1.1\textwidth}
- Let \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\footnotesize\begin{tabular}{l}
- \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
- \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
- \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
- \end{tabular}}
- \end{minipage}
-
- \only<2>{
- \begin{textblock}{12}(4,3)\footnotesize
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}\hspace{10mm}
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}
- \end{textblock}}
-
- \only<3->{
- \begin{textblock}{12}(4,3)\footnotesize
- \mbox{\textcolor{blue}{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}} &\hspace{10mm}
- \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
- }}
- \end{textblock}}
-
- \only<4>{
- \begin{textblock}{14}(0.5,6)\footnotesize
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}}
- \end{textblock}}
-
- \only<5->{
- \begin{textblock}{14}(0.5,6)\footnotesize
- \textcolor{blue}{
- \infer{\mbox{\begin{tabular}{l}\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\\
- \hspace{40mm}\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}\end{tabular}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}}}}
- \end{textblock}}
-
- \only<6->{
- \begin{textblock}{14}(5,10)\footnotesize
- \textcolor{blue}{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}}
- {\vdots & \hspace{30mm} \vdots}}
- \end{textblock}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Access Control}
- \Large
-
- \textcolor{blue}{
- \begin{center}
- \isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}
- \end{center}}\bigskip
-
- \normalsize
- \begin{itemize}
- \item If there is a proof \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} yes (granted)
- \item If there isn't \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} no (denied)
- \end{itemize}\bigskip\pause
-
-\begin{minipage}{1.1\textwidth}
- \small
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
- \isa{is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
- \isa{is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}},\\
- \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ is{\isaliteral{5F}{\isacharunderscore}}at{\isaliteral{5F}{\isacharunderscore}}library\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{29}{\isacharparenright}}}\\
- \end{tabular}}\medskip
-
- \textcolor{blue}{
- \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}} $\not\vdash$ \isa{may{\isaliteral{5F}{\isacharunderscore}}obtain{\isaliteral{5F}{\isacharunderscore}}email\ {\isaliteral{28}{\isacharparenleft}}Alice{\isaliteral{29}{\isacharparenright}}}}}
-\end{minipage}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{The Access Control Problem}
-
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}};
- \draw (4.2,1) node {\begin{tabular}{l}granted/\\not granted\end{tabular}};
- \draw (0.6,1.2) node {\footnotesize \begin{tabular}{l}Access\\Control\\Checker\end{tabular}};
-
- \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
- \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
- \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
-
- \draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\bl{$\Gamma$})\end{tabular}};
-
- \end{tikzpicture}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Bad News}
-
- \begin{itemize}
- \item We introduced (roughly) first-order logic. \bigskip\pause
-
- \item Judgements
- \begin{center}
- \textcolor{blue}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
- \end{center}
-
- are in general \alert{undecidable}.\pause\medskip\\
-
- The problem is \alert{semi-decidable}.
-
- \end{itemize}
-
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{\Large\begin{tabular}{@ {}c@ {}}Access Control Logic\end{tabular}}
-
- \begin{itemize}
- \item[]
-
- \begin{center}\color{blue}
- \begin{tabular}[t]{rcl@ {\hspace{10mm}}l}
- \isa{F} & \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}} & \isa{true} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{false} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}\\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{p\ {\isaliteral{28}{\isacharparenleft}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{5C3C646F74733E}{\isasymdots}}{\isaliteral{2C}{\isacharcomma}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub n{\isaliteral{29}{\isacharparenright}}} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \alert{\isa{P\ says\ F}} & \textcolor{black}{``saying predicate''}\\
- \end{tabular}
- \end{center}
-
- where \textcolor{blue}{\isa{P\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ Alice{\isaliteral{2C}{\isacharcomma}}\ Bob{\isaliteral{2C}{\isacharcomma}}\ Christian{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}}} (principals)\bigskip\pause
-
- \item \textcolor{blue}{\isa{HoD\ says\ is{\isaliteral{5F}{\isacharunderscore}}staff\ {\isaliteral{28}{\isacharparenleft}}Christian{\isaliteral{29}{\isacharparenright}}}}
- \end{itemize}
-
-
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
-
-{\lstset{language=Scala}\fontsize{10}{12}\selectfont
-\texttt{\lstinputlisting{programs/formulas1.scala}}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Rules about Says}
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}}
- \end{center}}
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ {\isaliteral{28}{\isacharparenleft}}F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}}} & \hspace{10mm}\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
- \end{center}}
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}}}}}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{}
-
- Consider the following scenario:
-
- \begin{itemize}
- \item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}
- should be deleted, then this file must be deleted.
- \item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether
- \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}} should be deleted.
- \item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}.
- \end{itemize}\bigskip\pause
-
- \small
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}},\\
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
- \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}\\
- \end{tabular}}\medskip\pause
-
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{}
-
- \textcolor{blue}{
- \begin{center}
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}}\\\bigskip
- \mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ {\isaliteral{28}{\isacharparenleft}}F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}}} & \hspace{5mm}\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}}}
- \end{center}}\bigskip
-
- \small
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}},\\
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
- \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}\\
- \end{tabular}}\medskip
-
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}}}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{}
- \small
-
- \textcolor{blue}{
- \begin{center}
- \only<1>{$ \underbrace{
- \mbox{\infer{\Gamma \vdash \mbox{Admin says (Bob says del\_file)}}
- {\infer{\Gamma \vdash \mbox{Bob says del\_file}}{}}}}_{X}$}
- \end{center}}
-
- \textcolor{blue}{
- \begin{center}
- \only<1>{
- $ \underbrace{
- \mbox{\infer{\Gamma \vdash \mbox{Admin says del\_file}}
- {\infer{\Gamma \vdash \mbox{Admin says (Bob says del\_file \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} del\_file)}}{}
- &
- \deduce[$\vdots$]{X}{}
- }}}_{Y}$}
- \end{center}}
-
- \textcolor{blue}{
- \begin{center}
- \only<1>{\mbox{\infer{\Gamma \vdash \mbox{del\_file}}
- {\infer{\Gamma \vdash \mbox{(Admin says del\_file) \isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} del\_file}}{}
- &
- \deduce[$\vdots$]{Y}{}
- }}}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Controls}
- \small
-
- \begin{itemize}
- \item \bl{\isa{P\ controls\ F\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}}
-
- \item its meaning ``\bl{P} is entitled to do \bl{F}''
- \item if \bl{P controls F} and \bl{P says F} then \bl{F}\pause
-
- \begin{center}
- \bl{\mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- }}
- \end{center}\pause
-
- \begin{center}
- \bl{\mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- }}
- \end{center}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Speaks For}
- \small
-
- \begin{itemize}
- \item \bl{\isa{P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}F{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}P\ says\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Q\ says\ F{\isaliteral{29}{\isacharparenright}}}}
-
- \item its meaning ``\bl{P} speaks for \bl{Q}''
-
-
- \begin{center}
- \bl{\mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ says\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- }}
- \end{center}\pause
-
- \begin{center}
- \bl{\mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ controls\ F}}}
- }}
- \end{center}
-
- \begin{center}
- \bl{\mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ R}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ R}}}
- }}
- \end{center}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Tickets}
-
- \begin{itemize}
- \item Tickets control access to restricted objects.\bigskip
- \end{itemize}
- \small
-
- Example: \bl{Permitted (Bob, enter\_flight)} ? \bigskip
-
- \begin{minipage}{1.1\textwidth}
- \begin{itemize}
- \item \bl{Bob says Permitted (Bob, enter\_flight)}\\ (access request)
- \item \bl{Ticket says (Bob controls Permitted (Bob, enter\_flight))}
- \item \bl{Airline controls (Bob controls Permitted (Bob, enter\_flight))} (access policy)\pause
- \item \bl{\isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Airline}}\\
- (trust assumption)
- \end{itemize}
- \end{minipage}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Tickets}
- \small
-
- \begin{minipage}{1.1\textwidth}
- \begin{enumerate}
- \item \bl{Bob says Permitted (Bob, enter\_flight)}
- \item \bl{Ticket says (Bob controls Permitted (Bob, enter\_flight))}
- \item \bl{Airline controls (Bob controls Permitted (Bob, enter\_flight))}
- \item \bl{\isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Airline}}
- \end{enumerate}
- \end{minipage}\bigskip\bigskip
-
- Is \bl{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Permitted\ {\isaliteral{28}{\isacharparenleft}}Bob{\isaliteral{2C}{\isacharcomma}}\ enter{\isaliteral{5F}{\isacharunderscore}}flight{\isaliteral{29}{\isacharparenright}}}} derivable ? \bigskip
-
-
- \small
- \begin{minipage}{1.1\textwidth}
- \begin{center}
- \bl{\mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- }}
- \bl{\mbox{\hspace{6mm}
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ says\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- }}
- \end{center}
- \end{minipage}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Tickets}
- \small
-
- \begin{minipage}{1.1\textwidth}
- \begin{itemize}
- \item Access Request:
- \begin{center}
- \bl{Person says Object}
- \end{center}
-
- \item Ticket:
- \begin{center}
- \bl{Ticket says (Person controls Object)}
- \end{center}
-
- \item Access policy:
- \begin{center}
- \bl{Authority controls (Person controls Object)}
- \end{center}
-
- \item Trust assumption:
- \begin{center}
- \bl{\isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Authority}}
- \end{center}
- \end{itemize}
- \end{minipage}
-
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{\LARGE Derived Rule for Tickets}
- \small
- \mbox{}\\[2cm]
-
- \begin{center}
- \bl{\mbox{\infer{\mbox{F}}
- {\mbox{\begin{tabular}{l}
- Authority controls (Person controls F)\\
- Ticket says (Person controls F)\\
- \isa{Ticket\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Authority}\\
- Person says F
- \end{tabular}}
- }}}
- \end{center}
- \mbox{}\\[1cm]
-
-
- \small
- \begin{minipage}{1.1\textwidth}
- \begin{center}
- \bl{\mbox{
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ controls\ F}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- }}
- \bl{\mbox{\hspace{6mm}
- \infer{\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ Q\ says\ F}}}
- {\mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ {\isaliteral{5C3C6D617073746F3E}{\isasymmapsto}}\ Q}} & \mbox{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ P\ says\ F}}}
- }}
- \end{center}
- \end{minipage}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Security Levels}
- \small
-
- \begin{itemize}
- \item Top secret (\bl{$T\!S$})
- \item Secret (\bl{$S$})
- \item Public (\bl{$P$})
- \end{itemize}
-
- \begin{center}
- \bl{$slev(P) < slev(S) < slev(T\!S)$}\pause
- \end{center}
-
- \begin{itemize}
- \item Bob has a clearance for ``secret''
- \item Bob can read documents that are public or sectret, but not top secret
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Reading a File}
-
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- \only<2->{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$}}\\
- \only<2->{\hspace{3cm}}Bob controls Permitted $($File, read$)$\\
- Bob says Permitted $($File, read$)$\only<2->{\\}
- \only<2>{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$}}%
- \only<3>{\textcolor{red}{$slev($File$)$ $=$ $P$}\\}%
- \only<3>{\textcolor{red}{$slev($Bob$)$ $=$ $S$}\\}%
- \only<3>{\textcolor{red}{$slev(P)$ $<$ $slev(S)$}\\}%
- \end{tabular}\\
- \hline
- Permitted $($File, read$)$
- \end{tabular}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Substitution Rule}
- \small
-
- \bl{\begin{center}
- \begin{tabular}{c}
- $\Gamma \vdash slev(P) = l_1$ \hspace{4mm} $\Gamma \vdash slev(Q) = l_2$
- \hspace{4mm} $\Gamma \vdash l_1 < l_2$\\\hline
- $\Gamma \vdash slev(P) < slev(Q)$
- \end{tabular}
- \end{center}}\bigskip\pause
-
- \begin{itemize}
- \item \bl{$slev($Bob$)$ $=$ $S$}
- \item \bl{$slev($File$)$ $=$ $P$}
- \item \bl{$slev(P) < slev(S)$}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Reading a File}
-
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- $slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$\\
- \hspace{3cm}Bob controls Permitted $($File, read$)$\\
- Bob says Permitted $($File, read$)$\\
- $slev($File$)$ $=$ $P$\\
- $slev($Bob$)$ $=$ $T\!S$\\
- \only<1>{\textcolor{red}{$?$}}%
- \only<2>{\textcolor{red}{$slev(P) < slev(S)$}\\}%
- \only<2>{\textcolor{red}{$slev(S) < slev(T\!S)$}}%
- \end{tabular}\\
- \hline
- Permitted $($File, read$)$
- \end{tabular}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Transitivity Rule}
- \small
-
- \bl{\begin{center}
- \begin{tabular}{c}
- $\Gamma \vdash l_1 < l_2$
- \hspace{4mm} $\Gamma \vdash l_2 < l_3$\\\hline
- $\Gamma \vdash l_1 < l_3$
- \end{tabular}
- \end{center}}\bigskip
-
- \begin{itemize}
- \item \bl{$slev(P) < slev (S)$}
- \item \bl{$slev(S) < slev (T\!S)$}
- \item[] \bl{$slev(P) < slev (T\!S)$}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Reading Files}
-
- \begin{itemize}
- \item Access policy for reading
- \end{itemize}
-
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- $\forall f.\;slev(f)$ \only<1>{$<$}\only<2>{\textcolor{red}{$\le$}} $slev($Bob$)$ $\Rightarrow$\\
- \hspace{3cm}Bob controls Permitted $(f$, read$)$\\
- Bob says Permitted $($File, read$)$\\
- $slev($File$)$ $=$ \only<1>{$P$}\only<2>{\textcolor{red}{$T\!S$}}\\
- $slev($Bob$)$ $=$ $T\!S$\\
- $slev(P) < slev(S)$\\
- $slev(S) < slev(T\!S)$
- \end{tabular}\\
- \hline
- Permitted $($File, read$)$
- \end{tabular}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Writing Files}
-
- \begin{itemize}
- \item Access policy for \underline{writing}
- \end{itemize}
-
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- $\forall f.\;slev($Bob$)$ $\le$ $slev(f)$ $\Rightarrow$\\
- \hspace{3cm}Bob controls Permitted $(f$, write$)$\\
- Bob says Permitted $($File, write$)$\\
- $slev($File$)$ $=$ $T\!S$\\
- $slev($Bob$)$ $=$ $S$\\
- $slev(P) < slev(S)$\\
- $slev(S) < slev(T\!S)$
- \end{tabular}\\
- \hline
- Permitted $($File, write$)$
- \end{tabular}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Bell-LaPadula}
- \small
-
- \begin{itemize}
- \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
- \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
- \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
- \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
-
- \item Meta-Rule: All principals in a system should have a sufficiently high security level
- in order to access an object.
- \end{itemize}\bigskip
-
- This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
-
- Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
-
- \begin{tikzpicture}
- \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
- {\normalsize\color{darkgray}
- \begin{minipage}{10cm}\raggedright
- A principal should have as few privileges as possible to access a resource.
- \end{minipage}};
- \end{tikzpicture}\bigskip\bigskip
- \small
-
- \begin{itemize}
- \item Bob ($T\!S$) and Alice ($S$) want to communicate
- \item[] $\Rightarrow$ Bob should lower his security level
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Biba Policy}
- \small
-
- Data Integrity (rather than data confidentiality)
-
- \begin{itemize}
- \item Biba: {\bf `no read down'} - {\bf `no write up'}
- \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
- \bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
- \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
- \bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
- \end{itemize}\bigskip\bigskip\pause
-
- E.g.~Generals write orders to officers; officers write oders to solidiers\\
- Firewall: you can read from inside the firewall, but not from outside\\
- Phishing: you can look at an approved PDF, but not one from a random email\\
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Point to Take Home}
-
-\begin{itemize}
-\item Formal methods can be an excellent way of finding
-bugs as they force the designer
-to make everything explicit and thus confront dif$\!$ficult design
-choices that might otherwise be fudged.
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides06.pdf has changed
--- a/slides06.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,636 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-
-
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 06, King's College London, 29 October 2012}
-
-\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (6)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also homework is there)\\
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{1st Week}
-
-\begin{itemize}
-\item What are hashes and salts?\bigskip\pause
-\item \ldots can be use to store securely data on a client, but
-you cannot make your protocol dependent on the
-presence of the data\bigskip\pause
-\item \ldots can be used to store and verify passwords
-
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{2nd Week}
-
-\begin{itemize}
-\item Buffer overflows\bigskip
-\item choice of programming language can mitigate or even eliminate this problem
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{3rd Week}
-
-\begin{itemize}
-\item defence in depth\bigskip
-\item privilege separation afforded by the OS
-\end{itemize}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
- \draw (4.7,1) node {Internet};
- \draw (0.6,1.7) node {\footnotesize Slave};
- \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
- \draw (0.6,1.7) node {\footnotesize Slave};
- \draw (0.6,0.6) node {\footnotesize Slave};
- \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
- \draw (-2.9,1.7) node {\footnotesize Monitor};
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
- \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
-
- \end{tikzpicture}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{4th Week}
-
-\begin{itemize}
-\item voting\ldots has security requirements that are in tension with each other
-\begin{center}
-integrity vs ballot secrecy\\
-authentication vs enfranchisment
-\end{center}\bigskip
-
-\item electronic voting makes `whole sale' fraud easier as opposed to `retail attacks'
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{5th Week}
-
-\begin{itemize}
-\item access control logic\bigskip
-
-\item formulas
-\item judgements
-\item inference rules
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{\Large\begin{tabular}{@ {}c@ {}}Access Control Logic\end{tabular}}
-
- Formulas
-
- \begin{itemize}
- \item[]
-
- \begin{center}\color{blue}
- \begin{tabular}[t]{rcl@ {\hspace{10mm}}l}
- \isa{F} & \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}} & \isa{true} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{false} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ F} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C6F723E}{\isasymor}}\ F} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{F\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ F}\\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \isa{p\ {\isaliteral{28}{\isacharparenleft}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{5C3C646F74733E}{\isasymdots}}{\isaliteral{2C}{\isacharcomma}}t\isaliteral{5C3C5E697375623E}{}\isactrlisub n{\isaliteral{29}{\isacharparenright}}} \\
- & \isa{{\isaliteral{7C}{\isacharbar}}} & \alert{\isa{P\ says\ F}} & \textcolor{black}{``saying predicate''}\\
- \end{tabular}
- \end{center}
-
- \end{itemize}
-
-Judgements
-
-\begin{itemize}
-\item[] \mbox{\hspace{9mm}}\bl{$\Gamma \vdash \text{F}$}
-\end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Inference Rules}
-
-\begin{center}
-\bl{\infer{\Gamma, F\vdash F}{}}\bigskip\\
-
-\bl{\infer{\Gamma \vdash F_2}{\Gamma \vdash F_1 \Rightarrow F_2 \quad \Gamma \vdash F_1}}
-\qquad
-\bl{\infer{\Gamma \vdash F_1 \Rightarrow F_2}{F_1, \Gamma \vdash F_2}}\bigskip\\
-
-\bl{\infer{\Gamma \vdash P\,\text{says}\, F}{\Gamma \vdash F}}\medskip\\
-
-\bl{\infer{\Gamma \vdash P \,\text{says}\, F_2}
- {\Gamma \vdash P \,\text{says}\, (F_1\Rightarrow F_2) \quad
- \Gamma \vdash P \,\text{says}\, F_1}}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Proofs}
-
-\begin{center}
-\bl{
-\infer{\Gamma \vdash F}
- {\infer{\hspace{1cm}:\hspace{1cm}}
- {\infer{\hspace{1cm}:\hspace{1cm}}{:}
- &
- \infer{\hspace{1cm}:\hspace{1cm}}{:\quad :}
- }}
-}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{The Access Control Problem}
-
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, -0.5) rectangle (1.5,2);
- \draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}};
- \draw (4.2,1) node {\begin{tabular}{l}provable/\\not provable\end{tabular}};
- \draw (0.6,0.8) node {\footnotesize \begin{tabular}{l}AC-\\ Checker:\\ applies\\ inference\\ rules\end{tabular}};
-
- \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
- \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
- \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
-
- \draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\bl{$\Gamma$})\end{tabular}};
-
- \end{tikzpicture}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{}
-
- Recall the following scenario:
-
- \begin{itemize}
- \item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{} {}}}
- should be deleted, then this file must be deleted.
- \item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether
- \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}}} should be deleted.
- \item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file\isaliteral{5C3C5E697375623E}{}}}.
- \end{itemize}\bigskip
-
- \small
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}},\\
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
- \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}\\
- \end{tabular}}\medskip
-
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-How to prove \bl{$\Gamma \vdash F$}?\bigskip\bigskip
-
-\begin{center}
-\Large \bl{\infer{\Gamma, F\vdash F}{}}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\Large
-\bl{\infer{\Gamma \vdash F_1 \Rightarrow F_2}{F_1, \Gamma \vdash F_2}}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\Large
-\bl{\infer{\Gamma \vdash P \,\text{says}\, F}{\Gamma \vdash F}}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\Large
-\bl{\infer{\Gamma \vdash F_1 \vee F_2}{\Gamma \vdash F_1}}\qquad
-\bl{\infer{\Gamma \vdash F_1 \vee F_2}{\Gamma \vdash F_2}}\
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\Large
-\bl{\infer{\Gamma \vdash F_1 \wedge F_2}{\Gamma \vdash F_1 \quad \Gamma \vdash F_2}}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-
-I want to prove \bl{$\Gamma \vdash \text{Pred}$}\bigskip\bigskip\pause
-
-\begin{enumerate}
-\item I found that \bl{$\Gamma$} contains the assumption \bl{$F_1 \Rightarrow F_2$}\bigskip\pause
-\item If I can prove \bl{$\Gamma \vdash F_1$},\pause{} then I can prove
-\begin{center}
-\bl{$\Gamma \vdash F_2$}
-\end{center}\bigskip\pause
-
-\item So better I try to prove \bl{$\Gamma \vdash \text{Pred}$} with the additional assumption
-\bl{$F_2$}.\bigskip
-\begin{center}
-\bl{$F_2, \Gamma \vdash \text{Pred}$}
-\end{center}
-\end{enumerate}
-
-\only<4>{
-\begin{textblock}{11}(1,10.5)
-\bl{\infer{\Gamma\vdash F_2}{\Gamma\vdash F_1\Rightarrow F_2 & \Gamma\vdash F_1}}
-\end{textblock}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{itemize}
-\item \bl{$P$} is entitled to do \bl{$F$}\smallskip\\
-\bl{$P \,\text{controls}\, F \,\dn\, (P\,\text{says}\, F) \Rightarrow F$}\medskip
-
-\begin{center}
-\bl{\infer{\Gamma \vdash F}{\Gamma \vdash P\,\text{controls}\, F & \Gamma \vdash P\,\text{says}\,F}}
-\end{center}
-
-\item \bl{$P$} speaks for \bl{$Q$}\smallskip\\
-\bl{$P \mapsto Q \,\dn\, \forall F. (P\,\text{says}\, F) \Rightarrow (Q \,\text{says}\,F)$}\medskip
-
-\begin{center}
-\bl{\infer{\Gamma \vdash Q\,\text{says}\,F}{\Gamma \vdash P\mapsto Q & \Gamma \vdash P\,\text{says}\,F}}
-\medskip\\
-\bl{\infer{\Gamma \vdash P\,\text{controls}\,F}{\Gamma \vdash P\mapsto Q & \Gamma \vdash Q\,\text{controls}\,F}}\\
-
-\end{center}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Protocol Specifications}
-
-The Needham-Schroeder Protocol:
-
-\begin{center}
-\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
-Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-Message 4 & \bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-Message 5 & \bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Trusted Third Party}
-
-Simple protocol for establishing a secure connection via a mutually
-trusted 3rd party (server):
-
-\begin{center}
-\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
-Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
-Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
-Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
-Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Sending Messages}
-
- \begin{itemize}
- \item Alice sends a message \bl{$m$}
- \begin{center}
- \bl{Alice says $m$}
- \end{center}\medskip\pause
-
- \item Alice sends an encrypted message \bl{$m$}\\ (with key \bl{$K$})
- \begin{center}
- \bl{Alice says $\{m\}_K$}
- \end{center}\medskip\pause
-
- \item Decryption of Alice's message\smallskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
- {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
- \end{center}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encryption}
-
- \begin{itemize}
- \item Encryption of a message\smallskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K}
- {\Gamma \vdash \text{Alice}\;\text{says}\;m & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
- \end{center}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Public/Private Keys}
-
- \begin{itemize}
- \item Bob has a private and public key: \bl{$K_{Bob}^{pub}$}, \bl{$K_{Bob}^{priv}$}\bigskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
- {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_{K_{Bob}^{pub}} &
- \Gamma \vdash K_{Bob}^{priv}}}}
- \end{center}\bigskip\pause
-
- \item this is {\bf not} a derived rule!
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Trusted Third Party}
-
- \begin{itemize}
- \item Alice calls Sam for a key to communicate with Bob
- \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
- \item Alice sends the message encrypted with the key and the second key it recieved
- \end{itemize}\bigskip
-
- \begin{center}
- \bl{\begin{tabular}{lcl}
- $A$ sends $S$ &:& $\textit{Connect}(A,B)$\\
- $S$ sends $A$ &:& $\{K_{AB}\}_{K_{AS}}$ \textcolor{black}{and} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
- $A$ sends $B$ &:& $\{K_{AB}\}_{K_{BS}}$\\
- $A$ sends $B$ &:& $\{m\}_{K_{AB}}$
- \end{tabular}}
- \end{center}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Sending Rule}
-
- \bl{\begin{center}
- \mbox{\infer{\Gamma \vdash Q \;\textit{says}\; F}
- {\Gamma \vdash P \;\textit{says}\; F & \Gamma \vdash P \;\textit{sends}\; Q : F}}
- \end{center}}\bigskip\pause
-
- \bl{$P \,\text{sends}\, Q : F \dn$}\\
- \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Trusted Third Party}
-
- \begin{center}
- \bl{\begin{tabular}{l}
- $A$ sends $S$ : $\textit{Connect}(A,B)$\\
- \bl{$S \,\text{says}\, (\textit{Connect}(A,B) \Rightarrow$}\\
- \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
- \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
- $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
- $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
- $A$ sends $B$ : $\{m\}_{K_{AB}}$
- \end{tabular}}
- \end{center}\bigskip\pause
-
-
- \bl{$\Gamma \vdash B \,\text{says} \, m$}?
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides07.pdf has changed
--- a/slides07.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,976 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{plotmarks}
-
-
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-
-
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 07, King's College London, 13 November 2012}
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
-\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-
-
-% The data files, written on the first run.
-\begin{filecontents}{re-python.data}
-1 0.029
-5 0.029
-10 0.029
-15 0.032
-16 0.042
-17 0.042
-18 0.055
-19 0.084
-20 0.136
-21 0.248
-22 0.464
-23 0.899
-24 1.773
-25 3.505
-26 6.993
-27 14.503
-28 29.307
-#29 58.886
-\end{filecontents}
-
-\begin{filecontents}{re1.data}
-1 0.00179
-2 0.00011
-3 0.00014
-4 0.00026
-5 0.00050
-6 0.00095
-7 0.00190
-8 0.00287
-9 0.00779
-10 0.01399
-11 0.01894
-12 0.03666
-13 0.07994
-14 0.08944
-15 0.02377
-16 0.07392
-17 0.22798
-18 0.65310
-19 2.11360
-20 6.31606
-21 21.46013
-\end{filecontents}
-
-\begin{filecontents}{re2.data}
-1 0.00240
-2 0.00013
-3 0.00020
-4 0.00030
-5 0.00049
-6 0.00083
-7 0.00146
-8 0.00228
-9 0.00351
-10 0.00640
-11 0.01217
-12 0.02565
-13 0.01382
-14 0.02423
-15 0.05065
-16 0.06522
-17 0.02140
-18 0.05176
-19 0.18254
-20 0.51898
-21 1.39631
-22 2.69501
-23 8.07952
-\end{filecontents}
-
-\begin{filecontents}{re-internal.data}
-1 0.00069
-301 0.00700
-601 0.00297
-901 0.00470
-1201 0.01301
-1501 0.01175
-1801 0.01761
-2101 0.01787
-2401 0.02717
-2701 0.03932
-3001 0.03470
-3301 0.04349
-3601 0.05411
-3901 0.06181
-4201 0.07119
-4501 0.08578
-\end{filecontents}
-
-\begin{filecontents}{re3.data}
-1 0.001605
-501 0.131066
-1001 0.057885
-1501 0.136875
-2001 0.176238
-2501 0.254363
-3001 0.37262
-3501 0.500946
-4001 0.638384
-4501 0.816605
-5001 1.00491
-5501 1.232505
-6001 1.525672
-6501 1.757502
-7001 2.092784
-7501 2.429224
-8001 2.803037
-8501 3.463045
-9001 3.609
-9501 4.081504
-10001 4.54569
-\end{filecontents}
-
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (7)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also homework is there)\\
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Judgements}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-
- \draw (0.0,0.0) node {\LARGE \bl{$\Gamma \vdash F$}};
- \onslide<2->{
- \draw (-1,-0.3) node (X) {};
- \draw (-2.0,-2.0) node (Y) {};
- \draw (0.7,-3) node {\begin{tabular}{l}Gamma\\stands for a collection of formulas\\(``assumptions'')\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y) -- (X);
-
- \draw (1.2,-0.1) node (X1) {};
- \draw (2.8,-0.1) node (Y1) {};
- \draw (4.5,-0.1) node {\begin{tabular}{l}a single formula\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y1) -- (X1);
-
- \draw (-0.1,0.1) node (X2) {};
- \draw (0.5,1.5) node (Y2) {};
- \draw (1,1.8) node {\begin{tabular}{l}entails sign\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y2) -- (X2);}
-
- \end{tikzpicture}
-\end{center}
-
-\pause\pause
-\footnotesize Gimel (Phoenician), Gamma (Greek), C and G (Latin), Gim (Arabic),\\[-2mm] ?? (Indian), Ge (Cyrillic)
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Inference Rules}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-
- \draw (0.0,0.0) node
- {\Large\bl{\infer{\Gamma \vdash F_1 \wedge F_2}{\Gamma \vdash F_1 & \Gamma \vdash F_2}}};
-
- \draw (-0.1,-0.7) node (X) {};
- \draw (-0.1,-1.9) node (Y) {};
- \draw (-0.2,-2) node {\begin{tabular}{l}conclusion\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y) -- (X);
-
- \draw (-1,0.6) node (X2) {};
- \draw (0.0,1.6) node (Y2) {};
- \draw (0,1.8) node {\begin{tabular}{l}premisses\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y2) -- (X2);
- \draw (1,0.6) node (X3) {};
- \draw (0.0,1.6) node (Y3) {};
- \draw[red, ->, line width = 2mm] (Y3) -- (X3);
- \end{tikzpicture}
-\end{center}
-
-\only<2>{
-\begin{textblock}{11}(1,13)
-\small
-\bl{$P \,\text{says}\, F \vdash Q\,\text{says}\, F\wedge P \,\text{says}\, G $}
-\end{textblock}}
-\only<3>{
-\begin{textblock}{11}(1,13)
-\small
-\bl{$\underbrace{P \,\text{says}\, F}_{\Gamma} \vdash \underbrace{Q\,\text{says}\, F}_{F_1} \,\wedge
- \underbrace{P \,\text{says}\, G}_{F_2} $}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\Large
-\bl{\infer{\Gamma \vdash F_2}{\Gamma \vdash F_1\Rightarrow F_2 & \Gamma \vdash F_1}}\bigskip\bigskip\bigskip
-
-\bl{\infer{\Gamma\vdash P\,\text{says}\, F}{\Gamma \vdash F}}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-
-We want to prove
-
-\begin{center}
-\bl{$\Gamma \vdash \text{del\_file}$}
-\end{center}\pause
-
-There is an inference rule
-
-\begin{center}
-\bl{\infer{\Gamma \vdash P \,\text{says}\, F}{\Gamma \vdash F}}
-\end{center}\pause
-
-So we can derive \bl{$\Gamma \vdash \text{Alice} \,\text{says}\,\text{del\_file}$}.\bigskip\pause
-
-\bl{$\Gamma$} contains already \bl{$\text{Alice} \,\text{says}\,\text{del\_file}$}. \\
-So we can use the rule
-
-\begin{center}
-\bl{\infer{\Gamma, F \vdash F}{}}
-\end{center}
-
-\onslide<5>{\bf\alert{What is wrong with this?}}
-\hfill{\bf Done. Qed.}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Digression: Proofs in CS}
-
-Formal proofs in CS sound like science fiction? Completely irrelevant!
-Lecturers gone mad!\pause
-
-\begin{itemize}
-\item in 2008, verification of a small C-compiler
-\begin{itemize}
-\item ``if my input program has a certain behaviour, then the compiled machine code has the same behaviour''
-\item is as good as \texttt{gcc -O1}, but less buggy
-\end{itemize}
-\medskip
-\item in 2010, verification of a micro-kernel operating system (approximately 8700 loc)
-\begin{itemize}
-\item 200k loc of proof
-\item 25 - 30 person years
-\item found 160 bugs in the C code (144 by the proof)
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{}
-
- \begin{tabular}{c@ {\hspace{2mm}}c}
- \\[6mm]
- \begin{tabular}{c}
- \includegraphics[scale=0.11]{harper.jpg}\\[-2mm]
- {\footnotesize Bob Harper}\\[-2.5mm]
- {\footnotesize (CMU)}
- \end{tabular}
- \begin{tabular}{c}
- \includegraphics[scale=0.37]{pfenning.jpg}\\[-2mm]
- {\footnotesize Frank Pfenning}\\[-2.5mm]
- {\footnotesize (CMU)}
- \end{tabular} &
-
- \begin{tabular}{p{6cm}}
- \raggedright
- \color{gray}{published a proof about a specification in a journal (2005),
- $\sim$31pages}
- \end{tabular}\\
-
- \pause
- \\[0mm]
-
- \begin{tabular}{c}
- \includegraphics[scale=0.36]{appel.jpg}\\[-2mm]
- {\footnotesize Andrew Appel}\\[-2.5mm]
- {\footnotesize (Princeton)}
- \end{tabular} &
-
- \begin{tabular}{p{6cm}}
- \raggedright
- \color{gray}{relied on their proof in a\\ {\bf security} critical application}
- \end{tabular}
- \end{tabular}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}
- \frametitle{Proof-Carrying Code}
-
- \begin{textblock}{10}(2.5,2.2)
- \begin{block}{Idea:}
- \begin{center}
- \begin{tikzpicture}
- \draw[help lines,cream] (0,0.2) grid (8,4);
-
- \draw[line width=1mm, red] (5.5,0.6) rectangle (7.5,4);
- \node[anchor=base] at (6.5,2.8)
- {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering user: untrusted code\end{tabular}};
-
- \draw[line width=1mm, red] (0.5,0.6) rectangle (2.5,4);
- \node[anchor=base] at (1.5,2.3)
- {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering developer ---\\ web server\end{tabular}};
-
- \onslide<3->{
- \draw[line width=1mm, red, fill=red] (5.5,0.6) rectangle (7.5,1.8);
- \node[anchor=base,white] at (6.5,1.1)
- {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\bf\centering proof- checker\end{tabular}};}
-
- \node at (3.8,3.0) [single arrow, fill=red,text=white, minimum height=3cm]{\bf code};
- \onslide<2->{
- \node at (3.8,1.3) [single arrow, fill=red,text=white, minimum height=3cm]{\bf certificate};
- \node at (3.8,1.9) {\small\color{gray}{\mbox{}\hspace{-1mm}a proof}};
- }
-
-
- \end{tikzpicture}
- \end{center}
- \end{block}
- \end{textblock}
-
- %\begin{textblock}{15}(2,12)
- %\small
- %\begin{itemize}
- %\item<4-> Appel's checker is $\sim$2700 lines of code (1865 loc of\\ LF definitions;
- %803 loc in C including 2 library functions)\\[-3mm]
- %\item<5-> 167 loc in C implement a type-checker
- %\end{itemize}
- %\end{textblock}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- \tikzstyle{every node}=[node distance=25mm,text height=1.5ex, text depth=.25ex]
- \tikzstyle{node1}=[rectangle, minimum size=10mm, rounded corners=3mm, very thick,
- draw=black!50, top color=white, bottom color=black!20]
- \tikzstyle{node2}=[rectangle, minimum size=12mm, rounded corners=3mm, very thick,
- draw=red!70, top color=white, bottom color=red!50!black!20]
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}<2->[squeeze]
- \frametitle{}
-
- \begin{columns}
-
- \begin{column}{0.8\textwidth}
- \begin{textblock}{0}(1,2)
-
- \begin{tikzpicture}
- \matrix[ampersand replacement=\&,column sep=7mm, row sep=5mm]
- { \&[-10mm]
- \node (def1) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}}; \&
- \node (proof1) [node1] {\large Proof}; \&
- \node (alg1) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}}; \\
-
- \onslide<4->{\node {\begin{tabular}{c}\small 1st\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
- \onslide<4->{\node (def2) [node2] {\large Spec$^\text{+ex}$};} \&
- \onslide<4->{\node (proof2) [node1] {\large Proof};} \&
- \onslide<4->{\node (alg2) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\
-
- \onslide<5->{\node {\begin{tabular}{c}\small 2nd\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
- \onslide<5->{\node (def3) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \&
- \onslide<5->{\node (proof3) [node1] {\large Proof};} \&
- \onslide<5->{\node (alg3) [node2] {\large Alg$^\text{-ex}$};} \\
-
- \onslide<6->{\node {\begin{tabular}{c}\small 3rd\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
- \onslide<6->{\node (def4) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \&
- \onslide<6->{\node (proof4) [node2] {\large\hspace{1mm}Proof\hspace{1mm}};} \&
- \onslide<6->{\node (alg4) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\
- };
-
- \draw[->,black!50,line width=2mm] (proof1) -- (def1);
- \draw[->,black!50,line width=2mm] (proof1) -- (alg1);
-
- \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (def2);}
- \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (alg2);}
-
- \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (def3);}
- \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (alg3);}
-
- \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (def4);}
- \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (alg4);}
-
- \onslide<3->{\draw[white,line width=1mm] (1.1,3.2) -- (0.9,2.85) -- (1.1,2.35) -- (0.9,2.0);}
- \end{tikzpicture}
-
- \end{textblock}
- \end{column}
- \end{columns}
-
-
- \begin{textblock}{3}(12,3.6)
- \onslide<4->{
- \begin{tikzpicture}
- \node at (0,0) [single arrow, shape border rotate=270, fill=red,text=white]{2h};
- \end{tikzpicture}}
- \end{textblock}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Mars Pathfinder Mission 1997}
-
- \begin{center}
- \includegraphics[scale=0.15]{marspath1.png}
- \includegraphics[scale=0.16]{marspath3.png}
- \includegraphics[scale=0.3]{marsrover.png}
- \end{center}
-
- \begin{itemize}
- \item despite NASA's famous testing procedure, the lander crashed frequently on Mars
- \item problem was an algorithm not used in the OS
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Priority Inheritance Protocol}
-
- \begin{itemize}
- \item \ldots a scheduling algorithm that is widely used in real-time operating systems
- \item has been ``proved'' correct by hand in a paper in 1983
- \item \ldots but the first algorithm turned out to be incorrect, despite its ``proof''\bigskip\pause
-
- \item we specified the algorithm and then proved that the specification makes
- ``sense''
- \item we implemented our specification in C on top of PINTOS (used for teaching at Stanford)
- \item our implementation was much more efficient than their reference implementation
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Regular Expression Matching}
-\tiny
-
-\begin{tabular}{@ {\hspace{-6mm}}cc}
-\begin{tikzpicture}[y=.1cm, x=.15cm]
- %axis
- \draw (0,0) -- coordinate (x axis mid) (30,0);
- \draw (0,0) -- coordinate (y axis mid) (0,30);
- %ticks
- \foreach \x in {0,5,...,30}
- \draw (\x,1pt) -- (\x,-3pt)
- node[anchor=north] {\x};
- \foreach \y in {0,5,...,30}
- \draw (1pt,\y) -- (-3pt,\y)
- node[anchor=east] {\y};
- %labels
- \node[below=0.3cm] at (x axis mid) {\bl{a}s};
- \node[rotate=90, left=0.6cm] at (y axis mid) {secs};
-
- %plots
- \draw[color=blue] plot[mark=*, mark options={fill=white}]
- file {re-python.data};
- \only<1->{
- \draw[color=red] plot[mark=triangle*, mark options={fill=white} ]
- file {re1.data};}
- \only<1->{
- \draw[color=green] plot[mark=square*, mark options={fill=white} ]
- file {re2.data};}
-
- %legend
- \begin{scope}[shift={(4,20)}]
- \draw[color=blue] (0,0) --
- plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Python};
- \only<1->{\draw[yshift=6mm, color=red] (0,0) --
- plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala V1};}
- \only<1->{
- \draw[yshift=12mm, color=green] (0,0) --
- plot[mark=square*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala V2 with simplifications};}
- \end{scope}
-\end{tikzpicture} &
-
-\begin{tikzpicture}[y=.35cm, x=.00045cm]
- %axis
- \draw (0,0) -- coordinate (x axis mid) (10000,0);
- \draw (0,0) -- coordinate (y axis mid) (0,6);
- %ticks
- \foreach \x in {0,2000,...,10000}
- \draw (\x,1pt) -- (\x,-3pt)
- node[anchor=north] {\x};
- \foreach \y in {0,1,...,6}
- \draw (1pt,\y) -- (-3pt,\y)
- node[anchor=east] {\y};
- %labels
- \node[below=0.3cm] at (x axis mid) {\bl{a}s};
- \node[rotate=90, left=0.6cm] at (y axis mid) {secs};
-
- %plots
- \draw[color=blue] plot[mark=*, mark options={fill=white}]
- file {re-internal.data};
- \only<1->{
- \draw[color=red] plot[mark=triangle*, mark options={fill=white} ]
- file {re3.data};}
-
- %legend
- \begin{scope}[shift={(2000,4)}]
- \draw[color=blue] (0,0) --
- plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala Internal};
- \only<1->{
- \draw[yshift=6mm, color=red] (0,0) --
- plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala V3};}
- \end{scope}
-\end{tikzpicture}
-\end{tabular}\bigskip\pause
-\normalsize
-\begin{itemize}
-\item I needed a proof in order to make sure my program is correct
-\end{itemize}\pause
-
-\begin{center}
-\bl{End Digression.\\ (Our small proof is 0.0005\% of the OS-proof.)}
-\end{center}
-
-\end{frame}}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{One More Thing}
-
-\begin{itemize}
-\item I arrived at King's last year
-\item Maxime Crochemore told me about a string algorithm (suffix sorting) that appeared at a
-conference in 2007 (ICALP)
-\item ``horribly incomprehensible'', no implementation, but claims to be the best \bl{$O(n + k)$} algorithm\bigskip\pause
-
-\item Jian Jiang found 1 error and 1 superfluous step in this algorithm
-\item he received 88\% for the project and won the prize for the best 7CCSMPRJ project in the department
-\item no proof \ldots{} yet
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Trusted Third Party}
-
-Simple protocol for establishing a secure connection via a mutually
-trusted 3rd party (server):
-
-\begin{center}
-\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
-Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
-Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
-Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
-Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encrypted Messages}
-
- \begin{itemize}
- \item Alice sends a message \bl{$m$}
- \begin{center}
- \bl{Alice says $m$}
- \end{center}\medskip\pause
-
- \item Alice sends an encrypted message \bl{$m$}\\ (with key \bl{$K$})
- \begin{center}
- \bl{Alice says $\{m\}_K$}
- \end{center}\medskip\pause
-
- \item Decryption of Alice's message\smallskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
- {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
- \end{center}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encryption}
-
- \begin{itemize}
- \item Encryption of a message\smallskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K}
- {\Gamma \vdash \text{Alice}\;\text{says}\;m & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
- \end{center}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Trusted Third Party}
-
- \begin{itemize}
- \item Alice calls Sam for a key to communicate with Bob
- \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
- \item Alice sends the message encrypted with the key and the second key it recieved
- \end{itemize}\bigskip
-
- \begin{center}
- \bl{\begin{tabular}{lcl}
- $A$ sends $S$ &:& $\textit{Connect}(A,B)$\\
- $S$ sends $A$ &:& $\{K_{AB}\}_{K_{AS}}$ \textcolor{black}{and} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
- $A$ sends $B$ &:& $\{K_{AB}\}_{K_{BS}}$\\
- $A$ sends $B$ &:& $\{m\}_{K_{AB}}$
- \end{tabular}}
- \end{center}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Sending Rule}
-
-
- \bl{\begin{center}
- \mbox{\infer{\Gamma \vdash Q \;\textit{says}\; F}
- {\Gamma \vdash P \;\textit{says}\; F & \Gamma \vdash P \;\textit{sends}\; Q : F}}
- \end{center}}\bigskip\pause
-
- \bl{$P \,\text{sends}\, Q : F \dn$}\\
- \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Trusted Third Party}
-
- \begin{center}
- \bl{\begin{tabular}{l}
- $A$ sends $S$ : $\textit{Connect}(A,B)$\\
- \bl{$S \,\text{says}\, (\textit{Connect}(A,B) \Rightarrow$}\\
- \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
- \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
- $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
- $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
- $A$ sends $B$ : $\{m\}_{K_{AB}}$
- \end{tabular}}
- \end{center}\bigskip\pause
-
-
- \bl{$\Gamma \vdash B \,\text{says} \, m$}?
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Challenge-Response Protocol}
-
- \begin{itemize}
- \item an engine \bl{$E$} and a transponder \bl{$T$} share a key \bl{$K$}\bigskip
- \item \bl{$E$} sends out a \alert{nonce} \bl{$N$} (random number) to \bl{$T$}\bigskip
- \item \bl{$T$} responds with \bl{$\{N\}_K$}\bigskip
- \item if \bl{$E$} receives \bl{$\{N\}_K$} from \bl{$T$}, it starts engine
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Challenge-Response Protocol}
-
- \begin{center}
- \bl{\begin{tabular}{l}
- $E \;\text{says}\; N$\hfill(start)\\
- $E \;\text{sends}\; T : N$\hfill(challenge)\\
- $(T \;\text{says}\; N) \Rightarrow (T \;\text{sends}\; E : \{N\}_K \wedge$\\
- \hspace{3.5cm} $T \;\text{sends}\; E : \text{Id}(T))$\;\;\;\hfill(response)\\
- $T \;\text{says}\; K$\hfill(key)\\
- $T \;\text{says}\; \text{Id}(T)$\hfill(identity)\\
- $(E \;\text{says}\; \{N\}_K \wedge E \;\text{says}\; \text{Id}(T)) \Rightarrow$\\
- \hspace{5cm}$ \text{start\_engine}(T)$\hfill(engine)\\
- \end{tabular}}
- \end{center}\bigskip
-
- \bl{$\Gamma \vdash \text{start\_engine}(T)$}?
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Exchange of a Fresh Key}
-
-\bl{$A$} and \bl{$B$} share a (``super-secret'') key \bl{$K_{AB}$} and want to share another key
-
- \begin{itemize}
- \item assumption \bl{$K_{AB}$} is only known to \bl{$A$} and \bl{$B$}\bigskip
- \item \bl{$A \,\text{sends}\, B : A, \{N_A\}_{K_{AB}}$}
- \item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
- \item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}
- \item<2> \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}
- \end{itemize}\bigskip
-
- Assume \bl{$K^{new}_{AB}$} is compromised by \bl{$I$}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{The Attack}
-
-An intruder \bl{$I$} convinces \bl{$A$} to accept the compromised key \bl{$K^{new}_{AB}$}\medskip
-
-\begin{minipage}{1.1\textwidth}
-\begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, \{N_A\}_{K_{AB}}$}
- \item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
- \item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\;\;recorded by \bl{$I$}\pause
- \item \bl{$A \,\text{sends}\, B : A, \{M_A\}_{K_{AB}}$}
- \item \bl{$B\,\text{sends}\, A : \{M_A + 1, M_B\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{M_B + 1\}_{K_{AB}}$}
- \item \bl{$B \,\text{sends}\, I : \{K^{newer}_{AB}, N^{newer}_B\}_{K_{AB}}$}\;intercepted by \bl{$I$}
- \item \bl{$I \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\pause
- \item \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}\;\;\;\;\bl{$I$} can read it also
- \end{itemize}
- \end{minipage}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Another Challenge-Response}
-
-\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
-each other\bigskip
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Another Challenge-Response}
-
-\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
-each other\bigskip
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Another Challenge-Response}
-
-Unfortunately, an intruder \bl{$I$} can impersonate \bl{$B$}.
-
-\begin{center}
-\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}}
-\begin{tabular}{@{}l@{}}
-\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\
-\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\
-\end{tabular}
-&
-\begin{tabular}{@{}l@{}}
-\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\
-\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\
-\end{tabular}
-\end{tabular}
-\end{center}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides08.pdf has changed
--- a/slides08.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,747 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{plotmarks}
-
-
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-
-
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 08, King's College London, 20 November 2012}
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
-\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (8)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also homework is there)\\
- \end{tabular}
- \end{center}
-
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Last Week}
-
-Andrew Secure RPC Protocol:
-\bl{$A$} and \bl{$B$} share a key private \bl{$K_{AB}$} and want to identify
-each other\bigskip
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Protocols}
-
-\mbox{}
-
-\begin{tabular}{l}
-{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\
-\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\
-\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
-\end{tabular}
-
- \begin{itemize}
- \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
- but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
-\item<2-> indicates one ``protocol run'', or session, which specifies some
-order in the communication
-\item<2-> there can be several sessions in parallel (think of wifi routers)
-\end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Last Week}
-
-
-\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
-each other\bigskip
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Defeating Challenge-Response}
-
-\noindent
-A \alert{reflection attack}: an intruder \bl{$I$} impersonates \bl{$B$}.
-
-\begin{center}
-\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}}
-\begin{tabular}{@{}l@{}}
-\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\
-\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\
-\end{tabular}
-&
-\begin{tabular}{@{}l@{}}
-\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\
-\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\
-\end{tabular}
-\end{tabular}
-\end{center}\bigskip
-
-\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''\medskip\\
-was originally developed at CMU for terminals to connect to
-workstations (e.g., file servers)}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Identify Friend or Foe}
-
-\begin{center}
-\onslide<3->{\mbox{}\hspace{3.4cm}\includegraphics[scale=0.55]{pics/MigInMiddle.jpg}}
-\end{center}
-
-\begin{textblock}{6}(0.3,2)
-\onslide<2->{
-198?: war between Angola (supported by Cuba)
-and Namibia (supported by SA)}
-\end{textblock}
-
-\begin{textblock}{3}(12.5,4.6)
- \onslide<3->{
- \begin{tikzpicture}
- \node at (0,0) [single arrow, fill=red,text=white, rotate=-50, shape border rotate=180]{``bystander''};
- \end{tikzpicture}}
- \end{textblock}
-
-\begin{textblock}{3}(10.9,10)
- \onslide<3->{
- \begin{tikzpicture}
- \node at (0,0) [single arrow, fill=red,text=white, rotate=-40, shape border rotate=180]{attacker};
- \end{tikzpicture}}
- \end{textblock}
-
-\only<4->{
-\begin{textblock}{6}(0.3,9)
-being outsmarted by Angola/Cuba
-ended SA involvement (?)
-\end{textblock}}
-\only<5->{
-\begin{textblock}{6}(0.3,13)
-IFF opened up a nice side-channel attack
-\end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encryption to the Rescue?}
-
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip
- \end{itemize}\pause
-
-means you need to send separate ``Hello'' signals (bad), or worse
-share a single key between many entities
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Protocol Attacks}
-
-\begin{itemize}
-\item replay attacks
-\item reflection attacks
-\item man-in-the-middle attacks
-\item timing attacks
-\item parallel session attacks
-\item binding attacks (public key protocols)
-\item changing environment / changing assumptions\bigskip
-
-\item (social engineering attacks)
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Replay Attacks}
-
-Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}:
-
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
-\bl{$K_{AB}$} and know that the other principal has the key
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Nonces}
-
-\begin{enumerate}
-\item I generate a nonce (random number) and send it to you encrypted with a key we share
-\item you increase it by one, encrypt it under a key I know and send
-it back to me
-\end{enumerate}
-
-
-I can infer:
-
-\begin{itemize}
-\item you must have received my message
-\item you could only have generated your answer after I send you my initial
-message
-\item if only you and me know the key, the message must have come from you
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
-\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
-\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
-\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
-\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
-\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
-\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
-\end{tabular}
-\end{center}\pause
-
-\bl{$B$} believes it is following the correct protocol,
-intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
-talks to \bl{$B$} masquerading as \bl{$A$}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.5]{pics/dogs.jpg}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Replay Attacks}
-
-Andrew Secure RPC protocol: exchanging a new key
-between \bl{$A$} and \bl{$B$}
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
-\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\
-\bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-Assume nonces are represented as bit-sequences of the same length as keys
-\begin{center}
-\begin{tabular}{@{}l@{}}
-\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
-\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\
-\bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\
-\end{tabular}
-\end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Time-Stamps}
-
-The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):
-
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-but nothing is for free: then you need to synchronise time and possibly become a victim to
-timing attacks
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-It can also be fixed by including another nonce:
-
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow B :$} & \bl{$A$}\\
-\bl{$B \rightarrow A :$} & \bl{$\{A, N_B\}_{K_{BS}}$}\\
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A, \{A, N_B\}_{K_{BS}}$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, N_B\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, N_B\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-but nothing is for free: then you need to synchronise time and possibly become victim to
-timing attacks
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Binding Attacks}
-
-with public-private keys it is important that the public key is \alert{bound}
-to the right owner (verified by a certification authority \bl{$CA$})
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
-\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
-\end{tabular}
-\end{center}\bigskip
-
-\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
-in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Binding Attacks}
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
-\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
-\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
-\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
-\end{tabular}
-\end{center}\pause
-
-\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
-(which happily decrypts them with its private key)
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-There are plenty of other protocols and attacks. This could go on ``forever''.\pause\bigskip
-
-We look here on one more kind of attacks that are because of a changing environment.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Changing Environment Attacks}
-
-\begin{itemize}
-\item all protocols rely on some assumptions about the environment
-(e.g., cryptographic keys cannot be broken)\bigskip\pause
-\end{itemize}
-
-\only<2>{
-\begin{itemize}
-\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not
-worthwhile
-\end{itemize}}
-
-\only<3>{
-\begin{itemize}
-\item when it got expensive, some people bought cheaper monthly tickets for a suburban
-station and a nearby one, and one for the destination and a nearby one
-\item a large investment later all barriers were automatic and tickets could record state
-\end{itemize}}
-
-\only<4>{
-\begin{itemize}
-\item but suddenly the environment changed: rail transport got privatised creating many
-competing companies
-potentially cheating each other
-\item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots
-\end{itemize}}
-
-\only<5>{
-\begin{itemize}
-\item apart from bad outsiders (passengers), you also had bad insiders (rail companies)
-\item chaos and litigation ensued
-\end{itemize}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-A Man-in-the-middle attack in real life:
-
-\begin{itemize}
-\item the card only says yes or no to the terminal if the PIN is correct
-\item trick the card in thinking transaction is verified by signature
-\item trick the terminal in thinking the transaction was verified by PIN
-\end{itemize}
-
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
-\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
-\end{center}
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Problems with EMV}
-
-\begin{itemize}
-\item it is a wrapper for many protocols
-\item specification by consensus (resulted unmanageable complexity)
-\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
-further parts are secret
-\item other attacks have been found
-
-\item one solution might be to require always online verification of the PIN with the bank
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Problems with WEP (Wifi)}
-
-\begin{itemize}
-\item a standard ratified in 1999
-\item the protocol was designed by a committee not including cryptographers
-\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
-\item WEP did not allocate enough bits for the nonce
-\item for authenticating packets it used CRC checksum which can be easily broken
-\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
-\item encryption was turned of by default
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Protocols are Difficult}
-
-\begin{itemize}
-\item even the systems designed by experts regularly fail\medskip
-\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
-\item the one who can fix a system should also be liable for the losses\medskip
-\item cryptography is often not {\bf the} answer\bigskip\bigskip
-\end{itemize}
-
-logic is one way protocols are studied in academia
-(you can use computers to search for attacks)
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Public-Key Infrastructure}
-
-\begin{itemize}
-\item the idea is to have a certificate authority (CA)
-\item you go to the CA to identify yourself
-\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
-\item CA must be trusted by everybody
-\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
-explicitly limits liability to \$100.)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Privacy, Anonymity et al}
-
-Some terminology:
-
-\begin{itemize}
-\item \alert{secrecy} is the mechanism used to limit the number of
-principals with access to information (eg, cryptography or access controls)
-
-\item \alert{confidentiality} is the obligation to protect the secrets of other people
-or organizations (secrecy for the benefit of an organisation)
-
-\item \alert{anonymity} is the ability to leave no evidence of an activity (eg, sharing a secret)
-
-\item \alert{privacy} is the ability or right to protect your personal secrets
-(secrecy for the benefit of an individual)
-
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy vs Anonymity}
-
-\begin{itemize}
-\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review)
-\end{itemize}\bigskip\bigskip\pause
-
-
-But privacy?\bigskip\bigskip
-
-``You have zero privacy anyway. Get over it.''\\
-\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\
-
-
-If you have nothing to hide, you have nothing to fear.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy}
-
-private data can be often used against me
-
-\begin{itemize}
-\item if my location data becomes public, thieves will switch off their phones and help themselves in my home
-\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages)
-\item my employer might not like my opinions\bigskip\pause
-
-\item one the other hand, Freedom-of-Information Act
-\item medical data should be private, but medical research needs data
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy Problems}
-
-\begin{itemize}
-\item Apple takes note of every dictation (send over the Internet to Apple)
-\item markets often only work, if data is restricted (to build trust)
-\item Social network can reveal data about you
-\item have you tried the collusion extension for FireFox?
-\item I do use Dropbox, store cards\bigskip
-\item next week: anonymising data
-\end{itemize}
-
-\begin{textblock}{5}(12,8.9)
-\includegraphics[scale=0.3]{pics/gattaca.jpg}\\
-\small Gattaca (1997)
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides09.pdf has changed
--- a/slides09.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,554 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{plotmarks}
-
-
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-
-
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 09, King's College London, 27 November 2012}
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
-\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (9)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also homework is there)\\
- \end{tabular}
- \end{center}
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Last Week}
-
-Recall, the Schroeder-Needham (1978) protocol is vulnerable to replay attacks.
-
-\begin{center}
-\begin{tabular}{@{}r@ {\hspace{1mm}}l@{}}
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\pause
-
-Fix: Replace messages 2 and 3 to include a timestamp:\bigskip
-
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}}
-\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
-\end{tabular}
-\end{center}
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Denning-Sacco Fix}
-
-Denning-Sacco (1981) suggested to add the timestamp, but omit the handshake:\bigskip
-
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}}
-\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
-\textcolor{lightgray}{$B \rightarrow A :$} & \textcolor{lightgray}{$\{N_B\}_{K_{AB}}$}\\
-\textcolor{lightgray}{$A \rightarrow B :$} & \textcolor{lightgray}{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}
-\end{minipage}\bigskip
-
-they argue \bl{$A$} and \bl{$B$} can check that the messages are not replays of earlier
-runs, by checking the time difference with when the protocol is last used
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@{}c@{}}Denning-Sacco-Lowe Fix of Fix\end{tabular}}
-
-Lowe (1997) disagreed and said the handshake should be kept,
-otherwise:\bigskip
-
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\begin{tabular}{@{\hspace{-7mm}}r@ {\hspace{1mm}}l@{}}
-\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
-\bl{$I(A) \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\hspace{5mm}\textcolor{black}{replay}\\
-\end{tabular}
-\end{center}
-\end{minipage}\bigskip
-
-When is this a problem?\pause\medskip
-
-Assume \bl{$B$} is a bank and the message is ``Draw \pounds{1000} from \bl{$A$}'s
-account and transfer it to \bl{$I$}.''
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy}
-
-\begin{minipage}{1.05\textwidth}
-\begin{itemize}
-\item we \alert{do} want that government data is made public (free maps for example)
-\item we \alert{do not} want that medical data becomes public (similarly tax data, school
-records, job offers)\bigskip
-\item personal information can potentially lead to fraud
-(identity theft)
-\end{itemize}\pause
-
-{\bf ``The reality'':}
-\only<2>{\begin{itemize}
-\item London Health Programmes lost in June unencrypted details of more than 8 million people
-(no names, but postcodes and details such as gender, age and ethnic origin)
-\end{itemize}}
-\only<3>{\begin{itemize}
-\item also in June Sony, got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
-\end{itemize}}
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Privacy and Big Data}
-
-Selected sources of ``Big Data'':\smallskip{}
-
-\begin{itemize}
-\item Facebook
-\begin{itemize}
-\item 40+ Billion photos (100 PB)
-\item 6 Billion messages daily (5 - 10 TB)
-\item 900 Million users
-\end{itemize}
-\item Common Crawl
-\begin{itemize}
-\item covers 3.8 Billion webpages (2012 dataset)
-\item 50 TB of data
-\end{itemize}
-\item Google
-\begin{itemize}
-\item 20 PB daily (2008)
-\end{itemize}
-\item Twitter
-\begin{itemize}
-\item 7 Million users in the UK
-\item a company called Datasift is allowed to mine all tweets since 2010
-\item they charge 10k per month for other companies to target advertisement
-\end{itemize}
-\end{itemize}\pause
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Cookies\ldots}
-
-``We have published a new cookie policy. It explains what cookies are
-and how we use them on our site. To learn more about cookies and
-their benefits, please view our cookie policy.\medskip
-
-If you'd like to disable cookies on this device, please view our information
-pages on 'How to manage cookies'. Please be aware that parts of the
-site will not function correctly if you disable cookies. \medskip
-
-By closing this
-message, you consent to our use of cookies on this device in accordance
-with our cookie policy unless you have disabled them.''
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Scare Tactics}
-
-The actual policy reads:\bigskip
-
-``As we explain in our Cookie Policy, cookies help you to get the most
-out of our websites.\medskip
-
-If you do disable our cookies you may find that certain sections of our
-website do not work. For example, you may have difficulties logging in
-or viewing articles.''
-
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Netflix Prize}
-
-Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip
-
-\begin{itemize}
-\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
-\item dataset contained 10\% of all Netflix users (appr.~500K)
-\item names were removed, but included numerical ratings as well as times of rating
-\item some information was \alert{perturbed} (i.e., slightly modified)
-\end{itemize}
-
-\hfill{\bf\alert{All OK?}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Re-identification Attack}
-
-Two researchers analysed the data:
-
-\begin{itemize}
-\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
-records can be identified
-\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
-\item they took 50 samples from IMDb (where people can reveal their identity)
-\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{}
-
-\begin{itemize}
-\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
-\item Preferences in movies (99\% of 500K for 8 ratings)
-\end{itemize}\bigskip
-
-Therefore best practices / or even law (HIPAA, EU):
-
-\begin{itemize}
-\item only year dates (age group for 90 years or over),
-\item no postcodes (sector data is OK, similarly in the US)\\
-\textcolor{gray}{no names, addresses, account numbers, licence plates}
-\item disclosure information needs to be retained for 5 years
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{How to Safely Disclose Information?}
-
-\only<1>{
-\begin{itemize}
-\item Assume you make a survey of 100 randomly chosen people.
-\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
-Gangnam video on youtube.\bigskip
-
-\item What can you infer about the rest of the population?
-\end{itemize}}
-\only<2>{
-\begin{itemize}
-\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause
-
-\item Not even releasing only aggregate information prevents re-identification attacks.
-(GWAS was a public database of gene-frequency studies linked to diseases;
-you only needed partial DNA information in order
-to identify whether an individual was part of the study --- DB closed in 2008)
-\end{itemize}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Differential Privacy}
-
-\begin{center}
-User\;\;\;\;
-\begin{tabular}{c}
-tell me \bl{$f(x)$} $\Rightarrow$\\
-$\Leftarrow$ \bl{$f(x) + \text{noise}$}
-\end{tabular}
-\;\;\;\;\begin{tabular}{@{}c}
-Database\\
-\bl{$x_1, \ldots, x_n$}
-\end{tabular}
-\end{center}
-
-
-\begin{itemize}
-\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
-individual entries \bl{$x_1, \ldots, x_n$}\\
-\item Intuition: whatever is learned from the dataset would be learned regardless of whether
-\bl{$x_i$} participates\bigskip\pause
-
-\item Noised needed in order to prevent queries:\\ Christian's salary $=$
-\begin{center}
-\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian
-\end{center}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Adding Noise}
-
-Adding noise is not as trivial as one would wish:
-
-\begin{itemize}
-\item If I ask how many of three have seen the Gangnam video and get a result
-as follows
-
-\begin{center}
-\begin{tabular}{l|c}
-Alice & yes\\
-Bob & no\\
-Charlie & yes\\
-\end{tabular}
-\end{center}
-
-then I have to add a noise of \bl{$1$}. So answers would be in the
-range of \bl{$1$} to \bl{$3$}
-
-\bigskip
-\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots),
-then one individual can change the dataset by \bl{$5$}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@{}c@{}}Tor, Anonymous Webbrowsing\end{tabular}}
-
-\begin{itemize}
-\item initially developed by US Navy Labs, but then opened up to the world
-\item network of proxy nodes
-\item a Tor client establishes a ``random'' path to the destination server (you cannot trace back where the information came from)\bigskip\pause
-\end{itemize}
-
-\only<2>{
-\begin{itemize}
-\item malicious exit node attack: someone set up 5 Tor exit nodes and monitored the traffic:
-\begin{itemize}
-\item a number of logons and passwords used by embassies (Usbekistan `s1e7u0l7c', while
-Tunesia `Tunesia' and India `1234')
-\end{itemize}
-\end{itemize}}
-\only<3>{
-\begin{itemize}
-\item bad apple attack: if you have one insecure application, your IP can be tracked through Tor
-\begin{itemize}
-\item background: 40\% of traffic on Tor is generated by BitTorrent
-\end{itemize}
-\end{itemize}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@{}c@{}}Skype Secure Communication\end{tabular}}
-
-\begin{itemize}
-\item Skype used to be known as a secure online communication (encryption cannot be disabled),
-but \ldots\medskip
-
-\item it is impossible to verify whether crypto algorithms are correctly used, or whether there are backdoors.\bigskip
-
-\item recently someone found out that you can reset the password of somebody else's
-account, only knowing their email address (needed to suspended the password reset feature temporarily)
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}
-
-According to Ross Anderson: \bigskip
-\begin{itemize}
-\item Privacy in a big hospital is just about doable.\medskip
-\item How do you enforce privacy in something as big as Google
-or complex as Facebook? No body knows.\bigskip
-
-Similarly, big databases imposed by government
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@{}c@{}}Next Week\end{tabular}}
-
-Homework: Which areas should I focus on?
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-
Binary file slides10.pdf has changed
--- a/slides10.tex Sun Dec 09 13:00:33 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,217 +0,0 @@
-\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{plotmarks}
-
-
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-
-
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-% beamer stuff
-\renewcommand{\slidecaption}{APP 09, King's College London, 27 November 2012}
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
-\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-
-\begin{document}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
-\frametitle{%
- \begin{tabular}{@ {}c@ {}}
- \\
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (10)\\[-6mm]
- \end{tabular}}\bigskip\bigskip\bigskip
-
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-
-\normalsize
- \begin{center}
- \begin{tabular}{ll}
- Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
- Slides: & KEATS (also homework is there)\\
- \end{tabular}
- \end{center}
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Revision: Proofs}
-
-\begin{center}
-\includegraphics[scale=0.4]{pics/river-stones.jpg}
-\end{center}
-
-\begin{textblock}{5}(11.7,5)
-goal
-\end{textblock}
-
-\begin{textblock}{5}(11.7,14)
-start
-\end{textblock}
-
-\begin{textblock}{5}(0,7)
-\begin{center}
-\bl{\infer[\small\textcolor{black}{\text{axiom}}]{\quad\vdash\quad}{}}\\[8mm]
-\bl{\infer{\vdash}{\quad\vdash\quad}}\\[8mm]
-\bl{\infer{\vdash}{\quad\vdash\qquad\vdash\quad}}
-\end{center}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Proof Example Proof}
-
-\begin{center}
-\bl{\infer{P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash Q\;\text{says}\;F_2 \wedge P\;\text{says}\;F_1}
- {\raisebox{2mm}{\text{\LARGE $?$}}}}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Proof Example Proof}
-
-\begin{tabular}{@{\hspace{-6mm}}l}
-\begin{minipage}{1.1\textwidth}
-We have (by axiom)
-
-\begin{center}
-\begin{tabular}{@{}ll@{}}
-(1) & \bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2$}
-\end{tabular}
-\end{center}
-
-From (1) we get
-
-\begin{center}
-\begin{tabular}{@{}ll@{}}
-(2) & \bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash P\;\text{says}\;F_1$}\\
-(3) & \bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash Q\;\text{says}\;F_2$}\\
-\end{tabular}
-\end{center}
-
-From (3) and (2) we get
-
-\begin{center}
-\begin{tabular}{@{}ll@{}}
-\bl{$P\;\text{says}\;F_1 \wedge Q\;\text{says}\;F_2 \vdash Q\;\text{says}\;F_2 \wedge P\;\text{says}\;F_1$}
-\end{tabular}
-\end{center}
-
-Done.
-\end{minipage}
-\end{tabular}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
-