Binary file handouts/ho03.pdf has changed

--- a/handouts/ho03.tex	Mon Oct 06 02:44:23 2014 +0100
+++ b/handouts/ho03.tex	Mon Oct 06 20:52:53 2014 +0100
@@ -7,34 +7,34 @@
 \section*{Handout 3 (Buffer Overflow Attacks)}
 
 By far the most popular attack method on computers are buffer
-overflow attacks or variations thereof. The popularity is
+overflow attacks or simple variations thereof. The popularity is
 unfortunate because we now have technology to prevent them
 effectively. But these kind of attacks are still very relevant
 even today since there are many legacy systems out there and
 also many modern embedded systems do not take any precautions
 to prevent such attacks.
 
-To understand how buffer overflow attacks work we have to have
+To understand how buffer overflow attacks work, we have to have
 a look at how computers work ``under the hood'' (on the
 machine level) and also understand some aspects of the C/C++
 programming language. This might not be everyday fare for
 computer science students, but who said that criminal hackers
 restrict themselves to everyday fare? Not to mention the
 free-riding script-kiddies who use this technology without
-knowing what are the underlying ideas.
+even knowing what the underlying ideas are.
  
 For buffer overflow attacks to work, a number of innocent
 design decisions, which are really benign on their own, need
 to conspire against you. All these decisions were pretty much
-taken in a time when there was no Internet: C was introduced
-around 1973, the Internet TCP/IP protocol was standardised in
-1982 by which time there were maybe 500 servers connected
-worldwide (all users were well-behaved), Intel's first 8086
-CPUs arrived around 1977. So nobody of the creators can 
-really be blamed, but as mentioned above we should already 
-be way beyond the point that buffer overflow attacks are
-worth a thought. Unfortunately this is far from the truth. I 
-let you think why?
+taken at a time when there was no Internet: C was introduced
+around 1973; the Internet TCP/IP protocol was standardised in
+1982 by which time there were maybe 500 servers connected (and
+all users were well-behaved, mostly academics); Intel's first
+8086 CPUs arrived around 1977. So nobody of the
+``forefathers'' can really be blamed, but as mentioned above
+we should already be way beyond the point that buffer overflow
+attacks are worth a thought. Unfortunately, this is far from
+the truth. I let you think why?
 
 One such ``benign'' design decision is how the memory is laid
 out into different regions for each process. 

Binary file pics/stack1.png has changed

Binary file pics/stack2.png has changed

Binary file pics/stack3.png has changed

--- a/progs/C0.c	Mon Oct 06 02:44:23 2014 +0100
+++ b/progs/C0.c	Mon Oct 06 20:52:53 2014 +0100
@@ -1,23 +1,18 @@
 #include <string.h>
 #include <stdio.h>
-#include <stdlib.h>
 
 void foo (char *bar)
 {
-  float my_float = 10.5;    // in hex: \x41\x28\x00\x00
-  char  buffer[28];        
+   long my_long = 101010101; // in hex: \xB5\x4A\x05\x06
+   char  buffer[28];        
 
-  printf("my float value = %f\n", my_float);
-
-  strcpy(buffer, bar);  
- 
-  printf("my float value = %f\n", my_float);
+   printf("my_long value = %lu\n", my_long);
+   strcpy(buffer, bar);    
+   printf("my_long value = %lu\n", my_long);
 }
  
 int main (int argc, char **argv)
 {
-  foo("my string is too long !!!!! ");                  // all is normal
-  //foo("my string is too long !!!!! \x10\x10\xc0\x42");  // overwrites my_float
+  foo("my string is too long !!!!!"); 
   return 0;
-}
-
+}
\ No newline at end of file

--- a/progs/C2.c	Mon Oct 06 02:44:23 2014 +0100
+++ b/progs/C2.c	Mon Oct 06 20:52:53 2014 +0100
@@ -1,14 +1,32 @@
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+// Since gets() is insecure and produces lots 
+// of warnings, thereofre I use my own input 
+// function instead.
+void get_line(char *dst) {
+  char buffer[8];
+  int i = 0;
+  char ch;
+  while ((ch = getchar()) != '\n') {
+    buffer[i++] = ch;
+  }
+  buffer[i] = '\0';
+  strcpy(dst, buffer);
+}
+
 int match(char *s1, char *s2) {
-  while( *s1 != '\0' && *s2 != '\0' && *s1 == *s2 ){
+  while(*s1 != '\0' && *s2 != '\0' && *s1 == *s2){
     s1++; s2++;
   }
   return( *s1 - *s2 );
 }
 
-void welcome() { printf("Welcome to the Machine!\n"); exit(0); }
-void goodbye() { printf("Invalid identity, exiting!\n"); exit(1); }
+void welcome() { printf("Welcome!\n"); exit(0); }
+void goodbye() { printf("Wrong identity, exiting!\n"); exit(1); }
 
-main(){
+int main(){
   char name[8];
   char pw[8]; 
 
@@ -21,4 +39,4 @@
     welcome();
   else
     goodbye();
-}
\ No newline at end of file
+}

--- a/progs/C2a.c	Mon Oct 06 02:44:23 2014 +0100
+++ b/progs/C2a.c	Mon Oct 06 20:52:53 2014 +0100
@@ -1,15 +1,17 @@
-// Since gets() is insecure and produces lots 
-// of warnings, thereofre I use my own input 
-// function instead.
-char ch;
-int i;
-
 void get_line(char *dst) {
   char buffer[8];
-  i = 0;
+  int i = 0;
+  char ch;
   while ((ch = getchar()) != '\n') {
-    buffer[i++] = ch; 
+    buffer[i++] = ch;
   }
   buffer[i] = '\0';
   strcpy(dst, buffer);
-}	
+}
+
+int match(char *s1, char *s2) {
+  while(*s1 != '\0' && *s2 != '\0' && *s1 == *s2){
+    s1++; s2++;
+  }
+  return( *s1 - *s2 );
+}

--- a/progs/test.c	Mon Oct 06 02:44:23 2014 +0100
+++ b/progs/test.c	Mon Oct 06 20:52:53 2014 +0100
@@ -1,6 +1,6 @@
 #include <string.h>
 #include <stdio.h>
-#include <stdlib.h>
+//#include <stdlib.h>
 
 void foo (char *bar)
 {

Binary file slides/slides03.pdf has changed

--- a/slides/slides03.tex	Mon Oct 06 02:44:23 2014 +0100
+++ b/slides/slides03.tex	Mon Oct 06 20:52:53 2014 +0100
@@ -35,6 +35,295 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+
+\begin{center}
+  \begin{tikzpicture}[scale=1]
+  
+  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+  \draw (4.7,1) node {Internet};
+  \draw (-2.7,1.7) node {\footnotesize Application};
+  \draw (0.6,1.7) node {\footnotesize Interface};
+  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+  
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+ 
+  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+  \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item the idea is make the attack surface smaller and 
+mitigate the consequences of an attack
+\item you need an OS that supports different roles (root vs.~users)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Weaknesses of Unix AC}
+
+\begin{itemize}
+\item if you have too many roles (for example too finegrained AC), then
+  hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
+    like\ldots let's be root}\bigskip
+
+\item you can still abuse the system\ldots
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+The idea is to trick a privileged person to do something on your
+behalf:
+
+\begin{itemize}
+\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+
+\small
+\begin{minipage}{1.1\textwidth}
+\textcolor{gray}{the shell behind the scenes:}\\
+\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+
+\textcolor{gray}{this takes time}
+\end{minipage}
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Cron''-Attack}
+
+\begin{enumerate}
+\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
+\item root \textcolor{gray}{(does the daily cleaning)}\\
+\texttt{rm /tmp/*/*}\medskip\\
+\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\ 
+\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\
+
+\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
+the real passwd file)}\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
+\item root now deletes  the real passwd file
+\end{enumerate}
+
+\only<2>{
+\begin{textblock}{11}(2,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\normalsize\color{darkgray}
+\begin{minipage}{9.5cm}\raggedright
+To prevent this kind of attack, you need additional
+policies (don't do such operations as root).
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\Large Buffer Overflow Attacks}
+
+\begin{center}
+\begin{columns}[b]
+\begin{column}{.4\textwidth}
+\centering
+\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
+lectures so far
+\end{column}
+\begin{column}<2>{.4\textwidth}
+\centering
+\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
+today
+\end{column}
+\end{columns}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Smash the Stack for Fun\ldots}
+
+\begin{itemize}
+\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip
+
+\item one of the most popular attacks, unfortunately\\ 
+($>$ 50\% of security incidents reported at CERT are related 
+to buffer overflows)
+\begin{flushright}
+\small\url{http://www.kb.cert.org/vuls}
+\end{flushright}
+\medskip
+\item made popular in an article from 1996 by Elias Levy
+(also known as Aleph One):\\
+\begin{center}
+{\bf ``Smashing The Stack For Fun and Profit''}
+\end{center}\medskip
+
+\begin{flushright}
+\small\url{http://phrack.org/issues/49/14.html}
+\end{flushright} 
+ 
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A Long Printed ``Twice''}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{``A Login Function'' (1)}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{``A Login Function'' (2)}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{What the Hell Is Going On?}
+
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Memory}
+
+\begin{itemize}
+\item each process will get a chunk of memory that is organised as
+follows:
+\end{itemize}
+
+\begin{center}
+  \begin{tikzpicture}[scale=0.8]
+  %\draw[step=1cm] (-3,-3) grid (3,3);
+  \draw[line width=1mm] (-2, -3) rectangle (2,3);
+  \draw[line width=1mm] (-2,1) -- (2,1);
+  \draw[line width=1mm] (-2,-1) -- (2,-1);
+  \draw (0,2) node {\large\tt text};
+  \draw (0,0) node {\large\tt heap};
+  \draw (0,-2) node {\large\tt stack};
+
+  \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
+  \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
+  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
+
+  \draw (2.7,-2) node[anchor=west] {\tt grows};
+  \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
+  \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
+  \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
+  \end{tikzpicture}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{The Stack}
+
+\begin{textblock}{7}(1,1)
+  \begin{tikzpicture}[scale=0.8]
+  %\draw[step=1cm] (-3,-1) grid (3,8);
+  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
+  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
+  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
+  \draw (0,-1) node[anchor=south] {\tt main};
+  \draw[line width=1mm] (-1,0) -- (1,0);
+  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
+  \draw[line width=1mm] (-1,1) -- (1,1);
+  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
+  \draw[line width=1mm] (-1,2) -- (1,2);
+  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
+  \draw[line width=1mm] (-1,3) -- (1,3);
+  \draw (0,3.1) node[anchor=south] {\tt ret};
+  \draw[line width=1mm] (-1,4) -- (1,4);
+  \draw (0,4) node[anchor=south] {\small\tt last sp};
+  \draw[line width=1mm] (-1,5) -- (1,5);
+  \draw (0,5) node[anchor=south] {\tt buf$_1$};
+  \draw[line width=1mm] (-1,6) -- (1,6);
+  \draw (0,6) node[anchor=south] {\tt buf$_2$};
+  \draw[line width=1mm] (-1,7) -- (1,7);
+  \draw (2,6.1) node[anchor=south] {\code{$esp}};
+  \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);
+
+  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0); 
+  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
+  \draw (2.6,3.1) node[anchor=south west] {\tt back to main()};
+
+  \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
+\end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{7}(6.4,8)
+\begin{bubble}[6.8cm]
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} 
+\end{bubble}
+\end{textblock}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Behind the Scenes}
+
+machine code
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
@@ -86,27 +375,6 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-The idea is to trick a privileged person to do something on your
-behalf:
-
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-
-\small
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
@@ -137,60 +405,155 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\Large Buffer Overflow Attacks}
+\frametitle{The Problem}
+
+\begin{itemize}
+\item The basic problem is that library routines in C look as follows:
+\end{itemize}
 
 \begin{center}
-\begin{columns}[b]
-\begin{column}{.4\textwidth}
-\centering
-\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
-lectures so far
-\end{column}
-\begin{column}<2>{.4\textwidth}
-\centering
-\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
-today
-\end{column}
-\end{columns}
+\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c}
 \end{center}
 
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Variants}
+
+There are many variants:
+
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+
+{\small\lstinputlisting[language=C]{../progs/C2.c}}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%\mode<presentation>{
+%\begin{frame}[c]
+%
+%\small
+%A programmer might be careful, but still introduce vulnerabilities:\bigskip
+%
+%{\lstset{language=Java}\footnotesize
+%\texttt{\lstinputlisting{../progs/C2a.c}}}
+%
+% 
+%\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads}
+
+\begin{itemize}
+\item the idea is you store some code to the buffer
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads (2)}
+
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+
+\begin{center}
+\texttt{xorl   \%eax, \%eax}
+\end{center}
+\end{itemize}\bigskip\bigskip
+  
+{\small
+\lstinputlisting[language=C]{../progs/app5.c}}
+  
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+\frametitle{Format String Vulnerability}
 
-\begin{center}
-  \begin{tikzpicture}[scale=1]
+\small
+\texttt{string} is nowhere used:\bigskip
+
+{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
+
+this vulnerability can be used to read out the stack
   
-  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-  \draw (4.7,1) node {Internet};
-  \draw (-2.7,1.7) node {\footnotesize Application};
-  \draw (0.6,1.7) node {\footnotesize Interface};
-  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-  
-  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-  \draw[white] (1.7,1) node (X) {};
-  \draw[white] (3.7,1) node (Y) {};
-  \draw[red, <->, line width = 2mm] (X) -- (Y);
- 
-  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
-  \end{tikzpicture}
-\end{center}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
 
 \begin{itemize}
-\item the idea is make the attack surface smaller and 
-mitigate the consequences of an attack
+\item use safe library functions
+\item stack caneries
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+
 \end{itemize}
-
+  
 \end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Security Goals}
+
+\begin{itemize}
+\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
+\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
+\item Monitoring (detect attacks)\pause
+\item Privacy, confidentiality, anonymity (to protect secrets)\pause
+\item Authenticity (needed for access control)\pause
+\item Integrity (prevent unwanted modification or tampering)\pause
+\item Availability and reliability (reduce the risk of DoS attacks)
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Homework}
+
+\begin{itemize}
+\item Assume format string attacks allow you to read out the stack. What can you do
+	with this information?\bigskip
+
+\item Assume you can crash a program remotely. Why is this a problem?
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
@@ -406,333 +769,6 @@
 
 
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
-
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ 
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
-
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes  the real passwd file
-\end{enumerate}
-
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\normalsize\color{darkgray}
-\begin{minipage}{9cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
-one general defence mechanism is\\\alert{\bf defence in depth}
-\end{center}
-
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Smash the Stack for Fun\ldots}
-
-\begin{itemize}
-\item ``smashing the stack attacks'' or\\ ``buffer overflow attacks''\medskip
-\item one of the most popular attacks\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
-\medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
-\begin{center}
-{\bf ``Smashing The Stack For Fun and Profit''}
-\end{center}\medskip
-
-\begin{flushright}
-\small\textcolor{gray}{Issue 49, Article 14}
-\end{flushright} 
- 
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A Float Printed ``Twice''}
-
-\footnotesize
-\lstinputlisting[language=C]{../progs/C1.c}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Memory}
-
-\begin{itemize}
-\item each process will get a chunk of memory that is organised as
-follows:
-\end{itemize}
-
-\begin{center}
-  \begin{tikzpicture}[scale=0.8]
-  %\draw[step=1cm] (-3,-3) grid (3,3);
-  \draw[line width=1mm] (-2, -3) rectangle (2,3);
-  \draw[line width=1mm] (-2,1) -- (2,1);
-  \draw[line width=1mm] (-2,-1) -- (2,-1);
-  \draw (0,2) node {\large\tt text};
-  \draw (0,0) node {\large\tt heap};
-  \draw (0,-2) node {\large\tt stack};
-
-  \draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
-  \draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
-  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
-
-  \draw (2.7,-2) node[anchor=west] {\tt grows};
-  \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
-  \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
-  \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
-  \end{tikzpicture}
-\end{center}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{The Stack}
-
-\begin{textblock}{7}(1,1)
-  \begin{tikzpicture}[scale=0.8]
-  %\draw[step=1cm] (-3,-1) grid (3,8);
-  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
-  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
-  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
-  \draw (0,-1) node[anchor=south] {\tt main};
-  \draw[line width=1mm] (-1,0) -- (1,0);
-  \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
-  \draw[line width=1mm] (-1,1) -- (1,1);
-  \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
-  \draw[line width=1mm] (-1,2) -- (1,2);
-  \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
-  \draw[line width=1mm] (-1,3) -- (1,3);
-  \draw (0,3.1) node[anchor=south] {\tt ret};
-  \draw[line width=1mm] (-1,4) -- (1,4);
-  \draw (0,4) node[anchor=south] {\small\tt last sp};
-  \draw[line width=1mm] (-1,5) -- (1,5);
-  \draw (0,5) node[anchor=south] {\tt buf$_1$};
-  \draw[line width=1mm] (-1,6) -- (1,6);
-  \draw (0,6) node[anchor=south] {\tt buf$_2$};
-  \draw[line width=1mm] (-1,7) -- (1,7);
-  \draw (2,6.1) node[anchor=south] {\code{$esp}};
-  \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);
-
-  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0); 
-  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
-  \draw (2.6,3.1) node[anchor=south west] {\tt back to main()};
-
-  \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
-\end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{7}(6.4,8)
-\begin{bubble}[6.8cm]
-\footnotesize
-\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} 
-\end{bubble}
-\end{textblock}
-
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{The Problem}
-
-\begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\end{itemize}
-
-\begin{center}
-\small\lstinputlisting[language=C,numbers=none]{../progs/app5.c}
-\end{center}
-
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Variants}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-
-\begin{center}
-\only<1>{\includegraphics[scale=0.9]{../pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{../pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{../pics/stack3}\;\;}
-\end{center}
-    
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-
-{\small\lstinputlisting[language=C]{../progs/C2.c}}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%\mode<presentation>{
-%\begin{frame}[c]
-%
-%\small
-%A programmer might be careful, but still introduce vulnerabilities:\bigskip
-%
-%{\lstset{language=Java}\footnotesize
-%\texttt{\lstinputlisting{../progs/C2a.c}}}
-%
-% 
-%\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads}
-
-\begin{itemize}
-\item the idea is you store some code to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads (2)}
-
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
-
-\begin{center}
-\texttt{xorl   \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-  
-{\small
-\lstinputlisting[language=C]{../progs/app5.c}}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Format String Vulnerability}
-
-\small
-\texttt{string} is nowhere used:\bigskip
-
-{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
-
-this vulnerability can be used to read out the stack
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
-
-\begin{itemize}
-\item use safe library functions
-\item stack caneries
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-
-\end{itemize}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Security Goals}
-
-\begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (needed for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
-\end{itemize}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Homework}
-
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
-	with this information?\bigskip
-
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
 \end{document}
 
 %%% Local Variables: