Breaks up overview

Makefile

@@ -1,4 +1,7 @@
-SUBDIR= 	overview/
+SUBDIR+= 	intro
+SUBDIR+=	broken-abstractions
+SUBDIR+= 	memory-management
+SUBDIR+= 	malware
 SUBDIR+= 	stacksmashlab/
 SUBDIR+= 	malwarelab/
 

broken-abstractions/.gitignore

@@ -0,0 +1,14 @@
+BobbyTables.png
+__pycache__/
+aliascnt.sty
+latexmkrc
+slides.pdf
+slides.pytxcode
+procmem.jpg
+pythontex-files-slides/
+
+notes.pdf
+notes.pytxcode
+slides.pdf.xoj
+pythontex-files-notes/
+

overview/Makefile → broken-abstractions/Makefile

@@ -1,9 +1,9 @@
 LATEXFLAGS+=	-shell-escape
 
 .PHONY: all
-all: overview-slides.pdf overview-notes.pdf
+all: slides.pdf notes.pdf
 
-SRC=		overview-content.tex abstract.tex overview.bib
+SRC=		contents.tex abstract.tex bibliography.bib
 SRC+=		jail.py
 SRC+=		combine.c
 SRC+=		echo.sh echofix.sh
@@ -13,23 +13,24 @@ SRC+=		login.c
 
 DEPENDS+=	latexmkrc
 
-overview-slides.pdf overview-notes.pdf: ${SRC} ${DEPENDS}
+slides.pdf notes.pdf: ${SRC} ${DEPENDS}
 
-overview-slides.pdf: overview-slides.tex
-overview-notes.pdf: overview-notes.tex llncs
+slides.pdf: slides.tex
+notes.pdf: notes.tex
 
 procmem.jpg:
 	wget -O $@ https://www.linuxjournal.com/files/linuxjournal.com/linuxjournal/articles/067/6701/6701f1.jpg
 
 BobbyTables.png:
 	wget -O $@ http://imgs.xkcd.com/comics/exploits_of_a_mom.png
 
-.PHONY: clean-depends
-clean-depends:
+.PHONY: clean-depends distclean
+clean-depends distclean:
 	${RM} procmem.jpg BobbyTables.png
 
 .PHONY: clean
 clean:
+	${RM} notes.pdf slides.pdf
 	${RM} -R __pycache__ _minted-*
 
 INCLUDE_MAKEFILES=../makefiles

broken-abstractions/README.md

@@ -0,0 +1,5 @@
+[![Video: Broken abstractions][img]][vid]
+
+[vid]: https://youtu.be/GZ9pgfQ77Kg
+[img]: https://img.youtube.com/vi/GZ9pgfQ77Kg/hqdefault.jpg
+

broken-abstractions/contents.tex

@@ -0,0 +1,224 @@
+\mode*
+
+% Since this a solution template for a generic talk, very little can
+% be said about how it should be structured. However, the talk length
+% of between 15min and 45min and the theme suggest that you stick to
+% the following rules:  
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+%   15 and 30 frames, all told.
+
+
+\section{Broken Abstractions}
+
+\subsection{File System Paths}
+
+\begin{frame}[fragile]
+  \inputminted{python}{jail.py}
+\end{frame}
+
+\begin{frame}[fragile]
+  \begin{example}[./jail.py ../../etc/passwd]
+    \begin{pycode}
+import jail
+jail.main(["jailopen", "../../etc/passwd"])
+    \end{pycode}
+  \end{example}
+\end{frame}
+
+\begin{frame}
+  \pyc[variable]{import os}
+  \begin{alertblock}{The Problem: Abstraction of paths}
+    \begin{itemize}
+      \item We had \pyb[variable]{JAIL_PATH = os.environ["HOME"]}.
+      \item We let \pyb[variable]{filename = "../../etc/passwd"}.
+      \item Thus the file we open is \pyb[variable]{JAIL_PATH + "/" + filename} 
+        which results in \pyc[variable]{print(JAIL_PATH + "/" + filename)}.
+      \item Hence we actually read /etc/passwd.
+    \end{itemize}
+  \end{alertblock}
+\end{frame}
+
+\begin{frame}
+  \begin{itemize}
+    \item Fine, we ban the string \mintinline{python}{"../"}.
+
+    \item Then what about \mintinline{python}{"..\%c0\%af.."}?
+
+  \end{itemize}
+\end{frame}
+
+\subsection{Character Encoding}
+
+\begin{frame}
+  \begin{itemize}
+    \item All character representations in the computer comes in the form of 
+      different encodings, e.g.\ UTF-8 encoding.
+
+    \item The decoders might be programmed differently, some takes into account 
+      the errors in different encoders to compensate -- and this can be 
+      exploited.
+
+    \item Where the encoding and decoding is done can also be exploited.
+
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \begin{block}{UTF-8}
+    \begin{itemize}
+      \item A character encoding standard.
+      \item Uses variable length code words: from one byte.
+      \item First bit indicates if next byte is part of the same code word.
+    \end{itemize}
+  \end{block}
+
+  \begin{table}
+    \begin{tabular}{rrllll}
+      \textbf{Bytes} & \textbf{Avail bits} & \textbf{Byte 1}
+                                           & \textbf{Byte 2}
+                                           & \textbf{Byte 3}
+                                           & \textbf{Byte 4} \\
+                                           \toprule
+      1 & 7  & 0xxxxxxx &          &          & \\
+      2 & 11 & 110xxxxx & 10xxxxxx &          & \\
+      3 & 16 & 1110xxxx & 10xxxxxx & 10xxxxxx & \\
+      4 & 21 & 11110xxx & 10xxxxxx & 10xxxxxx & 10xxxxxx \\
+      \bottomrule
+    \end{tabular}
+  \end{table}
+\end{frame}
+
+% XXX add more details on UTF-8 coding
+
+\subsection{Integer Overflows}
+
+% XXX add more examples on integer overflows
+\begin{frame}[fragile]
+  \inputminted{C}{combine.c}
+\end{frame}
+
+\begin{frame}
+  \begin{alertblock}{The Problem: Abstraction of integers}
+    \begin{itemize}
+      \item Let \mintinline{C}{len2} be very long, say \(2^{32} - 1\), i.e.\ 
+        \mintinline{C}{len2 = 0xffffffff}.
+
+      \item Now we have
+        \begin{align*}
+          \text{\mintinline{C}{len1}} + \text{\mintinline{C}{len2}} 
+          + 1 \pmod{2^{32}}
+          &= \text{\mintinline{C}{len1}} + 2^{32} - 1 + 1 \pmod{2^{32}} \\
+          &= \text{\mintinline{C}{len1}} \pmod{2^{32}} \\
+          &< \text{\mintinline{C}{sizeof(buf)}}.
+        \end{align*}
+
+      \item Thus we pass the test, although we shouldn't.
+    \end{itemize}
+  \end{alertblock}
+\end{frame}
+
+\begin{frame}
+  \begin{remark}
+    This is worse if we use \emph{signed} integers \dots
+  \end{remark}
+\end{frame}
+
+% XXX add more details and other examples of composition
+\subsection{Data and Code}
+
+\begin{frame}[fragile]
+  \begin{example}[echo.sh "-E test\textbackslash ning"]
+    \inputminted{sh}{echo.sh}
+    \begin{pycode}[echo.sh]
+import subprocess
+proc = subprocess.Popen(["./echo.sh", "-E test\\ning"], \
+stdout=subprocess.PIPE)
+print("\\begin{verbatim}" + proc.stdout.read().decode("utf-8") + \
+"\\end{verbatim}")
+    \end{pycode}
+  \end{example}
+\end{frame}
+
+\begin{frame}[fragile]
+  \begin{example}[echofix.sh "-E test\textbackslash ning"]
+    \inputminted{sh}{echofix.sh}
+    \begin{pycode}[echofix.sh]
+import subprocess
+proc = subprocess.Popen(["./echofix.sh", "-E test\\ning"], \
+stdout=subprocess.PIPE)
+print("\\begin{verbatim}" + proc.stdout.read().decode("utf-8") + \
+"\\end{verbatim}")
+    \end{pycode}
+  \end{example}
+\end{frame}
+
+\begin{frame}
+  \begin{itemize}
+    \item The login(1) and rlogin(1) composition bug was found in Linux and AIX 
+      systems which didn't check the syntax of the username.
+
+    \item The syntax of login(1) is \mintinline{sh}{login [-p] [-h host] [[-f] 
+        user]}.
+
+    \item The syntax of rlogin(1) is \mintinline{sh}{rlogin [-l user] machine}.
+
+    \item rlogin(1) connects to the machine and runs \mintinline{sh}{login user 
+        machine}.
+
+    \item However, the user could be chosen to be \enquote{-froot}.
+  \end{itemize}
+\end{frame}
+
+% XXX add canonical representations
+%\subsection{Canonical Representations}
+%
+%\begin{frame}
+%\end{frame}
+
+% XXX add better description of scripting vuln
+
+\begin{frame}[fragile]
+  \begin{minted}{sh}
+    cat ${1} | mail ${2}
+  \end{minted}
+  \begin{itemize}
+    \item What happens with the address
+      \mintinline{sh}{"foo@bar.org | rm -Rf /"}?
+  \end{itemize}
+\end{frame}
+
+% XXX add better description and examples of SQL injection
+
+\begin{frame}[fragile]
+  \begin{minted}[startinline]{php}
+    $sql = "SELECT * FROM client WHERE name = '$name'"
+  \end{minted}
+
+  \pause
+
+  \begin{itemize}
+    \item Insert the name \mintinline[startinline]{php}{Eve' OR 1=1--}.
+    \item This will get a totally different meaning.
+  \end{itemize}
+
+  \pause
+
+  \begin{minted}[startinline]{sql}
+    SELECT * FROM client WHERE name = 'Eve' OR 1=1--
+  \end{minted}
+\end{frame}
+
+\begin{frame}
+  \begin{figure}
+    \centering
+    \includegraphics[width=\textwidth]{BobbyTables.png}
+    \caption{%
+      XKCD's Exploits of a Mom.
+      Image: \cite{BobbyTables}.
+    }
+  \end{figure}
+\end{frame}
+

broken-abstractions/notes.tex

@@ -0,0 +1,44 @@
+\documentclass{article}
+
+\usepackage[hyphens]{url}
+\usepackage[hidelinks]{hyperref}
+
+\input{preamble.tex}
+
+\usepackage{beamerarticle}
+\setjobnamebeamerversion{slides}
+
+\begin{document}
+\title{%
+  Broken abstractions
+}
+\author{%
+  Daniel Bosk
+}
+\institute[MIUN IKS]{%
+  Department of Information and Communication Systems,\\
+  Mid Sweden University, SE-851\,70 Sundsvall
+}
+\date{\today}
+
+\mode<presentation>{%
+  \begin{frame}
+    \titlepage
+  \end{frame}
+}
+\mode<article>{%
+  \maketitle
+}
+
+\mode*
+
+\begin{abstract}
+  \input{abstract.tex}
+\end{abstract}
+
+\input{contents.tex}
+
+%%%%%%%%%%%%%%%%%%%%%%
+
+\printbibliography
+\end{document}