Proceedings

More documents

Recommendations

Info

| 96 # echo “/dev/ad0.elia / ufs rw 1 1” >> /removable/etc/fstab It is important to note that this file must be stored on the removable medium and serves only the purpose of specifying the device for the root filesystem. As soon as the kernel has read out the contents of the file, it will mount the specified device as the root filesystem and the files on the removable medium (including fstab) will be outside of the filesystem name space. This means that the removable medium must first be mounted before the files on it can be accessed through the filesystem name space. It also means, however, that the removable medium can actually be removed after the root filesystem has been mounted from the encrypted hard disk – thus reducing unnecessary exposure. It is crucial that the removable medium be always in the possession of the user, because the whole concept of complete hard disk encryption relies on the assumption that the boot medium – therefore the removable medium, not the hard disk – is uncompromised and its contents are trusted. If any other partitions need to be mounted in order to boot up the system – for example /dev/ad0.elid for /usr – they must be specified in /etc/fstab as well. Since most installations use at least one swap partition, the command for adding the appropriate entry to /etc/fstab is given below. # echo “/dev/ad0.elib none swap sw 0 0“ > /fixed/etc/fstab The system is now ready for use and can be booted from the removable medium. As the different storage devices in the system are found, GELI searches them for any partitions that were initialized with the geli init -b parameter and asks for the passphrase. If the correct one has been provided, GELI will create new device nodes for plain text access to the hard disk and the partitions on it (e.g. /dev/ad0.elia), which then can then be mounted as specified in /etc/fstab. After that, the rest of the system is loaded. sysinstall can then be used in order to adjust the various settings that could not be set during the installation procedure – such as timezone, keyboard map and especially the root password! �� Any user seriously thinking about using complete hard disk encryption should be aware of what it actually protects and what it does not. Since encryption requires a lot of processing power and can therefore have a noticeable impact on performance, it is usually not enabled by default. FreeBSD marks no exception here. Although it provides strong encryption algorithms and two powerful tools for encrypting storage media, it is up to the user to discover and apply this functionality. This paper gave instructions on how to encrypt an entire hard disk while most of the operating system is still stored and loaded from it. It is important to remember, however, that FreeBSD – or any other software component for that matter – will not warn the user if the encrypted data on the hard disk is leaked (see chapter 2.3) or intentionally copied to another, unencrypted medium, such as an external drive or a smart media card. It is the responsibility of the user to encrypt these media as well. This responsibility applies equally well to data in transit. Network transmissions are -20-
COMPLETE HARD DISK ENCRYPTION WITH FREEBSD in most cases not encrypted by default either. Since all encryption and decryption of the data on the hard disk is done transparently to the user once the passphrase has been provided, it is easy to forget that some directories might contain data which is stored on a different machine and made available through NFS, for example – in which case the data is transferred in the clear over the network, unless explicitly set up otherwise. The mounting facility in UNIX is very powerful; but it also makes it difficult to keep track of which medium actually holds what data. The network poses of course an additional threat, because of an attacker's ability to target the machine remotely. The problem has already been discussed in chapter 1. If a particular machine is easier to attack remotely than locally, any reasonable attacker will not even bother with getting physical access to the machine. In that case it would make no sense to use complete hard disk encryption, because it does not eliminate the weakest link (the network connectivity). If, on the other hand, not the network, but the unencrypted or not fully encrypted hard disk is the weakest link and the attacker is also capable of getting physical access to the machine (for reasons discussed in chapter 2.4), then complete hard disk encryption makes sense. A key point to remember is that as long as a particular storage area is attached, the data residing on it is not protected any more than any other data accessible to the system. This applies to both GBDE and GELI; even unmounting an encrypted storage area will not protect the data from compromise since the corresponding device node providing access to the plain text still exists. In order to remove this plain text device node, the storage area in question must be detached. With GBDE this must be done manually, GELI has a feature that allows for automatic detachment on the last close – but this option must be explicitly specified. Since the partition holding the operating system must always be attached and mounted, its contents are also vulnerable during the entire time the system is up. This means that remotely or even locally introduced viruses, worms and trojans can compromise the system in the same way they can do it on a system without complete hard disk encryption. Another way to attack the system would be by compromising the hardware itself, for example by installing a hardware keylogger. This kind of attack is very hard to defend against and this paper makes no attempt to solve this issue. What complete hard disk encryption does protect against, is attacks which aim at either accessing data by reading out the contents of the hard disk on a different system in order to defeat the defenses on the original system or by compromising the system stored on the hard disk, so the encryption key or the data itself can be leaked. Encryption does not, however, prevent the data from being destroyed, both accidentally and intentionally. If it is chosen that the encrypted partition is mounted directly as the root filesystem – without the need for a memory disk, then it is crucial that a strong passphrase be chosen, because that will be the only thing required to access the encrypted data. Choosing the memory disk approach makes for a more resilient security model, since it enables the user to use a lockfile (GBDE) or a keyfile (GELI) – in order to get access to the data. While all these previously mentioned conditions and precautions matter, it is absolutely crucial to understand that the concept of complete hard disk encryption depends upon the assumption that the data on the removable medium is trusted. The removable medium must be used because the majority of the hardware is not capable of booting encrypted code. Since the kernel and all the other code necessary for mounting the encrypted partition(s) must be stored in the clear on the removable -21- 97 |
Page 2 and 3:
| 2
Page 5 and 6:
22. Chaos Communication Congress Pr
Page 7 and 8:
REPORTS 7 5 Thesis on Informational
Page 9 and 10:
10 5 Thesis on Informational- Cogni
Page 11 and 12:
5 THESIS ON INFORMATIONAL-COGNITIVE
Page 13 and 14:
Page 15 and 16:
Page 17:
Page 20 and 21:
UQBTng: a tool capable of automatic
Page 22 and 23:
IV. UQBT MODIFICATIONS A. Summary A
Page 24 and 25:
• if LHS of A is exactly sem str,
Page 27 and 28:
Advanced Buffer Overflow Methods [o
Page 29 and 30:
ADVANCED BUFFER OVERFLOW METHODS #i
Page 31 and 32:
ADVANCED BUFFER OVERFLOW METHODS 0x
Page 33 and 34:
ADVANCED BUFFER OVERFLOW METHODS in
Page 35:
ADVANCED BUFFER OVERFLOW METHODS }
Page 38 and 39:
| 34 Eine Führung in das europäis
Page 40 and 41:
| 36 Die kryptische Kennung 10 eine
Page 42 and 43:
| 38 senvertreter angewiesen. Die
Page 44 and 45:
| 40 Anonymous Data Broadcasting by
Page 46 and 47:
| 42 operate, consider the setting,
Page 48 and 49:
| 44 Figure 1: Anonymous data broad
Page 51 and 52: Autodafé: An Act of Software Tortu
Page 53 and 54: AUTODAFE - AN ACT OF SOFTWARE TORTU
Page 61 and 62: Bad TRIPs What the WTO Treaty did i
Page 63 and 64: BAD TRIPS The TRIPS is especially h
Page 65: BAD TRIPS Extension of the transiti
Page 68 and 69: | 64 Collateral Damage Consequences
Page 70 and 71: | 66 If one considers a DNSBL listi
Page 72 and 73: | 68 • A number of sites do not h
Page 74 and 75: | 70 to use other mailing software.
Page 76 and 77: | 72 These kinds of checks tend to
Page 79 and 80: COMPLETE Hard Disk Encryption with
Page 81 and 82: COMPLETE HARD DISK ENCRYPTION WITH
Page 99: COMPLETE HARD DISK ENCRYPTION WITH
Page 105: COMPLETE HARD DISK ENCRYPTION WITH
Page 108 and 109: | 104 x86-64 buffer overflow exploi
Page 110 and 111: | 106 3 ELF64 LAYOUT AND X86-64 EXE
Page 112 and 113: | 108 4 THE BORROWED CODE CHUNKS TE
Page 114 and 115: | 110 5 AND DOES THIS REALLY WORK?
Page 116 and 117: | 112 6 SINGLE WRITE EXPLOITS 9 48
Page 118 and 119: | 114 6 SINGLE WRITE EXPLOITS 11 34
Page 120 and 121: | 116 7 AUTOMATED EXPLOITATION 13 A
Page 122 and 123: | 118 7 AUTOMATED EXPLOITATION 15 W
Page 124 and 125: | 120 8 RELATED WORK 17 32 read(soc
Page 126 and 127: | 122 11 CREDITS 19 11 Credits Than
Page 129 and 130: Developing Intelligent Search Engin
Page 131 and 132: DEVELOPING INTELLIGENT SEARCH ENGIN
Page 133 and 134: DEVELOPING INTELLIGENT SEARCH ENGIN
Page 135 and 136: Digital Identity and the Ghost in t
Page 137 and 138: DIGITAL IDENTITY AND THE GHOST IN T
Page 145: DIGITAL IDENTITY AND THE GHOST IN T
Page 148 and 149: | 144
Page 150 and 151:
| 146
Page 153 and 154:
Esperanto, die internationale Sprac
Page 155 and 156:
ESPERANTO, DIE INTERNATIONALE SPRAC
Page 157 and 158:
ESPERANTO, DIE INTERNATIONALE SPRAC
Page 159 and 160:
Fair Code Free/Open Source Software
Page 161 and 162:
FAIR CODE 2. Von Digital Divide zu
Page 163 and 164:
FAIR CODE ökonomisch schlecht gest
Page 165 and 166:
FAIR CODE menschliches Verhalten re
Page 167:
FAIR CODE gewährleistet, und nur d
Page 170 and 171:
��
Page 172 and 173:
| 168 ��
Page 174 and 175:
| 170 ��
Page 176 and 177:
| 172 ��
Page 178 and 179:
| 174 ��
Page 180 and 181:
| 176 ��
Page 183 and 184:
Fuzzing Breaking software in an aut
Page 185 and 186:
FUZZING or protocol and fuzzing fra
Page 187 and 188:
FUZZING #define SOME_MAX 4096 if (y
Page 189 and 190:
Geometrie ohne Punkte, Geraden & Eb
Page 191 and 192:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 193:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 196 and 197:
| 192
Page 198 and 199:
| 194
Page 200 and 201:
| 196
Page 203 and 204:
Hacking OpenWRT Felix Fietkau 199 |
Page 205 and 206:
HACKING OPENWRT 1 Introduction to O
Page 207 and 208:
HACKING OPENWRT 3.2 Makefile This f
Page 209 and 210:
HACKING OPENWRT If your package is
Page 211 and 212:
HACKING OPENWRT 4.2 toolchain/ tool
Page 213 and 214:
HACKING OPENWRT To add a new platfo
Page 215 and 216:
Hopalong Casualty On automated vide
Page 217 and 218:
HOPALONG CASUALTY 2 Intro to Visual
Page 219 and 220:
HOPALONG CASUALTY Appearance As hum
Page 221 and 222:
HOPALONG CASUALTY A thorough review
Page 223 and 224:
Hosting a Hacking Challenge - CTF-s
Page 225 and 226:
HOSTING A HACKING CHALLENGE - CTF-S
Page 227 and 228:
Page 229:
Page 232 and 233:
| 228 1 Introduction Intrusion Dete
Page 234 and 235:
| 230 • Changing file owner / gro
Page 236 and 237:
| 232 Figure 2: Simple correlation
Page 239 and 240:
Lyrical I Abschluss des CCC-Poesie-
Page 241 and 242:
Magnetic Stripe Technology Joseph B
Page 243 and 244:
MAGNETIC STRIPE TECHNOLOGY black re
Page 245 and 246:
MAGNETIC STRIPE TECHNOLOGY My curre
Page 247 and 248:
MAGNETIC STRIPE TECHNOLOGY MetroCar
Page 249 and 250:
��
Page 251 and 252:
Code Listing (dmsb.c) ��
Page 253 and 254:
Memory allocator security Yves Youn
Page 255 and 256:
MEMORY ALLOCATOR SECURITY 251 |
Page 257 and 258:
MEMORY ALLOCATOR SECURITY 253 |
Page 259 and 260:
Message generation at the info laye
Page 261 and 262:
MESSAGE GENERATION AT THE INFO LAYE
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269:
Page 272 and 273:
| 268 Abstract Open Source, EU Fund
Page 274 and 275:
| 270 lines of code x1e5 1.8 1.6 1.
Page 276 and 277:
| 272 cooperation. Getting the new
Page 278 and 279:
| 274 PyPy - The new Python Impleme
Page 280 and 281:
| 276 performs abstract interpretat
Page 282 and 283:
| 278 adding short cuts for some co
Page 284 and 285:
| 280
Page 286 and 287:
| 282
Page 288 and 289:
| 284
Page 290 and 291:
| 286
Page 292 and 293:
| 288
Page 294 and 295:
| 290
Page 296 and 297:
| 292
Page 298 and 299:
| 294 Die Risiken der Nanotechnik N
Page 300 and 301:
| 296 Neue Materialien, einer der P
Page 302 and 303:
| 298 wahrscheinlich nicht ausreich
Page 304 and 305:
| 300 „State of the Future 2005
Page 307 and 308:
The Web according to W3C How to tur
Page 309 and 310:
THE WEB ACCORDING TO W3C 305 |
Page 311 and 312:
THE WEB ACCORDING TO W3C 307 |
Page 313:
THE WEB ACCORDING TO W3C our proces
Page 316 and 317:
| 312 Transparenz der Verantwortung
Page 318 and 319:
| 314 Transparenz der Verantwortung
Page 320 and 321:
| 316 (6) Wird dem Betroffenen kein
Page 322 and 323:
| 318 „anonymes Staatshandeln“
Page 324 and 325:
| 320 Die Einschränkungen der Grun
Page 326 and 327:
| 322 11 wie es insbesondere an Hei
Page 328 and 329:
��
Page 330 and 331:
��
Page 332 and 333:
| 328 ��
Page 335 and 336:
Wargames - Hacker Spielen Männlich
Page 337 and 338:
WARGAMES - HACKER SPIELEN 333 |
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Was ist technisches Wissen? Philoso
Page 357 and 358:
WAS IST TECHNISCHES WISSEN? ��
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
��
Page 369 and 370:
��
Page 371 and 372:
Page 373:
Page 376 and 377:
| 372 ��
Page 378 and 379:
��
Page 380 and 381:
��
Page 382 and 383:
| 378
Page 384 and 385:
| 380
Page 386 and 387:
| 382
Page 388 and 389:
| 384
Page 390 and 391:
| 386
Page 392 and 393:
| 388
Page 394:
| 390
show all

Proceedings

Create successful ePaper yourself

Delete template?

Save as template?