UML security

- Intro
- Security model
- Implementation
- Honeypot vs jail
- UML inside chroot
- Questions
... being changed. Kernel data being read is not a concern at this point. Reading kernel data is not a security problem in the sense of allowing someone to break out of UML. We expect that the user inside UML has root privileges inside it, and so can read any data in the virtual machine anyway.

UML virtual machines are also single-user in the sense that they are typically assigned to a specific person and other people don't put their sensitive information in it. This makes security concerns such as sniffing personal email less of a problem.

How to change kernel memory

- Directly - with a memory store
- System call - i.e. read(fd, kernel_addr, n)
- Through a driver - i.e. /dev/mem or /dev/kmem

Notes: There are basically three ways to attempt to write into kernel memory:

- It can be stored into directly if it is mapped writeable into the process address space.
- A system call can be tricked into changing it by passing a kernel address into a system call that has an output buffer as an argument.
- There may be drivers whose purpose is to provide access to memory.

Direct stores

- UML write-protects most kernel memory on exit from kernel and write-enables it on kernel entry
- Exceptions
  - Two pages at start of executable
  - One page of static data
  - Three pages of kernel stack

Notes: The UML kernel is mapped into the address spaces of its processes. Because of the performance impact of protecting kernel memory from userspace, it is mapped in writeable by default. In 'jail' mode (or 'honeypot' mode, which enables 'jail' if necessary), it is write-protected whenever the process is running in userspace.

There are some exceptions, some of which can be fixed but don't seem exploitable, and one of which (the kernel stack) is not fixable given the current capabilities of the host Linux, but is not exploitable.

Private pages

- One page of text
  - Writeable, but is never executed after bootstrap
- One page of data
  - contains errno
  - user can fiddle UML's errno to heart's content

There are two pages of the kernel binary which are not shared between all the threads in that virtual machine. These pages are writeable.

One contains code which is executed early in the UML bootstrap and never run again. Polluting this therefore can't affect UML.

The other is a data page, and contains only errno. The purpose of this is to provide each thread with a private copy of errno. A malign process can therefore change the kernel's value of errno arbitrarily, but that seems unlikely to be exploitable.

In any case, the page of code is likely to be simply unmapped and thrown out. The errno page may be write-protected. It would have to be the last page protected, and if mprotect sets errno to 0 on success, then that assignment will fault because it just made that page unwriteable.

Static data

- Contains two timer-related variables
  - timer_on
  - missed_ticks

One page of the kernel's static data remains unprotected.
Because of a difference between the timer handler and all other UML signal handlers, the data needed by the timer is not automatically write-enabled on kernel entry. So, two variables that are modified by the handler are left writeable. These will likely be protected in the future, but in the meantime, they don't seem exploitable.

Stack

- Three pages of process' kernel stack
- Stack for signals delivered by host
  - required to be writeable
- Initialized by tracing thread for each system call
- Completely reinitialized before use
  - modifications will be thrown out

UML specifies that its signals will be delivered on a dedicated signal stack, which in kernel terms is the process' kernel stack. This can not be write-protected since the host would just kill the UML thread with a segfault if it tried to deliver a signal on a write-protected stack.

This stack is also used for system calls, and in this case, it is initialized by the tracing thread.

However, any modifications to these pages by the process would just be lost because UML initializes them completely before using them and its behavior doesn't depend on their previous contents.

System calls

- read(fd, kernel_address, n)
- evades protection because buffer is filled in kernel mode
- verify_area checks buffer address manually
- Works for 'jail', problems with 'honeypot'

A sneakier way to try to change kernel memory is to get the kernel to do it for you by passing a kernel address as an output parameter to a system call. Since the output buffer will be filled in the kernel, kernel memory is write-enabled, so this offers a potential way to get around the write-protection that's in effect in user mode.

This problem is mostly taken care of by the generic kernel with the help of some architecture-specific code in asm/uaccess.h, notably verify_area. This checks the buffer address by hand to make sure it's a userspace address and not a kernel address.

This works perfectly well in 'jail' mode, but it's more complicated in 'honeypot' mode because of some peculiarities of that mode. This will be discussed in detail later.

Devices

- /dev/mem and /dev/kmem
- CAP_SYS_RAWIO required to open
- disabled by removing bounding set at boot
  - prevents any process from acquiring that capability
  - possible honeypot test - may need rethinking

Linux provides two devices, /dev/mem and /dev/kmem, that can be used to access kernel memory. Any audit of UML security should examine /proc and /dev for more such files and devices.

In the cases of /dev/mem and /dev/kmem, the CAP_SYS_RAWIO capability is required in order to open them.

These devices are disabled in 'jail' mode by removing CAP_SYS_RAWIO from the capability bounding set, which is the set of capabilities that any process is ever allowed to have.

Since no process can ever get this capability, /dev/mem and /dev/kmem may never be accessed.

This is a bit heavy-handed, since other useful things may also require CAP_SYS_RAWIO. In limited testing, this has seemed to cause no trouble.

Another problem is that this could be a signature of a honeypot, allowing nasty people to know that they are in a virtual machine.

For these reasons, this mechanism may need to change in the future.

lcall system calls

- Alternate x86 system call mechanism
- SysV ABI
  - from when SCO compatibility was important
- not intercepted by ptrace
  - execute directly on host
- Fix on host
  - new personality that segfaults lcall attempts

The last known possible way of breaking out of UML is to use a different system call mechanism. Linux recognizes lcall system calls as well as the standard int 0x80 calls.

These are part of the iBCS binary calling standard and, I believe, support was added to Linux when SCO compatibility was considered important.

That is no longer the case, but the support remains. The reason this is a problem is that lcall system calls are not seen by ptrace, which is how UML intercepts and annuls int 0x80 system calls.

Therefore, any process running inside UML that knows how to make lcall system calls will run them directly on the host.

This must be fixed on the host. There is nothing that can be done to UML to fix this. The way this will be done is to add a new personality to the host which disallows any iBCS compatibility by segfaulting any process which attempts to use it. UML will then set its personality to that and relay any resulting segfaults to its own processes.

Jail vs. Honeypot

[Diagram: process address space layouts, one column for Jail and one for Honeypot. Regions labelled: process address space, UML kernel, process stack, host kernel. Address labels: 0, 0xa0000000, 0xc0000000, "0xc0000000 - e" (label truncated), 0xffffffff.]

This diagram illustrates the difference between plain 'jail' mode and 'honeypot' mode.

With 'jail', process address spaces are contiguous, with the stack located at the top, just below the area reserved for the UML kernel.

With 'honeypot', the process stack is separated from the rest of the process address space and located above the UML kernel area, where it would be on the host.
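
An added example, not part of the original slides and not UML or Linux source: a user-space C model of a verify_area-style range check for the two layouts in the diagram, shown beside a careless form whose address arithmetic wraps. The 0xa0000000 and 0xc0000000 boundaries come from the diagram; keeping the process area limit at 0xa0000000 in 'honeypot' mode and the HONEYPOT_STACK_LOW bound are assumptions, and all function names are hypothetical.

```c
/* Added example: user-space model of a verify_area-style range check
 * (not UML or Linux kernel code). */
#include <stdint.h>
#include <stdio.h>

/* Boundaries taken from the Jail vs. Honeypot diagram (32-bit x86). */
#define UML_KERNEL_START  0xa0000000u /* top of the contiguous process area */
#define HOST_KERNEL_START 0xc0000000u /* process stack top in 'honeypot'    */
/* ASSUMPTION: lower bound of the honeypot stack window. The diagram's own
 * label is truncated, so this value is constructed for the example. */
#define HONEYPOT_STACK_LOW 0xbf000000u

enum uml_mode { MODE_JAIL, MODE_HONEYPOT };

/* 1 if [addr, addr+len) lies inside [lo, hi). The length is compared with
 * the room left below hi, so addr+len is never computed and cannot wrap. */
static int in_window(uint32_t addr, uint32_t len, uint32_t lo, uint32_t hi)
{
    return addr >= lo && addr <= hi && len <= hi - addr;
}

/* Careless form, kept for contrast only: addr+len wraps modulo 2^32, so a
 * range starting near 0xffffffff appears to end low in user space. */
int careless_check(uint32_t addr, uint32_t len)
{
    return (uint32_t)(addr + len) <= UML_KERNEL_START;
}

/* Compare against one limit. Enough for 'jail', where everything a process
 * owns sits below the UML kernel, but it rejects any honeypot stack buffer. */
int single_limit_check(uint32_t addr, uint32_t len)
{
    return in_window(addr, len, 0, UML_KERNEL_START);
}

/* Mode-aware check: 'honeypot' adds a second window for the relocated
 * stack, and the UML kernel area between the two windows stays off limits. */
int user_range_ok(enum uml_mode mode, uint32_t addr, uint32_t len)
{
    if (in_window(addr, len, 0, UML_KERNEL_START))
        return 1;
    return mode == MODE_HONEYPOT &&
           in_window(addr, len, HONEYPOT_STACK_LOW, HOST_KERNEL_START);
}

int main(void)
{
    /* Constructed sample buffers, as if passed to read(fd, buf, n). */
    static const struct { const char *what; uint32_t addr, len; } s[] = {
        { "low process buffer",           0x08100000u, 4096 },
        { "address inside UML kernel",    0xa0001000u, 16   },
        { "buffer on honeypot stack",     0xbffff000u, 256  },
        { "stack buffer past 0xc0000000", 0xbffffff0u, 0x20 },
        { "length that wraps",            0xfffffff0u, 0x20 },
    };
    printf("%-30s jail honeypot single-limit careless\n", "buffer");
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-30s %4d %8d %12d %8d\n", s[i].what,
               user_range_ok(MODE_JAIL, s[i].addr, s[i].len),
               user_range_ok(MODE_HONEYPOT, s[i].addr, s[i].len),
               single_limit_check(s[i].addr, s[i].len),
               careless_check(s[i].addr, s[i].len));
    return 0;
}
```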

Honeypot

- Stack smashes must work
- Process stack top at 0xc0000000
  - above UML kernel
- 'jail' puts stack top at 0xa0000000
  - below kernel

The reason that 'honeypot' mode locates the process stack in the same place that it is on the host is that stack smash attacks must work. If they didn't, UML would not be useful as a honeypot because it would be impossible (or at least difficult) to break into them.

Honeypot quirks

- STACK_TOP > TASK_SIZE
- Filesystem assumes STACK_TOP==TASK_SIZE
- Filenames checked in getname() without calling verify_area()
- Stack must be prevented from expanding into kernel VM area

Separating the process stack from the rest of the process address space and locating it above the kernel is untraditional, to say the least. And it causes problems. This arrangement causes the value of STACK_TOP, which defines the top address of process stacks, to be greater than the value of TASK_SIZE, which defines the end of the process address space.

Reasonably, the generic kernel expects that STACK_TOP will be less than or equal to TASK_SIZE. The fact that it isn't causes surprisingly few problems.
This can mostly be papered over in the verify_area macro, which the architecture gets to define.

However, filename arguments are not checked for validity by verify_area. Instead, the filesystem checks the addresses itself by comparing them to TASK_SIZE. Since filenames that are on the stack will have addresses greater than that, they will fail the address check and the system call will return -EFAULT.

A second problem resulting from this arrangement is that the process stack will extend into the kernel VM area if it's allowed to grow too big. This is dealt with in the UML segfault handler.

Honeypot quirk solved

- Pretend system calls with filenames called from kernel
  - disables address check
- Problems with system calls with outputs
  - i.e. readlink, stat
  - output buffers aren't checked
  - check them by hand beforehand

The filename problem is solved by two steps.

First, all system calls which have filenames as arguments are called as though they were invoked from inside the kernel rather than by a process. This disables the address checks which would otherwise fail.

However, there are system calls which have a filename as an argument and which also have an output buffer as an argument.
With argument checking disabled, this would open the system call hole described previously.

To deal with this, all such system calls were identified, and those buffers are checked for validity by the UML system call code before entering the actual system call. If a buffer fails the verify_area test, EFAULT is returned directly from the UML system call handler rather than from the system call itself.

Long-term solution

- That sucks
- Ultimate solution - put UML kernel in different address space
- Many problems vanish
  - UML totally undetectable
  - can't probe upper addresses to test for honeypot

Obviously, that is a non-optimal solution. It's bad from a security standpoint because it's unnecessarily complex and if any mistakes were made, they could be exploitable holes.

I consider the long-term solution to this to be moving the UML into a completely different address space from its processes.

This would completely solve UML's security problems because processes would not even be able to form a kernel address, so they would not be able to request that kernel data be modified.

This would also solve a problem with the current arrangement that UML is detectable by a process looking for strange data in the upper reaches of its address space. It may not be writeable, but it is certainly detectable.
Even if it could be unmapped totally, there would still be a mysterious hole there that would be the signature of being in a UML.

chroot

- UML runs as 'nobody' user
- /proc/self/maps no longer required
  - so /proc not needed
- some /dev nodes may be
  - UML can be configured to not need them
- Only need UML binary and filesystem
  - theoretically, I haven't checked this yet

Even if UML security is airtight, it is still wise to wrap some security around it on the host.

The obvious thing to do is put it in a chroot jail. UML lends itself well to this. It has minimal requirements for outside files to be present in the chroot.

It is a statically linked binary, so it has no need for shared libraries.

It used to need to read /proc/self/maps, requiring /proc to be mounted in the jail. This is no longer the case and /proc is not needed.

Some /dev nodes might be necessary, depending on how UML is configured at run-time.
For example, if its consoles or serial lines are attached to host pty or pts devices, then those device nodes will need to be present in the jail.

However, it is possible to avoid that and avoid having any devices in the jail.

So, a chroot jail for UML would need to contain only two files - the UML binary itself and the filesystem that it boots from.

This needs to be verified - I haven't actually booted UML (or heard from anyone who has) in such an environment.

How to break out of chroot

- Assume black hat has broken out of UML
- needs tools
  - has UML binary and root filesystem
- copies tools out of filesystem or ftp them
  - make chroot directory non-writeable
  - can't create new files

There are further things that can be done to tighten up a chroot jail. Let us assume that a black hat has found a way of breaking out of UML and also has a way of breaking out of a chroot jail as a normal user. Let us assume that he has complete control of the UML.

To break out of the chroot jail, he will presumably need some tools. The only files available in the jail are the UML binary and the filesystem. Presumably, these are not directly usable, so he will have to import them somehow.

This leads to our first requirement - that the chroot directory be non-writeable by the uid running UML. This prevents any new files from being created.

How to break out of chroot

- Needs to convert existing files into tools
- UML binary executable
  - rewrite it to construct chroot-breaker
  - install it non-writeable and immutable
- Filesystem writeable but non-executable
  - rewrite it and make it executable
  - writeable by UML uid, but owned by another uid

So, the two existing files will need to be converted into chroot-breaking tools.

The UML binary is already an executable binary, so it is an obvious choice. It can be rewritten so that it becomes the chroot breakout tool.

This can be prevented by making the binary non-writeable and immutable. Actually, immutable is sufficient, but making it unwriteable avoids confusion about what's intended.

Next is the filesystem. It is not an executable binary, but with sufficient rewriting and a permissions change, it could become one. It is writeable, and this is a requirement, since if it weren't, UML would not be able to change its contents and would have to mount it as a read-only filesystem. However, if it is owned by a different uid than the UML uid, then the black hat will not be able to make it executable.
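
An added example, not part of the original slides or the UML project: a host-side C audit of the requirements from the two slides above (jail directory not writeable by the UML uid, binary non-writeable and immutable, filesystem writeable but non-executable and owned by another uid). The function and flag names are hypothetical, and the mode-bit test assumes a non-root UML uid with no ACLs or supplementary groups.

```c
/* Added example: host-side audit of a UML chroot jail (not UML project code). */
#include <fcntl.h>
#include <linux/fs.h>   /* FS_IOC_GETFLAGS, FS_IMMUTABLE_FL */
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* One bit per guideline that the jail fails (names are hypothetical). */
enum {
    JAIL_DIR_WRITEABLE     = 1 << 0, /* UML uid could create new files       */
    JAIL_BIN_WRITEABLE     = 1 << 1, /* UML uid could rewrite the UML binary */
    JAIL_BIN_NOT_IMMUTABLE = 1 << 2, /* immutable flag not confirmed set     */
    JAIL_FS_OWNED_BY_UML   = 1 << 3, /* UML uid could chmod the filesystem   */
    JAIL_FS_EXECUTABLE     = 1 << 4, /* filesystem file has an execute bit   */
    JAIL_FS_NOT_WRITEABLE  = 1 << 5, /* UML could not change its contents    */
    JAIL_STAT_FAILED       = 1 << 6  /* one of the paths could not be read   */
};

/* Write access by (uid, gid) judged from the mode bits alone. */
static int writeable_by(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid)
        return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* 1 only if the immutable inode flag can be read and is set. */
static int is_immutable(const char *path)
{
    int flags = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    int rc = ioctl(fd, FS_IOC_GETFLAGS, &flags);
    close(fd);
    return rc == 0 && (flags & FS_IMMUTABLE_FL) != 0;
}

/* Returns 0 when every guideline holds, otherwise a mask of JAIL_* bits. */
int audit_jail(const char *dir, const char *bin, const char *fs,
               uid_t uml_uid, gid_t uml_gid)
{
    struct stat d, b, f;
    int bad = 0;

    if (stat(dir, &d) != 0 || stat(bin, &b) != 0 || stat(fs, &f) != 0)
        return JAIL_STAT_FAILED;
    if (writeable_by(&d, uml_uid, uml_gid))  bad |= JAIL_DIR_WRITEABLE;
    if (writeable_by(&b, uml_uid, uml_gid))  bad |= JAIL_BIN_WRITEABLE;
    if (!is_immutable(bin))                  bad |= JAIL_BIN_NOT_IMMUTABLE;
    if (f.st_uid == uml_uid)                 bad |= JAIL_FS_OWNED_BY_UML;
    if (f.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
                                             bad |= JAIL_FS_EXECUTABLE;
    if (!writeable_by(&f, uml_uid, uml_gid)) bad |= JAIL_FS_NOT_WRITEABLE;
    return bad;
}

int main(int argc, char **argv)
{
    if (argc != 6) {
        fprintf(stderr,
                "usage: %s JAIL_DIR UML_BINARY FILESYSTEM UML_UID UML_GID\n",
                argv[0]);
        return 2;
    }
    int bad = audit_jail(argv[1], argv[2], argv[3],
                         (uid_t)strtoul(argv[4], NULL, 10),
                         (gid_t)strtoul(argv[5], NULL, 10));
    printf("violations: 0x%02x\n", bad);
    return bad ? 1 : 0;
}
```

A result of 0 means all checks passed; on filesystems that do not expose inode flags, JAIL_BIN_NOT_IMMUTABLE stays set because immutability cannot be confirmed.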

Summary

- chroot jail contains only UML binary and filesystem
- UML runs as 'nobody'
- Directory non-writeable
- UML non-writeable and immutable
- Filesystem non-executable
- 'nobody' accesses everything as 'other'

This simply summarizes the guidelines from the previous set of slides.

Other attacks

- DOS the host from inside chroot
- fork bomb
- attack disk space by extending filesystem
- quotas can prevent some DOS attacks

What other sorts of trouble can be caused by someone who has managed to break out of UML, but has not managed to break the chroot?

DOS attacks are the only things that come to mind. A fork bomb could certainly be set off in there, and the rest of the system would probably notice it.

The disk space of the filesystem housing the jail can be attacked by extending the filesystem file.

A file quota can limit the amount of disk space that can be consumed. Per-user process limits would shut down a fork bomb, although this might be detectable from inside UML. The reason is that UML creates a host process for each UML thread. If a low per-user process limit is imposed, then processes would start mysteriously failing to be created inside UML.
Worse, if multiple honeypots were in use and all shared a uid, then if one honeypot caused the process limit to be hit, then all the honeypots would start failing to create processes.

jailtest

- jailtest
  - utility to probe UML security
  - maybe run in honeypot before it opens for business

jailtest is a little utility that probes the UML security mechanisms from the inside. It is currently a quick kludge which checks only a few things. It needs to be made more thorough, modular, and extensible.

The intent is that it run in a jail or honeypot before it opens up for customers. This would provide a last-minute check that everything is OK, possibly spotting configuration errors before a nasty person does.

Best practices

- provide jail/honeypot kit
  - set up chroot correctly
  - make best practice the default

I think it is fairly important that some best practices be established from the beginning of UML being deployed as a honeypot or jail. An early embarrassing security fiasco would hurt for a long time to come.

A good way to make sure this happens is to make the default jail/honeypot setup practice the current state of the art of UML security.
This would take the form of a UML jail kit which implements those practices and is sufficiently easy to set up that it appeals to people's laziness and flexible enough that it can be adapted to whatever purposes they intend to put it to.