ࡱ;   !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|~Root Entry  !r\V)䰱 PresentationStarImpress 5.0uSfxDocumentInfo  *}1 }}1 uK Info 0 Info 1 Info 2 Info 3 *}1T>< TASK,0,1,H 1,0,100,1,Oh+'0 h t 7@I@!@S @" XOutdevItemPool 1   )     &'()*+,-./06789:;UVWXYZ[\]c !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstt      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefd0w'@qXX',@X':@2fXXXX&' @X'@Arrow ArrowddXXXS'@ArrowddArrow}}Arrow XXX_X'F@,XXXX&X.':@F,XXXX&'@vXX'@X @ @ @ @ @  @! @7'@YXX' @'̙Gray 20%Gray 10%Gray 30%Gray 40%XX X2XDXVXpXX'6@22ddX'(@X':@ BMvv(@@SD@x^SI 0 s\ z 46ZBn8x)1̔.<觔B+̄ ޢ40:prf |q]~+H~|WFMbP@aoCē[ȡz6~U{߃XPXVXXXXX:@ _'''''''''''''' '' ''''' '' ''XXXX,X8XDXVXbXtXXXX**F@#XXXX X&X,77h@=+;(,,--..XXXX X&X,XJHH @ ;+'+''+'g* (@'A'1'+'!'''''''''  ' 'XXX X,X2X8X>XJXVXXXffZ@JJKKJJKKJJKKQQVVJJKKJJKKJJKKQQVVJJKK JJKK JJQQVV^^  QQVVOOQQVVJJKKXX X2XPXbXtXXXXXXXXXzz$@nnXX@XJ@s X8p}=\r H|<^t $ : P f |  , B X n   4 J ` v & < R h ~ J r ,BXn(G]s #9Oe{ 5Kaw'Gg (H^t R* PEditEngineItemPool  6f{0g* =@] ",StarBatsN -",StarBatsN -",StarBatsN -"` ` ,StarBatsN -" ,StarBatsN -",StarBatsN -"hh,StarBatsN -",StarBatsN -",StarBatsN -"pp,StarBatsN - "X,StarBatsN -",StarBatsN -",StarBatsN -"` ` ,StarBatsN -" ,StarBatsN -",StarBatsN -"hh,StarBatsN -",StarBatsN -",StarBatsN -"pp,StarBatsN - ",StarBatsN -",StarBatsN -",StarBatsN -"` ` ,StarBatsN -" ,StarBatsN -",StarBatsN -"hh,StarBatsN -",StarBatsN -",StarBatsN -"pp,StarBatsN - r,StarBats -r,StarBats -r,StarBats -r ,StarBats -r,StarBats -r,StarBats -rpp,StarBats -rXX,StarBats -r@@,StarBats -r(#(#,StarBats - "XX,StarBatsi -",StarBatsi -",StarBatsi -"` ` ,StarBatsi -" ,StarBatsi -",StarBatsi -"hh,StarBatsi -",StarBatsi -",StarBatsi - ",StarBatsN-",StarBatsN-",StarBatsN-"` ` ,StarBatsN-" ,StarBatsN-",StarBatsN-"hh,StarBatsN-",StarBatsN-",StarBatsN-"pp,StarBatsN-  Z d"|NAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>K` ` NAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>K"NAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>KNAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>K"ppNAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>K"  NAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>K" NAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>K"%%NAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>K"0*0*NAT5 tGIF89a f3̙f3f3ffffff3f3333f333f3f3̙f3̙̙̙̙f̙3̙ffffff3f3333f333f3̙f3̙̙f3̙f3ff̙ffff3f33̙33f333̙f3ffffff3ffff̙fff3fffffff3ffffffffffff3fff3f3f3f3ff33f3ffffff3f3333f333333̙3f3333333f3333f3f3f3ff3f33f33333333f333333333f333f3̙f3f3ffffff3f3333f333f3!, Q=HNuT9c(p!rJP$P,2J(]:{6C'ϐ=hSⳟTX(; )TimesO>>KZXX.XNXn XXHXh @^@%^XX@y_dddxdddxFdddFdddddDd  ddDd<ddDd\ddDd |ddDd8 ddDdX ddDdx Fddd ddDd  ddDd xdddxYddDd!XX!X4XGXZXmXXXXXXXXXX1<( n@ `)%  XXXX X&X,X2X8X>XD (Pr@Ho StarBats!"-  StarBats!"- StarBats !KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K StarBats!"- StarBats!"-StarBats!"-StarBats!"- BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K  StarBats!r-  StarBats!r- BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K StarBatsX!"-BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"KBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"K!BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K"BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K#BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K%BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K&BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K'BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K(BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K)BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K*BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K+BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K,BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K-BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K.BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K/BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K2BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K3BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K4BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K5BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K6BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K7BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K8BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"K9BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"K:BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !K;BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"K<BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3LַX!"K=BM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KABM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KBBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KCBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KDBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KEBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KFBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KGBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KHBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KIBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KJBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KKBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KLBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KMBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KNBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KOBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ!"KPBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KQBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KRBM6( SDtx^q0PqS0lU*}_>9C)h 鏤}Rgh w Ma-u0ɑ{14ML |t]z.uPG)tG)|(:CSl=4 Qah ʣhRgh /3434$M0<14Qgh ʣBD)<ȣ.ee&wyCSDu0< Ma2yBC34}bKYɭ!G74G2/G-*G(%G# [Vf۲Eَ,}9KReYkxi͐<]Syu}?sţ~vyv}|ۍL>y|}. {'3Lַ !KXXGXXXXXX.XgX1XjXXmX7 X X XX_X)XbX,XXXXTXXX X|"XF$X&X'X)Xn+X8-X/X0X2X`4X*6X7X9X;XR=X?X@XBXzDXDFXHXIXKXlMX6OXQXRXTX^VX(XXYX[X]XP_XaXbXdXxfXBhX jXkXmXjo@'f@dddddXdddd ,dd|d@ddd`  dddhddddddpddd  xddd (#ddd% 'ddd0* dddX,dd|dddd,dd|d@ddd`  dddhddddddpddd xddd (#ddd%'ddd0* @ddd` dddYXX!X4XGXZXmXXXXXXXXXX+X>XQXdXwXXXXXXA'@wddddddddddddd,ddddddXXX&X2X>XJXVXb1'@dX+'(@ XXX' @!'@(X':@jTimes bookman lightXX'@ Nd 4d d d {d d d ,hd d d d id d XXX"X,X6X@XJXTX^XhXrX|X?( @T'@tXX'@X'@X'@XX'@X'@X%' @6S' @L"' @b' @x @@<X{( @:=P=z=??ܱN =Syɶ/Nmŷ۷Pg* "XX,StarBatsN -",StarBatsN -",StarBatsN -"` ` ,StarBatsN -" ,StarBatsN -",StarBatsN -"hh,StarBatsN -",StarBatsN -",StarBatsN -"pp,StarBatsN - ( StarBats!"-!''Times'Od 08s2 +OStandardStandard#'''''''''''''''+;(,,--..g* (@'A'1'+'!'''''''''Object with arrowStandardObject with arrow'''''''Object with shadowStandardObject with shadow+;(,,--..Object without fillStandardObject without fill'TextStandardText'' Text bodyStandard Text body'''Text body justfiedStandardText body justfied''+'First line indentStandardFirst line indent''g*@'TitleStandardTitle'''Title1StandardTitle1 '''+;(,,--..+''Title2StandardTitle2 ''+;(,,--..g*@'A'+''HeadingStandardHeading''A''Heading1StandardHeading1''A'''Heading2StandardHeading2''A''''Dimension LineStandardDimension Line'''''''Home~LT~Gliederung 1Home~LT~Gliederung 1''g* @'A'+'!'''''''''Home~LT~Gliederung 2Home~LT~Gliederung 1Home~LT~Gliederung 2@'A'' Home~LT~Gliederung 3Home~LT~Gliederung 2Home~LT~Gliederung 3@'A''Home~LT~Gliederung 4Home~LT~Gliederung 3Home~LT~Gliederung 4@'A'' Home~LT~Gliederung 5Home~LT~Gliederung 4Home~LT~Gliederung 5@'A'' Home~LT~Gliederung 6Home~LT~Gliederung 5Home~LT~Gliederung 6@'A'' Home~LT~Gliederung 7Home~LT~Gliederung 6Home~LT~Gliederung 7@' A'' Home~LT~Gliederung 8Home~LT~Gliederung 7Home~LT~Gliederung 8@' A'' Home~LT~Gliederung 9Home~LT~Gliederung 8Home~LT~Gliederung 9@' A'' Home~LT~Titel Home~LT~Titel''QQg*+'!''' ''''''Home~LT~UntertitelHome~LT~Untertitel''QQg*@' +'!''' ''''''Home~LT~NotizenHome~LT~Notizen ''!'''''''''Home~LT~HintergrundobjekteHome~LT~Hintergrundobjekte+;(,,--..Home~LT~HintergrundHome~LT~Hintergrund''TitleTitle@SubtitleSubtitle@Background objectsBackground objects@ Background Background@NotesNotes@ Outline 1 Outline 1@ Outline 2 Outline 1 Outline 2@ Outline 3 Outline 2 Outline 3@ Outline 4 Outline 3 Outline 4@ Outline 5 Outline 4 Outline 5@ Outline 6 Outline 5 Outline 6@ Outline 7 Outline 6 Outline 7@ Outline 8 Outline 7 Outline 8@ Outline 9 Outline 8 Outline 9@tPDP8> p< n  x H t & Y %DrMdc T JoeMn0*}1}}1}}1 ODrLy LAYER_LAYOUTDrLy LAYER_BCKGRNDDrLy LAYER_BACKGRNDOBJDrLyLAYER_CONTROLSDrLy!LAYER_MEASURELINESDrMP'JoeMlVTDrML DrOb<SVDr&y1A&DrOb<SVDr&;LdA&DrOb<SVDr&y.1LDrOb<SVDr&;.LdLDrXXgg fHome~LT~GliederungDrMPJoeM`mRDrML DrObSVDr&_mR'Home~LT~Hintergrund_mRDrObSVDr& oe! Home~LT~Titel oepxV4B1[#Click to edit the title text format Home~LT~Titel<( ( @'DrObWSVDr& oe{J(Home~LT~Gliederung 1 oe{J xV4B1 %Click to edit the outline text formatHome~LT~Gliederung 1<( (@'Second Outline LevelHome~LT~Gliederung 2<( (@'Third Outline LevelHome~LT~Gliederung 3<( (@ 'Fourth Outline LevelHome~LT~Gliederung 4<( (@'Fifth Outline LevelHome~LT~Gliederung 5<( (@'Sixth Outline LevelHome~LT~Gliederung 6 <( (@'Seventh Outline LevelHome~LT~Gliederung 7 <( (@'Eighth Outline LevelHome~LT~Gliederung 8 <( (@'Ninth Outline LevelHome~LT~Gliederung 9<(  (@' DrXXgg ^Home~LT~GliederungDrMPJoeMVTlDrML DrObSVDr&T C(0! Home~LT~TitelT C(0dxV4B1OClick to move the slide Home~LT~Titel<( ( @'DrObSVDr& 3G"]#Home~LT~Notizen 3G"]mxV4B1XClick to edit the notes formatHome~LT~Notizen<( (@' DrXXgg VHome~LT~GliederungDrPgcJoeMlVTDrML8DrMD,DrXX Handoutsgg FHome~LT~GliederungDrPgSSJoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel oejxV4B1UUser-mode Linux and Security Home~LT~Titel<( ( @'DrObSVDr&7we|J( Home~LT~Gliederung 17we|JdxV4B1G What is UML?Home~LT~Gliederung 1 <( (@' HoneypotsHome~LT~Gliederung 1 <( (@'JailingHome~LT~Gliederung 1 <( (@' SandboxingHome~LT~Gliederung 1 <( (@' ConclusionHome~LT~Gliederung 1 <( (@'DrObNSVDr&g B0G Standardg B0GzN[NNAT5 =NPNG  IHDRx"gAMA a IDATxܽieU31gdeT%AB вm mԘtCp7,c `7 {YդȈx?{'o)>+VT7>{{QlRO(RZl68wZt^˲$"1Fk$Iiq @{yQEy>F<{[fdV\p{nڜ˗~˗/y.q$I^o4FVy޳9vpy_x4#Yx4yq, JO2$I\Ubm ʗ/_vEQqZ(Dpʲh0v:NzA tUcxɲ^_(B|/nkmeYγMs( 0Xk86ƈpA?88vbBp8U|æj@Rd8>#q,-ʲ~/R@Ҫ)ι Tv;IM>enw̓\&ijzE38^~'WyTH$IR*b2h\X>R\dɎ 3"FTaJ6Bkת(cqie˲t:^ODx4%r&Ib -IGzZF)&gq: ݽ="M"KtsH<<}e jQ)LՒ˗/YF{k1Fh8m;#R[k$ɲ,Zmqqqqqn'L=W >OR bh`0CZx<p(,ECn9Շ~8șB~ggȦZ 4IDQvΏFyQA0N#,beaiqɔH0i6,8"K UB]Ն,߈Jqb‚(qnvw*uw,p([vuu뉤ão$WLhgk#fE?ޡ|%5`B6vيkh/hbc8g&fL]!Q & 5X`DpU1ㅅQF#c _!SU=XBAYԄ*oy+dRb8 ը jZFޣ^7 ݭhceYy.bd A^,///-----j5IDU>6W/ZPJA Rg#ɜO<͐;wclpd~ot!4z-O;TUۼsrVkZ+++ T >/ \5_ǧ"b"Uѳ7;Cq֒h #тfhR#3" 嵵7@5CBWjr7*L1S2f+E޹¹yb Ϙa̦0Sb+BNDiZ-ar g b*3 lQYZUD恞0tG7+=jGԘ{;>sO`Yk%ےeY{ c]C<2 @=$R|51[V,KV,ˌI(4`|XCp mɲLh‚F!LX hO}AXSfN!3mcT|T&DH$LQo6̶(pGe9sD8$bZmJp+cyq&q2 S5EDi_eWs{qF/S$h^NTJ=hT*8:l$t%3(jf*m%meYFu:E^k7Na{wun%,[ <8oW[5$q&,W_H0J4RdS~_I¤gGt^oAC,;yfAC*hj |djc˔C^<Beq*9/qϸ3GtRZ8#̋Ղ #:;!Qo3r'YB]s=v.+f͡(2QdOl8F OT')EZkIH^V*U)/WX5߱":恖' EAj ÓUeAˇ $qe9.w<O]'$E frd[PtH(3bO]Mu:e˲0Jy]m R%AgZkx Ģ.f ~)LBդV LQY;4f@[=4gf)ujuO!aU2*;ueԴd 9rx') (t0Ł6flYqWJq}YT=8thtUUpUZjn{xx({^ءnKd=o$ dClZ=3S'Zgj5_})`ęgṅfJX;6Օݕ$|}AEewHԜτ/ uQuw+Ar{w{{{lJ%.+5@˔b!OO(J殞rho40=36p:NW@I S!V515ƨU8C$g){pR-8r%"iV uazDtsi]?3w$0qhe1ψLWXuppy[n's)ed 2KEj՚p8hZxC\eg. JHt>I¹sExe^GV7$ 3'nM~ە:~uwjJLD x< $ẏq020'9)ϝ;'Aj݃ il0)R." jaaAf"Zj $h` O+ dKSp$KKKgPJYyI"R#zg31cth̻p~d[oݺS}aFHhxI$"pytItTȬ te\ř)?A!q9gD0MOzKt !z!Ϯpp t9gY.S^kD{eº2FYs% 3e޳RV7ny.[X4‚E"DyfUwSNGx_>ུF+Z#8QL]Ȇ|z,_zukky.3^K$6BJKc<i0j4):3H4)c@ypOZ"FCvqpzAjZ`uڵmC(.p8:;g}D0'&$nmgŵ&@1$DFX앞g4JpcyyjIgQ`{{ƍach58E]H"-9Q' >{CddfJk 03zY&"QUMut͛7766$,Uմ<2p9`LRJ(KDI<'ѵItEV+IQr5{- 3E#'Bȿ#+e_V5 C龸6 %Cd>]u yyB =ϔF y~xx(fwwwE$g:ݼ\$kkvpppco2(Vonnw&l\2,e\tP|`KpfqT96C!βluW~ےF{חGjן= ] eYz=!E̗t%s}\!Bg(z]z_kZDKI!/?RK]p?zauͫwŋ7nHqfl({cl1$)a~qm(("`0tpЛAYիE^~g4!EQz#jϦX悋`ӯc @Y;)QZD;8Kd屰y}Rׯ_zͥnفgDXϦy`Y^'48d=}uጶO^$˝xf|~c/^ڥd'RȆ@8F| N$z8v]ʕ+~)yȑ\\$z/}CObwwF÷+j5Ŝ6m|^拏< ϏF4^M TBHg KDm&el8}2=seiޞɾ٥Y֯x{e[7 CB&(T_:],/-g??b*___m|;0ի+1tVHDWrl{{{A1<^׿uo$n~ҥK. Yyk^Nwڳ.>WH iW*m&A9~0_`NIFozӗt6vw)I/ IDAT~VK\kxxpеZC͛կ~Dpt^ͮ]_n/H$}g8^jH$9B޳s7LnWn-Ν4)ސ_]timm';=fC=wG'I~NhwS} Phqo~MQ3'IQFe>I7>s$`7f:^Ҫֺ]wW1.=yZ1͛X]}=gf* Y}9=Pi%`+E"h2^3 %W45PS%/uE)ZC-//+++w ,'#_ Ҧ^ss+tGrrrrK$I2t=裋Ǟ wʪR9JsQc'ƉҪ<1yN{{{77]vU6>2釗.Ƙ㯾i3i"K_?ܯWz{LNBj۷;p Уo;k4|Yj^gwwwggwK-r;T {ݼc[qH_YshՑDS6HS1wܹz_7\=lí%(7·Z۽y~(胟:KC54G;.lnn187M]ڼv&;)nҕe2M:*^Z%GLg"s8fꍋwҧé2=oW~WO;c~0Nh}g$um"ӎk^]k7o9$j֌17n8]բ<(j=#{ڿ&occCГO>|S4HO'r|@ƹ Ҁ!cݨF7o֩UGf b.M]rتĪ*bRM'U62apfʙw[-"IFXV&(ΚCϗHl`!exxaSc nnoXAlň#DqughdFk Ob',"h& 8<`"Ri g:K'7{|cEHd5j/hw6n01{vv8Mzû?zïgo|,K" iVV i4FP=E#$E!ΐHcO,و V4HywN9=vX' 4t7k˭V35˥dvawVp׾++j}Y1C?:8cfJ#Kj 42RR42jhըY(Jj&XihO\ENŐ˼,T\cw[E|ZO$=.`8۷n3dY^k-/=6|`xŒC՞x?bE ԮSPS#M(MR*8h`+x(V (0QHSʍʲ<,eai{{{ׯ_;;;vA.$\2ussҒ%~'Ъam.bҘ"Kư50LJ&Q&Q0AMJ iR:Rhhie)큟@d:ݳ>{xxW{l6WEΝ޷ZO~{st?")bJF#Қ=OpD$%I7WqPړJ[3Ù֩VVM  zkטn_x;kkkVG+W D;ۈyX)&={G`TpHAYφ%`B$ bY14-7G_ϟ____[[s, y2Q[ ّiCN^yΕJF(NB3c)RPyt-`I)E16PmeD4볤tn,.\/|4 ͍76^ascbvFJA8 j)j VQD?@ʓq*̊; MdKUl=iMFYxS)}ܝ.͛?veeYCWWW`0v;jeu.jd"E:ҥ֬Un u%E4EM&45TMA g&)"C'xdLʑq`֊f_zSv[ ͋:n)6bvx=\YZF>2(R1KDPF :"Kd &RAy^i"O VAP :- MCbJ"h)J+Fv`kнYewE/po5jJ36ZCk4 Y,C(C l CGSM&I3L%EdN+}!%HKΊHKA4^j@hl?~Q:aIac1X6!cT N001de4+x&DJ7k uj2J +eRD t1 :CC\ ` 7:\S?1kk*%3 F*2|وl L eo Y&x"O.P%+ Ꮶ+y*`@D15 _חe0`w-s_?6rǍ:{W:ibAR@1:unрhLT$1bL&r'nʏoY]=0 9 5[`r2#'D!6a 2$RN)/|DAv'cǵk/_t+++24{eg?%km*wE}>O~|h-G5 ?jr :Y]V]MKTF%:E,a"h 1O>E3 kPJn77$fۿ*GEdDvy6SӉbIM ̓*bALjSR &3S[s,1B5("& jg=WY@ b4bhJ%"hMZ[(K)MHcd1Y4Awm<53wDܼDaI$0V(t:.@GO ijD !שGOae)i]TZCI4$B9%t6" %;sțDu02'[GO:'i$x"WgL 8&KM/k0 "v@)_'Iζab3>?.8W ZSR=C-E#E=E=E-E=FCI$F#(GDG#F"HW+D)ud(UU"xĺ&.l":z)Q#Ƽ%5e2DG䙱 S$ 8PN!Њ` !hdԨj{BjTFqXű6\ ﴇl4Y *+Ɂ 3;xtSO5F yewe8-f[:F;O5FS (+q_aMya)VH#\@soUЀє%hdR=&VXibVZjf*h#cc5Ql Q2E`M B<@jy1RSq\Pi?E)2i 0De-xjz{!! ')b A#rtYd1J KM2j$TOUM*FRS Pz_nІ0,`8p v? /38=9A"LSTc4Jb#> ;qa9Lit22HcYf + ڦ6-6Pv ̈́k1҄%5) h-sDpLpn:PfUpz҂tOK oܩ ʋbv)ޣiA#!9Ň)b904q4'yլ5"K Hy6[PjzkOc$؛iM رvcS:)<{K<8"D- 3?sI5K>ZMY1;r[M г4 Kb& CB (SݣxŇz_ Ԅ&@<֘MJUbVZܢ:5$džc$B#F A)2"֬s*w;*A?Y"f⦂ohbyV!#jMnyrȬx$5wPg p4ň=H>*(p>f6fDqDMlP&-Qd4(BAG K4i#(=CyL)2^ 4MUZ/V/fN%$L L 5)-g9 00%b.@BlQOAZ5XhZG6Xmڂ" *Y(-OmP0rDYLB4hzLp%4ITtE W1S=#)JI)" aTDIOjtRZ2%K#E#xF"8"fjآxXhFSĩ6+$> @eNJd䘴C.lw9+.F4/1 M85OG\T T5D)vFGx t5rFy$@h*0PHt)eǻ8B-ADhnDZIkcjSR{GW(31 l&Ž|d?z\h*p5f.ѩ}}2`~7s+n\QzyXP=U4|= \X_U}|Zz;EoF[| 1 %&MAwS-D1OP~ @}6w TL3樾.̎0d2F`&O7J"Ed*D5 IDAT Rc<=~wǮik㒹@!AS+#ZXZO>Z-_}{*(JDV.8j̍^_ 6Xݪm (5v_];.~W%1#L xHxʘ% xi)VBY𻾧Oޓo{~hƻjzRۆ4@$*{ O;kgyOw?OyhLxK6 㫾L}wFrUKᇞWSSV*&yJhT)t;|V=O_c1MO0|My+2z̆Qw(~` ?yᗿ7'|?k=}Zc'꛾~}7KcrDRhfQ|ݷ.^Peɋm/EQs?<)dS?X7ĿVymj|uӊZeL;=z -.o5g~dYW? ??_ڷ'58"H`I4P̅dЌD2DZ/o7qZs~hdC< $*r&{'.=>"\on=$g/╏7~j?0zur0b{}9We%8>-o1~yW ~]rOoP KO,-%hP#*1hHm5*cIk_+_WKٟO<;?Ӹ(ܹG]]q{=v$ yy'B$#b"hHG" 38[T *FA`!<$oBBM݄;9W ӂ,S0-ӄikY"K_d}UZ!"ܨ9lfc%^H}ys-y6Yg6 ;t`0;HU5[)+ʾ^ƍ |h:t9`" F Qk8$IVUG#z 3,Ssଢ଼fO[F*k31f?~c>;z" /3/'V 쎇چ f i60)| =-b^kd̂8>J-_vk"qUgh!%۞m˴߹Ji=`,"FUfI@er&pқmКɖ:Sm(pڅe` ω2#!&eUFI;FsKi*>Đޛf^$.,BV%:R"f'b&ĭ#K #e^V\JyǬk ;6F[~}dZY{=o ѩ$l"±p&,MCt:CLZo bp:0oJ/" DG?o2%Ե` , E"J5O\V,h| {4e+ ۝4yglꪀfe*GcI, '*)6R۩Q,_kpKlzӂ9\UyAO\/q/L%|YhV`g7j:bB{V-UsYW _Ucnf)G\ ۶jstK<]̹G;6m*͜xe{򴦋y3lvyAsVf4MMj%r5ۈ[cLUUBDU%8ܽx濾hZfv[dܭ S<>=aoO[, Y"A q&k6/^'Fǿ70q }~?ݐNSf@isg_n}: &f2^硣zZxFy M"?Uj"ck8WO M|RojWdV8Rb<1U|\/ O7} >򘻊tӂ$'{'OaeKumk.?]gCrBtgOLvN~/=Q giđ38,є9#ÉHZd%y.[W%o_OEѥ_n*tloJeQZV@R_٦rNd w:75* 0ssBjH4۾U22**N&]%c%OO(wOv,y 1 T v&Mq HYӢd ߱) #ϻI"S\v~i-jX54M] m5[bU·$keeԪWV4׀pTp詖Β[33zyI# ^k_Ux8gJbx8WGdP][j 1z`FkUx5dPQ;pa਴dǎn1NyS46A,C@(s懲OtCuG14*>Ӣ7>sv[u7vTLucZZNCUҖPU:fPXdY!j:t,r!B\  ڤ?NC  Standard ;>CxV4B1Architecture LayerStandardg*<( (@'A'1'+'!'''''''''DrObSVDr& 4/h;  Standard 4/h;xV4B1Generic kernelStandardg*<( (@'A'1'+'!'''''''''DrObSVDr&>;/hB  Standard>;/hBxV4B1DriversStandardg*<( (@'A'1'+'!'''''''''DrObSVDr& uE/hL  Standard uE/hLxV4B1m.Hardware - CPU, disks, network, terminals, ...Standard<( (@'+''DrXXblocksgg NHome~LT~GliederungDrPg JoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObSVDr& 3Gv#Home~LT~Notizen 3GvexV4B1LThis is the standard blocks picture which has probably appeared in every UML slide slow. It shows the host kernel, consisting of a hardware-dependent layer talking to the hardware and a hardware-independent layer which talks to the interface exposed by the hardware layer.Home~LT~Notizen<( (@' gAbove that is the system call interface exposed by the generic kernel which is used by Linux processes.Home~LT~Notizen<( (@' 2Analogous to this is the UML picture above that. It consists of the same layers, except that its "hardware" layer talks to the host system call interface. Everything above that is the same, and if UML and the host Linux are the same kernel version, then the generic kernel piece is exactly the same code.Home~LT~Notizen<( (@' +'DrXXblocksgg RHome~LT~GliederungDrPgJoeM`mRDrML8DrMD,DrOb SVDr& oe! Home~LT~Titel oexV4B1z:Physical vs. Virtual Honeypots: Typical physical honeypot Home~LT~Titel<( ( @' DrOb SVDr&'? B!/  Standard'? B!/xV4B1GatewayStandard<( (@'+'(traffic logging)Standard<( (@'+'DrObSVDr&L? e3/  StandardoL? e3/PxV4B1;HoneypotStandard<( (@'DrObSVDr&L6eE  StandarduL6eEVxV4B1ALogging systemStandard<( (@'DrObSVDr&&( )  Standard?*''5'DrObSVDr&{S1  Standardo{S1PxV4B1;InternetStandard<( (@'DrObSVDr&;B&Mn(  StandardB'L'DrObSVDr&Xc. ZP7  StandardLY!/LY6DrXX! honeypot1gg JHome~LT~GliederungDrPglJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObSVDr& 3G#]#Home~LT~Notizenp 3G#]QxV4B14rTo lead into a comparison of physical and virtual honeypots, I describe a typical physical honeypot configuration.Home~LT~Notizen<( (@' 2This is a diagram, showing three physical machinesHome~LT~Notizen<( (@' +a gateway which is attached to the internetHome~LT~Notizen<( (@' the honeypot itselfHome~LT~Notizen<( (@' Ba logging system, which is used to record activity on the honeypotHome~LT~Notizen<( (@' DrXX! honeypot1gg VHome~LT~GliederungDrPgoJoeM`mRDrML8DrMD,DrOb SVDr& oe! Home~LT~Titel oexV4B1z:Physical vs. Virtual Honeypots: Typical physical honeypot Home~LT~Titel<( ( @' DrObSVDr& oe|J( Home~LT~Gliederung 1 oe|JxV4B1i4Gateway machine is the only one with internet accessHome~LT~Gliederung 1<( ( @'ALogging machine is a secure isolated machine on a private networkHome~LT~Gliederung 1<( ( @'IHoneypot communicates through the gateway and logs to the logging machineHome~LT~Gliederung 1<( ( @'DrXX! honeypot2gg RHome~LT~GliederungDrPgUJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0 DrObSVDr& 3G#]#Home~LT~NotizenY 3G#]:xV4B1IThese are the constraints which lead to the requirement of three boxes. Home~LT~Notizen<( (@' }A separate gateway is needed to firewall the honeypot, log network traffic, and to block its access to the net, if necessary.Home~LT~Notizen<( (@' A separate logging machine is needed in order to log activity with a minimum of possible interference from nasty people inside the honeypot.Home~LT~Notizen<( (@' Home~LT~Notizen<( (@' DrXX! honeypot2gg VHome~LT~GliederungDrPghJoeM`mRDrML8DrMD,DrOb SVDr& oe! Home~LT~Titel oexV4B1z:Physical vs. Virtual Honeypots: Typical physical honeypot Home~LT~Titel<( ( @' DrObSVDr& oe|J( Home~LT~Gliederung 1 oe|J{xV4B1`Three physical machinesHome~LT~Gliederung 1<( (@'Private networkHome~LT~Gliederung 1<( (@'+Careful configuration of all three machinesHome~LT~Gliederung 1<( (@'.root can interfere with networking and loggingHome~LT~Gliederung 1<( (@'DrXX! honeypot3gg RHome~LT~GliederungDrPgJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0 DrObSVDr& 3GHo#Home~LT~Notizen 3GHosxV4B1V*Here are the disadvantages of this setup. Home~LT~Notizen<( (@' 6 It's logistically complicated, requiring three boxes.Home~LT~Notizen<( (@' aYou need to set up a private network so that the only access to it is through the gateway machineHome~LT~Notizen<( (@' You need to be very careful about configuring them to minimize the chances of an intruder using the honeypot as a platform for attacking the other boxesHome~LT~Notizen<( (@' If the intruder gains root access on the honeypot, which you would expect, then he can interfere with the local net and logging by killing daemons and shutting down interfaces or filtering network traffic leaving the honeypotHome~LT~Notizen<( (@' DrXX! honeypot3gg RHome~LT~GliederungDrPgJoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel oexV4B1y9Physical vs. Virtual Honeypots: Typical virtual honeypot Home~LT~Titel<( ( @' DrObSVDr&? I8cL  Standardy? I8cLZxV4B1EHostStandard<( (@'+' DrObSVDr&{+*>  Standardo{+*>PxV4B1;InternetStandard<( (@'DrObSVDr&2o!G5  Standard4? 4DrObSVDr&"14;  Standardo"14;PxV4B1;HoneypotStandard<( (@'DrObSVDr&`O1`;  Standardo`O1`;PxV4B1;HoneypotStandard<( (@'DrObSVDr& 91jJ;  Standardo 91jJ;PxV4B1;HoneypotStandard<( (@'DrObSVDr&6~@LjJ  Standardn6~@LjJOxV4B1:NetworkStandard<( (@'DrObSVDr&6"L,  Standardn6"L,OxV4B1:LoggingStandard<( (@'DrObSVDr&*&s7}2  Standard!h+1h+'6'DrCn$DrCn$;(#PFLDrObSVDr&@+B}2  StandardA1A,DrCn$DrCn$;(#xiIDrObSVDr&L&X}2  Standard!X1X'L'DrCn$DrCn$;(#LDrObSVDr&*:s7UF  Standard!h+;h+tE6tEDrCn$DrCn$;xiPFLDrObSVDr&@:B_A  StandardA;A~@DrCn$DrCn$;xi(#IDrObSVDr&L:XUF  Standard!X;XtELtEDrCn$DrCn$;xiLDrXX! honeypot4gg NHome~LT~GliederungDrPg;JoeMVTlDrML8DrMD,DrOb<SVDr&T C(0 DrObSVDr& 3G#]#Home~LT~Notizen? 3G#] xV4B1 This is a picture of a virtual honeypot setup. There are three honeypots, plus logging and network access, running on a single host, which has internet accessHome~LT~Notizen<( (@' Home~LT~Notizen<( (@' DrXX! honeypot4gg VHome~LT~GliederungDrPgJoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel oexV4B1r2Physical vs. Virtual Honeypots: Virtual honeypots Home~LT~Titel<( ( @' DrObSVDr& oe|J( Home~LT~Gliederung 1J oe|J+xV4B1 One physical hostHome~LT~Gliederung 1<( (I@'!Network traffic goes through hostHome~LT~Gliederung 1<( (J@'logged with iptablesHome~LT~Gliederung 2<( (L@'Logging goes out to hostHome~LT~Gliederung 1<( (M@'3can be done in such a way that root can't interfereHome~LT~Gliederung 2<( (N@'.The actual honeypot can be distributed on a CDHome~LT~Gliederung 1<( (K@'DrXX! honeypot5gg RHome~LT~GliederungDrPgXJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObSVDr& 3GHo#Home~LT~Notizen\ 3GHo=xV4B1 ,Here are the advantages of virtual honeypotsHome~LT~Notizen<( (@' yIt's logistically a lot simpler, since it requires a single physical machine which can be one that's already lying aroundHome~LT~Notizen<( (@' UThe host is a natural gateway since all network traffic has to pass through it anywayHome~LT~Notizen<( (@' Logging is done directly to the host rather than over the network. Later, there is a description of a mechanism to do logging in such a way that root inside the honeypot can't interfere with it, or even detect itHome~LT~Notizen<( (@' <The honeypot can be distributed on a CD rather than a palletHome~LT~Notizen<( (@' DrXX! honeypot5gg RHome~LT~GliederungDrPg7JoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel} oe^xV4B1IUML as a honeypot Home~LT~Titel<( ( @'DrObeSVDr& oe|J( Home~LT~Gliederung 1 oe|JxV4B1!Fully authentic Linux environmentHome~LT~Gliederung 1<( (*@'Full network, file systems, etcHome~LT~Gliederung 1<( (+@'full root accessHome~LT~Gliederung 1<( (,@'fully controllable from hostHome~LT~Gliederung 1<( (.@'DIn honeypot mode, UML is vulnerable to the same exploits as the hostHome~LT~Gliederung 1<( (/@'DrXX% UML honeypot1gg VHome~LT~GliederungDrPghJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrOb6SVDr& 3Gg#Home~LT~Notizen 3GgxV4B1{After you are convinced of the advantages of virtual honeypots over physical ones, we get into the advantages of using UML.Home~LT~Notizen<( (@' It's a completely authentic Linux environment with all the protocols, devices, and filesystems that are available with a physical Linux machine. An intruder can be root without endangering the host. Home~LT~Notizen<( (@' There is also a honeypot mode, in which UML is vulnerable to the same stack smash exploits as the host. Normally, it's not, since it puts process stacks in a different location than the host. Home~LT~Notizen<( (@' DrXX% UML honeypot1gg RHome~LT~GliederungDrPgOJoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel oekxV4B1VVirtual machine vs. virtual OS Home~LT~Titel<( ( @'DrObSVDr& oe|J( Home~LT~Gliederung 1 oe|JxV4B1e=UML is technically a virtual OS rather than a virtual machineHome~LT~Gliederung 1<( (!@'No machine emulation layerHome~LT~Gliederung 2<( ( @' UML can talk directly to host OSHome~LT~Gliederung 1<( ("@'$pseudo-terminals can log to the hostHome~LT~Gliederung 2<( (#@'"syslog can go directly to the hostHome~LT~Gliederung 2<( (#@'invisible to rootHome~LT~Gliederung 2<( (#@'root can't interfereHome~LT~Gliederung 2<( (#@'DrXX$ UML honeypotgg VHome~LT~GliederungDrPgVJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrOb%SVDr& 3G(~#Home~LT~Notizen 3G(~xV4B1Here, I make a distinction between a virtual OS, which UML is, and a virtual machine, such as VMWare or Bochs, and describe its significance.Home~LT~Notizen<( (@' A virtual machine separates the host and guest OSes with a hardware emulation layer. This allows a standard OS kernel to run on top of another, but it also isolates them.Home~LT~Notizen<( (@' UML, as a virtual OS, is aware of the host OS and is able to use all of its capabilities. UML takes advantage of this by having its pseudo-terminals logging directly to files on the host. Similarly, syslog output can go directly to the host by tying the /dev/log socket to a socket on the host. These logging mechanisms are invisible to anyone inside UML, including root, and there is nothing that root inside UML can do to interfere with it.Home~LT~Notizen<( (@' DrXX$ UML honeypotgg RHome~LT~GliederungDrPg"JoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titels oeTxV4B1?Logging Home~LT~Titel<( ( @'DrOb`SVDr& oe|J( Home~LT~Gliederung 1 oe|JxV4B1/Log keystrokes directly from tty driver to hostHome~LT~Gliederung 1<( (A@'!small patch to tty driver and UMLHome~LT~Gliederung 2<( (B@'allows real-time monitoringHome~LT~Gliederung 2<( (C@'undetectable, unbreakableHome~LT~Gliederung 2<( (H@'$Log system messages directly to hostHome~LT~Gliederung 1<( (O@'Attach /dev/log to host socketHome~LT~Gliederung 2<( (P@'No apparent logging inside UMLHome~LT~Gliederung 2<( (Q@'undetectable, maybe unbreakableHome~LT~Gliederung 2<( (R@'DrXXLogginggg VHome~LT~GliederungDrPgHJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObSVDr& 3GP#Home~LT~NotizenL 3GP-xV4B1yThe pseudo-terminal logging patch changes the pty driver so that it logs all data going through it to a file on the host.Home~LT~Notizen<( (@' <With 'tail -f', it is possible to monitor activity inside UML in real time. Since it involves no cooperation from processes inside UML, it is undetectable and unbreakable. It is also able to capture all keystrokes unencrypted since it is inside the pty driver, which is on the decrypted side of any ssh connection.Home~LT~Notizen<( (@' It will also be possible to log system messages directly to the host by tying /dev/log to a socket on the host. There would be no detectable logging happening inside UML, which would increase the comfort level of anyone breaking in. This is also undetectable. It may be partly breakable, since messages from daemons could be prevented from being logged if the intruder removed the /dev/log socket. However, kernel messages would still make it out.Home~LT~Notizen<( (@' DrXXLogginggg RHome~LT~GliederungDrPg JoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titelu oeVxV4B1A Forensics Home~LT~Titel<( ( @'DrObSVDr& oe|J( Home~LT~Gliederung 1x oe|JYxV4B18 COW filesHome~LT~Gliederung 1<( (3@'1Copy-on-write layer on top of readonly filesystemHome~LT~Gliederung 2<( (2@'records changed blocksHome~LT~Gliederung 2<( (2@'!much smaller than full filesystemHome~LT~Gliederung 2<( (2@'Union filesystemHome~LT~Gliederung 1<( (5@' hostfs hackHome~LT~Gliederung 2<( (6@')COW filesystem will contain changed filesHome~LT~Gliederung 2<( (6@'DrXX! Forensicsgg VHome~LT~GliederungDrPg)JoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObSVDr& 3G(~#Home~LT~Notizen 3G(~xV4B1fkThere are several other aspects of UML which simplify the analysis of a break-in and subsequent activities.Home~LT~Notizen<( (@' UML COW files, which capture all the changed blocks in a filesystem, provide a compact representation of the modifications that were made to a system. It can be compressed to a very small fraction of the filesystem size, allowing the changes to be conveniently passed around.Home~LT~Notizen<( (@' LA forthcoming improvement on this is a hostfs union filesystem. Like a COW file, this will capture the changes made to a system in the course of an intrusion. However, the changes are represented on a file basis, rather than a block basis. This makes it easier to see what files changed and to see exactly how they were changed. Home~LT~Notizen<( (@' DrXX! Forensicsgg RHome~LT~GliederungDrPguJoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel} oe^xV4B1IUML as a honeypot Home~LT~Titel<( ( @'DrObSVDr& oe|J( Home~LT~Gliederung 1A oe|J"xV4B19A sufficiently careful intruder can detect a UML honeypotHome~LT~Gliederung 1<( ('@' device namesHome~LT~Gliederung 2<( (%@'boot logHome~LT~Gliederung 2<( (%@' miscellaneous - /proc/interruptsHome~LT~Gliederung 2<( ((@'A disguise kit is in the worksHome~LT~Gliederung 1<( (&@'+make a UML look identical to a physical boxHome~LT~Gliederung 2<( (-@'DrXX% UML honeypot2gg VHome~LT~GliederungDrPg JoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObkSVDr& 3Gs#Home~LT~Notizen 3GsxV4B1 There are currently some limitations to using UML as a honeypot. The main one is that UML can be distinguished from a physical machine if you look carefully enough. The major things that distinguish UML from a physical box are its device names, the boot log, and various files in /proc.Home~LT~Notizen<( (@' MThere are plans for disguising these so that UML honeypots will be much harder to detect. The main piece of this will be a replacement for /proc which will allow the contents of the UML /proc to be specified from the host. With this, and already-existing mechanisms for changing UML device names, UML will be much harder to detect.Home~LT~Notizen<( (@' DrXX% UML honeypot2gg RHome~LT~GliederungDrPg%JoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel| oe]xV4B1HJailing with UML Home~LT~Titel<( ( @'DrObZSVDr& oe|J( Home~LT~Gliederung 1 oe|JxV4B1&Isolate untrusted things from the hostHome~LT~Gliederung 1<( (4@'potentially malicious usersHome~LT~Gliederung 1<( (4@'untrustworthy servicesHome~LT~Gliederung 1<( (4@'i.e. bind and sendmailHome~LT~Gliederung 2<( (@'8Bonus - by default, stack smashes don't work against UMLHome~LT~Gliederung 1<( (@'DrXXjailinggg VHome~LT~GliederungDrPgJoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrOb[SVDr& 3Gk#Home~LT~Notizen 3GkxV4B1Continuing with other security-related applications of UML, we have jailing. This is the isolation from the host of things that aren't necessarily trusted.Home~LT~Notizen<( (@' bThis includes users who may be malicious or just incompetent, and may damage the host in some way.Home~LT~Notizen<( (@' ,It also includes services that may be exploitable. bind and sendmail are particularly popular services for UML jailing. As a bonus for jailing services, by default, UML is immune from standard stack smash attacks since it puts process stacks in a different location from where they are on the host.Home~LT~Notizen<( (@' DrXXjailinggg RHome~LT~GliederungDrPg JoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel oe`xV4B1KSandboxing with UML Home~LT~Titel<( ( @'DrObSVDr& oe|J( Home~LT~Gliederung 1 oe|JbxV4B1I5Install new software in UML before putting it on hostHome~LT~Gliederung 1<( (7@'>Trojaned, infected, or insecure software can only hurt the UMLHome~LT~Gliederung 2<( ( @'+Observe malware from the safety of the hostHome~LT~Gliederung 2<( ( @'DrXX" sandboxinggg VHome~LT~GliederungDrPg:JoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObSVDr& 3G#]#Home~LT~Notizen 3G#]xV4B1tAnother security application is sandboxing. This is running unknown (or potentially unkown, i.e. trojanned) software in an isolated environment before allowing it to run on the host.Home~LT~Notizen<( (@' RAny software that is infected, trojanned, or just malicious can only hurt the UML.Home~LT~Notizen<( (@' DrXX" sandboxinggg VHome~LT~GliederungDrPgKJoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titel oefxV4B1QUML as a test environment Home~LT~Titel<( ( @'DrObSVDr& oe|J( Home~LT~Gliederung 1 oe|JxV4B1dCreate a virtual networkHome~LT~Gliederung 1<( (9@'*observe worms, viruses, and other exploitsHome~LT~Gliederung 2<( ()@' LightweightHome~LT~Gliederung 2<( ()@'Easy to createHome~LT~Gliederung 3<( (8@'Easy to destroyHome~LT~Gliederung 3<( (;@' ScriptableHome~LT~Gliederung 2<( (=@'SafeHome~LT~Gliederung 2<( (:@'3No connection to host or outside net if not desiredHome~LT~Gliederung 3<( (<@'DrXX# environmentgg VHome~LT~GliederungDrPg@JoeMVTlDrML8DrMD,DrOb<SVDr&T C(0DrObSVDr& 3Gh`#Home~LT~Notizen 3Gh`xV4B1{Finally, UML makes a fine tool for creating virtual networks. This is good for observing worms and viruses. The virtual network is easy to create and shut down, lightweight in its use of host resources. Home~LT~Notizen<( (@' VIt is scriptable, so networks can be created, controlled, and shut down automatically.Home~LT~Notizen<( (@' UML virtual networks can be completely isolated from the host and the physical network, so there is no chance that a worm or virus that's being observed can escape into the outside world.Home~LT~Notizen<( (@' DrXX# environmentgg RHome~LT~GliederungDrPg0JoeM`mRDrML8DrMD,DrObSVDr& oe! Home~LT~Titelv oeWxV4B1B Conclusion Home~LT~Titel<( ( @'DrObhSVDr& oe|J( Home~LT~Gliederung 1 oe|JxV4B15UML provides an authentic, isolated Linux environmentHome~LT~Gliederung 1<( (D@'<Authentic enough to fool script kiddies, worms, viruses, etcHome~LT~Gliederung 2<( (E@'OIsolated enough to allow them to run amok without endangering anything valuableHome~LT~Gliederung 2<( (F@'+Efficient, lightweight, logistically simpleHome~LT~Gliederung 1<( (G@'DrXX" Conclusiongg VHome~LT~GliederungDrPg JoeMVTlDrML8DrMD,DrOb<SVDr&T C(0!DrObmSVDr& 3G#]#Home~LT~Notizen 3G#]xV4B1In general, UML provides a Linux environment which is authentic enough to fool the casual observer, whether that is a person breaking into boxes or a worm or virus.Home~LT~Notizen<( (@' It provides sufficient isolation that intruders can be allowed to do whatever they want without any danger to the host or to any other physical machine.Home~LT~Notizen<( (@' Home~LT~Notizen<( (@' DrXX" Conclusiongg VHome~LT~GliederungDrXXFGeneric PrinterSGENPRT PostScriptH`Tl`Tld,,lprdefault_queueSGENPRT DrVwP SVDr SVDr:SVDr{{SVDrALayout:SVDr{{SVDr#SVDr SVDr# SVDr0 SVDr1 SVDr3 SVDr4SVDr@SVDr SVDrD SVDrP SVDrQ DrHL DrHL DrHL u Root Entry!r\V)䰱CompObjEOle persist elements"SfxDocumentInfo uSfxWindowsSfxStyleSheetsSummaryInformation((StarDrawDocument3$}