Computer Security, CSE 543, Penn State

Class notes by: Libby Kuhlman



This 0 page Class Notes was uploaded by Libby Kuhlman on Sunday November 1, 2015. The Class Notes belongs to CSE 543 at Pennsylvania State University taught by Staff in Fall. Since its upload, it has received 11 views. For similar materials see /class/233115/cse-543-pennsylvania-state-university in Computer Science and Engineering at Pennsylvania State University.

Date Created: 11/01/15
CSE 543 Computer Security, Lecture 13: Capability Systems, October 9, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07
CSE543 Computer and Network Security, Fall 2007, Professor Jaeger, Penn State

Process-specific Permissions
- Design the permissions of a process specific to its use.
- How do we change the permissions of a process in an ACL system?

Confused Deputy Problem
- Imagine a multi-client server. Each client has a different set of objects that they can access.
- In an ACL system, the server always has access to all the objects.
- What happens if a client tricks the server into accessing another client's objects?
- Shouldn't the server only have access to that client's objects for its requests?

Capabilities
- A capability is the tuple (object, rights).
- A capability system implements access control by checking if the process has an appropriate capability. Simple, right?
- This is a little like a ticket in the Kerberos system.
- Q: Does this eliminate the need for authentication?
- A: Well, yes and no. Capabilities remove the overhead of managing per-object rights, but add the overhead of managing capabilities.
- Moreover, to get any real security they have to be unforgeable:
  - Hardware tags to protect capabilities
  - Protected address space/registers
  - Language-based techniques: enforce access restrictions on caps
  - Cryptography: make them unforgeable

Real OS Capabilities
- Process table: the OS kernel manages capabilities in the process table, out of reach of the process.
- Capabilities are added by user requests that comply with policy.

User-space Capabilities
- Well, what are the requirements?
- Authenticity/integrity: we do not want a malicious process to forge capabilities.
- Start with the data itself: (object, rights).
  - The object is typically encoded with an identifier or by some other tag (capabilities are sometimes known as tags).
  - Rights are often fixed: read, modify, write, execute, etc.
- Now do what you do with any other data: assume the kernel has a secret key k and issue E_k(O, r1, r2, ..., rn).
- What's wrong with this construction? I got it from the website of one of the experts in the area.

The Right Construction
- Encryption does not provide authenticity/integrity; it provides confidentiality.
- Use: O, r1, r2, ..., rn, HMAC_k(O, r1, r2, ..., rn)
- So how would you attack the preceding construction?

A Fictional Capability Example
- We use the ls -lt command to view the contents of our home directory in an OS implementing capabilities.
- Initially, our shell process has RWX capabilities for our home directory and RX capabilities for all the directories up to the root.
- The ls -lt command is exec'ed, and the shell delegates the directory permissions by giving ls the capabilities. Note that the capabilities are not tied to any subject.
- The ls -lt process exercises the rights to read the directory structure all the way down to the local directory.
- Of course, the ls -lt process now needs to obtain read rights to the files to get their specific meta-information; it obtains them by appealing to the security manager in the kernel, the request fulfills the policy, and the rights are added and exercised.
- ls -lt uses access rights given to the terminal to write its output.
- Note that there are many ways the policy can be implemented (rights handed off, etc.). We will talk about a couple in the following discussions.

Procedure-Level Protection Domains: HYDRA
- Each procedure defines a new protection domain.
- Procedure: code, data, and capabilities to other objects (caller-independent, or caller-dependent via templates).
- Local Name Space (LNS): capabilities are bound here; an LNS is the record of a procedure invocation (a procedure instance).
- Process: a stack of LNSs.
- How HYDRA works: Call -> callee capabilities -> create callee LNS.
- Q: Which object defines the protection domain?

Implications of Fine-Grained Protection
- Programmer: must define templates for each procedure and connect the procedure rights together.
- Performance impact.
- Q: Do we need to manage rights at this level?
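The two user-space capability constructions discussed above, E_k(O, r1, ..., rn) versus O, r1, ..., rn, HMAC_k(O, r1, ..., rn), worked through as an added example (not code from the original slides). The 4-byte object id plus 1-byte rights bitmask encoding is an assumption, and the keystream is a constructed SHA-256-based CTR stand-in for whatever cipher the kernel would really use; the bit-flipping attack works identically against AES-CTR or any other stream-mode cipher, which is the point of the slide.

```python
import hashlib
import hmac
import os
import struct

# Rights bitmask and (object id, rights) wire format are assumptions for this example.
READ, WRITE, EXEC = 1, 2, 4
FMT = ">IB"  # 4-byte object id, 1-byte rights bitmask; 5 bytes total


def encode(obj_id, rights):
    return struct.pack(FMT, obj_id, rights)


def decode(data):
    return struct.unpack(FMT, data)


def keystream(key, nonce, n):
    # Toy CTR-mode keystream built from SHA-256 (constructed stand-in for the
    # kernel's real cipher). Any stream/CTR cipher XORs plaintext with a
    # keystream, so the bit flip below works the same way against AES-CTR.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Broken construction: E_k(O, r1, ..., rn). Encryption hides the capability
# from a reader but does nothing to stop a holder from modifying it.
def mint_enc(key, obj_id, rights, nonce=None):
    if nonce is None:
        nonce = os.urandom(8)
    pt = encode(obj_id, rights)
    return nonce + xor(pt, keystream(key, nonce, len(pt)))


def check_enc(key, cap):
    # Kernel side: decrypt and trust whatever comes out.
    nonce, ct = cap[:8], cap[8:]
    return decode(xor(ct, keystream(key, nonce, len(ct))))


def forge_enc(cap, known_rights, wanted_rights):
    # Attacker side: it never learns k, but it knows which rights it was given,
    # so XORing the last ciphertext byte with (known ^ wanted) flips exactly
    # those plaintext bits once the kernel decrypts.
    forged = bytearray(cap)
    forged[-1] ^= known_rights ^ wanted_rights
    return bytes(forged)


# Right construction: O, r1, ..., rn, HMAC_k(O, r1, ..., rn).
def mint_mac(key, obj_id, rights):
    data = encode(obj_id, rights)
    return data + hmac.new(key, data, hashlib.sha256).digest()


def check_mac(key, cap):
    # Returns (obj_id, rights) only if the tag verifies; None on any tampering.
    data, tag = cap[:5], cap[5:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode(data)


if __name__ == "__main__":
    k = os.urandom(32)  # kernel secret; never leaves the kernel
    cap = mint_enc(k, 42, READ)
    print("encrypted cap decodes to", check_enc(k, cap))
    print("after attacker bit flip:", check_enc(k, forge_enc(cap, READ, READ | WRITE)))
    mcap = mint_mac(k, 42, READ)
    tampered = bytearray(mcap)
    tampered[4] |= WRITE
    print("HMAC cap:", check_mac(k, mcap), "tampered:", check_mac(k, bytes(tampered)))
```

The HMAC version leaves the object id and rights in the clear, which is fine: the requirement stated on the slide is authenticity/integrity, not confidentiality. It is still a bearer token, so any process that can copy the bytes can exercise the rights; that is the "capabilities are not tied to any subject" property the ls example relies on, and it is why delegation and revocation, rather than forgery, become the hard problems.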
Linden's Capability View
- Achieve flexible, effective security by: small protection domains, and an extensible set of types. This implies a capability system.
- Small protection domains with least-privilege permissions.
- Extensible types enable composition of systems reliably.
- Capabilities can be passed among protection domains and into new subsystems.
- Protected procedures: like HYDRA, change domain with each procedure invocation; each new procedure invocation is a new instance.
- Protection domain switch time is key (it is high in modern processors).

Correctness Claim
- "It is far more difficult to build a 50,000-line program than 1,000 programs that are each 50 lines long."
- What is your opinion of this? Is it just the procedure development that is important?
- Two problems: decomposition results in inefficiencies, and interactions between procedures are not captured.

Flexibility vs. Security
- Small protection domains are desirable because they: enable solving finer-grained problems; give less rigid protection; allow independent accounting; provide reliable and redundant security controls; and individual controls are easier to understand.
- Flexibility: top-down vs. bottom-up; fine- vs. coarse-grained.

Secure Capability Systems
- SCAP: Karger's extension of the Cambridge CAP system.
- EROS: Shapiro's reimplementation of the KeyKOS system.

Capabilities and the *-Property
- Capabilities and lattice models don't mix.
- Suppose A is higher secrecy than B, so A can read B's capabilities (including any write capability B holds).
- Q: Can a Trojan horse running as A write to Obj?

SCAP Security
- Mediate requests to load capabilities: a capability must be loaded into a capability cache before use.
- Enforce MLS requirements on capability load: if the subject's label dominates the capability's object label, then change the capability to read-only.
- Expensive to test for MLS on every load.
- For general confinement, test against the confinement property on every load (uses ACLs).

EROS Security
- Define weak capabilities: if a weak capability is used to fetch a capability transitively, then the fetched capability becomes read-only and weak.
- Assign weak capabilities to higher-secrecy subjects for accessing lower-secrecy objects; a fetched write capability becomes read-only and weak.
- No need to test against a policy at runtime, so faster performance is possible.
- For general confinement, use confined processes or authorized capability sets. It is not clear these really worked for general confinement.

Capability Management
- How'd you get those capabilities? Stored with the program/user. Compare with getting permissions from a process label.
- How do I get them back? Once granted, nearly impossible to revoke.

EROS Revocation
- Defined by Redell: use a layer of indirection, revoker capabilities.
- If you may need to revoke, create a revoker, then grant capabilities through the revoker.
- When you delete the revoker, all descendants become invalid.

SCAP Revocation
- Chain the capabilities (revocation by chaining): all capabilities to an object are stored in a ring.
- Can then revoke one, which motivates reassessment of all the others.
- How do I know that I am revoking a particular capability?
- Compare with using revoker capabilities: the memory/performance cost versus the flexibility of revocation.

Result
- Generally, the security problems with capability systems can be solved. So why aren't capability systems more broadly used?
- Capability management is difficult: how do I know what rights to give out in the first place?
- Defining and testing confinement is expensive or limiting: testing every grant is expensive (there are supposed to be lots of them), and predefining a safe domain is limiting and counterintuitive.
- Setup per process is key. For ACLs it is setup per object, which may see less volatility.
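The delegation in the ls example and the two revocation schemes above (Redell's revoker capabilities as used by EROS, and SCAP's per-object ring), as an added example that is not code from either system or from the original slides. It is a kernel-side capability table: direct capabilities name an object, delegated capabilities name a revoker, and a lookup follows the chain and intersects rights along the way. The data layout and method names are assumptions made for this example.

```python
from itertools import count


class CapSystem:
    """Capability table with Redell-style revokers and a per-object ring.

    Constructed for illustration; not EROS's or SCAP's actual data structures.
    """

    def __init__(self):
        self.caps = {}      # cap id -> ("direct", obj, rights) | ("via", revoker id, rights)
        self.revokers = {}  # revoker id -> {"target": cap id, "alive": bool}
        self.ring = {}      # obj -> list of every cap id that resolved to obj when made
        self._ids = count(1)

    def mint(self, obj, rights):
        # Kernel creates a direct capability; only policy-approved requests get here.
        cid = next(self._ids)
        self.caps[cid] = ("direct", obj, frozenset(rights))
        self.ring.setdefault(obj, []).append(cid)
        return cid

    def make_revoker(self, cap_id):
        # Redell: if you may later want to take a grant back, hand out capabilities
        # that point at a revoker rather than directly at the object.
        rid = next(self._ids)
        self.revokers[rid] = {"target": cap_id, "alive": True}
        return rid

    def delegate(self, revoker_id, rights):
        # Give another process (e.g. the exec'ed ls) a capability that resolves
        # through the revoker. The recipient can make its own revoker on this cap
        # and delegate further, building a tree under the original revoker.
        cid = next(self._ids)
        self.caps[cid] = ("via", revoker_id, frozenset(rights))
        resolved = self.resolve(cid)
        if resolved is not None:
            self.ring.setdefault(resolved[0], []).append(cid)
        return cid

    def resolve(self, cap_id):
        # Follow the indirection chain to (obj, rights). A dead revoker or a
        # deleted capability anywhere on the path invalidates everything below
        # it, and rights can only shrink along the chain.
        entry = self.caps.get(cap_id)
        if entry is None:
            return None
        kind, ref, rights = entry
        if kind == "direct":
            return ref, rights
        rv = self.revokers[ref]
        if not rv["alive"]:
            return None
        parent = self.resolve(rv["target"])
        if parent is None:
            return None
        return parent[0], rights & parent[1]

    def check(self, cap_id, obj, right):
        r = self.resolve(cap_id)
        return r is not None and r[0] == obj and right in r[1]

    def revoke(self, revoker_id):
        # EROS-style: one flag flip invalidates the revoker and all descendants.
        self.revokers[revoker_id]["alive"] = False

    def ring_revoke(self, obj, cap_id):
        # SCAP-style: walk the object's ring to find the one capability to pull.
        # Cost is proportional to the number of caps to obj, and the ring still
        # lists descendants that chained through this cap, so they need reassessment.
        ring = self.ring[obj]
        if cap_id not in ring:
            raise KeyError("no such capability to object")
        ring.remove(cap_id)
        del self.caps[cap_id]


if __name__ == "__main__":
    s = CapSystem()
    home = s.mint("/home/user", {"r", "w", "x"})   # shell's own capability
    rv = s.make_revoker(home)
    ls_cap = s.delegate(rv, {"r", "x"})             # shell -> ls, write dropped
    print("ls can read:", s.check(ls_cap, "/home/user", "r"))
    print("ls can write:", s.check(ls_cap, "/home/user", "w"))
    s.revoke(rv)
    print("after revoke, ls can read:", s.check(ls_cap, "/home/user", "r"))
    print("shell still has write:", s.check(home, "/home/user", "w"))
```

The revoker costs one extra table entry and one extra hop per lookup, but revocation is O(1) and takes the whole delegation subtree with it. The ring makes each capability individually revocable at the price of a linear walk and a follow-up pass over the rest of the ring, which is the memory/performance versus flexibility trade-off the slides contrast.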

