Please read the instructions and questions carefully. You will be graded for clarity and correctness. All
work must be your own or you will receive a failing grade.
Questions
1. (10pts) Define a mandatory protection system and its concepts. What is the purpose of each concept?
Identify the mapping between MPS concepts and the following SELinux rules. What do these rules
mean?
allow httpd_t user_home_t:dir { read getattr search };
allow httpd_t user_home_t:{ file lnk_file } { read getattr };
type_transition httpd_t httpd_tmp_t:file httpd_tmp_t;
allow httpd_t sysadm_t:process transition;
type_transition sysadm_t httpd_exec_t:process httpd_t;
2. (10pts) Detail how the Scomp reference validation mechanisms (in multiple rings) satisfy the reference
monitor concept (or fail to satisfy). Assume that all objects mediated outside the kernel are files
(some reading between the lines is necessary here).
3. (10pts) What is a disclosure vulnerability? How is this exploited by JIT-ROP? How does Readactor
prevent such a vulnerability from being exploited? Why does replacing readable code pointers with
trampolines prevent indirect JIT-ROP attacks?
4. (10pts) Restate in your own words what you learned about driver isolation techniques from the
Related Work of the Herder et al. paper. Define each of the categories of driver operations that must
be mediated and identify at least one technical challenge in mediating that type of operation. What
problem is being solved by memory grants? How does this approach differ from the use of paging?
5. (10pts) What are CDIs and UDIs in the Clark-Wilson integrity model? What does Clark-Wilson
integrity require of programs that process UDIs to maintain their integrity? What do programmers
need to do to meet this requirement such that their programs satisfy Clark-Wilson integrity? How
does CW-Lite approximate this requirement? What do programmers need to do to their programs to
satisfy the CW-Lite requirement (and enable their program to function)?
6. (10pts) Define confinement. Specify three ways to ensure that capability systems enforce confinement
of their processes. Which approach has better performance and why? Does CHERI achieve
confinement if a process has secret and public components and wishes to enforce MLS among them?
7. (10pts) Consider the access matrix below. Does it enforce protection of O1 data’s integrity for subject
S2? Does it enforce integrity security over O1 for subject S2? Explain. If a traditional capability
system (e.g., Hydra) is used to enforce this access matrix policy, how does this impact our ability to
enforce security? Explain.
8. (10pts) What is information flow control? How does Flume enable a secret process to reply to a
message from a public process? How does Flume prevent the self-revocation problem in LOMAC
from occurring? Can you express SELinux policies in the Flume model? Explain.
9. (10pts) Under what conditions can an adversary launch exploits against name resolution in file access
operations? Under what conditions can an adversary successfully exploit a program to cause it to
use an adversary-chosen filepath in an open system call? How does Jigsaw use a name flow graph to
prevent these two attacks? What should Jigsaw do if a system call is performed that is outside the
name flow graph that Jigsaw has available so far?
10. (10pts) What is control-flow integrity for kernel software (i.e., what are all the indirect control transfer
events?)? Describe why it is difficult to enforce CFI for a preemptive kernel? Why is it difficult for
the kernel to ensure control-flow integrity on kernel exits to user-space code?