November 13, 2015: Invited Speaker Seminar: An Application and a Standards-Driven Revisitation of Setuid

Prof. Mahesh V. Tripunitara  

Friday, November 13, 2015, 11:00 a.m.
Room EV001.165

Abstract

In this talk, I will discuss two pieces of my work, with students, related to setuid. Setuid is a POSIX standard for privilege-management.

In the first part of the talk, I will discuss work that adopts the semantics of the setuid bit for assessing security properties of stored-procedure authorization in a commercial database system. Our work has demonstrated that the system does not possess three desirable properties that we posed. I will discuss also the broader context: a systematic approach to testing real-world authorization systems for security properties.

In the second part of the talk, I will discuss work that revisits the setuid family from the standpoint of the POSIX standard. Specifically, I will address three questions. (1) Is the POSIX standard indeed broken, as prior work suggests? (2) Are implementations POSIX-compliant as claimed? (3) Are wrapper functions, that prior work proposes to circumvent issues, correct and usable? This is joint work with my students Paul Bottinelli, Mark Dittmer and Alireza Sharifi.

Biography

Mahesh Tripunitara is an Associate Professor in the ECE department at the University of Waterloo in Canada, where he had been since 2009. He works mostly in information security, on problems in access control, conditional payments, cryptographic key transport and the security of digital ICs. He has a PhD in computer science from Purdue University, and about 9 years of industry-experience. His work with students has been awarded 'Best Paper' and 'Best Paper Runner-Up,' respectively, at the ACM Symposium on Access Control Models and Technologies (SACMAT) 2013 and 2015, and 'Best Student Paper' at the Usenix Security Symposium 2013.