CSE 227: Lecture 3

The topics covered in this lecture are FIPS 140-2, TCSEC, Tenex, IFS,

FIPS 140-2

We covered notions of tamper resistance, tamper evidence, and tamper responding. Bank vaults are tamper resistant: they are hard to drill through. Medicine bottle caps are tamper evident: it is hard to open the bottle (to tamper with the pills) without breaking the seals. A home alarm system that silently calls the police is tamper responding.

FIPS 140 has four levels. Ranging from no protection, an enclosure with locks, basic tamper detection, and full tamper response.

The IBM 4758 is a product that meets the requirements of the highest.


A, B, C major levels. MAC and DAC. Bell-Lapadula security model. Covert channels.

Tenex passwords: accidental information leak

User programs change their login account by supplying string buffers containing the new account and the password in a system call. The kernel has all passwords in string form, so no one-way hashing is used. Furthermore, the kernel code determines whether the supplied password is correct by performing a string comparison, e.g., with something like the C strcmp function, which can be implemented by:
int strcmp(const char *s1, const char *s2)
	char c; int d;
	while (0 == (d = (c = *s1++) - *s2++))
		if (!c) return 0; /* same */
	return d; /* different */
Note that the function returns with the difference as soon as a difference is found.

By exploiting the virtual memory timing, we can determine guesses for the password one character at a time.


The system(3) library routine is used to fork a subprocess and have it execl(2) the /bin/sh program with argv[1] being -c and argv[2] being the string argument to system(3).

IFS is an inherited environment variable. The vi program catches the SIGHUP signal to save partially complete edits in a protected directory so that a modem hangup will not cause too much loss of work. Upon catching SIGHUP, vi runs expreserve, a setuid to root program, to write the partially edited file to a root-only directory and to send email to the user to inform him/her that the partial edits may be recovered.

Additional Info

If you do not understand how the Unix setuid mechanism works or are unfamiliar with the details, read this paper. (This is required reading.)
[ search CSE | CSE | bsy's home page | links | webster | MRQE | google | yahoo | citeseer | pgp certserver | openpgp certserver ]
picture of bsy

bsy+cse227w03@cs.ucsd.edu, last updated Fri Jan 17 18:25:28 PST 2003. Copyright 2003 Bennet Yee.
email bsy.

Don't make me hand over my privacy keys!