{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T20:57:10Z","timestamp":1760043430434,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,9,24]],"date-time":"2017-09-24T00:00:00Z","timestamp":1506211200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1547457,1319076,1314945"],"award-info":[{"award-number":["1547457,1319076,1314945"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2017,9,24]]},"DOI":"10.1145\/3127479.3131209","type":"proceedings-article","created":{"date-parts":[[2017,9,27]],"date-time":"2017-09-27T12:34:00Z","timestamp":1506515640000},"page":"128-141","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["CapNet"],"prefix":"10.1145","author":[{"given":"Anton","family":"Burtsev","sequence":"first","affiliation":[{"name":"University of California"}]},{"given":"David","family":"Johnson","sequence":"additional","affiliation":[{"name":"University of Utah"}]},{"given":"Josh","family":"Kunz","sequence":"additional","affiliation":[{"name":"University of Utah"}]},{"given":"Eric","family":"Eide","sequence":"additional","affiliation":[{"name":"University of Utah"}]},{"given":"Jacobus","family":"Van der Merwe","sequence":"additional","affiliation":[{"name":"University of Utah"}]}],"member":"320","published-online":{"date-parts":[[2017,9,24]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Amazon Web Services Inc. 2017. Amazon EC2 Security Groups for Linux Instances. (2017). http:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/using-network-security.html  Amazon Web Services Inc. 2017. Amazon EC2 Security Groups for Linux Instances. (2017). http:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/using-network-security.html"},{"key":"e_1_3_2_1_2_1","unstructured":"Amazon Web Services Inc. 2017. AWS Identity and Access Management (IAM). (2017). https:\/\/aws.amazon.com\/iam\/  Amazon Web Services Inc. 2017. AWS Identity and Access Management (IAM). (2017). https:\/\/aws.amazon.com\/iam\/"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/972374.972382"},{"key":"e_1_3_2_1_4_1","volume-title":"Welcome to Apachae Hadoop!","author":"Foundation Apache Software","year":"2017","unstructured":"Apache Software Foundation . 2017. Welcome to Apachae Hadoop! ( 2017 ). https:\/\/hadoop.apache.org\/ Apache Software Foundation. 2017. Welcome to Apachae Hadoop! (2017). https:\/\/hadoop.apache.org\/"},{"key":"e_1_3_2_1_5_1","volume-title":"Proc. HotNets. http:\/\/conferences.sigcomm.org\/hotnets\/2005\/papers\/ballani.pdf","author":"Ballani Hitesh","year":"2005","unstructured":"Hitesh Ballani , Yatin Chawathe , Sylvia Ratnasamy , Timothy Roscoe , and Scott Shenker . 2005 . Off by Default! . In Proc. HotNets. http:\/\/conferences.sigcomm.org\/hotnets\/2005\/papers\/ballani.pdf Hitesh Ballani, Yatin Chawathe, Sylvia Ratnasamy, Timothy Roscoe, and Scott Shenker. 2005. Off by Default!. In Proc. HotNets. http:\/\/conferences.sigcomm.org\/hotnets\/2005\/papers\/ballani.pdf"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23212"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.5210\/fm.v18i10.4879"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1282380.1282382"},{"key":"e_1_3_2_1_9_1","volume-title":"Proc. USENIX Security. 137--151","author":"Casado Martin","year":"2006","unstructured":"Martin Casado , Tal Garfinkel , Aditya Akella , Michael J. Freedman , Dan Boneh , Nick McKeown , and Scott Shenker . 2006 . SANE: A Protection Architecture for Enterprise Networks . In Proc. USENIX Security. 137--151 . https:\/\/www.usenix.org\/legacy\/event\/sec06\/tech\/casado.html Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman, Dan Boneh, Nick McKeown, and Scott Shenker. 2006. SANE: A Protection Architecture for Enterprise Networks. In Proc. USENIX Security. 137--151. https:\/\/www.usenix.org\/legacy\/event\/sec06\/tech\/casado.html"},{"key":"e_1_3_2_1_10_1","volume-title":"Lee","author":"Alliance Cloud Security","year":"2013","unstructured":"Cloud Security Alliance , Ryan Ko , and Stephen S. G . Lee . 2013 . Cloud Computing Vulnerability Incidents: A Statistical Overview . (March 2013). https:\/\/cloudsecurityalliance.org\/group\/cloud-vulnerabilities\/#_downloads Cloud Security Alliance, Ryan Ko, and Stephen S. G. Lee. 2013. Cloud Computing Vulnerability Incidents: A Statistical Overview. (March 2013). https:\/\/cloudsecurityalliance.org\/group\/cloud-vulnerabilities\/#_downloads"},{"key":"e_1_3_2_1_11_1","unstructured":"David M. Johnson. 2017. OpenStack-Capnet CloudLab Profile. (2017). https:\/\/www.cloudlab.us\/p\/TCloud\/OpenStack-Capnet  David M. Johnson. 2017. OpenStack-Capnet CloudLab Profile. (2017). https:\/\/www.cloudlab.us\/p\/TCloud\/OpenStack-Capnet"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/365230.365252"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1038\/ng.2897"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1186\/1742-7622-10-12"},{"key":"e_1_3_2_1_16_1","volume-title":"Capnet: An SDN Controller and Tools for Capability-based Networks.","author":"Flux Research Group","year":"2017","unstructured":"Flux Research Group . 2017 . Capnet: An SDN Controller and Tools for Capability-based Networks. (2017). https:\/\/gitlab.flux.utah.edu\/tcloud\/capnet Flux Research Group. 2017. Capnet: An SDN Controller and Tools for Capability-based Networks. (2017). https:\/\/gitlab.flux.utah.edu\/tcloud\/capnet"},{"key":"e_1_3_2_1_17_1","unstructured":"Google Inc. 2016. Protocol Buffers. (2016). https:\/\/developers.google.com\/protocol-buffers  Google Inc. 2016. Protocol Buffers. (2016). https:\/\/developers.google.com\/protocol-buffers"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Dick Hardt. 2012. The OAuth 2.0 Authorization Framework. RFC 6749. Internet Engineering Task Force (IETF). http:\/\/www.rfc-editor.org\/rfc\/rfc6749.txt  Dick Hardt. 2012. The OAuth 2.0 Authorization Framework. RFC 6749. Internet Engineering Task Force (IETF). http:\/\/www.rfc-editor.org\/rfc\/rfc6749.txt","DOI":"10.17487\/rfc6749"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/858336.858337"},{"key":"e_1_3_2_1_20_1","unstructured":"Imperva. 2013. How Malware and Targeted Attacks Infiltrate Your Data Center. (2013). http:\/\/www.ten-inc.com\/presentations\/Imperva_How_Malware_and_Targeted_Attacks_Infiltrate_Your_Data_Center.pdf  Imperva. 2013. How Malware and Targeted Attacks Infiltrate Your Data Center. (2013). http:\/\/www.ten-inc.com\/presentations\/Imperva_How_Malware_and_Targeted_Attacks_Infiltrate_Your_Data_Center.pdf"},{"key":"e_1_3_2_1_21_1","volume-title":"Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege. (May","author":"Intel Corporation","year":"2017","unstructured":"Intel Corporation . 2017. INTEL-SA-00075: Intel Active Management Technology , Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege. (May 2017 ). https:\/\/security-center.intel.com\/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr Intel Corporation. 2017. INTEL-SA-00075: Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege. (May 2017). https:\/\/security-center.intel.com\/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr"},{"volume-title":"Lightweight Capability Domains: Toward Decomposing the Linux Kernel. Master's thesis","author":"Jacobsen Charles","key":"e_1_3_2_1_22_1","unstructured":"Charles Jacobsen . 2016. Lightweight Capability Domains: Toward Decomposing the Linux Kernel. Master's thesis . University of Utah. http :\/\/www.flux.utah.edu\/paper\/235 Charles Jacobsen. 2016. Lightweight Capability Domains: Toward Decomposing the Linux Kernel. Master's thesis. University of Utah. http:\/\/www.flux.utah.edu\/paper\/235"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2014.42"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2016.7524508"},{"key":"e_1_3_2_1_25_1","volume-title":"Proc. NSDI. 87--101","author":"Jin Xin","year":"2015","unstructured":"Xin Jin , Jennifer Gossels , Jennifer Rexford , and David Walker . 2015 . CoVisor: A Compositional Hypervisor for Software-Defined Networks . In Proc. NSDI. 87--101 . https:\/\/www.usenix.org\/node\/188955 Xin Jin, Jennifer Gossels, Jennifer Rexford, and David Walker. 2015. CoVisor: A Compositional Hypervisor for Software-Defined Networks. In Proc. NSDI. 87--101. https:\/\/www.usenix.org\/node\/188955"},{"key":"e_1_3_2_1_26_1","volume-title":"Biederman","author":"Kerrisk Michael","year":"2017","unstructured":"Michael Kerrisk and Eric W . Biederman . 2017 . namespaces - overview of Linux namespaces. (May 2017). http:\/\/man7.org\/linux\/man-pages\/man7\/namespaces.7.html Michael Kerrisk and Eric W. Biederman. 2017. namespaces - overview of Linux namespaces. (May 2017). http:\/\/man7.org\/linux\/man-pages\/man7\/namespaces.7.html"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1629575.1629596"},{"key":"e_1_3_2_1_28_1","volume-title":"Proc. NDSS. https:\/\/www.isoc.org\/isoc\/conferences\/ndss\/10\/pdf\/20","author":"Mettler Adrian","year":"2010","unstructured":"Adrian Mettler , David Wagner , and Tyler Close . 2010 . Joe-E: A Security-Oriented Subset of Java . In Proc. NDSS. https:\/\/www.isoc.org\/isoc\/conferences\/ndss\/10\/pdf\/20 .pdf Adrian Mettler, David Wagner, and Tyler Close. 2010. Joe-E: A Security-Oriented Subset of Java. In Proc. NDSS. https:\/\/www.isoc.org\/isoc\/conferences\/ndss\/10\/pdf\/20.pdf"},{"key":"e_1_3_2_1_29_1","unstructured":"Mark Samuel Miller. 2006. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. Ph.D. Dissertation. Johns Hopkins University. http:\/\/www.erights.org\/talks\/thesis\/markm-thesis.pdf  Mark Samuel Miller. 2006. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. Ph.D. Dissertation. Johns Hopkins University. http:\/\/www.erights.org\/talks\/thesis\/markm-thesis.pdf"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1780.1786"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/268998.266669"},{"key":"e_1_3_2_1_34_1","unstructured":"Mark Nevill. 2012. An Evaluation of Capabilities for a Multikernel. Master's thesis. ETH Zurich. http:\/\/www.barrelfish.org\/publications\/nevill-master-capabilities.pdf  Mark Nevill. 2012. An Evaluation of Capabilities for a Multikernel. Master's thesis. ETH Zurich. http:\/\/www.barrelfish.org\/publications\/nevill-master-capabilities.pdf"},{"key":"e_1_3_2_1_35_1","volume-title":"CVE-2014-2523: netfilter: remote memory corruption. (March","author":"NIST National Vulnerability Database. 2014.","year":"2014","unstructured":"NIST National Vulnerability Database. 2014. CVE-2014-2523: netfilter: remote memory corruption. (March 2014 ). https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2014-2523 NIST National Vulnerability Database. 2014. CVE-2014-2523: netfilter: remote memory corruption. (March 2014). https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2014-2523"},{"key":"e_1_3_2_1_36_1","unstructured":"OpenMUL Foundation. 2015. OpenMUL Controller. (Sept. 2015). http:\/\/www.openmul.org\/openmul-controller.html  OpenMUL Foundation. 2015. OpenMUL Controller. (Sept. 2015). http:\/\/www.openmul.org\/openmul-controller.html"},{"key":"e_1_3_2_1_37_1","unstructured":"OpenStack Foundation. 2014. Neutron\/SecurityGroups. (Aug. 2014). https:\/\/wiki.openstack.org\/wiki\/Neutron\/SecurityGroups  OpenStack Foundation. 2014. Neutron\/SecurityGroups. (Aug. 2014). https:\/\/wiki.openstack.org\/wiki\/Neutron\/SecurityGroups"},{"key":"e_1_3_2_1_38_1","volume-title":"Identity API protection with role-based access control (RBAC). (Aug","author":"Foundation OpenStack","year":"2017","unstructured":"OpenStack Foundation . 2017. Identity API protection with role-based access control (RBAC). (Aug . 2017 ). https:\/\/docs.openstack.org\/keystone\/latest\/admin\/identity-service-api-protection.html OpenStack Foundation. 2017. Identity API protection with role-based access control (RBAC). (Aug. 2017). https:\/\/docs.openstack.org\/keystone\/latest\/admin\/identity-service-api-protection.html"},{"key":"e_1_3_2_1_39_1","unstructured":"OpenStack Foundation. 2017. Neutron\/ML2. (April 2017). https:\/\/wiki.openstack.org\/wiki\/Neutron\/ML2  OpenStack Foundation. 2017. Neutron\/ML2. (April 2017). https:\/\/wiki.openstack.org\/wiki\/Neutron\/ML2"},{"key":"e_1_3_2_1_40_1","volume-title":"OpenStack Networking Guide. (Aug","author":"Foundation OpenStack","year":"2017","unstructured":"OpenStack Foundation . 2017. OpenStack Networking Guide. (Aug . 2017 ). http:\/\/docs.openstack.org\/newton\/networking-guide\/ OpenStack Foundation. 2017. OpenStack Networking Guide. (Aug. 2017). http:\/\/docs.openstack.org\/newton\/networking-guide\/"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23222"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2342441.2342466"},{"key":"e_1_3_2_1_43_1","volume-title":"Introducing CloudLab: Scientific Infrastructure for Advancing Cloud Architectures and Applications. ;login: 39, 6 (Dec","author":"Ricci Robert","year":"2014","unstructured":"Robert Ricci , Eric Eide , and the CloudLab Team . 2014. Introducing CloudLab: Scientific Infrastructure for Advancing Cloud Architectures and Applications. ;login: 39, 6 (Dec . 2014 ), 36--38. https:\/\/www.usenix.org\/publications\/login\/dec14\/ricci Robert Ricci, Eric Eide, and the CloudLab Team. 2014. Introducing CloudLab: Scientific Infrastructure for Advancing Cloud Architectures and Applications. ;login: 39, 6 (Dec. 2014), 36--38. https:\/\/www.usenix.org\/publications\/login\/dec14\/ricci"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2556610.2556621"},{"key":"e_1_3_2_1_45_1","unstructured":"Jonathan S. Shapiro Eric Northup M. Scott Doerrie Swaroop Sridhar Neal H. Walfield and Marcus Brinkmann. 2007. Coyotos Microkernel Specification. (2007).  Jonathan S. Shapiro Eric Northup M. Scott Doerrie Swaroop Sridhar Neal H. Walfield and Marcus Brinkmann. 2007. Coyotos Microkernel Specification. (2007)."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/319151.319163"},{"key":"e_1_3_2_1_48_1","volume-title":"Proc. NDSS. https:\/\/www.internetsociety.org\/sites\/default\/files\/07_2_0.pdf","author":"Shin Seungwon","year":"2013","unstructured":"Seungwon Shin , Phillip Porras , Vinod Yegneswaran , Martin Fong , Guofei Gu , and Mabry Tyson . 2013 . FRESCO: Modular Composable Security Services for Software-Defined Networks . In Proc. NDSS. https:\/\/www.internetsociety.org\/sites\/default\/files\/07_2_0.pdf Seungwon Shin, Phillip Porras, Vinod Yegneswaran, Martin Fong, Guofei Gu, and Mabry Tyson. 2013. FRESCO: Modular Composable Security Services for Software-Defined Networks. In Proc. NDSS. https:\/\/www.internetsociety.org\/sites\/default\/files\/07_2_0.pdf"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2185376.2185386"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39038--8_7"},{"key":"e_1_3_2_1_51_1","unstructured":"Verizon RISK Team. 2013. 2013 Data Breach Investigations Report. (2013). http:\/\/www.verizonenterprise.com\/resources\/reports\/rp_data-breach-investigations-report-2013_en_xg.pdf  Verizon RISK Team. 2013. 2013 Data Breach Investigations Report. (2013). http:\/\/www.verizonenterprise.com\/resources\/reports\/rp_data-breach-investigations-report-2013_en_xg.pdf"},{"key":"e_1_3_2_1_52_1","volume-title":"Proc. USENIX Security. 29--45","author":"Watson Robert N. M.","year":"2010","unstructured":"Robert N. M. Watson , Jonathan Anderson , Ben Laurie , and Kris Kennaway . 2010 . Capsicum: Practical Capabilities for UNIX . In Proc. USENIX Security. 29--45 . https:\/\/www.usenix.org\/legacy\/event\/sec10\/tech\/full_papers\/Watson.pdf Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. 2010. Capsicum: Practical Capabilities for UNIX. In Proc. USENIX Security. 29--45. https:\/\/www.usenix.org\/legacy\/event\/sec10\/tech\/full_papers\/Watson.pdf"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.5555\/1060289.1060313"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987550.2987558"}],"event":{"name":"SoCC '17: ACM Symposium on Cloud Computing","sponsor":["SIGMOD ACM Special Interest Group on Management of Data","SIGOPS ACM Special Interest Group on Operating Systems"],"location":"Santa Clara California","acronym":"SoCC '17"},"container-title":["Proceedings of the 2017 Symposium on Cloud Computing"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3127479.3131209","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3127479.3131209","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3127479.3131209","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:30:28Z","timestamp":1750217428000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3127479.3131209"}},"subtitle":["security and least authority in a capability-enabled cloud"],"short-title":[],"issued":{"date-parts":[[2017,9,24]]},"references-count":50,"alternative-id":["10.1145\/3127479.3131209","10.1145\/3127479"],"URL":"https:\/\/doi.org\/10.1145\/3127479.3131209","relation":{},"subject":[],"published":{"date-parts":[[2017,9,24]]},"assertion":[{"value":"2017-09-24","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}