[cap-talk] POLA and Mungi / Iguana style APIs
David Wagner
daw at cs.berkeley.edu
Mon May 16 21:35:20 EDT 2005
Toby Murray <toby.murray at dsto.defence.gov.au>
>In the Iguana API (which I believe inherits a lot from Mungi), the
>programmer presents an "Object ID" which designates the target of a
>method invocation. The kernel then searches the c-lists of the caller to
>find a capability that might grant the access. [...]
That's an ambient authority system.
>With this system, has designation and authorisation been separated? Does
>this separation reduce the ability to provide /enable POLA? More
>specifically, does it allow the application to become "confused" and use
>the wrong authority at the wrong time?
The system is vulnerable to confused deputy attacks. Think about the
classic confused deputy example due to Norm Hardy (of the billing compiler),
and you will see that the very same vulnerability could have arisen (with
no essential change to the example) in Iguana, given how you have described
Iguana. The vulnerability to confused deputy attacks is one of the principal
drawbacks of ambient authority.
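A constructed toy model of the two API styles this thread contrasts, added here as an example (not code from the thread, from Mungi or from Iguana): Hardy's billing compiler acts as the deputy, once under an Iguana-style object-ID lookup against the caller's c-list and once with the client handing over the capability itself. The kernel, process names and file names are assumptions of the example.

```python
# Constructed toy model of the confused deputy under the two API styles above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cap:
    obj: str
    rights: frozenset

class Kernel:
    def __init__(self):
        self.store = {}   # object ID -> contents
        self.clists = {}  # process name -> list of Cap it holds

    def grant(self, proc, obj, *rights):
        self.clists.setdefault(proc, []).append(Cap(obj, frozenset(rights)))

    def write_by_id(self, caller, obj_id, data):
        # Ambient (Iguana-style): caller names an ID, kernel searches caller's c-list.
        for cap in self.clists.get(caller, []):
            if cap.obj == obj_id and "write" in cap.rights:
                self.store[obj_id] = data
                return
        raise PermissionError(f"{caller} holds no write cap for {obj_id}")

    def write_by_cap(self, cap, data):
        # Capability style: the cap presented is both the name and the permission.
        if "write" not in cap.rights:
            raise PermissionError(f"cap for {cap.obj} lacks write")
        self.store[cap.obj] = data

def compile_ambient(k, output_id, source):
    # Deputy records a charge, then writes to the ID the client named, all under the *compiler's* authority.
    k.write_by_id("compiler", "billing.log", "charge client 1 unit\n")
    k.write_by_id("compiler", output_id, "compiled " + source)

def compile_with_cap(k, billing_cap, output_cap, source):
    # Same deputy, but each write goes through the cap it was actually handed.
    k.write_by_cap(billing_cap, "charge client 1 unit\n")
    k.write_by_cap(output_cap, "compiled " + source)

def scenario():
    k = Kernel()
    k.grant("compiler", "billing.log", "write")
    k.grant("client", "client.out", "write")
    # Client names the billing file as its output; the confused deputy clobbers it.
    compile_ambient(k, "billing.log", "prog.c")
    clobbered = k.store["billing.log"]
    # Client can only hand over a cap from its own c-list (caps assumed unforgeable).
    compile_with_cap(k, k.clists["compiler"][0], k.clists["client"][0], "prog.c")
    return clobbered, k.store["billing.log"], k.store["client.out"]
```

In the ambient run the billing record is overwritten with the client's compiled output; in the capability run the client cannot designate anything it does not hold, so the billing record survives.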