[cap-talk] Another "core" principle - confused deputy?
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Wed Dec 27 08:22:13 CST 2006
Jonathan S. Shapiro wrote:
> On Tue, 2006-12-26 at 16:50 +0000, David Hopwood wrote:
>>Mark S. Miller wrote:
>>
>>>>>>(Note that Carol is a process, not a human user, and therefore is
>>>>
>>>>[I'll switch to using lowercase for names of processes.]
>>>
>>>Sorry to be annoyingly pedantic, but surely we mean "subject", "object",
>>>or "protection domain" above, not "process". The issues we're discussing
>>>are about access control and naming, not scheduling.
>>
>>OK. The important point was that they are instances of programs.
>
> Umm. No. The important point is that they are subjects.
I'm afraid I have to insist that the point I was trying to make (although just
as an aside in the original post) was the following one:
Note that Carol is an instance of a program, not a human user, and therefore
is fundamentally incapable of understanding the reasons why it may have been
requested to perform any given operation. This is also true if Carol happens
to be an instance of a "user agent" program. The only way we can avoid confused
deputy attacks is to ensure that subjects, because they are only instances of
programs, do not need any intelligence to determine when they can use a
particular reference.
Much of the access control literature is ambiguous about whether subjects are
human users, or instances of programs, and so saying "subject" here would not
have adequately conveyed the point.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
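The ambient-authority deputy and the capability-passing alternative the post argues for, as an added illustration that is not part of this thread; the in-memory file store, the principal names and the `WriteCap`/`open_for_write` helpers are constructed for the example:

```python
"""Constructed illustration of the confused deputy: a deputy that holds its
own (ambient) authority cannot know whether its caller was entitled to name a
given file, whereas a deputy handed a capability needs no such judgement."""

# Constructed in-memory file store: path -> (owner, contents).
FILES = {
    "/home/alice/out.o": ("alice", ""),
    "/var/billing": ("system", "billing records"),
}


def store_can_write(principal: str, path: str) -> bool:
    """ACL check on the store: only the owner of a file may write it."""
    owner, _ = FILES[path]
    return principal == owner


# --- Design 1: the deputy acts under its own ("system") authority ----------
def ambient_deputy(output_path: str) -> bool:
    """Writes its result wherever the caller asks, using the deputy's identity.
    The check below is about *the deputy*, so it says nothing about whether
    the caller was allowed to designate this path: the deputy is confused."""
    if not store_can_write("system", output_path):
        return False
    FILES[output_path] = ("system", "compiled output")
    return True


# --- Design 2: the caller must hand over a capability to the output file ----
class WriteCap:
    """Handle bundling designation (which file) with authority (may write it).
    Unforgeable by convention here: code only ever obtains one via open_for_write."""

    def __init__(self, path: str):
        self._path = path

    def write(self, data: str) -> None:
        owner, _ = FILES[self._path]
        FILES[self._path] = (owner, data)


def open_for_write(principal: str, path: str) -> WriteCap:
    """The only way to mint a WriteCap; the ACL is enforced on the caller's side."""
    if not store_can_write(principal, path):
        raise PermissionError(f"{principal} may not write {path}")
    return WriteCap(path)


def capability_deputy(out: WriteCap) -> None:
    """No check of any kind: whatever capability arrives may be used, so the
    deputy never has to reason about why it was asked."""
    out.write("compiled output")
```

Under design 1 a caller who names `/var/billing` gets the deputy to clobber it; under design 2 the same caller cannot even construct a `WriteCap` for that file, so the request is unexpressible.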