[cap-talk] Confused Deputy, multiple authorities - Norm?

David Wagner daw at cs.berkeley.edu
Tue Oct 24 21:58:14 CDT 2006

Jed writes:
>If you are indeed using the term "Confused Deputy" in a more narrow
>sense, could you describe or point to the "very specific class of

I probably can't describe it crisply.  I think of it as a case where
the Deputy performs an operation that it truly wanted to take, but performs
the operation using the wrong set of authorities (normally, because the
default set of authorities are the wrong choice for this operation).
Notably, this operation would have been safe to perform, if it had been
performed using the correct set of authorities.

Buffer overrun attacks, where the attacker injects malicious code into
the Deputy's address space, don't count.  Buffer overruns are concerned
with a different layer of abstraction.  For instance, imagine a burglar
breaks into your home, gets physical access to your hard drive, plugs
your hard drive into his laptop, and replaces all your executable files
with malicious versions.  I doubt very much that we want to call that
a Confused Deputy attack.  Physical attacks, too, are at a different
layer of abstraction.

>In that case I think I would like to have a term for the broader case.
>Perhaps it's so broad as to include all "security vulnerabilities"?

Well, you tell me.  What did you mean, and in what way did it fall short
of including all security vulnerabilities?  I read your language as being
so broad as to include all security vulnerabilities, because just about
any attack I can think of could plausibly be described (at a very high
level of abstraction) as working by "confusing" the target into doing
something unwanted.

More information about the cap-talk mailing list