[cap-talk] the "flaw" of separating designation from authority
Karp, Alan H
alan.karp at hp.com
Thu Oct 26 21:47:37 CDT 2006
Fred Spiessens wrote:
> The flaw is not "separating designation from authority" but "losing
> track of the connection between the origin of the designation and the
> origin of the authority". The former would have indicated a flaw in
> the system, while the latter is a programming error.
Look at the example again (with the attack of specifying the log file).
The attacker invokes
MyFileSystem.writeFile(fileID: 67890 certificate: Fcert1 data: "XYZ")
which the service turns into
MyFileSystem.logWriteFile(fileID: 67890 fileID: 67890 data: "XYZ"
certificates: Fcert1, Fcert2)
Fcert1 comes from the attacker and allows writing of fileID: 12345.
Fcert2 comes from the service and allows writing of fileID: 67890. The
system I described and participated in building :( had no mechanism for
matching up certs with arguments. Since there is a cert that allows
writing fileID: 67890, the log ends up with "XYZ". Where is the
programming error in the code that invokes logWriteFile? The point is
that this system doesn't provide a way for the programmer to keep the
connection between the origin of the designation and the origin of the
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
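A toy model of the two designs discussed in this message, added here as an illustration and not code from the thread or from the system described: PooledCertFS checks a pool of certificates against each argument (the flaw above), while BoundCertFS binds each designation to the certificate it arrived with. The class names, the Cert and FileCap types and the write_file/log_write_file signatures are assumptions; the file ids 12345 and 67890 are the ones from the message.

```python
from dataclasses import dataclass

LOG_FILE, USER_FILE = 67890, 12345   # the log and the caller's own file, ids from the post

@dataclass(frozen=True)
class Cert:
    file_id: int   # constructed toy certificate: grants write access to one file id

class PooledCertFS:
    """Flawed system from the post: logWriteFile sees a pool of certificates
    with no record of which certificate arrived with which argument."""
    def __init__(self):
        self.files = {}
        self.service_cert = Cert(LOG_FILE)   # the service's own authority over the log

    def write_file(self, file_id, certificate, data):
        # The service forwards the caller's cert alongside its own log cert.
        return self.log_write_file(file_id, LOG_FILE, data, [certificate, self.service_cert])

    def log_write_file(self, file_id, log_id, data, certs):
        for target in (file_id, log_id):   # any cert in the pool satisfies any argument
            if not any(c.file_id == target for c in certs):
                raise PermissionError(f"no write certificate for {target}")
        self.files[file_id] = data
        self.files[log_id] = self.files.get(log_id, "") + f"wrote {file_id}\n"
        return True

@dataclass(frozen=True)
class FileCap:
    """Hardened model: the designation and its certificate travel as one value."""
    file_id: int
    cert: Cert
    def check(self):
        if self.cert.file_id != self.file_id:
            raise PermissionError(f"certificate does not cover file {self.file_id}")

class BoundCertFS(PooledCertFS):
    def write_file(self, file_id, certificate, data):
        caller = FileCap(file_id, certificate)       # caller's cert bound to caller's designation
        log = FileCap(LOG_FILE, self.service_cert)   # service's cert bound to the log designation
        return self.log_write_file(caller, log, data)

    def log_write_file(self, file_cap, log_cap, data):
        file_cap.check(); log_cap.check()   # each argument judged only by its own certificate
        self.files[file_cap.file_id] = data
        self.files[log_cap.file_id] = self.files.get(log_cap.file_id, "") + f"wrote {file_cap.file_id}\n"
        return True

def log_overwritten(fs):
    # Caller holds Fcert1 (write on 12345) but names the log file as the target.
    try:
        fs.write_file(LOG_FILE, Cert(USER_FILE), "XYZ")
    except PermissionError:
        return False
    return fs.files[LOG_FILE].startswith("XYZ")
```

In the pooled model the log ends up holding "XYZ" with no programming error in the caller of log_write_file; in the bound model the same call is refused because the caller's certificate never covered the log file.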