[cap-talk] the "flaw" of separating designation from authority
Karp, Alan H
alan.karp at hp.com
Thu Oct 26 21:47:37 CDT 2006
Fred Spiessens wrote:
>
> The flaw is not "separating designation from authority" but "losing
> track of the connection between the origin of the designation
> and the
> origin of the authority". The former would have indicated a flaw in
> the system, while the latter is a programming error.
>
Look at the example again (with the attack of specifying the log file).
The attacker invokes
MyFileSystem.writeFile(fileID: 67890 certificate: Fcert1 data: "XYZ")
which the service turns into
MyFileSystem.logWriteFile(fileID: 67890 fileID: 67890 data: "XYZ"
certificates: Fcert1, Fcert2)
Fcert1 comes from the attacker and allows writing of fileID: 12345.
Fcert2 comes from the service and allows writing of fileID: 67890. The
system I described and participated in building :( had no mechanism for
matching up certs with arguments. Since there is a cert that allows
writing fileID: 67890, the log ends up with "XYZ". Where is the
programming error in the code that invokes logWriteFile? The point is
that this system doesn't provide a way for the programmer to keep the
connection between the origin of the designation and the origin of the
authority.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
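A small model of the two checks Karp contrasts above, added here as an illustration and not code from the system he describes. The "unbound" service receives certificates as a loose pool and can only ask whether some certificate permits writing a given file, so the service's own log certificate (Fcert2) ends up vouching for the attacker's target; the "bound" service carries each file designation together with the certificate offered as authority for it, which is exactly the connection the original system gave the programmer no way to keep. File ids, certificate names and the in-memory store are constructed to mirror the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """A write certificate: authority to write exactly one file."""
    name: str
    file_id: int


class FileStore:
    """Constructed in-memory stand-in for MyFileSystem's storage."""

    def __init__(self) -> None:
        self.files: Dict[int, str] = {}

    def append(self, file_id: int, data: str) -> None:
        self.files[file_id] = self.files.get(file_id, "") + data


# Constructed values mirroring the post: the service holds a cert for its own log file.
LOG_FILE_ID = 67890
SERVICE_LOG_CERT = Cert("Fcert2", LOG_FILE_ID)


def log_write_file_unbound(store: FileStore, target_id: int, log_id: int,
                           data: str, certs: List[Cert]) -> bool:
    """The flawed check: certificates arrive as a loose pool, so the service can
    only ask 'does SOME cert permit writing this file?'. It cannot see that the
    cert covering the target is its own log cert, not the caller's."""
    permitted = {c.file_id for c in certs}
    if target_id not in permitted or log_id not in permitted:
        return False
    store.append(target_id, data)
    store.append(log_id, f"wrote {target_id}\n")
    return True


def write_file_unbound(store: FileStore, file_id: int, cert: Cert, data: str) -> bool:
    """Service entry point as in the post: it adds its log cert to the pool."""
    return log_write_file_unbound(store, file_id, LOG_FILE_ID, data,
                                  [cert, SERVICE_LOG_CERT])


# (file being designated, cert offered as the authority for that designation)
Designation = Tuple[int, Cert]


def log_write_file_bound(store: FileStore, target: Designation, log: Designation,
                         data: str) -> bool:
    """The repaired check: each designation travels with the cert meant to
    authorize it, so the origin of the authority stays tied to the origin of
    the designation and the service's log cert cannot vouch for the target."""
    target_id, target_cert = target
    log_id, log_cert = log
    if target_cert.file_id != target_id or log_cert.file_id != log_id:
        return False
    store.append(target_id, data)
    store.append(log_id, f"wrote {target_id}\n")
    return True


def write_file_bound(store: FileStore, file_id: int, cert: Cert, data: str) -> bool:
    """Bound entry point: the caller's cert is paired only with the caller's file."""
    return log_write_file_bound(store, (file_id, cert),
                                (LOG_FILE_ID, SERVICE_LOG_CERT), data)


def demo() -> Tuple[bool, bool, bool]:
    """Replays the post's scenario: attacker holds Fcert1 (file 12345) and asks
    to write the log file 67890. Returns (attack succeeds against the unbound
    check, attack succeeds against the bound check, legitimate write succeeds
    against the bound check)."""
    attacker_cert = Cert("Fcert1", 12345)
    unbound = FileStore()
    attack_unbound = write_file_unbound(unbound, LOG_FILE_ID, attacker_cert, "XYZ")
    bound = FileStore()
    attack_bound = write_file_bound(bound, LOG_FILE_ID, attacker_cert, "XYZ")
    legit_bound = write_file_bound(bound, 12345, attacker_cert, "XYZ")
    return attack_unbound, attack_bound, legit_bound


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point of the pairing is not that the bound version checks more certificates; both versions see exactly the same two. It is that the bound interface makes "which certificate was presented for which argument" part of the call, so the mismatch between Fcert1 and file 67890 is visible to the service rather than lost in a pool.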