[cap-talk] basic question: concerning confused deputy

Matej Kosik kosik at fiit.stuba.sk
Mon Feb 26 06:53:41 CST 2007


Friends,

Can anyone please shed more light on "confused deputy"? This basic definition

http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html

confused me. It is either very simple or very intricate. Can you give me some more examples, for example in the context of an ordinary UNIX-like system?

Might `system task' in Minix3 be a good example of confused deputy?

Details: All device drivers in Minix3 were "lifted to user space". These device drivers cannot do "dangerous" operations themselves (such as copying whatever wherever in memory or using IN and OUT instructions for talking to the hardware devices directly). However, the `system task' which runs in the privileged mode happily does that for them.

Here
http://www.minix3.org/doc/AppendixB.html
the file `kernel/table.c' on lines 06000--06121 actually defines the security policy via access-control lists. It defines
- which kinds of processes can use which communication primitives
  (the device drivers, line 06057, are allowed to use all primitives)
- which processes can talk to which other processes
  (the device drivers, line 06071, are allowed to talk to the `system task')
  (this is necessary because so called `endpoints' in Minix are ambient, i.e. forgeable)
- which processes can use which kernel calls (various services provided by the `system task')
  (the device drivers, line 06084, can, among other things, use
   - SYS_VIRCOPY (they can ask the system task to copy memory between arbitrary address spaces)
   - SYS_DEVIO (they can ask the system task to perform any kind of I/O operation)
  )

Thus, effectively, although device drivers (clients) cannot do dangerous operations themselves, the security model and security policy give them authority to do that because the `system task' is a confused deputy?

Such separation indeed reduces the impact of unintentional errors (that is indeed an improvement), but it still does not prevent malicious behavior. 
-- 
Matej Kosik
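To make the Minix3 case concrete, here is a toy model in C (an added example for this thread, not Minix's own kernel code and not the poster's): the `system task' honours a SYS_VIRCOPY-style request either by asking only whether the caller is a driver (the ACL style of kernel/table.c, which makes it a confused deputy) or by requiring the caller to hold a capability for each address space the copy touches. The endpoint numbers, the `grant' routine and the bitmask capabilities are assumptions of the model, not Minix interfaces.

```c
#include <stdbool.h>
#include <string.h>

/* Toy model (added here, not Minix source): four address spaces indexed by
 * endpoint number. Endpoint 1 is a device driver, endpoint 2 an ordinary
 * user process; the "system task" is the copy routines below. */
enum { DRIVER = 1, USER = 2, NSPACES = 4, SPACE_SIZE = 16 };
static char spaces[NSPACES][SPACE_SIZE];

/* kernel/table.c-style ACL: who may invoke SYS_VIRCOPY at all. */
static bool acl_allows_vircopy(int caller) { return caller == DRIVER; }

/* Confused-deputy variant: the system task checks only WHO is calling, not
 * whether the caller has authority over the source or destination, so any
 * driver can read or overwrite any other process's memory. */
bool vircopy_acl(int caller, int src, int dst, int len) {
    if (!acl_allows_vircopy(caller) || len > SPACE_SIZE) return false;
    memcpy(spaces[dst], spaces[src], (size_t)len);
    return true;
}

/* Capability variant: a copy is honoured only if the caller holds a
 * capability for each space it touches. A capability is modelled as a bit
 * in a per-endpoint mask granted at set-up time, so it cannot be forged by
 * simply naming an endpoint number in the request. */
static struct { unsigned readable, writable; } caps[NSPACES];

void grant(int holder, int space, bool write) {
    caps[holder].readable |= 1u << space;
    if (write) caps[holder].writable |= 1u << space;
}

bool vircopy_cap(int caller, int src, int dst, int len) {
    if (len > SPACE_SIZE) return false;
    if (!(caps[caller].readable & (1u << src))) return false; /* no read cap */
    if (!(caps[caller].writable & (1u << dst))) return false; /* no write cap */
    memcpy(spaces[dst], spaces[src], (size_t)len);
    return true;
}

/* Scenario: the user process holds a secret and the driver asks the deputy
 * to copy it into the driver's own space. Returns 1 if the secret leaked. */
int driver_reads_user_memory(bool use_caps) {
    memset(spaces, 0, sizeof spaces); memset(caps, 0, sizeof caps);
    strcpy(spaces[USER], "secret");
    grant(DRIVER, DRIVER, true);            /* driver holds only its own space */
    bool ok = use_caps ? vircopy_cap(DRIVER, USER, DRIVER, 7)
                       : vircopy_acl(DRIVER, USER, DRIVER, 7);
    return ok && strcmp(spaces[DRIVER], "secret") == 0;
}
```

With the ACL check the deputy copies the secret because "a driver asked"; with the capability check the same request is refused because the driver never held authority over the user process's space.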
