[cap-talk] basic question: concerning confused deputy
kosik at fiit.stuba.sk
Mon Feb 26 06:53:41 CST 2007
Can anyone please shed more light on "confused deputy"? This basic definition
confused me. It is either very simple or very intricate. Can you give me some more examples, for example in the context of an ordinary UNIX-like system?
Might `system task' in Minix3 be a good example of confused deputy?
Details: All device drivers in Minix3 were "lifted to user space". These device drivers cannot do "dangerous" operations themselves (such as copying whatever wherever in memory, or using IN and OUT instructions for talking to the hardware devices directly). However, the `system task', which runs in privileged mode, happily does that for them.
The file `kernel/table.c', on lines 06000--06121, actually defines the security policy via access-control lists. It defines
- which kinds of processes can use which communication primitives
  (the device drivers, line 06057, are allowed to use all primitives)
- which processes can talk to which other processes
  (the device drivers, line 06071, are allowed to talk to the `system task')
  (this is necessary because the so-called `endpoints' in Minix are ambient, i.e. forgeable)
- which processes can use which kernel calls (various services provided by the `system task')
  (the device drivers, line 06084, can, among other things, use
  - SYS_VIRCOPY (they can ask the system task to copy memory between arbitrary address spaces)
  - SYS_DEVIO (they can ask the system task to perform any kind of I/O operation))
Thus, effectively, although device drivers (clients) cannot do dangerous operations themselves, the security model and security policy give them the authority to do so because the `system task' is a confused deputy?
Such separation indeed reduces the impact of unintentional errors (that is indeed an improvement), but it still does not prevent malicious behavior.
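As an added illustration (not from the original post, and not Minix 3 source code): a constructed C model of two ways a privileged `system task' can check a driver's SYS_VIRCOPY-style request. The process names, the 64-byte toy "address spaces", the ACL table and the grant table are all assumptions made for this example. The first variant checks only an ACL entry ("may this caller use VIRCOPY at all?"), which is the shape of the policy the post describes: once the caller is a driver, the deputy copies between any two address spaces on its behalf, so the driver's authority over the target is never examined. The second variant will only copy into or out of a window that the target process has explicitly granted to the caller, so the request carries its authority with it and the deputy cannot be tricked into using its own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model for the example: two processes, each with a 64-byte
 * private "address space". Nothing here is Minix code. */
enum { PROC_DRIVER = 0, PROC_VICTIM = 1, NPROCS = 2 };
enum { MEM_SIZE = 64, NGRANTS = 8 };

static unsigned char mem[NPROCS][MEM_SIZE];

/* ACL-style policy in the spirit of kernel/table.c (assumed): which callers
 * may use the VIRCOPY kernel call at all. */
static const bool may_vircopy[NPROCS] = { true, false };

/* Variant 1: the deputy checks only that the caller is on the ACL, then uses
 * its own privilege to copy between whatever address spaces it is asked to. */
int vircopy_acl(int caller, int src, size_t soff, int dst, size_t doff, size_t len) {
    if (caller < 0 || caller >= NPROCS || !may_vircopy[caller]) return -1; /* not permitted */
    if (src < 0 || src >= NPROCS || dst < 0 || dst >= NPROCS) return -2;   /* bad endpoint */
    if (soff > MEM_SIZE || len > MEM_SIZE - soff) return -3;              /* bounds */
    if (doff > MEM_SIZE || len > MEM_SIZE - doff) return -3;
    memmove(&mem[dst][doff], &mem[src][soff], len);
    return 0;
}

/* Variant 2: a grant is a capability-like token issued by the owner of a
 * memory window to a specific grantee, optionally allowing writes. */
typedef struct { int grantor, grantee; size_t off, len; bool write, valid; } grant_t;
static grant_t grants[NGRANTS];

int grant_region(int grantor, int grantee, size_t off, size_t len, bool write) {
    if (off > MEM_SIZE || len > MEM_SIZE - off) return -1;
    for (int i = 0; i < NGRANTS; i++) {
        if (!grants[i].valid) {
            grants[i] = (grant_t){ grantor, grantee, off, len, write, true };
            return i; /* grant id the grantee later presents */
        }
    }
    return -1; /* table full */
}

/* The deputy copies only between the caller's own memory and the granted
 * window; the caller names a grant it holds, never an arbitrary endpoint. */
int vircopy_grant(int caller, int gid, size_t goff, size_t own_off, size_t len, bool write_to_grantor) {
    if (gid < 0 || gid >= NGRANTS || !grants[gid].valid) return -1;
    const grant_t *g = &grants[gid];
    if (g->grantee != caller) return -1;                  /* not issued to this caller */
    if (write_to_grantor && !g->write) return -1;         /* read-only grant */
    if (goff > g->len || len > g->len - goff) return -2;  /* outside the granted window */
    if (own_off > MEM_SIZE || len > MEM_SIZE - own_off) return -2;
    unsigned char *region = &mem[g->grantor][g->off + goff];
    unsigned char *own = &mem[caller][own_off];
    if (write_to_grantor) memmove(region, own, len); else memmove(own, region, len);
    return 0;
}

/* Scenario (constructed): the victim keeps a secret byte 0x5A at offset 0;
 * the driver holds 0x41 at its own offset 0 and tries to overwrite the secret. */
static void reset(void) {
    memset(mem, 0, sizeof mem);
    memset(grants, 0, sizeof grants);
    mem[PROC_VICTIM][0] = 0x5A;
    mem[PROC_DRIVER][0] = 0x41;
}

/* ACL deputy: returns 1 when the driver got the deputy to clobber the victim. */
int attack_acl(void) {
    reset();
    int rc = vircopy_acl(PROC_DRIVER, PROC_DRIVER, 0, PROC_VICTIM, 0, 1);
    return rc == 0 && mem[PROC_VICTIM][0] == 0x41;
}

/* Grant deputy, no grant issued: the request is refused (returns 0). */
int attack_grant_none(void) {
    reset();
    return vircopy_grant(PROC_DRIVER, 0, 0, 0, 1, true) == 0;
}

/* Grant deputy, read-only grant on a different window: write refused (returns 0). */
int attack_grant_ro(void) {
    reset();
    int g = grant_region(PROC_VICTIM, PROC_DRIVER, 16, 16, false);
    return vircopy_grant(PROC_DRIVER, g, 0, 0, 1, true) == 0;
}

/* Grant deputy, writable grant: the copy lands in the window, the secret survives (returns 1). */
int legit_grant_write(void) {
    reset();
    int g = grant_region(PROC_VICTIM, PROC_DRIVER, 16, 16, true);
    int rc = vircopy_grant(PROC_DRIVER, g, 0, 0, 1, true);
    return rc == 0 && mem[PROC_VICTIM][16] == 0x41 && mem[PROC_VICTIM][0] == 0x5A;
}

/* Grant deputy, writable grant but the copy runs past the window: refused (returns 0). */
int escape_grant_window(void) {
    reset();
    int g = grant_region(PROC_VICTIM, PROC_DRIVER, 16, 16, true);
    return vircopy_grant(PROC_DRIVER, g, 15, 0, 2, true) == 0;
}

int main(void) {
    printf("ACL deputy clobbered victim:      %d\n", attack_acl());
    printf("grant deputy, no grant:           %d\n", attack_grant_none());
    printf("grant deputy, read-only grant:    %d\n", attack_grant_ro());
    printf("grant deputy, legitimate write:   %d\n", legit_grant_write());
    printf("grant deputy, overrun of window:  %d\n", escape_grant_window());
    return 0;
}
```

The point of the contrast is where the authority to touch the victim's memory comes from. In `vircopy_acl` it comes from the deputy's own privilege, gated only by the caller's identity, so the ACL entry "drivers may use VIRCOPY" is in effect "drivers may write anywhere". In `vircopy_grant` the same deputy still runs with full privilege, but it only exercises it over a window whose owner handed the caller a grant, so a driver that was never granted anything gets nothing no matter what endpoint it names.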