[cap-talk] The transitive access problem

[Jed Donnelley]

Karp, Alan H wrote:
> Jed wrote:
>   
>> I also don't see the connection.  To me this topic "The
>> Transitive Access Problem" amounts to re describing
>> with some bundling problems that we know by other names,
>>     
>
> Not entirely.  Maybe things will be clearer if I explain the motivating
> example from the Navy.  Alice, on a ship at sea, is responsible for
> weather predictions for a subset of the fleet.  She places a request to
> a service called WebCOP, which contains a database of ship locations.
> WebCOP only honors a request if Alice is allowed to ask about those
> ships.  WebCOP then forwards those locations to the weather predicing
> service, MetStat.  MetStat can produce high and low resolution forecasts
> depending on the rights of the requester.  Which should WebCOP request
> on behalf of Alice?
>   
Regarding the "transitivity" aspect, I consider the above to be two 
distinct two
party requests.  Alice makes requests of WebCOP.  WebCOP makes
requests of MetStat.

Of course Alice may (e.g. with a capability model) be able to communicate
some permissions to WebCOP that may enable it with additional access that
can help Alice (also WebCOP of course...).  At the grossest level Alice 
could
give WebCOP her full authority (e.g. with a username/password).  Regardless,
I still see the transactions as essentially two party.
>> When you (AlanK) say:
>>
>> "Bob may have some rights not granted to Alice, and ...
>> If Bob's rights are used, he may do something on behalf
>> of Alice that Alice is not allowed to do."
>>
>> I believe this is exactly the confused deputy problem.
>> Of course it may be that Bob is aware that Alice doesn't
>> have the access that Bob is deliberately exercising on
>> Alice's behalf - in which case this is simply intended
>> behavior.
>>
>>     
> Notice that in the motivating example, Alice doesn't pass any parameters
> relevant to MetStat.  Hence, she has no opportunity to confuse WebCOP.
> I guess you could say that WebCOP is inherently confused, but it is
> different from Norm's example.
>   
Perhaps I generalize the "Confused Deputy" example too much, but for me
that situation includes any case where a request can 'fool' a more
powerful entity to acting on my behalf beyond my permissions.  E.g.
if I ask the secretary to book me a flight and tell her that the boss
authorized it.  I may get my comeuppance  later, but if she does so
and I really didn't have authorization for such a flight, the I consider
the secretary a confused deputy.  Also in this case there is no relevant
parameter passing.  A common example is the unix "passwd" command,
though I guess there you could consider the username a relevant
parameter.

If these more general cases aren't examples of "confused deputies",
then I would like to have a more general term to use.
>> "Alice may have some rights not granted to Bob. If
>> Alice's rights are used, Bob may take an action that
>> Alice would not approve."
>>
>> I believe is the Trojan Horse problem.
>>
>>     
> It's a very strange form of the problem, since nobody has planted
> software on Alice's machine.  I think the issue is one of excess
> authority.
Same issue.  I agree it's a case of excess authority.  Excess authority can
be a problem because of inadvertent misuse or deliberate misuse (e.g.
the Trojan horse example).  If the Trojan horse example is considered
a limited subset of the problems of excess authority, then I'd like to
have a term for the more general "excess authority" case.

We have two cases here:

1.  I make a request with your authority and I may get you to
grant more authority than I have, and

2.  I make a request with my authority and you may use more
authority that I wish.

I'm just trying to associate these situations with commonly understood 
terms.
This also comes up in the background for the Horton discussion, so this
distinction is timely.
> Alice can let Bob impersonate her or not, granting him all
> of her authority or none of it.  There's no middle ground.
>   
>> One thing I don't understand about your abstract
>> is why you are considering three parties and you
>> refer to it as a problem with "transitivity".
>> I believe all the issues you described only require
>> two parties.  Leave out Carol and I believe all the
>> issues you are addressing apply.   
>>     
>
> There is a trust relationship between Alice and Bob.  Some might argue
> that relationsip makes it possible to adjust the access rights as
> needed.  Introducing a second trust relationship between Bob and Carol
> makes that harder.  In particular, there is no trust relationship
> between Alice and Carol, so there is no means to grant Carol the
> permission she needs.
>   
I'm not sure what you mean by a "trust relationship" in the above.  Any
form of granted permission I expect can be considered a "trust 
relationship".

When you say, "some might argue that the trust relationship makes it
possible to adjust the access rights as needed", do these include the access
rights for Bob making requests of Carol?  It seems these are the relevant
access rights in this case.

I'm of course sympathetic to the motivating example that you describe.
It seems clear that permissions communicated as parameters ("capabilities")
can make this situation relatively straight forward to deal with.  However,
it still seems to me that the issues can be factored to consider just
the two part cases independently - regardless of how the access
control is handled.  Sorry if I'm missing something here, but I'm still
not getting the essence of what makes this a "transitive" access problem.

--Jed  http://www.webstart.com/jed/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.eros-os.org/pipermail/cap-talk/attachments/20070730/9410ee60/attachment.html