[cap-talk] Authority Must Not Exceed Trust, revisited

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Sep 18 05:32:04 EDT 2007


I think I need to go back to the beginning on this one.

This definition arose out of my work on the formal modelling of
capability-based systems to reason about their security properties.

The primary example I've been considering is the confused deputy
example, in which a compiler, Carol, has permission to write to a
billing file, Bill. Alice, a user, has permission to invoke Carol. When
invoking Carol, Alice supplies the name of a file to receive the
compilation output. By supplying the name of "Bill", Alice can cause
Carol to overwrite the billing file.

Now this example should be considered to be insecure only if Alice is
not trusted to be able to (cause Carol to) write to Bill. This is the
key to why we should consider the system to be insecure. 

From Alice's point of view, she may see no insecurity -- and this is
likely to be the case. But from the point of view of Carol, or any
stakeholder to whom the correct functioning of Carol's billing log is
important, there definitely exists insecurity because they trust no one
other than Carol to be able to overwrite the billing log.

I've found this definition generally useful when thinking about
insecurity. People naturally feel insecure when authority exceeds trust.
(This is a large part of why I like the definition, because it matches
my intuitions.)

Someone who trusts their government's intelligence services doesn't
worry that they can listen in on their phone conversations. Someone else
who doesn't trust the intelligence services to be able to listen in on
their conversations does feel insecure when they realise that the
intelligence services have the power to do so.

I believe that a fundamental characteristic of insecurity is the
presence of authority in excess of trust.

I'm hoping that, having restated the definition and given some clues as
to its use, the debate about its utility can proceed a bit further.

I hope I'm not coming across as being too stubborn here. I hope I'm not
willfully ignoring valid arguments and that so far it's just been a case
of misunderstanding, but we'll see.

Cheers

Toby
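The following is an added worked example, not code from the post or from Toby Murray's formal model. It encodes the Alice/Carol/Bill example two ways: first as a small permission model in which "authority" is closed over deputies that accept object names from their callers, and compared against a "trust" relation to find exactly the triples where authority exceeds trust; second as a runnable simulation of the compiler deputy, once taking an output file name (ambient authority) and once taking an object-capability for the output file. The permission triples, the `FileCap` class, the in-memory file system and the trust table are all constructed for this example and are assumptions, not anything the post specifies.

```python
"""Confused deputy, modelled two ways, plus an "authority exceeds trust" check.

Names (Alice, Carol, Bill) follow the post; every data structure here is
constructed for this example."""

from collections import defaultdict


def effective_authority(perms, name_taking_deputies):
    """Close a permission set over deputies that act on caller-supplied names.

    perms: set of (subject, action, obj) triples held directly.
    name_taking_deputies: subjects that take an object *name* from their
      caller and act on it with their own permissions (ambient authority).
    Returns dict subject -> set of (action, obj) the subject can exercise,
    directly or by causing such a deputy to do so (computed to a fixed point,
    so chains of deputies are covered)."""
    eff = defaultdict(set)
    for subject, action, obj in perms:
        eff[subject].add((action, obj))
    changed = True
    while changed:
        changed = False
        for subject in list(eff):
            for action, obj in list(eff[subject]):
                if action == "invoke" and obj in name_taking_deputies:
                    # The deputy's non-invoke authority becomes the caller's.
                    gained = {p for p in eff[obj] if p[0] != "invoke"} - eff[subject]
                    if gained:
                        eff[subject] |= gained
                        changed = True
    return dict(eff)


def excess_authority(eff, trust):
    """Triples (subject, action, obj) that the subject can exercise but is not
    trusted to.  trust maps (action, obj) -> set of trusted subjects; objects
    with no trust entry are nobody's concern and are skipped."""
    return {(s, a, o) for s, acts in eff.items() for a, o in acts
            if (a, o) in trust and s not in trust[(a, o)]}


# Constructed facts from the post: Carol may write Bill; Alice may invoke Carol.
PERMS = {("Carol", "write", "Bill"), ("Alice", "invoke", "Carol")}
# Constructed trust statement of Bill's stakeholders: only Carol may write it.
TRUST = {("write", "Bill"): {"Carol"}}


def ambient_system():
    """Carol takes an output *name*: Alice can cause a write to Bill."""
    return excess_authority(effective_authority(PERMS, {"Carol"}), TRUST)


def capability_system():
    """Carol takes an output *capability*: Alice gains nothing she did not hold."""
    return excess_authority(effective_authority(PERMS, set()), TRUST)


# ---- The same example as a runnable simulation of the deputy ----------------

class FileCap:
    """Assumed object-capability for one file: holding it is the write authority.
    (Pure-Python callers could forge one; the model assumes they cannot.)"""
    def __init__(self, fs, name):
        self._fs, self._name = fs, name

    def write(self, data):
        self._fs[self._name] = data


def ambient_compile(fs, out_name, src):
    # Carol with ambient authority writes to whatever name she is told.
    fs[out_name] = f"compiled({src})"


def cap_compile(out_cap, src):
    # Carol as a capability deputy writes only through what the caller passed.
    out_cap.write(f"compiled({src})")


def run_ambient():
    fs = {"Bill": "invoice total: 100"}
    ambient_compile(fs, "Bill", "alice.c")  # Alice names the billing file
    return fs["Bill"]                       # billing log is clobbered


def run_capability():
    fs = {"Bill": "invoice total: 100", "alice.out": ""}
    alice_caps = {"alice.out": FileCap(fs, "alice.out")}  # no cap for Bill
    cap_compile(alice_caps["alice.out"], "alice.c")
    return fs["Bill"], fs["alice.out"]      # Bill untouched, output delivered


if __name__ == "__main__":
    print("ambient  :", ambient_system(), run_ambient())
    print("capability:", capability_system(), run_capability())
```

Running it reports `{('Alice', 'write', 'Bill')}` for the name-taking compiler and an empty set for the capability-taking one, which is the definition in the post made mechanical: the system is insecure exactly when `excess_authority` is non-empty, and the fix is not to trust Alice more but to stop Carol's authority from being exercised on her behalf.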
