[cap-talk] (no subject)
Karp, Alan H
alan.karp at hp.com
Sat Feb 2 18:13:12 EST 2008
ross mcginnis wrote:
>
> Confused Deputy : Caps v's Identity access control-
The essence of the confused deputy is the separation of designation and authorization. Whether or not the file names are unguessable (making them password caps) is irrelevant. I'll rephrase Norm Hardy's example to see if that helps.
Bob compiles programs for money. To keep track of that, he keeps a billing file, call it log. Alice is a client of Bob's and is granted read permission to the log so she can track her spending. When Alice invokes Bob's service, she provides the name of an input file and the name of an output file. Bob's code might be
    void compile(in, out) {
        log.append();              // Bob's own billing file, written with Bob's authority
        out.write(cc(in.read()));  // "out" is whatever name Alice supplied
    }
Bob is expecting Alice to say "compile foo.c a.out". The confused deputy arises when Alice says "compile foo.c log". The result is that Bob uses his write permission to replace the contents of the log file with the output of the compiler. Note that Alice has a legitimate need to know the name of the log file, so making it unguessable doesn't help.
Bob could check to make sure Alice didn't specify the log file, but the program might have been written before it was decided that Alice should be able to see the log. See Norm Hardy's description at http://cap-lore.com/CapTheory/ConfusedDeputy.html for more detail.
Now it should be clear that the problem arises from Alice's ability to designate something, the log file, without needing to attach specific rights to it. If she were forced to do that, then the log file would be safe because Alice only has read permission. Because capabilities necessarily combine designation with authorization, the problem cannot arise. For example, Bob's program could take file handles instead of file names. Alice would say "compile <foo.c >log". In that case, the log file is safe because Alice does not have permission to open log for writing.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
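The two versions of Bob's compiler from the post above, as an added runnable example that is not part of the original message: the name-based service opens whatever path Alice designates with Bob's own write authority, so "compile foo.c log" clobbers the billing file; the capability version takes open file objects, and Alice's read-only handle to the log cannot be written. The file layout, the stand-in compiler `cc`, and the helper `alice_scenario` are assumptions made for the demonstration.

```python
import io
import os
import tempfile


def cc(source: str) -> str:
    """Stand-in for the compiler: just tags the source as compiled."""
    return "compiled:" + source


def name_based_compile(log_path: str, in_path: str, out_path: str) -> None:
    """Bob's service as written in the post: every file is opened by name,
    using Bob's own (ambient) authority, including whatever Alice named as output."""
    with open(log_path, "a") as log:
        log.write("compile " + os.path.basename(in_path) + "\n")
    with open(in_path) as src, open(out_path, "w") as out:  # out_path may be the log
        out.write(cc(src.read()))


def capability_compile(log, in_file, out_file) -> None:
    """Same service with designation and authority combined: Bob receives open
    file objects from Alice and never opens anything by name on her behalf."""
    log.write("compile " + os.path.basename(in_file.name) + "\n")
    out_file.write(cc(in_file.read()))  # fails if Alice could only open it for reading


def alice_scenario(use_capabilities: bool) -> str:
    """Alice asks Bob to compile foo.c with the log as output (constructed setup);
    returns the log's final contents so the two designs can be compared."""
    with tempfile.TemporaryDirectory() as d:
        log_path = os.path.join(d, "log")
        src_path = os.path.join(d, "foo.c")
        with open(log_path, "w") as f:
            f.write("alice: 3 compiles\n")
        with open(src_path, "w") as f:
            f.write("int main(){}")
        if not use_capabilities:
            name_based_compile(log_path, src_path, log_path)  # "compile foo.c log"
        else:
            # Alice holds only a read handle to the log; that is all she can pass as "out".
            with open(log_path, "a") as bob_log, open(src_path) as src, open(log_path) as alice_log:
                try:
                    capability_compile(bob_log, src, alice_log)
                except io.UnsupportedOperation:
                    pass  # the read-only handle refuses the write; the log is intact
        with open(log_path) as f:
            return f.read()
```

With names, the billing record is replaced by compiler output; with handles, the log keeps its contents plus Bob's own appended entry.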