[cap-talk] Loss of control (was: Re: A paper on web-keys)

Toby Murray toby.murray at comlab.ox.ac.uk
Sun Feb 3 04:57:56 EST 2008


On Sat, 2008-02-02 at 21:14 -0800, Mark Miller wrote:
> On Feb 2, 2008 4:58 PM, David Hopwood
> <david.hopwood at industrial-designers.co.uk> wrote:
> > Alan Karp had written:
> >  > [...]  Actually, I was thinking along the lines of an additional, non-ocap
> >  > check. [...] For example, "This capability can only be used by clients in
> >  > my domain."
> >
> 
> > [...] As I replied to Sandro, the main
> > issue is that:
> >
> >    "If the domain restriction [mentioned by Alan Karp] prevents any attacks,
> >     then confused deputies in the domain become possible vectors for those
> >     attacks."
> >
> > Conversely, if there are no attacks prevented by the domain restriction,
> > then it is providing no security benefit.
> 
> This puts the point more clearly than I've ever been able to. Thanks!
> 
> > Does this clarify the issue sufficiently? If it doesn't, I will try to come
> > up with a more concrete example.
> 
> Concrete examples always help. I suspect they'd help a lot here. ;)

Confused Deputy vulnerabilities are possible whenever capability
possession is not sufficient for access. In these cases, ambient
authority necessarily exists and thus opens up the possibility of
confused deputies. The deputy cannot know whose authority it is using on
behalf of its client if there is the possibility that the deputy is
using ambient authority to access whatever resource the client has
designated.

In a hybrid system, the deputy is necessarily using ambient authority
when it exercises the cap passed to it by its client and is thus totally
confusable.
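To make the dilemma concrete, here is an added toy model (it is not code from the cap-talk thread or from any of the posters; all names such as Capability, check_access and Deputy are hypothetical). The hybrid check consults something besides the capability, namely the caller's domain. The constructed scenario then shows that exactly the direct requests the domain restriction blocks are the ones that succeed when the same capability is handed to a deputy running inside the domain, and that with a pure ocap check the restriction blocks nothing.

```python
# Added example, not from the cap-talk post: a model of the hybrid
# "capability plus domain check" scheme discussed in the thread.
# All names are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference to a resource. `domain` is the extra non-ocap
    restriction from the thread: None means pure ocap (possession suffices),
    otherwise only callers in that domain may exercise the capability."""
    resource: str
    domain: Optional[str] = None


def check_access(cap: Capability, caller_domain: str) -> bool:
    """Reference monitor decision. In the hybrid variant it consults the
    caller's domain, which is ambient authority from the caller's point of
    view: it is not something the caller was explicitly handed."""
    if cap.domain is None:
        return True  # pure ocap: holding the reference is the authority
    return caller_domain == cap.domain


class Deputy:
    """A service running in `domain` that acts on whatever resource a client
    designates by passing it a capability (a copy or print service, say).
    It cannot tell whether the check passed because of the client's authority
    or because of its own domain membership."""

    def __init__(self, domain: str):
        self.domain = domain

    def act_for_client(self, cap: Capability) -> bool:
        # The deputy's own domain is used implicitly in the check.
        return check_access(cap, self.domain)


def direct_attempt(cap: Capability, caller_domain: str) -> bool:
    """Does the restriction allow a caller in caller_domain to use the cap directly?"""
    return check_access(cap, caller_domain)


def via_deputy(cap: Capability, deputy: Deputy) -> bool:
    """The same request routed through a deputy the caller can talk to.
    The caller's own domain never enters the check; the deputy's does."""
    return deputy.act_for_client(cap)


def dilemma(cap: Capability, caller_domain: str, deputy: Deputy) -> dict:
    """Summarise the point made in the thread for one capability:
    prevented   - the domain restriction blocks the direct request
    deputy_hole - that blocked request succeeds when laundered through the deputy
    Whenever prevented is True, deputy_hole is True as well (the restriction
    has turned the deputy into a vector); when prevented is False, the
    restriction contributed nothing."""
    blocked = not direct_attempt(cap, caller_domain)
    laundered = via_deputy(cap, deputy)
    return {"prevented": blocked, "deputy_hole": blocked and laundered}


if __name__ == "__main__":
    corp_deputy = Deputy("corp")
    hybrid_cap = Capability("/srv/payroll.csv", domain="corp")  # constructed
    pure_cap = Capability("/srv/payroll.csv")                   # constructed
    print(dilemma(hybrid_cap, "outside", corp_deputy))
    print(dilemma(pure_cap, "outside", corp_deputy))
```

Running it prints a `prevented: True, deputy_hole: True` pair for the domain-restricted capability and `False, False` for the pure ocap one: the restriction either creates a confused deputy or does nothing. The model is deliberately small; the only design choice that matters is that check_access reads state the caller did not pass in.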
