[cap-talk] (no subject)
ross mcginnis
ross_mcginnis at hotmail.com
Sun Feb 3 12:21:40 EST 2008
> From: ross_mcginnis at hotmail.com
> To: cap-talk at mail.eros-os.org
> Date: Sun, 3 Feb 2008 08:12:45 +1000
> Subject: Re: [cap-talk] (no subject)
>
>
.....
> Confused Deputy : Caps vs Identity access control-
> The way I've often seen the confused deputy problem presented draws the conclusion that the deputy is confused due to an inherent limitation within any identity based access control mechanism.
> But the confused deputy problem already implicitly uses a capability control mechanism along with an identity based access control mechanism. The capability controls used are password caps, ie: the file system uses visible publicly transferable references - it names the files. The identity controls used are ACLs, ie: each file lists those users/groups/others that can access it.
> In the confused deputy problem it appears to me that it is not the authority by identity part that fails but rather the authority by caps. ie: People are blaming the wrong access mechanism for the failure- the identity bit works fine, it is the way that the caps are handled that causes the problem.
> I say this because -as regularly pointed out- if the user was required to pass the compiler an object-cap then the problem would never occur. ie: if the user was forced to upgrade the file-name (a password cap) to a file-descriptor (an object cap) by calling open("filename", tags) themselves and handed the deputy the resulting file-descriptor then the deputy would never be confused.
>
> Thus it appears to me that the deputy's confusion is due to the fact that the user passes a password-cap instead of an object-cap; it is not a failing of the identity access control per se.
>
Hmm, I've just re-read my above email and I have realised that I didn't do a very good job trying to explain my argument. I shall give an example to help explain my point:
Storeman Deputy Darrence is in charge of the chemical store at a farm. Unfortunately Deputy Darrence is a bit of a chemical dunce and doesn't know which chemicals may safely be stored with which. So to make it safe an identity control system was implemented. The system works thus:
Each chemical has a list of employees attached who are allowed to ask Darrence to store that chemical. If two chemicals are reactive then any person listed on one reactant's access list is never listed on the other reactant- except Darrence- he has to be able to access all of the chemicals and is listed on each one so that he can perform his job*. Outside his store door is a machine that verifies that the identity of the person presenting the object is listed on the object's access list.
Now malicious Mallory is listed on the bag of ammonium nitrate fertilizer, so consequently she is not listed on the drum of spray oil because these two chemicals are explosively reactive.
case 1: objects themselves are used, and not references (ie: physically handover the chemicals, don't name the chemicals)
Mallory physically hands a bag of ammonium nitrate and a drum of spray oil to Deputy Darrence and asks him to store them. Since he is physically presented the objects by Mallory he stores the fertilizer but not the oil because Mallory is verified by the machine as being on one list but not the other. Result : safe storage.
case 2: a reference to an object is used (ie: a name is used), not all chemicals are physically presented to Darrence by someone.
A new delivery of farm supplies has arrived containing a drum of spray oil. Mallory leaves instructions on the to-do joblist for Darrence to go to the truck to collect and store the "spray oil" (here a reference is used- ie, the name "spray oil"). In this case Darrence isn't physically presented the object by an employee, thus he resorts to using his own identity to store it. She also physically presents him a bag of fertilizer which he stores since the machine verifies it because she is listed. Result : confusion->unsafe storage, explosion occurs.
Now the difference between successful storage and unsuccessful storage is that the unsuccessful storage used a reference while successful storage used only the objects themselves, ie: references are the cause of confusion.
References are caps by the general definition of caps. Thus I claim that it is the use of caps that caused the problem.
Furthermore, we know that if an object-cap system was used then the confusion never occurs. So we asked ourselves, "What is the difference between case 2 and object-caps?", and the difference is that the chemical reference names used are password caps.
Thus it is specifically the use of password caps that caused the access control failure and not the identity access control system per se. The separation of designation and authorization results from the use of a password cap.
(A note about file systems : Admittedly, a file system is useless if you can't use references. If you can't use references and can only use objects, then to retrieve a copy of a file you must already have a copy of the file. Consequently you must use references (caps). But caps in a file-system are almost always password caps, since the name is normally required to be easily seen and exchanged without confinement. Thus you *must* upgrade the file-name password-cap to an object-cap such as a file-descriptor to achieve access control.)
*This system is very artificial: To be effective it must prevent anyone else from storing the reactive partner of a chemical, thus in a reactive pair, one reactant may have employees listed, but the list on the other should be empty of employees. Once it is empty of people besides Darrence, Darrence himself no longer needs access, so safety is achieved if it is completely empty (ie: not even Darrence can access it). I acknowledge how manipulated the above cases are but I just made this example scheme up to demonstrate my belief that there is a difference with respect to authority between an object (which has a control list attached) and a reference to that object (where the reference itself doesn't have a control list attached, but rather the object that it references).
Thanks (I hope this example helped explain my argument)
ross
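A small Python model of the two storage cases in the post, added here as an illustration and not code from the original message or the cap-talk list. The ACL entries, the `Handle` class and the deputy functions are all constructed; `deputy_store_by_name` plays case 2 (the deputy checks the ACL against his own identity), while `open_object` plus `deputy_store_by_handle` plays the object-cap discipline where the requester must upgrade the name herself.

```python
# Constructed simulation of the storeman example (not code from the post):
# ACL-protected objects, a deputy acting under his own identity, and two
# ways a requester can designate an object: by name (a password cap) or by
# a handle returned from an ACL-checked open (an object cap).
ACL = {  # constructed ACLs; the store-keeper is on every list to do his job
    "fertilizer": {"darrence", "mallory"},
    "spray_oil": {"darrence"},  # reactive partner: mallory deliberately excluded
}

class Handle:
    """Unforgeable reference minted only by open_object(); the ACL decision
    is made once, against the opener, when the handle is created."""
    def __init__(self, name, opened_by):
        self.name, self.opened_by = name, opened_by

def acl_allows(name, identity):
    return identity in ACL.get(name, set())

def open_object(name, identity):
    """Upgrade a name (password cap) to a Handle (object cap) as `identity`."""
    if not acl_allows(name, identity):
        raise PermissionError(f"{identity} is not on the ACL for {name}")
    return Handle(name, identity)

def deputy_store_by_name(name, requester="mallory", deputy="darrence"):
    """Case 2: the request carries only a name, so the deputy resolves it with
    his OWN identity; the requester's authority never enters the check."""
    if acl_allows(name, deputy):
        return f"stored {name} (ACL checked against {deputy}, not {requester})"
    return f"refused {name}"

def deputy_store_by_handle(handle):
    """Object-cap discipline: only a Handle is accepted, and whoever minted it
    already passed the ACL check as themselves."""
    return f"stored {handle.name} (authority came from {handle.opened_by})"

def run_case2():
    # Mallory names both chemicals; the deputy stores both, including the oil.
    return [deputy_store_by_name(n) for n in ("fertilizer", "spray_oil")]

def run_object_cap_case():
    # Mallory must mint each handle herself; spray oil fails at open time.
    results = []
    for name in ("fertilizer", "spray_oil"):
        try:
            results.append(deputy_store_by_handle(open_object(name, "mallory")))
        except PermissionError as exc:
            results.append(f"refused: {exc}")
    return results
```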