[cap-talk] Confused deputies in hybrid systems (was: Loss of control)

Karp, Alan H alan.karp at hp.com
Mon Feb 4 01:11:07 EST 2008


David Hopwood wrote:
>
> Alice creates a document which contains FooCo proprietary information,
> and puts it on the web server marked as only readable by FooCo logins.
> She also writes an email about the collaborative project, which is
> mostly fine for BarCo employees to read, but also contains a YURL to
> the document. She reasons (incorrectly, but plausibly), that it is
> okay to send this email to the list because the login check will only
> allow the document to be accessed by FooCo employees.
>
Interesting example.  It's almost exactly the situation that caused HP to announce its quarterly results a couple of days ahead of schedule last year.  The only difference is that the proprietary data was in the email, not on a web page.  Had that data been on a web page behind the firewall, there would have been no leak.  The choice is between hoping that employees never make such a mistake and having a mechanism in place to protect you when they do.  That's the essence of VOC.

The check that I proposed cut off access if the invoker wasn't in my domain.  (Note that I never suggested that the check could add privileges, as in some of the discussion on this thread.)  In the absence of the ability to keep YURLs from leaking outside the domain, as in your email example, not letting them back in might be useful.

I'm having trouble seeing how a strict reduction of authority can lead to a confused deputy.  If the filter (Horton or non-cap) allows access, the invocation involves only capabilities.  If the filter blocks the request, there is no invocation, so there can't be a deputy to be confused.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
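The scenario in the exchange above, as an added example that is not code from the post or its author: a document reachable only through an unguessable capability URL (a YURL), fronted by the kind of filter Karp describes, one that refuses the invocation when the invoker is outside the owner's domain and otherwise forwards it unchanged. The host name, the domain names and the way the invoker's domain is established (an authenticated login, stood in for here by a plain parameter) are assumptions of the example.

```python
# Added example, not code from the cap-talk post or its author.  It models
# the situation in the thread: a document reachable only by the secret
# token in its capability URL ("YURL"), plus a filter that cuts off access
# when the invoker is not in the owner's domain.  How the invoker's domain
# is established (an authenticated login) is assumed; it is a parameter here.
import secrets


class CapabilityStore:
    """Resources are reachable only through the token in their YURL."""

    def __init__(self):
        self._resources = {}  # token -> (owner_domain, body)

    def mint(self, owner_domain, body):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
        self._resources[token] = (owner_domain, body)
        return f"https://docs.example/cap/{token}"  # hypothetical host

    def invoke(self, yurl):
        """Pure capability semantics: the token is the only authority."""
        token = yurl.rsplit("/", 1)[-1]
        entry = self._resources.get(token)
        return entry[1] if entry else None


def domain_filter(store, owner_domain):
    """Wrap store.invoke with the domain check from the post.

    The wrapper has exactly two outcomes: deny, in which case no invocation
    happens at all (so there is no deputy to confuse), or forward the very
    same invocation to the store.  It never adds authority: without a valid
    YURL the inner call still returns None whatever the invoker's domain.
    """
    def filtered_invoke(yurl, invoker_domain):
        if invoker_domain != owner_domain:
            return None  # strict reduction of authority; nothing is invoked
        return store.invoke(yurl)  # unchanged capability invocation
    return filtered_invoke


def run_scenario():
    """Alice (FooCo) publishes the document; its YURL leaks to BarCo."""
    store = CapabilityStore()
    fooco = "fooco.example"  # assumed domain names
    barco = "barco.example"
    body = "FooCo proprietary figures (constructed sample)"
    leaked_yurl = store.mint(fooco, body)  # ends up in the mailing-list email
    access = domain_filter(store, fooco)
    # A FooCo login that never received the YURL: a random token of the
    # same shape, which the store does not know.
    guessed_yurl = "https://docs.example/cap/" + secrets.token_urlsafe(32)
    return {
        "barco_with_leaked_yurl": access(leaked_yurl, barco),   # blocked
        "fooco_with_leaked_yurl": access(leaked_yurl, fooco),   # allowed
        "fooco_without_yurl": access(guessed_yurl, fooco),      # still denied
        "unfiltered_store": store.invoke(leaked_yurl),          # the leak
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result!r}")
```

The last entry shows what happens with no filter at all: the leaked YURL alone reads the document from anywhere, which is the loss the thread is about. The third entry is the other half of Karp's point: the filter only ever narrows what a capability invocation can do, so a FooCo login without the YURL gains nothing from it. The check is only as good as the domain determination feeding it; if that comes from an unauthenticated header, the filter reduces nothing.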
