[cap-talk] Confused deputies in hybrid systems (was: Loss of control)

Jed Donnelley capability at webstart.com
Mon Feb 4 04:07:00 EST 2008


At 10:11 PM 2/3/2008, Karp, Alan H wrote:
>David Hopwood wrote:
> >
> > Alice creates a document which contains FooCo proprietary information,
> > and puts it on the web server marked as only readable by FooCo logins.
> > She also writes an email about the collaborative project, which is
> > mostly fine for BarCo employees to read, but also contains a YURL to
> > the document. She reasons (incorrectly, but plausibly), that it is
> > okay to send this email to the list because the login check will only
> > allow the document to be accessed by FooCo employees.

I can explain how I imagine this example to work with Horton,
in case that might help.

When Alice sends her message to Bob (the BarCo employee)
through the Horton tunnel (either VOC or because Alice is
confined to use Horton tunnels) the label on the capability
that Bob receives is transformed by Horton to indicate the
delegation from Alice to Bob.  Now when Bob tries to read
the object that contains FooCo proprietary information,
Horton's PDP checks whether the access should be allowed.
Since in this case Bob isn't a FooCo employee and the
object is labeled as FooCo sensitive, Horton denies
the request.

Just to pursue the Confused Deputy example a bit,
if Bob were to re-delegate the capability to the
FooCo sensitive "file" to another FooCo employee,
Carol, then Carol's efforts to access the file
must be denied by Horton.

I consider this the right thing to do, not
an "illegitimate" denial of access, as I'm
wildly guessing MarkM might have thought of
it.

--Jed  http://www.webstart.com/jed-signature.html 
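
[Editor's note: the following is an added illustration of the delegation-chain
check described in Jed's message. It is not Horton's code and not from the
original post; the names (Principal, Document, Capability, delegate,
pdp_allows, login_check_only) and the shape of the provenance label are
assumptions made for the example. It also shows, beside the provenance-aware
check, the login-only check Alice relied on, so the two decisions can be
compared on the same delegation chain.]

```python
"""A small model of a hybrid capability/ACL policy decision point (PDP) that
keeps a delegation-provenance label on every capability, in the spirit of the
Horton discussion above.  Added illustration for this page, not Horton's own
code; the names (Principal, Document, Capability, delegate, pdp_allows,
login_check_only) are assumptions made for the example."""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    org: str


@dataclass(frozen=True)
class Document:
    name: str
    restricted_to: Optional[str]  # org whose login check guards it; None = public


@dataclass(frozen=True)
class Capability:
    target: Document
    # Provenance label: creator first, current holder last.  Each hop through
    # a Horton-style tunnel appends the receiver, so the chain records every
    # delegation the capability has been through.
    chain: Tuple[Principal, ...]


def delegate(cap: Capability, sender: Principal, receiver: Principal) -> Capability:
    """Tunnel transformation applied when `sender` passes `cap` to `receiver`."""
    if cap.chain[-1] != sender:
        raise PermissionError(f"{sender.name} does not hold this capability")
    return Capability(cap.target, cap.chain + (receiver,))


def login_check_only(cap: Capability, requester: Principal) -> bool:
    """The naive check Alice relied on: look only at who presents the capability."""
    doc = cap.target
    return doc.restricted_to is None or requester.org == doc.restricted_to


def pdp_allows(cap: Capability, requester: Principal) -> Tuple[bool, str]:
    """Provenance-aware PDP: every principal the capability passed through
    must satisfy the object's restriction, not just the final requester."""
    if cap.chain[-1] != requester:
        return False, f"{requester.name} is not the current holder"
    org = cap.target.restricted_to
    if org is None:
        return True, "object is unrestricted"
    for hop in cap.chain:
        if hop.org != org:
            return False, f"delegation passed through {hop.name} of {hop.org}"
    return True, f"every principal in the chain belongs to {org}"


def run_scenario() -> dict:
    """Constructed scenario: Alice (FooCo) mails a YURL to Bob (BarCo);
    Bob re-delegates it to Carol (FooCo); Alice also hands one to Dave (FooCo)."""
    alice = Principal("Alice", "FooCo")
    bob = Principal("Bob", "BarCo")
    carol = Principal("Carol", "FooCo")
    dave = Principal("Dave", "FooCo")
    doc = Document("project-notes", restricted_to="FooCo")

    cap_alice = Capability(doc, (alice,))
    cap_bob = delegate(cap_alice, alice, bob)      # the YURL in the email to the list
    cap_carol = delegate(cap_bob, bob, carol)      # Bob re-delegates to Carol
    cap_dave = delegate(cap_alice, alice, dave)    # direct FooCo-to-FooCo delegation

    return {
        "bob_login_only": login_check_only(cap_bob, bob),
        "bob_pdp": pdp_allows(cap_bob, bob)[0],
        "carol_login_only": login_check_only(cap_carol, carol),  # naive check lets her in
        "carol_pdp": pdp_allows(cap_carol, carol)[0],            # provenance check denies
        "carol_reason": pdp_allows(cap_carol, carol)[1],
        "dave_pdp": pdp_allows(cap_dave, dave)[0],
        "bob_using_carols_cap": pdp_allows(cap_carol, bob)[0],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the two checks make side by side: a login check on the requester
alone admits Carol, because she really is a FooCo employee, while the
provenance-aware PDP denies her because the label on her capability records
that it passed through Bob at BarCo. Dave, who received his capability
directly from Alice, is admitted by both checks.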


