[cap-talk] Confused Deputies arising from object capabilities

Karp, Alan H alan.karp at hp.com
Mon Feb 4 11:36:57 EST 2008


Jed wrote:
>
> it seems quite easy to choose access control policies
> to impose inside Horton tunnels that will result
> in Confused Deputies.  I argue there that any policy
> that doesn't restrict access for a delegatee to be
> less than or equal to the minimum access for any
> delegatee along the delegation chain will result
> in the potential for Confused Deputies.
>
I also believe that a confused deputy cannot arise if the policy enforcement involves only strict reduction in rights.  However, there may be other cases that are safe.

Consider the classic case.  Bob compiles programs and keeps a billing log.  Alice wants a program compiled.  If we're using capabilities, Alice cannot confuse Bob into putting the compiler output into the log file.  Now let's say that Bob keeps a separate log for each customer.  The Horton tunnel knows who is making the request and can provide Bob with the authority to write to the correct log file.  I believe this procedure is safe, even though it is not a strict reduction in authority.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
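The compiler-and-billing-log scenario from the message above, as an added illustration that is not code from the cap-talk thread or from Horton. It contrasts an ambient-authority compiler, which Alice can confuse into clobbering the billing log by naming it as her output file, with a capability-passing compiler behind a per-customer tunnel endpoint that attaches the right log capability based on the caller's identity. The classes Store, ReadCap, WriteCap, AmbientCompiler, CapCompiler and Tunnel, the file paths, and the in-memory file store are assumptions made for the demo.

```python
"""Confused-deputy demo: ambient-authority compiler vs capability-passing one.

Added illustration, not code from the cap-talk thread or from Horton.  All
class names, paths and the in-memory store are assumptions for the demo.
"""


class Store:
    """Toy in-memory filesystem (constructed for the demo)."""

    def __init__(self):
        self.files = {}

    def read(self, path):
        return self.files[path]

    def write(self, path, data):
        self.files[path] = data

    def append(self, path, data):
        self.files[path] = self.files.get(path, "") + data


# ---- 1. Ambient authority: Bob resolves names himself, so Alice can confuse him

class AmbientCompiler:
    """Bob runs with authority over every path; callers supply only strings."""

    BILLING_LOG = "/bob/billing.log"

    def __init__(self, store):
        self.store = store

    def compile(self, source_path, output_path):
        src = self.store.read(source_path)
        self.store.append(self.BILLING_LOG, "charge for " + source_path + "\n")
        # Bob cannot tell whether output_path is Alice's file or his own log:
        # the name is resolved with Bob's authority, not Alice's.
        self.store.write(output_path, "compiled(" + src + ")")


def run_ambient_attack():
    """Alice names Bob's log as her output file; the log is overwritten."""
    store = Store()
    store.write("/bob/billing.log", "charge for /carol/x.c\n")  # earlier record
    store.write("/alice/prog.c", "int main(){}")
    AmbientCompiler(store).compile("/alice/prog.c", AmbientCompiler.BILLING_LOG)
    return store.read("/bob/billing.log")


# ---- 2. Capabilities: designation carries authority, so no confusion is possible

class ReadCap:
    """Unforgeable read authority to exactly one file."""

    def __init__(self, store, path):
        self._store, self._path = store, path

    def read(self):
        return self._store.read(self._path)


class WriteCap:
    """Unforgeable write/append authority to exactly one file."""

    def __init__(self, store, path):
        self._store, self._path = store, path

    def write(self, data):
        self._store.write(self._path, data)

    def append(self, data):
        self._store.append(self._path, data)


class CapCompiler:
    """Bob holds no file authority of his own; every file arrives as a cap."""

    def compile(self, src, out, log):
        log.append("charge for a compile\n")
        out.write("compiled(" + src.read() + ")")  # only the cap Alice handed over


class Tunnel:
    """Tunnel-style intermediary: it fixes the caller's identity when handing
    out an endpoint and supplies that customer's log cap on every call."""

    def __init__(self, compiler, logs_by_customer):
        self.compiler = compiler
        self.logs = logs_by_customer

    def endpoint_for(self, customer):
        log = self.logs[customer]  # chosen by identity, never by a caller string

        def compile(src, out):
            self.compiler.compile(src, out, log)
        return compile


def run_capability_version():
    """Alice and Carol each compile; each reaches only files they hold caps for."""
    store = Store()
    store.write("/alice/prog.c", "int main(){}")
    store.write("/carol/x.c", "int f(){}")
    tunnel = Tunnel(CapCompiler(), {
        "alice": WriteCap(store, "/bob/logs/alice.log"),
        "carol": WriteCap(store, "/bob/logs/carol.log"),
    })
    # Alice's environment holds only an endpoint bound to her identity and the
    # two caps below; she was never handed a cap to /bob/logs/*, so she has no
    # way to designate a log as her output, let alone someone else's log.
    alice_compile = tunnel.endpoint_for("alice")
    alice_compile(ReadCap(store, "/alice/prog.c"), WriteCap(store, "/alice/prog.out"))
    carol_compile = tunnel.endpoint_for("carol")
    carol_compile(ReadCap(store, "/carol/x.c"), WriteCap(store, "/carol/x.out"))
    return dict(store.files)
```

The added log capability in the second version is extra authority that the requester never held, so it is not a strict reduction along the delegation chain; it is still safe because the tunnel, not the requester, decides which log it is.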