[cap-talk] Confused deputies in hybrid systems (was: Loss of control)
Toby Murray
toby.murray at comlab.ox.ac.uk
Mon Feb 4 12:02:26 EST 2008
On Mon, 2008-02-04 at 16:51 +0000, Karp, Alan H wrote:
> Toby Murray wrote:
> >
> > Bob delegates it to some service that IS in the domain. The service may
> > incorrectly use this capability on Bob's behalf, since the capability is
> > more powerful in the hands of the service than it is in Bob's.
> >
> > This service is potentially confusable.
> >
> In other words, such a capability can't be allowed to re-enter the domain, even as a parameter.
So we have the Horton PDP implement two restrictions:
- block the invocation of caps marked for use in the domain if they are
used by someone outside of the domain
- forbid anyone outside the domain from delegating these caps back into
the domain
Wouldn't it be easier to start with the caps IN the domain and have
Horton just enforce that they cannot be delegated outside the domain?
Imposing limits on who may delegate a capability to whom may be less
susceptible to confused deputy vulnerabilities than imposing
restrictions on who may invoke a capability.
Cheers
Toby
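As an added illustration, not part of the original thread, the following toy model compares the policies discussed above. It is constructed code, not Horton or any cap-talk participant's implementation: a reference monitor that sees every delegation and invocation (as a Horton-style PDP would), a capability "marked for use in" a domain, and a scenario in which Alice (inside) delegates the cap to Bob (outside), who hands it back to an in-domain service that then invokes it. The policy names ("none", "invoke-only", "invoke+reentry", "no-export"), principals and the "payroll-db" target are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str  # assumption: every principal belongs to exactly one domain


@dataclass(frozen=True)
class Capability:
    target: str      # the object the capability designates
    marked_for: str  # the domain this cap is "marked for use in"


class Denied(Exception):
    """Raised when the PDP refuses a delegation or invocation."""


class HortonPDP:
    """Toy policy decision point mediating all delegations and invocations.

    Policies (hypothetical names):
      "none"            no restriction at all (baseline)
      "invoke-only"     Alan's first restriction alone: outsiders may not invoke
      "invoke+reentry"  Alan's two restrictions: no outsider invocation, and
                        outsiders may not delegate the cap back into the domain
      "no-export"       Toby's alternative: the cap may never be delegated
                        to anyone outside the domain in the first place
    """

    def __init__(self, policy: str):
        self.policy = policy
        # Who currently holds which capability (the PDP's provenance record).
        self.holders: Set[Tuple[Capability, Principal]] = set()

    def grant(self, p: Principal, cap: Capability) -> None:
        """Initial issue of the cap to a principal inside its marked domain."""
        if p.domain != cap.marked_for:
            raise Denied(f"initial holder {p.name} is outside {cap.marked_for}")
        self.holders.add((cap, p))

    def delegate(self, src: Principal, dst: Principal, cap: Capability) -> None:
        if (cap, src) not in self.holders:
            raise Denied(f"{src.name} does not hold {cap.target}")
        inside_src = src.domain == cap.marked_for
        inside_dst = dst.domain == cap.marked_for
        if self.policy == "no-export" and not inside_dst:
            raise Denied(f"{cap.target} may not leave {cap.marked_for}")
        if self.policy == "invoke+reentry" and not inside_src and inside_dst:
            raise Denied(f"{src.name} may not delegate {cap.target} back in")
        self.holders.add((cap, dst))

    def invoke(self, p: Principal, cap: Capability) -> str:
        if (cap, p) not in self.holders:
            raise Denied(f"{p.name} does not hold {cap.target}")
        if self.policy in ("invoke-only", "invoke+reentry") and p.domain != cap.marked_for:
            raise Denied(f"{p.name} is outside {cap.marked_for}")
        return f"{p.name} used {cap.target}"


def run_scenario(policy: str) -> Dict[str, str]:
    """Replay the thread's scenario under one policy; "ok" or "denied" per step."""
    pdp = HortonPDP(policy)
    alice = Principal("alice", "corp")        # inside the domain
    bob = Principal("bob", "outside")         # outside the domain
    service = Principal("service", "corp")    # the potentially confusable deputy
    cap = Capability("payroll-db", "corp")    # constructed sample capability
    pdp.grant(alice, cap)
    steps = [
        ("alice->bob", lambda: pdp.delegate(alice, bob, cap)),
        ("bob invokes", lambda: pdp.invoke(bob, cap)),
        ("bob->service", lambda: pdp.delegate(bob, service, cap)),
        # If this succeeds, the service has exercised Bob's cap with its own
        # in-domain authority: the confused deputy the thread worries about.
        ("service invokes for bob", lambda: pdp.invoke(service, cap)),
    ]
    outcome: Dict[str, str] = {}
    for label, action in steps:
        try:
            action()
            outcome[label] = "ok"
        except Denied:
            outcome[label] = "denied"
    return outcome


def confused_deputy_possible(policy: str) -> bool:
    return run_scenario(policy)["service invokes for bob"] == "ok"


if __name__ == "__main__":
    for pol in ("none", "invoke-only", "invoke+reentry", "no-export"):
        print(pol, run_scenario(pol), "confusable:", confused_deputy_possible(pol))
```

Running it shows the shape of the argument: blocking invocation by outsiders alone ("invoke-only") still lets Bob route the cap through the service, so the re-entry rule is needed as a second check; "no-export" needs only one check at the delegation step, and every later step fails simply because Bob never holds the cap.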