[cap-talk] Confused Deputies arising from object capabilities

Jed Donnelley capability at webstart.com
Mon Feb 4 12:51:40 EST 2008


At 08:36 AM 2/4/2008, Karp, Alan H wrote:
>Jed wrote:
> >
> > it seems quite easy to choose access control policies
> > to impose inside Horton tunnels that will result in
> > Confused Deputies.  I argue there that any policy
> > that doesn't restrict access for a delegatee to be
> > less than or equal to the minimum access for any
> > delegatee along the delegation chain will result
> > in the potential for Confused Deputies.
> >
>I also believe that confused deputy cannot arise if the policy 
>enforcement involves only strict reduction in rights.

I agree.  This relates to the rights amplification example
that I gave separately.  If there is no such (or other)
authority increase resulting from the exercise of a
communicated capability, then it seems clear that the
deputy can't be confused.

>However, there may be other cases that are safe.

Here also I agree.  In fact, it seems to me that the
examples I've been discussing (proprietary information,
MLS, even a capability implemented ACL system) can all
be made to work without creating confused deputies as
long as they adhere to this property that delegation
shouldn't increase authority.

Suppose, for example, at some point neither Alice nor
Bob is on an ACL for access to an object handled with
a capability API (e.g. in Horton tunnels).  Alice sends
her capability in a message to Bob - through a Horton
tunnel.  At the point of this communication the capability
won't provide any service for either Alice or Bob.

Later we can have some state changes:

1.  Alice is added to the ACL.
2.  Bob is added to the ACL.
3.  Of course both Alice and Bob could be added to the ACL.

In the first case Alice will get access, but not Bob, both
because of the necessary property of the Horton PDP and
because Bob just shouldn't have access.

In the second case neither Alice nor Bob will get access
for the same reasons.

In the third case both Alice and Bob will get access.

I believe this scenario is not subject to confused deputies.
I would consider the above a "hybrid" situation, but perhaps
not?

>Consider the classic case.  Bob compiles programs and keeps a 
>billing log.  Alice wants a program compiled.  If we're using 
>capabilities, Alice cannot confuse Bob into putting the compiler 
>output into the log file.

Hmmm.  Suppose Alice has a capability to the log file that
she can't access because of some state kept by the server (e.g.
something in a Horton PDP).  Now Alice sends her capability to
Bob through a Horton tunnel.  Bob now receives a different capability.
If that different capability permits write access (which I argue
it shouldn't to avoid confused deputies), then Bob can be confused.

>Now let's say that Bob keeps a separate log for each customer.  The 
>Horton tunnel knows who is making the request and can provide Bob 
>with the authority to write to the correct log file.  I believe this 
>procedure is safe, even though it is not a strict reduction in authority.

Whew.  That would be pretty darn ACL of you Alan!  Still, I
also believe that it could be done safely - though it seems to
me to require considerable additional careful thought.  For
example, I don't know how the Horton tunnel would make the
identity information available to Bob.  Still, I suppose the
above is possible.  Wouldn't be my first choice for an
architecture ;-)

--Jed  http://www.webstart.com/jed-signature.html 
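A constructed model of the two delegation policies argued about in this thread (added here; not Horton's code and not from either poster): a PDP that grants a delegatee no more than the minimum access along the delegation chain, beside one that looks only at the requester. Object name "log", principals "Alice" and "Bob", and the three ACL state changes are taken from the scenario above; the class and method names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    obj: str
    chain: tuple[str, ...]  # original holder first, then each delegatee

    def delegate(self, to: str) -> Capability:
        # Sending the capability through the tunnel appends the recipient;
        # the chain is never shortened, so earlier holders stay visible.
        return Capability(self.obj, self.chain + (to,))


class PDP:
    """Policy decision point keyed on a per-object ACL that may change later."""

    def __init__(self) -> None:
        self.acl: dict[str, set[str]] = {}

    def add_to_acl(self, principal: str, obj: str) -> None:
        self.acl.setdefault(obj, set()).add(principal)

    def allowed_min_chain(self, cap: Capability, requester: str) -> bool:
        # Strict-reduction rule: access <= access of every principal in the chain.
        acl = self.acl.get(cap.obj, set())
        return requester == cap.chain[-1] and all(p in acl for p in cap.chain)

    def allowed_requester_only(self, cap: Capability, requester: str) -> bool:
        # Requester-only rule: a delegatee can gain access its delegator lacks,
        # which is the amplification that lets the deputy be confused.
        return requester == cap.chain[-1] and requester in self.acl.get(cap.obj, set())


def run_cases() -> dict[str, dict[str, tuple[bool, bool]]]:
    """For each later ACL change, return (alice_ok, bob_ok) under each policy."""
    results: dict[str, dict[str, tuple[bool, bool]]] = {}
    changes = {"alice_only": ["Alice"], "bob_only": ["Bob"], "both": ["Alice", "Bob"]}
    for name, added in changes.items():
        pdp = PDP()
        alice_cap = Capability("log", ("Alice",))
        bob_cap = alice_cap.delegate("Bob")  # sent while neither is on the ACL
        for p in added:  # the state change happens after delegation
            pdp.add_to_acl(p, "log")
        results[name] = {
            "min_chain": (pdp.allowed_min_chain(alice_cap, "Alice"),
                          pdp.allowed_min_chain(bob_cap, "Bob")),
            "requester_only": (pdp.allowed_requester_only(alice_cap, "Alice"),
                               pdp.allowed_requester_only(bob_cap, "Bob")),
        }
    return results


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(case, outcome)
```

Under the min-chain rule the three cases come out exactly as the message predicts (Alice only, neither, both); under the requester-only rule the "Bob added" case hands Bob access through a capability Alice herself could not use.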