[cap-talk] Confused deputies in hybrid systems (was: Loss of control)
Jonathan S. Shapiro
shap at eros-os.com
Mon Feb 4 14:04:04 EST 2008
On Mon, 2008-02-04 at 08:19 +0000, Toby Murray wrote:
> Suppose I'm in the domain and, hence, can use the capability. I delegate
> it to Bob who isn't in the domain -- he can't use it since he's not in
> the domain.
>
> Bob delegates it to some service that IS in the domain. The service may
> incorrectly use this capability on Bob's behalf, since the capability is
> more powerful in the hands of the service than it is in Bob's.
>
> This service is potentially confusable.
All:
This discussion seems greatly confused. That is: it seems self-evident
that it cannot possibly be correct.
You all apparently agree that a pure capability system is not subject to
the confused deputy. This is of course false. The use of capabilities as
an underlying permissions substrate does not preclude the presence of
buggy programs.
Provided that it requires capabilities to be designated (i.e. the
capability portion is not an ambient capability system), a hybrid system
(i.e. one intersecting capabilities and ACLs) is precisely as
unconfused as the system lacking the intersection restrictions. It is,
in fact, strictly less powerful than the pure system. In consequence, it
has precisely the same degree of inherent confusion as the pure
capability system.
The danger in a hybrid system does not lie in the intersection of a
second, orthogonal permissions system. It lies in the laziness of
programmers, who may come to pass capabilities promiscuously in the
mistaken belief that the ACL system is sufficient.
> In any case in which a service may get more authority than its client
> from a capability passed to it by its client, the service is potentially
> confusable.
Your statement confuses permission with authority. The service did not
get more authority than its client held. The client had sufficient
authority to pass the capability into the service domain. In
consequence, any authority granted thereby to the service already fell
within the client's authority BY DEFINITION.
Jonathan
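The three-party scenario in this thread (Toby inside the ACL domain, Bob outside it, a service inside it) can be replayed under both enforcement regimes. The following is an added example, not code from the thread or from any capability system its participants work on; the class names, the `domain` label, the `file`/`read` capability and the ACL table are assumptions made for the illustration. It runs the same delegation chain under a pure capability check and under the hybrid check that intersects possession with ACL membership, and reports who can invoke the capability in each case.

```python
# Added example: toy model of the scenario in the thread (Toby, Bob, a
# service) under a pure capability system and under a hybrid system that
# intersects capabilities with an ACL domain check. All names and the
# sample ACL are assumptions for illustration only.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    resource: str   # object the capability designates
    op: str         # operation it permits


@dataclass
class Principal:
    name: str
    domains: frozenset                      # ACL domains this principal is in
    caps: set = field(default_factory=set)  # capabilities currently held


class System:
    """acl maps a resource to the set of domains allowed to touch it.
    With hybrid=False the ACL is ignored: holding the capability decides.
    With hybrid=True both checks must pass (the intersection)."""

    def __init__(self, acl, hybrid):
        self.acl = acl
        self.hybrid = hybrid

    def may_invoke(self, who, cap):
        # Designation: the caller must actually hold the capability
        # (no ambient authority in either regime).
        if cap not in who.caps:
            return False
        # Intersection: in the hybrid system the caller's domain must also
        # appear on the resource's ACL.
        if self.hybrid:
            allowed = self.acl.get(cap.resource, frozenset())
            if not (who.domains & allowed):
                return False
        return True

    def delegate(self, src, dst, cap):
        # Delegation needs only possession; the ACL never gates passing a
        # capability, so it does not stop Bob handing it to the service.
        if cap not in src.caps:
            return False
        dst.caps.add(cap)
        return True


def reachable(system, principals):
    """Set of (principal, resource, op) triples the system would permit."""
    return {
        (p.name, c.resource, c.op)
        for p in principals
        for c in p.caps
        if system.may_invoke(p, c)
    }


def run_scenario(hybrid):
    """Replay the delegation chain and report who can use the capability."""
    cap = Capability("file", "read")                 # constructed sample
    acl = {"file": frozenset({"domain"})}            # constructed sample ACL
    sysm = System(acl, hybrid)

    toby = Principal("toby", frozenset({"domain"}), {cap})
    bob = Principal("bob", frozenset())              # outside the domain
    service = Principal("service", frozenset({"domain"}))

    sysm.delegate(toby, bob, cap)        # Toby delegates to Bob
    sysm.delegate(bob, service, cap)     # Bob delegates to the service

    return {
        "bob_direct": sysm.may_invoke(bob, cap),
        "service_for_bob": sysm.may_invoke(service, cap),
        "reachable": reachable(sysm, [toby, bob, service]),
    }


if __name__ == "__main__":
    pure, hybrid = run_scenario(False), run_scenario(True)
    print("pure:  ", pure)
    print("hybrid:", hybrid)
    # The intersection only removes permitted invocations; it adds none.
    assert hybrid["reachable"] <= pure["reachable"]
```

Under both regimes the service ends up holding the capability and can invoke it; what the hybrid check changes is only that Bob's own direct invocation is refused. The final subset assertion is the "strictly less powerful" point: the set of permitted invocations in the hybrid system is contained in the pure system's set.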