[cap-talk] Derivative rights
ross_mcginnis at hotmail.com
Mon Feb 4 19:02:58 EST 2008
> From: alan.karp at hp.com
> To: cap-talk at mail.eros-os.org
> Date: Mon, 4 Feb 2008 05:45:12 +0000
> Subject: Re: [cap-talk] (no subject)
> ross mcginnis wrote a bunch of stuff I didn't follow about storing chemicals:
I'll give a (hopefully) better example which is the exact analogy of the traditional confused deputy below. But first :
> The confused deputy problem is not possible if designation and authorization are combined, the defining characteristic of a capability. A file name is not a capability, password or otherwise, because it designates a file but does not authorize access to it.
This is the crux of the matter. To me it appears that *any* reference is a cap. In this case a file-name is a reference, thus it is a cap. BUT the question in this case is "What is the authorization that the file-name carries?". The file-name doesn't carry the authorization to access a file, but rather it carries the authority to *attempt* to access a file. This is a definite and distinct authorization.
For example: my computer has two user accounts: ross and mum. There is a file "/home/ross/Documents/taxnotes.txt" whose access permission is set so that only ross is able to read it. If I give this file-name to mum she can now call open("/home/ross/Documents/taxnotes.txt", tags). The fact that the file doesn't open doesn't detract from the right she has to attempt to open it. She has obviously been granted a definite right by being given this file-name -because- if I never gave her the name then she could never have made the attempt.
You could call this right a derivative right- it doesn't grant access to the base object, but it grants access to a right derived from the existence of the base object. Derivative rights are very common in everyday life: eg- share put/call options, first-refusal rights on the next lease, etc...
Ok, now for an example that is an exact analogy of the traditional confused deputy problem:
Deputy Darrence has landed a new job. He does the photocopying at a law firm. Most documents at the law firm are confidential, thus the partners of the firm have created an identity based access mechanism to control the use of the photocopying. This method works as follows:
Every piece of paper has a list of employees (directly attached) who are authorised to write/read from that document. Darrence is listed on every list because he needs to be able to access any document to do his job. There is a device that is part of the photocopier that verifies that the person holding a piece of paper is one of the people listed to read/write that piece of paper.
Now Malicious Mallory had a complaint of bad quality service made against her by a client of hers. The partners of the firm have filed this letter on Mallory's personal record and have labelled it to be read but not written to by Mallory. Mallory also happens to have read access to a fully-black page. Mallory would like to destroy this letter-of-complaint by photocopying the fully-black page over it.
Case 1: objects themselves used, and not references (ie: Mallory physically hands the papers in person to Darrence and doesn't name them).
Mallory approaches Darrence and says that she would like to photocopy the black-page to the letter. Darrence requires Mallory to verify with the machine before he will photocopy. Mallory verifies the black page and the complaint letter- the machine says that Mallory can read the black-page but not print to the complaint letter. Because of the verification result Darrence will not photocopy.
Result: access controls worked perfectly. The letter is not destroyed.
Case 2: a reference to an object is used (ie: a name is used); not all of the documents are physically presented to Darrence in person.
Mallory approaches Darrence and says that she would like him to retrieve "Customer XYZ's letter of complaint against Mallory" (here a reference is used- ie, the name "Customer XYZ's ... Mallory") and to photocopy the black-page she is holding over the top of the letter. Darrence requires Mallory to verify with the machine that she is allowed to read the black-page. The machine verifies it. Mallory now leaves and Darrence continues on with her request. He returns with the letter and proceeds to verify. Because he can no longer use Mallory's identity for verification, he resorts to using his own- he has to because this is the only option he has. The machine verifies that he is allowed to write onto the document. So he proceeds to copy that black page over the letter.
Result: access controls failed. The letter is destroyed.
So the access controls in case 1 worked but not in case 2. Thus I argue that whatever is the difference between the two cases is the thing that caused the failure.
The difference between the cases is that the failing system used a reference (a document name) instead of the actual document, ie: references are the cause of the confusion.
References are caps by the general definition of caps.
(In this specific case the reference is a document name: it is a cap because- 1) it designates an object -ie: the document named, 2) it carries an authorisation due to the fact that mere possession of the document-name allows you to test the document in the verifier- this is a definite and distinct derived right! )
** Thus I claim that it is the use of caps that caused the problem. **
Furthermore, we know that if an object-cap system was used then the confusion never occurs. So we asked ourselves, "What is the difference between case 2 and object-caps?". The difference is that the caps used in case 2 are password caps.
** Thus it is specifically the use of password caps that caused the access control failure. **
MORAL OF STORY:
1) password caps are extremely dangerous to have floating around in a high-security (ie: confined and defined communication channels) system
2) password caps can easily arise unsuspectingly from situations that produce derived-rights.
3) identity based access controls don't deserve all of the bad reputation that they have.
Hopefully this example has demonstrated my point that passing objects themselves has completely different authority semantics to being able to pass references (caps) based on those objects.
Hopefully it has explained my point that the deputy gets confused because of the (mis)use of a password cap- (ie: the document name). In this case identity access control is perfect provided that the documents themselves are passed to the deputy and not references (caps) to the document. It is the use of references that causes the failure.
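To make the two cases concrete, here is an added Python model of the photocopier scenario described in the post above (an illustration written for this page, not code from the post or its author). The names Darrence, Mallory and the documents follow the post; the Document class, the name registry and the checking functions are assumptions of the model.

```python
# Added model of the two photocopier cases from the post; classes and
# checking logic are constructed here, not taken from the post.
from dataclasses import dataclass, field

@dataclass
class Document:
    name: str
    readers: set = field(default_factory=set)  # identities allowed to read
    writers: set = field(default_factory=set)  # identities allowed to write
    content: str = ""

def can_read(who, doc): return who in doc.readers    # the verifier device
def can_write(who, doc): return who in doc.writers

class Darrence:
    """The deputy; listed on every document because his job needs it."""
    def __init__(self, registry):
        self.me = "darrence"
        self.registry = registry  # document name -> Document (filing cabinet)

    def copy_objects(self, requester, src, dst):
        """Case 1: both documents are handed over, so both checks run
        against the requester's own identity."""
        if not (can_read(requester, src) and can_write(requester, dst)):
            return False
        dst.content = src.content
        return True

    def copy_by_name(self, requester, src, dst_name):
        """Case 2: the destination arrives only as a name. The requester is
        checked for the source and leaves; when the deputy fetches the
        destination, his own identity is the only one left to check with."""
        if not can_read(requester, src):
            return False
        dst = self.registry[dst_name]
        if not can_write(self.me, dst):  # the confused check
            return False
        dst.content = src.content
        return True

def run_cases():
    """Returns (case1_copied, case2_copied, letter_content_afterwards)."""
    letter = Document("Customer XYZ's letter of complaint against Mallory",
                      readers={"mallory", "darrence"}, writers={"darrence"},
                      content="complaint")
    black = Document("fully-black page", readers={"mallory", "darrence"},
                     writers={"darrence"}, content="BLACK")
    d = Darrence({letter.name: letter, black.name: black})
    return (d.copy_objects("mallory", black, letter),
            d.copy_by_name("mallory", black, letter.name), letter.content)
```

Running `run_cases()` gives `(False, True, "BLACK")`: the object-passing case is refused, while the name-passing case lets the deputy's own authority overwrite the letter.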