[cap-talk] Confused deputies in hybrid systems

David Hopwood david.hopwood at industrial-designers.co.uk
Mon Feb 4 20:07:34 EST 2008


Jonathan S. Shapiro wrote:
> On Mon, 2008-02-04 at 13:12 -0800, Jed Donnelley wrote:
>> On 2/4/2008 11:04 AM, Jonathan S. Shapiro wrote:
>>> This is of course false. The use of capabilities as
>>> an underlying permissions substrate does not preclude the presence of
>>> buggy programs.
>> A confused deputy is at least a very special case of a
>> "buggy" program - even if one tries to fit it into that
>> category.  The deputy in the "confused" case doesn't
>> have enough information to know how to proceed, bug
>> or no bug.  Perhaps you could call this a "buggy"
>> architecture, but don't blame the deputy (the program).
> 
> I did not say that ambient authority systems could somehow avoid the
> possibility of a confused deputy. I agree that in such a system, the
> deputy has insufficient information.
[...]

>>> Provided that it requires capabilities to be designated (i.e. the
>>> capability portion is not an ambient capability system), a hybrid system
>>> (i.e. one intersecting capabilities and ACLs) is precisely as
>>> unconfused as the system lacking the intersection restrictions. It is,
>>> in fact, strictly less powerful than the pure system.
>>
>> As David Hopwood pointed out, being strictly less powerful
>> doesn't necessarily make it any less likely to result in
>> confused deputies.
> 
> I am not caught up with the exchanges on this thread, so I haven't read
> David's note. I did note one error in his use of the term authority,
> which led directly to a fundamental error in his description of what is
> going on when a capability is transferred from a more restricted to less
> restricted domains. No change in authority takes place in this scenario.

If you mean,

   "Being able to reify authorities to access something at some time in the
    future, is generally useful and important."

then possibly this should have been "...to reify permissions...", but this
seems like a technicality that did not affect the argument. I haven't used
the term "authority" in this technical sense in any other post in the
past week, and I didn't use it in the post that I think Jed is referring to.
Are you sure you're not confusing me with someone else?

> From first principles, it seems necessary that his position must rely on
> the assumption that security-sensitive programs will be implemented
> with less care than the same program in a pure capability system. I see
> absolutely no reason to accept this supposition.

I do not see anywhere I made such an assumption, which would indeed be
unjustified. My main point was that if mechanisms that are more vulnerable
to (i.e. less able to support the prevention of) confused deputy attacks
than pure capability mechanisms are added to a system, then user and
administrator behaviour would very likely change to sometimes rely on
those mechanisms.

This argument does not rely on programs being implemented with less care.
We agree, as you state above, that the use of ambient authority mechanisms
(including ACLs) does not allow programs to avoid confused deputy attacks,
because they do not have sufficient information to do so.

-- 
David Hopwood
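The point made in the last two paragraphs, that a deputy acting with ambient authority has no way to tell whether its caller could have written where the caller asked, while a deputy that must be handed a designated capability never has to answer that question, as an added toy model. This is an illustration added here, not code from the thread or from any system the thread discusses; the in-memory store, the `compiler` principal, the `/billing` and `/home/alice/out` paths and the `WriteCap` type are all constructed for the example.

```python
"""Toy model of the confused-deputy contrast discussed in this thread.

The same 'deputy' (a compile service that writes its output on the caller's
behalf) is implemented twice against a simulated ACL-protected store:
once with ambient authority and once requiring a designated capability.
The store layout, principals and paths are constructed for illustration.
"""


class AclStore:
    """In-memory file store with a per-path set of principals allowed to write."""

    def __init__(self):
        self.files = {}    # path -> contents
        self.writers = {}  # path -> set of principals permitted to write

    def _check(self, principal, path):
        if principal not in self.writers.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")

    def write(self, principal, path, data):
        # Ambient-authority model: the check is made against whichever
        # principal happens to be executing, not against who asked for it.
        self._check(principal, path)
        self.files[path] = data

    def open_write(self, principal, path):
        # Capability model: the check is made once, at the requester's own
        # authority, and yields a handle bound to exactly that path.
        self._check(principal, path)
        return WriteCap(self, path)


class WriteCap:
    """Unforgeable (within this toy) write handle for a single path."""

    def __init__(self, store, path):
        self._store = store
        self.path = path

    def write(self, data):
        # No further check: holding the capability is the permission.
        self._store.files[self.path] = data


DEPUTY = "compiler"  # constructed service principal with broad write rights


def compile_ambient(store, output_path, source):
    """Deputy with ambient authority.

    It is handed only a path string and writes there using its own rights.
    Nothing available to it says whether the caller could have done so.
    """
    store.write(DEPUTY, output_path, f"compiled({source})")
    return output_path


def compile_with_cap(output_cap, source):
    """Deputy that requires a designated capability.

    It can write only to the place the caller already proved it could open,
    so the question 'may the caller write here?' never arises inside it.
    """
    output_cap.write(f"compiled({source})")
    return output_cap.path


def make_store():
    """Constructed scenario: alice may write her own output, not /billing."""
    store = AclStore()
    store.files["/billing"] = "accounting records"
    store.writers["/billing"] = {"admin", DEPUTY}
    store.writers["/home/alice/out"] = {"alice", DEPUTY}
    return store


def demo():
    """Run both deputies against the same scenario and report what happened."""
    results = {}

    # 1. Ambient deputy: alice names /billing as her output path.  She could
    #    not write it herself, but the deputy's own rights suffice.
    store = make_store()
    compile_ambient(store, "/billing", "hello")
    results["ambient_billing_clobbered"] = store.files["/billing"] != "accounting records"

    # 2. Capability deputy: alice must open the output herself first.  The
    #    ACL check fails at her authority, so she has nothing to hand over.
    store = make_store()
    try:
        cap = store.open_write("alice", "/billing")
        compile_with_cap(cap, "hello")
        results["cap_billing_clobbered"] = True
    except PermissionError:
        results["cap_billing_clobbered"] = False

    # 3. The legitimate case still works under the capability deputy.
    cap = store.open_write("alice", "/home/alice/out")
    compile_with_cap(cap, "hello")
    results["cap_legit_written"] = store.files["/home/alice/out"] == "compiled(hello)"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two deputies are written with equal care; the difference is purely in what information reaches them. `compile_ambient` receives a name and must act on it with its own authority, so it cannot distinguish a request it should honour from one it should not. `compile_with_cap` receives the result of an authorization decision already made at the caller's authority, and simply uses it.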

