[cap-talk] Confused deputies in hybrid systems (was: Loss of control)

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Feb 5 04:09:06 EST 2008 

On Mon, 2008-02-04 at 14:04 -0500, Jonathan S. Shapiro wrote:
> You all apparently agree that a pure capability system is not subject to
> the confused deputy.

No. I think this is a long-held belief that this current discussion has
disproved.

>  This is of course false. The use of capabilities as
> an underlying permissions substrate does not preclude the presence of
> buggy programs.
> 
> Provided that it requires capabilities to be designated (i.e. the
> capability portion is not an ambient capability system), a hybrid system
> (i.e. one intersectiong capabilities and ACLs) is precisely as
> unconfused as the system lacking the intersection restrictions.

Can you provide any evidence (or, even better) a proof to support this
claim?

> On Mon, 2008-02-04 at 08:19 +0000, Toby Murray wrote:
> > In any case in which a service may get more authority than its client
> > from a capability passed to it by its client, the service is potentially
> > confusable.
> 
> Your statement confuses permission with authority. The service did not
> get more authority than its client held. The client had sufficient
> authority to pass the capability into the service domain. In
> consequence, any authority granted thereby to the service already feel
> within the client's authority BY DEFINITION.

I see what you're trying to say but I disagree. Note that these are
different KINDS of authority. When in the hands of the client, the
authority is "authority to cause the service to perform X on my behalf",
when in the service's hands its "authority to perform X directly". 

Now depending on your notion of authority, one may argue that the
authority to do something directly vs. the authority to cause another to
do it for you, that the former is always strictly GREATER than the
latter because one need not rely on anyone else to exercise it.

Hence, I stand by my claim that the problem is that the cap is more
poweful in the hands of the sevice than the client (i.e. grants the
service more authority than it does the client).

More information about the cap-talk mailing list