[cap-talk] Toby's Confused deputy statement

Sandro Magi naasking at higherlogics.com
Tue Feb 5 10:02:41 EST 2008


Toby Murray wrote:
> The essence of the confused deputy problem is that the server is granted
> more permission than the client, but the client can cause the server to
> (incorrectly) exercise its permission on behalf of the client.
> 
> Suppose the client has a capability that in the server's hands, allows
> the server to directly perform some action that the client cannot
> directly perform (i.e. grants the server more permission than it does
> the client).
> 
> The server is now potentially confusable, depending on how it has been
> coded.
> 
> Suppose this extra permission granted to the server should not be used
> on the client's behalf.
> If in delegating the capability to the server, the client may cause the
> server to use this extra permission on the client's behalf, then the
> server has become a confused deputy.
> 
> This applies equally to authority, but now we have to be more careful.
> 
> Suppose the client has a capability that in the server's hands, allows
> the server to cause some action to occur that the client cannot cause
> with the same capability WITHOUT DELEGATING IT TO THE SERVER. (This last
> part is the important part, because if the server is confusable, then by
> definition the client may be able to cause the server to cause this
> other action on the client's behalf, in which case the client can
> (indirectly) cause the action and it is part of its authority.) 
> 
> The server is now potentially confusable, depending on how it has been
> coded.
> 
> If this action that the server can cause is not permitted to be caused
> by the client and if by delegating the capability to the server, the
> client can cause the server to cause this action to occur, then the
> server has become a confused deputy.
> 
> I think that's right now. Do you agree?

I think the "confused deputy" is a safety property of an access control 
system (call this property C). If the access control system provides 
enough information to deputies to avoid misusing their authority, then 
the access control system has property C. Pure capability systems have 
property C.

Whether the deputy in question is programmed to use this information 
correctly and thus avoids confusing itself is another matter entirely. 
As Jonathan stated, this is a buggy program, not a confused deputy.

An interesting question is whether a Horton-like mechanism built ON 
capabilities can introduce real confused deputies. I think it's quite 
plausible. However, Horton is built on a rights amplification primitive, 
EQ, if I recall correctly. This leads me to wildly conjecture that 
rights amplification can lead to confused deputies in capability 
systems. Proof is left as an exercise for the reader. :-)

Sandro
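The classic compiler-and-billing-file scenario behind the thread's "server is granted more permission than the client" point, as an added Python sketch that is not part of either message; the ACL, the WriteCap class, the principal names and the paths are constructed for illustration. The ACL-based deputy is handed a name and has to use its own permission, so it cannot tell that the client was not entitled to the path; the capability-based deputy is handed the client's own authority and nothing more.

```python
# Added example, not from the thread.  Names (ACL, WriteCap, "compiler",
# "alice", the paths) are constructed for illustration.
# Ambient authority: a global ACL consulted by principal name.  The deputy
# ("compiler") holds more permission than its client ("alice").
ACL = {"compiler": {"/out", "/billing.log"}, "alice": {"/out"}}

def acl_write(files, principal, path, data):
    if path not in ACL.get(principal, set()):
        raise PermissionError(f"{principal} may not write {path}")
    files[path] = data

def confusable_deputy(files, output_path, data):
    """Records a billing entry, then writes output to a client-chosen path
    using ITS OWN permission.  Nothing tells it whether the client was
    entitled to that path, so the client can aim it at /billing.log."""
    acl_write(files, "compiler", "/billing.log", "charged")
    acl_write(files, "compiler", output_path, data)

class WriteCap:
    """Capability: an unforgeable reference that writes one fixed path."""
    def __init__(self, files, path):
        self._files, self._path = files, path
    def write(self, data):
        self._files[self._path] = data

def capability_deputy(billing_cap, output_cap, data):
    """Same job, but the output target is a capability the client handed
    over, so it carries exactly the client's authority; the billing
    capability is the deputy's own and is never chosen by the client."""
    billing_cap.write("charged")
    output_cap.write(data)

def demo():
    """Both designs, with a client who names /billing.log as its output."""
    acl_files = {}
    try:
        acl_write(acl_files, "alice", "/billing.log", "code")
        denied = False
    except PermissionError:
        denied = True                               # alice cannot do this directly...
    confusable_deputy(acl_files, "/billing.log", "code")  # ...but the deputy can
    cap_files = {}
    alice_caps = {"/out": WriteCap(cap_files, "/out")}   # everything alice holds
    capability_deputy(WriteCap(cap_files, "/billing.log"), alice_caps["/out"], "code")
    return {"client_denied": denied,
            "acl_billing": acl_files["/billing.log"],     # "code": record clobbered
            "cap_billing": cap_files["/billing.log"],     # "charged": intact
            "cap_out": cap_files["/out"],
            "alice_has_billing_cap": "/billing.log" in alice_caps}
```

In the capability version the only way for the client to redirect output at the billing record is to hold a capability for it, and then writing there is simply part of the client's authority, which is the distinction the quoted message draws.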
