[cap-talk] Toby's Confused deputy statement - minor mod
Jed Donnelley
jed at nersc.gov
Wed Feb 6 14:34:43 EST 2008
On 2/5/2008 2:31 PM, Toby Murray wrote:
...
> Good point. The service may also combine capabilities passed to it with
> ones that it already possesses but the client does not. (Of course, the
> client would have no way to ask the service to do this, but if we model
> the service to exhibit all possible behaviours, then we will of course
> cover this case and detect that it can be confused.)
I've been following everything said above with understanding.
From my perspective the issue is one of terminology. I think
it's important to find terminology that allows us to state
what is going on with the Confused Deputy problem as
succinctly as Toby said with:
Toby Murray said:
>>>> In any case in which a service may get more authority than its client
>>>> from a capability passed to it by its client, the service is potentially
>>>> confusable.
but with language that we can agree makes sense.
This is what I was trying to get at with my rights amplification
example in:
http://www.eros-os.org/pipermail/cap-talk/2008-February/009824.html
We can imagine a situation where neither the client nor
the server have the capability - and the client is blocked
from communicating to the server.
Now if the capability is added to the client we can
imagine the additional authority that becomes available
(operations available that weren't available before,
no matter how emergent).
Ditto with the server - we can imagine how much additional
authority it gets with the addition of the capability.
If the server's additional authority is greater than
that of the client, then I believe we have a situation
where, if the client sends the capability to the server
that we can have a confused deputy situation.
The above is what I took Toby to mean when he referred
to the service getting more authority than the client
from the capability.
What about a very minor modification of Toby's statement:
>>>> In any case in which a service may get more authority than its client
>>>> from a capability, the service is potentially confusable by that
>>>> capability sent from the client.
All I did was to change the "more authority" that the
service gets from the capability into an abstraction
independent of how it receives the capability, and only
refer to the confusion if/when the client sends the capability
to the service.
I wonder if that form of the statement makes any more
sense to Jonathan? Others?
--Jed http://www.webstart.com/jed/
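The comparison Jed describes (the additional authority each party would get from the capability, emergent authority included, and whether the server's gain exceeds the client's) can be made concrete with a small model. The following Python is an added example, not code from the cap-talk post or from any project discussed on the list. Its assumptions are labelled: authority is modelled as a set of (resource, operation) pairs a holder can reach; the rights-amplification mechanism is a sealer/unsealer pair (a sealed box only yields its contents to a holder of the matching unsealer); the holder is assumed to exhibit every possible behaviour, as Toby's remark above suggests; and "greater than" is read as "the server derives authority from the capability that the client could not", which is one reading of the message, not its wording.

```python
"""Toy model of the authority comparison behind the confused-deputy criterion.

Constructed for this example. A capability is a tuple of one of three kinds:
    ("direct", resource, op)       grants `op` on `resource`
    ("sealed", brand, inner_cap)   an opaque box; useless without the unsealer
    ("unsealer", brand)            opens boxes of that brand (rights amplification)
A principal's authority is the set of (resource, op) pairs it can reach from
the capabilities it holds, assuming it exhibits every possible behaviour.
"""


def authority(caps):
    """Return the (resource, op) pairs reachable from `caps`.

    Iterates to a fixed point because unsealing one box may yield another box
    or another unsealer, which in turn amplifies further.
    """
    held = set(caps)
    while True:
        unsealers = {c[1] for c in held if c[0] == "unsealer"}
        unsealed = {c[2] for c in held if c[0] == "sealed" and c[1] in unsealers}
        new = unsealed - held
        if not new:
            break
        held |= new
    return {(c[1], c[2]) for c in held if c[0] == "direct"}


def additional_authority(holder, cap):
    """Authority the holder gains by being given `cap`, beyond what it already had.

    This is the "how much additional authority it gets with the addition of the
    capability" quantity from the message, emergent authority included.
    """
    return authority(set(holder) | {cap}) - authority(holder)


def excess_server_authority(client, server, cap):
    """Return the authority the server would derive from `cap` that the client
    cannot derive from it. A non-empty result means the service is potentially
    confusable by that capability if the client sends it.

    Follows the message's setup: neither party holds `cap` yet.
    """
    if cap in client or cap in server:
        raise ValueError("criterion is defined for a capability neither party holds")
    return additional_authority(server, cap) - additional_authority(client, cap)


# Constructed scenario (hypothetical names): a billing database writable only
# through a sealed box that the server, but not the client, can unseal.
BILLING_WRITE = ("direct", "billing.db", "write")
BOX_A = ("sealed", "brand-A", BILLING_WRITE)
UNSEAL_A = ("unsealer", "brand-A")
SCRATCH_WRITE = ("direct", "scratch.txt", "write")
REPORT_READ = ("direct", "report.txt", "read")

CLIENT = frozenset({SCRATCH_WRITE})
SERVER = frozenset({UNSEAL_A})
CLIENT_WITH_UNSEALER = frozenset({SCRATCH_WRITE, UNSEAL_A})


def demo():
    """Evaluate the criterion for the three constructed cases."""
    return {
        "sealed box, server-only unsealer": excess_server_authority(CLIENT, SERVER, BOX_A),
        "plain read capability": excess_server_authority(CLIENT, SERVER, REPORT_READ),
        "sealed box, both hold unsealer": excess_server_authority(CLIENT_WITH_UNSEALER, SERVER, BOX_A),
    }


if __name__ == "__main__":
    for case, excess in demo().items():
        verdict = "potentially confusable" if excess else "no excess authority"
        print(f"{case}: {verdict} {sorted(excess)}")
```

Only the first case is flagged: the client gains nothing from the sealed box (it cannot open it), while the server, holding the unsealer, gains write access to the billing database. A plain read capability gives both parties the same authority, and once the client also holds the unsealer the box confers nothing on the server that the client did not already get from it. The model says nothing about whether a given server is actually confused, only whether the capability could let it be.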