[cap-talk] Confused deputy article

Charles Landau clandau at macslab.com
Tue Feb 19 11:49:02 EST 2008


At 9:29 PM -0800 2/14/08, Dean Tribble wrote:
>FWIW here's the pattern I use to specify and/or recognize Confused 
>Deputy bugs (that I used to find numerous examples in the DARPA 
>review :):
>
>A deputy is a program with a private authority that it uses to 
>provide service to a client. The deputy has authority A for purpose 
>X and authority B for purpose Y. If the client can cause the deputy 
>to use authority B for purpose X, the deputy is confused. Typically, 
>the client has purpose X and provided authority A, and B is internal 
>to the deputy (e.g., provided by the deputy's creator).
>
>All the confused deputy errors that I know of match that pattern. 
>Does that fit your model of confused deputy?

You say, the deputy has authority B for purpose Y, but uses it for purpose X.
I say, the deputy misuses its authority.
So far I think we are in agreement.

You say the client causes the misuse. As we've seen on this list, 
causation is a slippery concept. And, I prefer to reserve the term 
"confused deputy" for cases where capabilities would solve the 
problem. After all, Norm's original article was subtitled "or why 
capabilities might have been invented".
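
The pattern from the quoted message, and the reply's point that capabilities remove the problem, as an added Python example that is not part of the original thread. The toy `Store`, the principals "deputy" and "client", and the object names are constructed for illustration.

```python
import io

BILLING = "deputy/billing"  # authority B: the deputy's private record (purpose Y)

class Store:
    """Constructed toy object store with per-principal write permission."""
    def __init__(self):
        self.objs = {}
    def create(self, name, writers, text=""):
        self.objs[name] = (io.StringIO(text), set(writers))
    def open_for_write(self, principal, name):
        buf, writers = self.objs[name]
        if principal not in writers:
            raise PermissionError(f"{principal} may not write {name}")
        return buf  # the open buffer stands in for a capability
    def read(self, name):
        return self.objs[name][0].getvalue()

def overwrite(buf, text):
    buf.seek(0); buf.truncate(); buf.write(text)

def append(buf, text):
    buf.seek(0, io.SEEK_END); buf.write(text)

def deputy_by_name(store, out_name, text):
    # Client supplies only a name; the deputy opens it with its own authority,
    # so authority B can end up serving purpose X (writing client output).
    overwrite(store.open_for_write("deputy", out_name), text)
    append(store.open_for_write("deputy", BILLING), "1 job\n")

def deputy_by_capability(store, out_cap, text):
    # Client supplies the open object (authority A); no client name is resolved.
    overwrite(out_cap, text)
    append(store.open_for_write("deputy", BILLING), "1 job\n")

def new_store():
    s = Store()
    s.create(BILLING, {"deputy"}, "previous record\n")
    s.create("client/out", {"client", "deputy"})
    return s

def confused_run():
    s = new_store()
    deputy_by_name(s, BILLING, "client output\n")  # client names the deputy's file
    return s.read(BILLING)

def capability_run():
    s = new_store()
    try:
        s.open_for_write("client", BILLING)  # client cannot obtain a capability to B
        denied = False
    except PermissionError:
        denied = True
    deputy_by_capability(s, s.open_for_write("client", "client/out"), "client output\n")
    return denied, s.read(BILLING), s.read("client/out")
```

In the name-based run the earlier billing record is lost; in the capability run the client can only hand over what it already holds, so designation and authority travel together.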

