[cap-talk] confused deputy problem

Norman Hardy norm at cap-lore.com
Mon Jun 2 23:17:16 CDT 2008


On 2008 May 27, at 9:32 , Charles Landau wrote:

> Norman Hardy wrote:
>> Some readers of the paper
>
> that would be "The Confused Deputy" at
> http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
>
>> reasonably presumed that the compiler needed
>> write access to billing.
>
> I was one of those readers. That error shows up in my contributions to
> http://en.wikipedia.org/wiki/Confused_Deputy.
>
>> The particular event that inspired the paper happened on a machine
>> serving hundreds of users with 64MB total disk memory.
>> Directories were expensive and the compiler lived in the same
>> directory as the billing file and thus had write access that it did
>> not need.
>
> In that case, this problem could have been solved by using the Principle
> of Least Authority, which does not require capabilities. It seems to me
> that to justify the subtitle "or why capabilities might have been
> invented", the compiler would have to need write access to the billing
> file.

Architecturally yes, logistically no. (Space was tight.)
I suspect that the mis-reading of the paper may improve it.
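
The situation the two of them are discussing, as an added toy model (constructed for this page, not code from the paper, KeyKOS, or the mailing list): an in-memory "directory" records which names each principal may open for writing, so the compiler's directory-wide write right stands in for the ambient authority Hardy describes. The three cases are the shared-directory compiler that can be pointed at the billing file, the same compiler after the least-authority split Landau suggests, and a capability-passing compiler that never opens anything by name. The principal names, file names and the `Directory`/`Handle` classes are all assumptions of the model.

```python
"""Toy model of the confused deputy from this thread (an added illustration,
not code from the paper or KeyKOS). A compiler shares a directory with the
billing file and therefore holds write authority over both. Three cases:
the ambient-authority compiler Hardy describes, the same compiler after the
least-authority fix Landau suggests, and a capability-passing compiler that
never opens files by name at all.
"""

BILLING_BEFORE = "user A owes 3 units\n"   # constructed sample content


class Directory:
    """In-memory stand-in for the shared directory: file contents plus the
    names each principal is allowed to open for writing (ambient authority)."""

    def __init__(self, compiler_rights):
        self.files = {"billing": BILLING_BEFORE, "user_out": ""}
        self.rights = {"compiler": set(compiler_rights), "user": {"user_out"}}

    def open_for_write(self, principal, name):
        if name not in self.rights[principal]:
            raise PermissionError(f"{principal} may not write {name}")
        return Handle(self, name)


class Handle:
    """An open file. Holding the handle is the authority to write: the
    capability-style deputy below never sees a file name, only handles."""

    def __init__(self, directory, name):
        self.directory, self.name = directory, name

    def write(self, text):
        self.directory.files[self.name] = text


def ambient_compile(directory, source, output_name):
    """Deputy that opens the caller-supplied *name* with its own authority.
    Whatever the caller designates is written with the compiler's rights."""
    directory.open_for_write("compiler", output_name).write(f"compiled({source})")


def capability_compile(source, output_handle):
    """Deputy that writes only through the handle it was handed; it holds no
    authority of its own, so there is nothing for it to be confused into using."""
    output_handle.write(f"compiled({source})")


def run_ambient_case():
    """Compiler in the shared directory (a right over billing it does not
    need). A caller naming 'billing' as the output gets it clobbered."""
    d = Directory(compiler_rights={"billing", "user_out"})
    ambient_compile(d, "prog.c", "billing")
    return d.files["billing"]


def run_least_authority_case():
    """Landau's point: keep the compiler out of the billing directory so it
    never had the unneeded right. The same request is now refused."""
    d = Directory(compiler_rights={"user_out"})
    try:
        ambient_compile(d, "prog.c", "billing")
    except PermissionError:
        return True, d.files["billing"]
    return False, d.files["billing"]


def run_capability_case():
    """Capability passing: the caller must open the output file under its own
    rights and hand over the handle. The compiler's rights never enter into
    it, so they could be as broad as in the first case without harm."""
    d = Directory(compiler_rights={"billing", "user_out"})
    try:
        d.open_for_write("user", "billing")   # refused before the deputy runs
        caller_denied = False
    except PermissionError:
        caller_denied = True
    capability_compile("prog.c", d.open_for_write("user", "user_out"))
    return caller_denied, d.files["billing"], d.files["user_out"]


if __name__ == "__main__":
    print("ambient:        ", repr(run_ambient_case()))
    print("least authority:", run_least_authority_case())
    print("capability:     ", run_capability_case())
```

The model makes the two positions in the thread concrete: trimming the compiler's rights (the second case) fixes this instance because the compiler happened not to need the billing file, whereas handing over an open handle (the third case) keeps designation and authority together, so the outcome no longer depends on how broad the compiler's own rights are.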
