[cap-talk] Need help with the confused deputy problem and Object-capability model
Toby Murray
toby.murray at comlab.ox.ac.uk
Wed May 21 16:16:01 CDT 2008
On Wed, 2008-05-21 at 13:12 -0600, Ricky Liu wrote:
> Hi, I am reading the paper of Mark S. Miller about the object
> capability model.
> However, I am still not very clear about how the confused deputy is
> solved using
> this model. So could anyone please give me some clue or advice to help
> me out?
The essence (for me) is:
In the object-capability model, one can name a resource if and only if
they can access it.
In the confused deputy scenario, the user of a compiler invokes the
compiler, naming a file to receive the output of the compilation. A
security breach can occur if the user names a file that they don't have
access to but the compiler does. In this case, the compiler incorrectly
overwrites the file.
The object-capability model solves this problem because here, the user
can name the file if and only if they can access it. Hence, if they
cannot access a file, they cannot name it and hence, the vulnerability
doesn't arise.
See also Norm Hardy's original paper
http://portal.acm.org/citation.cfm?id=871709
and the Wikipedia article:
http://en.wikipedia.org/wiki/Confused_Deputy
Hope that helps. Email again if not.
Cheers
Toby
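The two designs Toby contrasts, as an added Python illustration that is not part of the original post or of any real system: an ambient-authority compiler that writes to a path the user names, beside a capability-passing one where the user can only hand over a file handle it already holds. All paths, principals and class names are constructed for the example.

```python
# Constructed illustration of the confused deputy and its object-capability fix; all names are made up.

# --- ambient-authority design: files are named by string, and the filesystem
# --- checks the identity of the process doing the write, not who asked for it.
ACL = {"/home/user/out.o": {"user", "compiler"},
       "/var/compiler/billing.log": {"compiler"}}  # user may not touch this

class AmbientFS:
    def __init__(self):
        self.contents = {}
    def write(self, principal, path, data):
        if principal not in ACL.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.contents[path] = data

class AmbientCompiler:
    """Runs as 'compiler' and writes to whatever path the user names."""
    def __init__(self, fs):
        self.fs = fs
    def compile(self, source, output_path):
        # The deputy exercises its OWN authority on a path chosen by the caller.
        self.fs.write("compiler", output_path, f"object code for {source}")

def ambient_demo():
    fs = AmbientFS()
    AmbientCompiler(fs).compile("main.c", "/var/compiler/billing.log")
    return fs.contents  # billing.log was clobbered: the deputy was confused

# --- object-capability design: to name a file you must hold a capability to it.
class FileCap:
    """Unforgeable write handle: holding it IS the permission."""
    def __init__(self, store, path):
        self._store, self._path = store, path
    def write(self, data):
        self._store[self._path] = data

class CapCompiler:
    def compile(self, source, output):
        output.write(f"object code for {source}")  # only the caller's authority

def capability_demo():
    store = {}
    # The user's namespace holds caps only for files the user may access.
    user_caps = {"/home/user/out.o": FileCap(store, "/home/user/out.o")}
    compiler = CapCompiler()
    # No capability for billing.log means the user cannot even designate it.
    if "/var/compiler/billing.log" in user_caps:
        compiler.compile("main.c", user_caps["/var/compiler/billing.log"])
    compiler.compile("main.c", user_caps["/home/user/out.o"])
    return store
```

In the capability version the compiler has no ambient authority to be confused about: the only file it can write is the one whose handle the caller passed in.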