[cap-talk] Need help with the confused deputy problem and Object-capability model
Mark Miller
erights at gmail.com
Wed May 21 17:35:57 CDT 2008
On Wed, May 21, 2008 at 2:16 PM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> The object-capability model solves this problem because here, the user
> can name the file if and only if they can access it. Hence, if they
> cannot access a file, they cannot name it and hence, the vulnerability
> doesn't arise.
This is a good start, but I don't think it goes to the heart of the
matter. For example, if the user happens to have read-only access to
the compiler's billing record file, then the user can name the file.
The reason the attack still fails is that the rights the compiler will
bring to bear on writing the compilation output are only those rights
bundled with the designator provided by the user, even though the
compiler itself separately possesses adequate rights to the designated
object.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
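The distinction above, modelled in code. This is an added example and not code from the thread or from either poster; the names `ReadOnlyFile`, `WritableFile`, `PathCompiler` and `CapCompiler` and the in-memory `store` dict are its own constructions. `PathCompiler` is the ambient-authority deputy: the user names the output by path and the compiler writes there with its own store-wide rights. `CapCompiler` holds a writable billing capability for its own bookkeeping, but writes output only through the object the caller hands it, so a user who holds (and can therefore name) a read-only capability to the billing record cannot get the compiler to write there on their behalf.

```python
# Added example, not from the cap-talk thread: a toy object-capability
# model of the compiler / billing-file confused-deputy scenario.
# Every class and function name here is this example's own.


def compiled(source: str) -> str:
    """Stand-in for compilation: the text we would write as output."""
    return f"<object code for {source!r}>"


class ReadOnlyFile:
    """Capability granting read access to one entry in a store.
    It deliberately has no write method: the designator carries
    exactly the authority it was created with."""

    def __init__(self, store: dict, name: str):
        self._store = store
        self._name = name

    def read(self) -> str:
        return self._store[self._name]


class WritableFile(ReadOnlyFile):
    """Capability granting read and write access to one entry."""

    def write(self, data: str) -> None:
        self._store[self._name] = data

    def attenuate(self) -> ReadOnlyFile:
        """Derive a read-only capability to the same entry."""
        return ReadOnlyFile(self._store, self._name)


class PathCompiler:
    """Ambient-authority deputy: output is named by path and written
    using the compiler's own rights over the whole store."""

    def __init__(self, store: dict):
        self._store = store

    def compile(self, source: str, output_path: str) -> None:
        self._store[output_path] = compiled(source)
        self._store["billing"] += f"charged for {source}\n"


class CapCompiler:
    """Object-capability deputy: it holds a writable billing capability
    for its own use, but writes output only through the capability the
    caller supplies."""

    def __init__(self, billing: WritableFile):
        self._billing = billing

    def compile(self, source: str, output: WritableFile) -> None:
        output.write(compiled(source))  # fails if `output` is read-only
        self._billing.write(self._billing.read() + f"charged for {source}\n")


def fresh_store() -> dict:
    # Constructed sample state: one prior billing entry, one user output slot.
    return {"billing": "charged for earlier.c\n", "user/out.o": ""}


def run_path_compiler() -> str:
    """User names the billing record as the output path; the deputy,
    using its own rights, overwrites it. Returns the billing content."""
    store = fresh_store()
    PathCompiler(store).compile("prog.c", "billing")
    return store["billing"]


def run_cap_compiler_readonly() -> tuple:
    """User can name the billing record (holds a read-only capability to it)
    but that designator carries no write authority, so the write is refused
    before any output or billing entry is written."""
    store = fresh_store()
    billing_rw = WritableFile(store, "billing")   # held by the compiler
    billing_ro = billing_rw.attenuate()           # what the user holds
    try:
        CapCompiler(billing_rw).compile("prog.c", billing_ro)
        outcome = "written"
    except AttributeError:  # ReadOnlyFile has no .write
        outcome = "refused"
    return outcome, store["billing"]


def run_cap_compiler_legit() -> tuple:
    """Normal use: the user passes a writable capability they really hold."""
    store = fresh_store()
    billing_rw = WritableFile(store, "billing")
    CapCompiler(billing_rw).compile("prog.c", WritableFile(store, "user/out.o"))
    return store["user/out.o"], store["billing"]
```

Run `run_path_compiler()` and the earlier billing entry is gone; run `run_cap_compiler_readonly()` and the billing record is untouched, not because the user could not name it, but because the designator they passed did not bundle write authority. The compiler's own `billing_rw` never comes into play for the user's output, which is exactly the separation the reply above describes.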