[cap-talk] Need help with the confused deputy problem and Object-capability model
Norman Hardy
norm at cap-lore.com
Fri May 23 11:54:48 CDT 2008
On 2008 May 23, at 1:34, Toby Murray wrote:
> On Thu, 2008-05-22 at 11:17 -0600, Pan Liu wrote:
>> Thank you for your help.
>>
>> Could you answer me another question? Since the confused deputy
>> problem is mainly because of the separation of designation and
>> authority, but do you think that the excess authority is also a
>> reason for that?
>>
>
> The Confused Deputy problem arises because designation and authority
> are separated. It manifests itself as the user of the compiler having
> excess authority -- the user of the compiler can *cause* the compiler
> to write to the billing file on the user's behalf. Hence the user has
> excess authority because the compiler is a confused deputy, due to the
> separation of designation and authority.
>
> Hope that helps,
Indeed I think the above captures the lessons for system design.

Some readers of the paper reasonably presumed that the compiler needed
write access to billing. The particular event that inspired the paper
happened on a machine serving hundreds of users with 64MB total disk
memory. Directories were expensive and the compiler lived in the same
directory as the billing file and thus had write access that it did
not need.
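The two designs discussed in this thread, as an added illustration that is not part of the original messages: a toy "compiler" deputy that holds ambient write authority over everything in its directory (billing file included) and accepts an output *name*, beside one that writes only through capabilities, so the caller can only designate files it already holds authority over. The `WriteCap` class, the file names and the billing record are constructed for this example.

```python
class WriteCap:
    """Unforgeable write handle: designation (which file) and the authority
    to write it travel together, so a caller cannot name what it cannot write."""
    def __init__(self, files, name):
        self._files, self._name = files, name
    def write(self, data):
        self._files[self._name] = data

def ambient_compile(files, source, output_name):
    """Deputy running with write access to everything in its directory,
    billing included: it receives only a name and writes it under its own
    authority, so it cannot tell a user's output file from the billing file."""
    files[output_name] = f"compiled({source})"
    files["billing"] = files.get("billing", "") + "1 job\n"

def capability_compile(files, source, output_cap, billing_cap):
    """Deputy that writes only through capabilities: the output one handed
    over by the caller, the billing one held by the deputy itself."""
    output_cap.write(f"compiled({source})")
    billing_cap.write(files.get("billing", "") + "1 job\n")

BILLING = "user: 2 jobs\n"   # constructed starting billing record

def demo_ambient(requested_output="billing"):
    """The user names the billing file as output; nothing stops the deputy,
    because its authority is ambient. Returns the billing file's contents."""
    files = {"billing": BILLING}
    ambient_compile(files, "main.c", requested_output)
    return files["billing"]

def demo_capability(requested_output="billing"):
    """The user can hand over only capabilities it holds, and holds none for
    billing; the request is refused. Returns (output contents, billing)."""
    files = {"billing": BILLING}
    user_caps = {"out.o": WriteCap(files, "out.o")}   # the user's holdings
    compiler_billing = WriteCap(files, "billing")     # held by the deputy only
    if requested_output not in user_caps:
        return None, files["billing"]
    capability_compile(files, "main.c", user_caps[requested_output], compiler_billing)
    return files[requested_output], files["billing"]
```

In the ambient version the billing record is clobbered without any permission check failing, because the compiler legitimately held that authority; in the capability version the same request cannot even be expressed.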