[cap-talk] confused deputy problem

Pan Liu liupa200 at cs.uregina.ca
Tue May 27 13:33:04 CDT 2008


I am confused about whether the compiler should have the authority to write to the 
BILL file. Or should we just let the compiler have no authority to write to 
any files? The debugging info is written to the files specified by the user 
through a capability, and the billing info is written to the files specified by
another part (the system) through a capability.

 
----- Original Message ----- 
From: "Charles Landau" <clandau at macslab.com>
To: "General discussions concerning capability systems." <cap-talk at mail.eros-os.org>
Sent: Tuesday, May 27, 2008 10:32 AM
Subject: Re: [cap-talk] confused deputy problem


> Norman Hardy wrote:
>> Some readers of the paper 
> 
> that would be "The Confused Deputy" at 
> http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
> 
>> reasonably presumed that the compiler needed  
>> write access to billing.
> 
> I was one of those readers. That error shows up in my contributions to 
> http://en.wikipedia.org/wiki/Confused_Deputy.
> 
>> The particular event that inspired the paper happened on a machine  
>> serving hundreds of users with 64MB total disk memory.
>> Directories were expensive and the compiler lived in the same  
>> directory as the billing file and thus had write access that it did  
>> not need.
> 
> In that case, this problem could have been solved by using the Principle 
> of Least Authority, which does not require capabilities. It seems to me 
> that to justify the subtitle "or why capabilities might have been 
> invented", the compiler would have to need write access to the billing 
> file.
> 
>

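The arrangement described in the message above, modelled as an added Python example that is not part of the cap-talk thread or of any KeyKOS code: a compiler that names its debug output by path and runs with write access to the directory holding the billing file, beside a compiler that receives a write capability for the debug output from the user and a separate write capability for the billing file from the system. The paths, file contents, `WriteCap` class and function names are constructed for the illustration; the "filesystem" is an in-memory dict, so nothing on disk is touched.

```python
# Added example (not from the cap-talk thread): toy model of the confused-deputy
# compiler. Paths, contents and the WriteCap class are constructed for illustration.
from typing import Dict, Optional

BILLING_PATH = "/sysx/BILL"            # assumed path of the billing file
USER_DEBUG_PATH = "/home/alice/prog.debug"  # assumed path of the user's debug file


def fresh_fs() -> Dict[str, str]:
    """In-memory stand-in for the disk: path -> contents."""
    return {BILLING_PATH: "alice 3\n", USER_DEBUG_PATH: ""}


# ---- 1. Ambient authority: the compiler resolves names with its own rights ----

def compile_ambient(fs: Dict[str, str], source: str, debug_path: str) -> None:
    """Compiler that can write to everything in its directory, BILL included."""
    # Debug output: truncate-and-write to whatever path the user named.
    fs[debug_path] = f"debug: compiled {len(source)} bytes\n"
    # Billing record: append to the billing file the compiler knows by name.
    fs[BILLING_PATH] = fs.get(BILLING_PATH, "") + "alice 1\n"


def ambient_attack() -> Dict[str, str]:
    """The user names the billing file as the debug output; the compiler cannot
    distinguish this request from a legitimate one and clobbers BILL."""
    fs = fresh_fs()
    compile_ambient(fs, "int main(){}", BILLING_PATH)
    return fs


# ---- 2. Capabilities: each output is designated by an object, not by a name ----

class WriteCap:
    """Unforgeable write capability to exactly one file in `fs`."""

    def __init__(self, fs: Dict[str, str], path: str) -> None:
        self._fs, self._path = fs, path

    def truncate_write(self, data: str) -> None:
        self._fs[self._path] = data

    def append(self, data: str) -> None:
        self._fs[self._path] = self._fs.get(self._path, "") + data


def compile_cap(source: str, debug: WriteCap, billing: WriteCap) -> None:
    """Compiler with no file-naming authority of its own: it writes only through
    the two capabilities it is handed, one by the user and one by the system."""
    debug.truncate_write(f"debug: compiled {len(source)} bytes\n")
    billing.append("alice 1\n")


def capability_run(requested_debug_path: str) -> Dict[str, str]:
    """The user picks a debug file from the capabilities it holds; the system
    (not the user) supplies the billing capability to the compiler."""
    fs = fresh_fs()
    user_caps: Dict[str, WriteCap] = {USER_DEBUG_PATH: WriteCap(fs, USER_DEBUG_PATH)}
    billing_cap = WriteCap(fs, BILLING_PATH)   # held by the system only
    debug_cap: Optional[WriteCap] = user_caps.get(requested_debug_path)
    if debug_cap is None:
        # A file the user holds no capability to cannot be designated at all.
        raise PermissionError(f"no capability to {requested_debug_path}")
    compile_cap("int main(){}", debug_cap, billing_cap)
    return fs


def capability_attack_blocked() -> bool:
    """True if asking for BILL as the debug output is refused before any write."""
    try:
        capability_run(BILLING_PATH)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("ambient BILL after attack:", repr(ambient_attack()[BILLING_PATH]))
    print("capability BILL after run:", repr(capability_run(USER_DEBUG_PATH)[BILLING_PATH]))
    print("capability attack blocked:", capability_attack_blocked())
```

In the ambient version the only defence is for the compiler to inspect the path it is given, which is exactly the check the paper argues cannot be done reliably. In the capability version the question of which file the user may designate never reaches the compiler: the user can only pass a capability it already holds, and the billing capability arrives from the system on a separate parameter.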