[cap-talk] More Heresy: ACLs not inherently bad

Tyler Close tyler.close at gmail.com
Wed Oct 8 17:56:18 CDT 2008


On Wed, Sep 24, 2008 at 9:37 AM, David Wagner <daw at cs.berkeley.edu> wrote:
> Marcus Brinkmann writes:
>>But frankly, what's the big fuzz then?

... <snip>

> So my hypothesis is that the more seriously you take the principle
> of least privilege(authority), the more you have to be careful about
> confused deputy bugs.

I just cherry picked a message out of this thread that I haven't kept
up with, so someone may have already pointed out the following, though
hopefully not...

Web applications typically only provide for coarse-grained authority.
For example, all my authority to my online banking account and all my
authority to my Google identity. Many of these applications (most?)
are also vulnerable to Cross-Site Request Forgery attacks and
clickjacking attacks (two webisms for a Confused Deputy attack). So,
I don't think the granularity of authority has much effect on the
prevalence of Confused Deputy attacks.

I think all you need for Confused Deputy vulnerability in an ACL
design is three distinct principals. The crucial step is for an
identifier to pass through an intermediate principal without being
checked against the access matrix. For example, in Norm's original
compiler example, a filename passes through the compiler process on
its way from the compiler user to the filesystem.

I was thinking of writing a paper on this for the Oakland conference
this year, but don't know if I'll get to it with the @inert paper that
I also want to do.

--Tyler
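An in-memory model of the three-principal pattern described in the message above (user, compiler, file store), added here as an example that is not part of the original post. The principal names, the access matrix and the file paths are constructed for illustration; the point shown is that the user-chosen filename passes through the deputy without being checked against the user's row of the matrix, and what the ACL-style fix looks like.

```python
"""Confused deputy in an ACL design, modelled in memory (constructed example).

Three principals: a user (USER), a compiler service (COMPILER) and the
file store. The access matrix grants the compiler write access to its own
billing file; the user may not touch it. The vulnerable compiler accepts an
output filename from the user and the store checks that name against the
compiler's row of the matrix only, so the user's choice of name passes
through unchecked. The fixed version checks the requesting principal too.
"""

USER, COMPILER = "user", "compiler"

# Access matrix: principal -> set of paths it may write (constructed sample).
ACL = {
    USER: {"/home/user/out.o"},
    COMPILER: {"/home/user/out.o", "/var/compiler/billing.log"},
}

class AccessDenied(Exception):
    pass

class FileStore:
    def __init__(self):
        self.files = {}

    def write(self, principal, path, data):
        # The store only ever sees the principal that performs the write.
        if path not in ACL.get(principal, set()):
            raise AccessDenied(f"{principal} may not write {path}")
        self.files[path] = data

def compile_vulnerable(store, requester, output_path):
    """Deputy: writes under its own identity. The identifier chosen by
    `requester` is never checked against the requester's own row."""
    store.write(COMPILER, output_path, b"object code")
    store.write(COMPILER, "/var/compiler/billing.log", requester.encode())

def compile_fixed(store, requester, output_path):
    """Deputy that first checks the caller-supplied identifier against the
    caller's authority before exercising its own (the ACL-style fix)."""
    if output_path not in ACL.get(requester, set()):
        raise AccessDenied(f"{requester} may not write {output_path}")
    store.write(COMPILER, output_path, b"object code")
    store.write(COMPILER, "/var/compiler/billing.log", requester.encode())

def run(compile_fn, output_path):
    """Return True if the user's requested write landed, False if denied."""
    store = FileStore()
    try:
        compile_fn(store, USER, output_path)
    except AccessDenied:
        return False
    return output_path in store.files
```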
