[cap-talk] Reducing Ambient user authority in a Type Safe/Memory Safe OS.

Ben Kloosterman bklooste at gmail.com
Sun Dec 20 23:08:31 PST 2009


>>>>>> 1) However I still want to cover upgrading the capability from say
>>>>>> browse to R/W when a browse capability is received via IPC.
>>>>>
>>>>> Then you are enabling confused deputy attacks.
>>>>
>>>> How so? This is merely using the browse capability to indicate
>>>> which file and then looking up a r/w capability within the
>>>> application (and hence upgrading to the higher level R/W). If an
>>>> R/W capability was passed in there would be no need for a lookup.
>>>
>>> Alan is right; there's clearly a confused deputy vulnerability here.
>>> If the browse cap gets amplified/escalated to a r/w capability just
>>> because it is the browser that is sending it, then "being the browser"
>>> is an ambient authority.
>>>
>>> Note that the approach I suggested in which the browse cap is a
>>> sealed r/w cap doesn't have that problem, because the unsealer is not
>>> ambient.
>>
>> No, I'm not trusting the browser; anyone can send a File
>> Explorer/browser or R/W capability in this case (obviously this would
>> be a browse capability on the file, not the whole dir).
>
> I don't understand what you're proposing at all, then. Under precisely
> what conditions are you suggesting that a browse capability gets
> amplified to a r/w capability? I.e. what mechanism controls when this
> happens?



Say a word processor is being called by clicking on a document in the GUI; let's ignore associations for the moment. Note that I distinguish a file explorer/browser window here as a folder with files on the desktop, not a file/open dialog.
If you click on a doc file with the browser, the file explorer/browser will invoke the word processor via a file association. It will then pass in its own browse capability to the file to indicate the file (this being more secure than passing in the file name). The word processor itself will check whether it has a higher-level capability for the file. I suppose an alternative would be for the association to be a capability which contains both the R/W rights and the invocation of the word processor.

Regards, 

Ben Kloosterman 
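The two designs argued over in this thread, side by side, as an added example that is not code from the thread or from any real capability OS. It models a file store, an r/w capability, a weaker browse capability, and two word processors: `AmbientWordProcessor` does Ben's lookup (upgrade any browse cap it is sent from a private table of r/w caps it already holds), and `SealedWordProcessor` does the variant Shap describes (the thing handed over is a sealed r/w cap, and only a holder of the matching unsealer recovers r/w). All class and function names are hypothetical. Python has no real object encapsulation, so the opacity of the capabilities and of the sealed box is by convention here; the control-flow point is what matters.

```python
"""Ambient lookup vs. sealed capability for the browse -> r/w upgrade.

Hypothetical model (not cap-talk or any real OS API). Opacity of caps
and boxes is by convention: Python cannot enforce it.
"""
from __future__ import annotations
import itertools


class File:
    _ids = itertools.count(1)

    def __init__(self, name: str, data: str) -> None:
        self.file_id = next(File._ids)
        self.name = name
        self.data = data


class RWCap:
    """Full read/write authority over one file."""
    def __init__(self, f: File) -> None:
        self._f = f

    @property
    def file_id(self) -> int:
        return self._f.file_id

    def read(self) -> str:
        return self._f.data

    def write(self, data: str) -> None:
        self._f.data = data


class BrowseCap:
    """Designates a file (name, identity) but carries no read/write authority."""
    def __init__(self, f: File) -> None:
        self._f = f

    @property
    def file_id(self) -> int:
        return self._f.file_id

    @property
    def name(self) -> str:
        return self._f.name


def make_brand_pair():
    """Morris-style sealer/unsealer. seal() wraps a value in an opaque Box;
    unseal() recovers it only for Boxes of this exact brand."""
    class Box:
        __slots__ = ("_content",)

        def __init__(self, content) -> None:
            self._content = content

    def seal(content):
        return Box(content)

    def unseal(box):
        if type(box) is not Box:
            raise PermissionError("not sealed with this brand")
        return box._content

    return seal, unseal


class AmbientWordProcessor:
    """Ben's proposal: holds r/w caps itself and upgrades any browse cap by lookup.
    Whoever can send it a browse cap reaches this table: that is ambient authority."""
    def __init__(self, rw_caps) -> None:
        self._table = {c.file_id: c for c in rw_caps}

    def open_document(self, browse: BrowseCap) -> RWCap:
        rw = self._table.get(browse.file_id)
        if rw is None:
            raise PermissionError(f"no r/w capability held for {browse.name}")
        return rw

    def edit(self, browse: BrowseCap, text: str) -> None:
        self.open_document(browse).write(text)


class SealedWordProcessor:
    """Shap's variant: the handed-over object must unseal to an r/w cap.
    The word processor holds no file authority of its own, only the unsealer."""
    def __init__(self, unseal) -> None:
        self._unseal = unseal

    def open_document(self, sealed) -> RWCap:
        cap = self._unseal(sealed)
        if not isinstance(cap, RWCap):
            raise PermissionError("sealed object is not an r/w capability")
        return cap

    def edit(self, sealed, text: str) -> None:
        self.open_document(sealed).write(text)


def build_world():
    # constructed sample data
    return File("report.doc", "draft"), File("secrets.doc", "top secret")


def ambient_attack() -> tuple[bool, str]:
    """A caller holding only a browse cap to secrets.doc asks the ambient word
    processor to edit it. Returns (attack_succeeded, secrets.doc contents)."""
    report, secrets = build_world()
    wp = AmbientWordProcessor([RWCap(report), RWCap(secrets)])  # installed with the user's r/w caps
    attacker_view = BrowseCap(secrets)                           # e.g. from a shared directory listing
    try:
        wp.edit(attacker_view, "overwritten by the browse-only caller")
        return True, secrets.data
    except PermissionError:
        return False, secrets.data


def sealed_attack() -> tuple[bool, str]:
    """Same caller against the sealed design. Even given the sealer, the caller
    can only box what it already holds, which is not an r/w cap."""
    report, secrets = build_world()
    seal, unseal = make_brand_pair()
    wp = SealedWordProcessor(unseal)
    attacker_view = BrowseCap(secrets)
    try:
        wp.edit(seal(attacker_view), "overwritten?")
        return True, secrets.data
    except PermissionError:
        return False, secrets.data


def legitimate_sealed_edit() -> str:
    """The explorer, which really holds r/w to report.doc, seals it on click."""
    report, secrets = build_world()
    seal, unseal = make_brand_pair()
    wp = SealedWordProcessor(unseal)
    wp.edit(seal(RWCap(report)), "edited via sealed cap")
    return report.data
```

In the ambient variant the write succeeds because the word processor's own table, not the caller's authority, decides what "a browse cap for secrets.doc" is worth; that is the deputy being confused. In the sealed variant the only way to make the word processor write is to hand it a box that was sealed around a genuine r/w cap, so authority has to flow from someone who already had it.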




