[cap-talk] "ACLs don't" paper rejected from Oakland 09

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Feb 2 03:34:10 CST 2009


On Sat, 2009-01-31 at 07:48 -0800, Tyler Close wrote:
> No part of the Confused Deputy attack relies on either systems
> (in)ability to confine any of the involved principals, so rules
> restricting delegation are not relevant to the attack.

No, but rules *allowing* delegation are.

In the confused deputy scenario, there is an implicit assumption that
capabilities can be passed from the User to the Compiler (iff the User
has a capability that designates the Compiler and allows it to pass it
capabilities, of course).

One could imagine a cap system that used some form of out-of-band
communications to pass capabilities. In this case, confused deputies may
or may not still exist or may or may not even be relevant.

My point is that when people start talking about Confused Deputies, they
also implicitly assume object-capability rules for capability passing.
Protection makes no such assumptions.

(Indeed the "Oxford" equivalence statement was made specifically without
reference to any such assumption, in which case I firmly believe it
holds.)


> CapMyths did argue that ACLs and capabilities are not equivalent, but
> it did not do this by pointing out that the outputs are different.

Note that the different "outputs" here are authority not permission. In
the ACL example, authority propagates differently than in the
capability-based example, even though the behaviour of the Compiler is
the same in both cases and the permissions in both cases are identical.

All equivalence claims between caps and ACLs are about expressible
static configurations of permissions. In this case, they *are*
equivalent -- both can express the same static configurations of
permissions. The inequivalences start to arise because ACLs and caps
(usually) have different rules for how permissions can propagate
relative to names. (With ACLs, names can propagate without permissions
doing so, but of course this can't usually happen with caps.)

When propagation and dynamism are not taken into account, the
equivalence holds. It is in this sense that the "Oxford" story should be
read, and I also believe that it is in this sense that Protection argues
the equivalence.


Cheers

Toby
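The scenario the message describes, as an added example that is not part of the original post: the same static permissions (the Compiler may write its billing record, the User may write only its own output file) modelled once under ACL rules, where a bare name propagates from User to Compiler and the check is made against the Compiler's identity, and once under object-capability rules, where designation and permission travel together. The paths, principals and permissions are constructed for illustration.

```python
# Added example (not from the mailing-list post): the confused-deputy
# scenario under an ACL model and an object-capability model. The static
# permissions are identical in both: the Compiler may write its billing
# record and the User may write its own output file. Only the rule for how
# authority travels with a *name* differs. Paths and principals are constructed.

class PermissionDenied(Exception):
    pass

# --- ACL model: permission is looked up by (name, caller identity) ---------
ACL = {"/out/prog.o": {"user", "compiler"}, "/sys/billing": {"compiler"}}

def acl_write(caller, path, data, fs):
    if caller not in ACL.get(path, set()):
        raise PermissionDenied(f"{caller} may not write {path}")
    fs[path] = data

def run_acl_scenario(output_name):
    """User hands the Compiler a bare name; the Compiler writes as itself."""
    fs = {}
    acl_write("compiler", "/sys/billing", "charge user", fs)
    # The name propagated from the User, but the check uses the Compiler's
    # own rights, so a User-chosen name can reach the billing file.
    acl_write("compiler", output_name, "object code", fs)
    return fs

# --- Capability model: designation and permission travel together ---------
class WriteCap:
    def __init__(self, path, fs):
        self._path, self._fs = path, fs

    def write(self, data):
        self._fs[self._path] = data

def run_cap_scenario(output_name):
    """User can pass only a capability it actually holds."""
    fs = {}
    compiler_billing = WriteCap("/sys/billing", fs)           # Compiler's own cap
    user_caps = {"/out/prog.o": WriteCap("/out/prog.o", fs)}  # User's caps
    compiler_billing.write("charge user")
    output_cap = user_caps.get(output_name)
    if output_cap is None:
        # The User holds no cap for this name, so nothing reaches the Compiler:
        # the Compiler's billing authority cannot be borrowed via a name.
        return fs, f"user holds no capability for {output_name}"
    output_cap.write("object code")
    return fs, None
```

Under ACLs the billing record is overwritten when the User names it; under capabilities the request cannot even be expressed unless the User already held that authority.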


