[cap-talk] "ACLs don't" paper rejected from Oakland 09
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Mon Feb 2 11:05:59 CST 2009
Toby Murray wrote:
> One could imagine a cap system that used some form of out-of-band
> communications to pass capabilities. In this case, confused deputies may
> or may not still exist or may or may not even be relevant.
>
> My point is that when people start talking about Confused Deputies, they
> also implicitly assume object-capability rules for capability passing.
As far as I know, (non-object) capability systems resist Confused Deputy
attacks as well as object-capability systems. It's quite possible that
other forms of protection system with reified permissions can also
resist them.
>> CapMyths did argue that ACLs and capabilities are not equivalent, but
>> it did not do this by pointing out that the outputs are different.
>
> Note that the different "outputs" here are authority not permission.
No. As the paper says for the example of section 2.3,
# In capability transfer, the User's attempt to construct a compile message
# specifying write permission to log.txt is rejected by the reference
# monitor [...]
Sending the compile message is an individual operation that the ACL system
allows (because "log.txt" is just a string in that case), and the capability
system does not (because log.txt has to be specified by a write capability),
in the same access matrix state.
That is, the capability system is performing an access check, based on the
direct permissions of the User at the time of the message send, that is not
performed for the equivalent operation in the ACL system. There is no sense
in which they can be construed as equivalent.
--
David-Sarah Hopwood ⚥
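The distinction drawn in the message above (an access check performed at message-send time in the capability system that has no counterpart in the ACL system, given the same access matrix state) can be shown in a small model. The following is an added illustration, not code from the CapMyths paper or from either poster; the subject names, the file names `log.txt` and `out.o`, and the contents of the access matrix are constructed for this example.

```python
# Added example: toy model of the section 2.3 scenario. A compiler deputy
# writes an output file; the User may invoke it; the compiler, not the User,
# holds write rights on log.txt. Both "systems" share one access matrix and
# differ only in *when* and *against whom* the check is made.
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised by the reference monitor when a direct permission is missing."""


@dataclass
class AccessMatrix:
    # subject -> object -> set of rights (constructed state, same for both)
    rights: dict = field(default_factory=dict)

    def has(self, subject, obj, right):
        return right in self.rights.get(subject, {}).get(obj, set())


@dataclass(frozen=True)
class Capability:
    """A reference to an object plus one right; only mint() creates these."""
    obj: str
    right: str


class ReferenceMonitor:
    def __init__(self, matrix):
        self.matrix = matrix
        self.files = {"log.txt": "audit entries", "out.o": ""}

    # ACL system: the check happens when the *deputy* touches the file,
    # using the deputy's own identity.
    def acl_write(self, subject, obj, data):
        if not self.matrix.has(subject, obj, "write"):
            raise Denied(f"{subject} may not write {obj}")
        self.files[obj] = data

    # Capability system: the check happens when the *caller* tries to name
    # the file in its message, by asking for a capability it directly holds.
    def mint(self, subject, obj, right):
        if not self.matrix.has(subject, obj, right):
            raise Denied(f"{subject} holds no {right} capability for {obj}")
        return Capability(obj, right)

    def cap_write(self, cap, data):
        if cap.right != "write":
            raise Denied(f"capability for {cap.obj} carries no write right")
        self.files[cap.obj] = data


def acl_compile(monitor, caller, output_name):
    """ACL deputy: output_name is just a string. The caller's rights are never
    consulted; only the compiler's own rights decide whether the write goes
    through, which is what makes the deputy confusable."""
    monitor.acl_write("compiler", output_name, "object code")
    return monitor.files[output_name]


def cap_compile(monitor, output_cap):
    """Capability deputy: the caller must hand over a write capability, so
    the deputy's own rights on log.txt are never exercised on its behalf."""
    monitor.cap_write(output_cap, "object code")
    return monitor.files[output_cap.obj]


def make_state():
    # Constructed matrix: the User may use out.o; only the compiler may write
    # log.txt.
    return AccessMatrix({
        "user": {"out.o": {"read", "write"}},
        "compiler": {"out.o": {"write"}, "log.txt": {"write"}},
    })


def run_acl_scenario():
    """User asks the ACL deputy to write its output to log.txt.
    Returns the log contents afterwards (the audit log is clobbered)."""
    rm = ReferenceMonitor(make_state())
    acl_compile(rm, "user", "log.txt")
    return rm.files["log.txt"]


def run_cap_scenario():
    """Same request under capabilities. Returns (log contents, error text):
    the attempt is rejected while the User is constructing the message."""
    rm = ReferenceMonitor(make_state())
    try:
        cap = rm.mint("user", "log.txt", "write")
        cap_compile(rm, cap)
        err = None
    except Denied as e:
        err = str(e)
    return rm.files["log.txt"], err


def run_cap_legit():
    """The intended use still works: the User holds write on out.o."""
    rm = ReferenceMonitor(make_state())
    return cap_compile(rm, rm.mint("user", "out.o", "write"))
```

Running `run_acl_scenario()` leaves `log.txt` overwritten with the compiler's output, while `run_cap_scenario()` never reaches the deputy at all: the rejection comes from `mint()`, the check on the User's direct permissions at message construction time that the ACL path has no equivalent of.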