[cap-talk] Hybrid ACL/capability systems are vulnerable to confused deputy
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Tue Feb 3 04:19:27 EST 2009
Karp, Alan H wrote:
> MarkM wrote:
>> I will take this opportunity to re-raise the topic of so-called "hybrid
>> capability systems" (HCS) like Gong's ICAP, Karger's SCAP, most of Kain
>> and Landwehr's taxonomy, and the "unauthorized capabilities" of the IBM
>> System/38 aka AS/400 aka iSeries. The basic idea of an HCS is that an
>> access is allowed iff it is allowed by ACL rules *and* it is allowed by
>> cap rules. In an HCS, the principal id of the immediate requestor is
>> still presented to the reference monitor, for checking against an ACL
>> as an additional requirement beyond the normal ocap rules. In one form
>> of HCS, the ACL to be checked is associated with the designated object.
>> In another, the ACL may be associated with the capability on which the
>> request is made.
>
> We have proposed something similar for the Navy to support Risk Adaptive
> Access Control (RADAC) with ZBAC. The user's identity, or more likely set
> of attributes, is used to make a context dependent decision on whether or
> not to honor the capability. For example, the capability will be honored
> unless we're at war with Canada and the submitter is a Canadian. It's
> important that the NBAC check be used only to reduce the rights carried
> in the capability, or you can get a confused deputy.
You can get a confused deputy vulnerability anyway, if you are relying
on the NBAC check. For example, a Canadian may submit a request to, say,
a Swiss service with a U.S. Navy object as a parameter, and assuming
that the U.S. is not at war with Switzerland, that service can act as
a confused deputy that resubmits the request to the U.S. Navy object.
The Canadian did need to have the relevant capability in the first place,
but still, the intended policy has not been enforced.
A system using a Horton-type protocol wouldn't have this vulnerability,
since revoking all Canadian rights would revoke the capability that the
Canadian passes to the Swiss service in the attack.
--
David-Sarah Hopwood ⚥
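The scenario in the post, as an added toy model that is not code from the cap-talk thread or from any of the systems it names: a reference monitor that allows access iff the capability rule and an ACL/attribute rule both pass, with the ACL rule evaluated against the immediate requester only (the hybrid form), compared with a check that also applies the rule to every principal in the capability's delegation chain (a simplified stand-in for Horton-style provenance; real Horton carries the "who" information through proxy stubs, which this model collapses into a tuple). All principal names, the `nationality` attribute and the `at_war_with` context are constructed for the example.

```python
"""Toy model of the hybrid ACL/capability gap and a provenance-aware fix.
Added example; all names and attributes below are constructed."""
from dataclasses import dataclass

# Constructed principal attributes, standing in for the RADAC/ZBAC attribute set.
PRINCIPALS = {
    "canadian_user": {"nationality": "CA"},
    "swiss_service": {"nationality": "CH"},
}


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference to an object.

    `chain` lists every principal that previously held and passed on this
    capability (simplified Horton-style provenance). A plain hybrid monitor
    ignores the chain and only sees the immediate requester.
    """
    target: str
    chain: tuple = ()

    def delegate(self, holder: str) -> "Capability":
        """Hand the capability to someone else; provenance grows by the holder."""
        return Capability(self.target, self.chain + (holder,))


class ReferenceMonitor:
    def __init__(self, objects):
        self.objects = set(objects)
        self.at_war_with = set()  # context-dependent attribute rule: denied nationalities

    def acl_allows(self, principal: str) -> bool:
        return PRINCIPALS[principal]["nationality"] not in self.at_war_with

    def hybrid_check(self, requester: str, cap: Capability) -> bool:
        """HCS rule: cap rule AND attribute rule on the *immediate* requester."""
        return cap.target in self.objects and self.acl_allows(requester)

    def provenance_check(self, requester: str, cap: Capability) -> bool:
        """Horton-like rule: the attribute rule must hold for the requester
        and for every principal the capability was delegated through, so
        revoking Canadian rights also revokes what the Canadian passed on."""
        return cap.target in self.objects and all(
            self.acl_allows(p) for p in (requester,) + cap.chain
        )


def swiss_service_relay(check, cap: Capability) -> bool:
    """The deputy: a Swiss service that resubmits any object it is handed,
    under its own identity, without intending to bypass anyone's policy."""
    return check("swiss_service", cap)


def scenario(use_provenance: bool = False) -> dict:
    """Run the post's example under one of the two checks.

    Returns whether the Canadian's direct request and the request relayed
    through the Swiss service are honoured once CA rights are revoked.
    """
    monitor = ReferenceMonitor(["navy_object"])
    check = monitor.provenance_check if use_provenance else monitor.hybrid_check
    cap = Capability("navy_object")  # issued to the Canadian before the policy change
    monitor.at_war_with.add("CA")   # context changes: Canadian rights revoked

    direct = check("canadian_user", cap)
    relayed = swiss_service_relay(check, cap.delegate("canadian_user"))
    return {"direct": direct, "relayed": relayed}


def cap_rule_still_required() -> bool:
    """Sanity check: without a capability for the object, nobody gets in."""
    monitor = ReferenceMonitor(["navy_object"])
    return monitor.hybrid_check("swiss_service", Capability("unrelated_object"))


if __name__ == "__main__":
    print("hybrid:     ", scenario(use_provenance=False))  # relayed request gets through
    print("provenance: ", scenario(use_provenance=True))   # relayed request denied
```

Under the hybrid check the direct request is denied but the relayed one is honoured, because the monitor only ever sees `swiss_service` as the requester: the intended policy was not enforced, although the Canadian did hold the capability. Under the provenance check the capability the Canadian delegated carries `canadian_user` in its chain, so the same context change denies both paths. Note that the provenance check only helps if delegation cannot bypass `delegate`; in a real system that property comes from the protocol (proxy stubs in Horton), not from a convention the deputy chooses to follow.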