[cap-talk] Hybrid ACL/capability systems are vulnerable to confused deputy
Karp, Alan H
alan.karp at hp.com
Tue Feb 3 10:07:28 EST 2009
David-Sarah Hopwood wrote:
>
> You can get a confused deputy vulnerability anyway, if you are relying
> on the NBAC check. For example a Canadian may submit a request to, say,
> a Swiss service with a U.S. Navy object as a parameter, and assuming
> that the U.S. is not at war with Switzerland, that service can act as
> a confused deputy that resubmits the request to the U.S. Navy object.
> The Canadian did need to have the relevant capability in the first place,
> but still, the intended policy has not been enforced.
>
Parameters are delegated to the invoked service, and we track the full delegation chain. If the attribute "Canadian" appears anywhere in the delegation chain, the request will fail.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
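
The delegation-chain check described in the reply above, as an added illustration that is not part of the original message or of HP's code. It models the Canadian / Swiss service / U.S. Navy object scenario and compares a check on the immediate invoker with a check on the full chain; all names (`Principal`, `Capability`, `check_full_chain`, the attribute sets) are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    attributes: frozenset  # e.g. nationality attributes (constructed values)


@dataclass(frozen=True)
class Capability:
    """A reference to a resource plus every principal it was delegated through."""
    resource: str
    chain: tuple  # principals, earliest holder first

    def delegate(self, to: Principal) -> "Capability":
        # Passing the capability as a parameter extends the chain; it is never reset.
        return Capability(self.resource, self.chain + (to,))


def check_invoker_only(cap: Capability, denied: frozenset) -> bool:
    """Weak check: only the principal presenting the capability is examined."""
    return not (cap.chain[-1].attributes & denied)


def check_full_chain(cap: Capability, denied: frozenset) -> bool:
    """Check from the reply: a denied attribute anywhere in the chain fails."""
    return all(not (p.attributes & denied) for p in cap.chain)


def scenario() -> dict:
    denied = frozenset({"Canadian"})  # constructed policy on the Navy object
    officer = Principal("navy_officer", frozenset({"US"}))
    canadian = Principal("canadian_user", frozenset({"Canadian"}))
    swiss = Principal("swiss_service", frozenset({"Swiss"}))
    root = Capability("navy_object", (officer,))
    # The Canadian holds the capability and passes it as a parameter to the Swiss service.
    via_deputy = root.delegate(canadian).delegate(swiss)
    # The same service receiving the capability without the Canadian in the chain.
    direct = root.delegate(swiss)
    return {
        "deputy_invoker_only": check_invoker_only(via_deputy, denied),
        "deputy_full_chain": check_full_chain(via_deputy, denied),
        "direct_full_chain": check_full_chain(direct, denied),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```
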