[cap-talk] Confused Deputies in Capability Systems
Karp, Alan H
alan.karp at hp.com
Fri Feb 6 17:08:00 EST 2009
Toby Murray wrote:
>
> The last discussion raised point (1) -- that confused deputies
> necessarily can perform actions that their clients cannot. I'm adding
> point (2) -- that these actions are performed "incorrectly" only (in
> fact, I'd say *by definition*) because either the service has failed to
> perform input validation or because it shouldn't be responding to a
> particular client -- the client shouldn't have gotten access to the
> service.
>
It's a bug if the service honors a request made with a forged authorization. It's a bug if the service uses its own rights incorrectly on behalf of a legitimate request, such as writing the wrong file. Neither of these is a confused deputy.
Using a capability that has more authority in the hands of the service than in the hands of the invoker is a confused deputy, so don't do that. The example from the earlier discussion was a URL pointing to a page inside the firewall. If that URL is passed outside the firewall, it can't be used. If it is passed back in, it can, and you have a confused deputy, so don't do that. Is not accepting such a URL an example of what you mean by input validation?
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
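The firewall URL example in the post, worked through as an added illustration (this is not code from the thread or from any capability system it discusses). A toy firewall reachability rule, the hosts, the page contents and every class name are constructed for the example. It contrasts the confused deputy (a service that resolves a caller-supplied URL with its own inside-the-firewall authority) with the two remedies the post names: refusing a URL the caller could not have used itself, and accepting only a capability that the caller already holds, so the reference carries no more authority in the deputy's hands than in the invoker's.

```python
"""
Toy model of the confused deputy discussed above.

A firewall divides a network: pages on INSIDE_HOSTS are reachable only from
inside. A deputy service runs inside and fetches pages for callers. Everything
here (hosts, pages, class names) is constructed for the illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample pages and firewall policy (not real hosts).
PAGES = {
    "http://intranet.example/payroll": "INTERNAL payroll page",
    "http://www.example/welcome": "public welcome page",
}
INSIDE_HOSTS = {"intranet.example"}


class Forbidden(Exception):
    """The firewall (or the deputy) refused the request."""


def host_is_inside(url: str) -> bool:
    return urlsplit(url).hostname in INSIDE_HOSTS


def firewall_fetch(url: str, *, caller_inside: bool) -> str:
    """The firewall rule: inside pages can only be fetched by inside callers."""
    if host_is_inside(url) and not caller_inside:
        raise Forbidden(f"{url} is not reachable from outside")
    return PAGES[url]


# 1. Confused deputy: the service resolves a caller-supplied URL from its own
#    (inside) position, so the same URL carries more authority in the
#    deputy's hands than in the caller's.
class ConfusedDeputy:
    def fetch_for(self, url: str, *, caller_inside: bool) -> str:
        return firewall_fetch(url, caller_inside=True)  # ignores who asked


# 2. Input-validation remedy: refuse a reference the caller could not have
#    used itself (the post's "don't do that").
class ValidatingDeputy:
    def fetch_for(self, url: str, *, caller_inside: bool) -> str:
        if host_is_inside(url) and not caller_inside:
            raise Forbidden("deputy will not exercise authority the caller lacks")
        return firewall_fetch(url, caller_inside=True)


# 3. Capability remedy: the deputy never takes a bare URL. The caller hands
#    over a capability, and capabilities are minted only where the holder
#    could already fetch the page, so passing one in cannot amplify authority.
@dataclass(frozen=True)
class PageCap:
    _url: str = field(repr=False)

    def read(self) -> str:
        return PAGES[self._url]


def mint_cap(url: str, *, caller_inside: bool) -> PageCap:
    firewall_fetch(url, caller_inside=caller_inside)  # prove reachability first
    return PageCap(url)


class CapabilityDeputy:
    def fetch_for(self, cap: PageCap) -> str:
        return cap.read()  # no ambient authority of the deputy is involved


def demo() -> dict:
    """Outside caller passes an inside URL back in; see how each deputy reacts."""
    inside_url = "http://intranet.example/payroll"
    results = {}
    # The confused deputy leaks the inside page to an outside caller.
    results["confused"] = ConfusedDeputy().fetch_for(inside_url, caller_inside=False)
    try:
        ValidatingDeputy().fetch_for(inside_url, caller_inside=False)
        results["validating"] = "leaked"
    except Forbidden:
        results["validating"] = "refused"
    try:
        mint_cap(inside_url, caller_inside=False)
        results["capability"] = "leaked"
    except Forbidden:
        results["capability"] = "refused"
    # A capability for a public page is still usable through the deputy.
    public_cap = mint_cap("http://www.example/welcome", caller_inside=False)
    results["capability_public"] = CapabilityDeputy().fetch_for(public_cap)
    return results


if __name__ == "__main__":
    print(demo())
```

The difference between remedies 2 and 3 is where the check lives: the validating deputy must know the firewall policy and re-derive the caller's authority on every request, while the capability deputy needs no policy at all, because the only way to obtain a `PageCap` is to have been able to fetch the page already.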