[cap-talk] Confused Deputies in Capability Systems

Bill Frantz frantz at pwpconsult.com
Fri Feb 6 18:02:45 EST 2009


alan.karp at hp.com (Karp, Alan H) on Friday, February 6, 2009 wrote:

>Toby Murray wrote:
>> 
>> The last discussion raised point (1) -- that confused deputies
>> necessarily can perform actions that their clients cannot. I'm adding
>> point (2) -- that these actions are performed "incorrectly" only (in
>> fact, I'd say *by definition*) because either the service has failed to
>> perform input validation or because it shouldn't be responding to a
>> particular client -- the client shouldn't have gotten access to the
>> service.
>>
>It's a bug if the service honors a request made with a forged authorization.  It's a bug if the 
>service uses its own rights incorrectly on behalf of a legitimate request, such as writing the wrong 
>file.  Neither of these is a confused deputy.  

More precisely, both of these errors are bugs in the implementation of the
capability system itself. Failure to check that the capability is valid
(correctly signed for certificate-based capabilities) is a failure in the
implementation of the capability mechanism. Using a capability that
designates file A to write file B is also a failure to maintain the
inseparability of designation and authorization.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
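The two failure modes named in the reply above (honoring a forged capability, and using the capability for file A to write file B), set against the classic confused deputy, as an added example that is not part of the original thread or of any capability system discussed on the list. It assumes a toy in-memory file store, an HMAC standing in for the certificate signature, and hypothetical names (`CapFileStore`, `AmbientFileStore`, `compile_with_cap`, `compile_with_ambient`):

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed for this example: the store's signing key, kept inside the store.
_ISSUER_KEY = secrets.token_bytes(32)


class InvalidCapability(Exception):
    """Raised when a presented capability fails to verify or lacks a right."""


def _payload(path, rights):
    # Designation and authority are MAC'd together, so neither can be swapped.
    return f"{path}|{','.join(sorted(rights))}".encode()


@dataclass(frozen=True)
class FileCap:
    """Certificate-style capability: path (designation), rights (authority), MAC."""
    path: str
    rights: frozenset
    mac: bytes


class CapFileStore:
    """Store whose write entry point takes only a capability; the target path
    comes from the capability, so no code path names file B with file A's cap."""

    def __init__(self):
        self.files = {}

    def mint(self, path, rights):
        rights = frozenset(rights)
        mac = hmac.new(_ISSUER_KEY, _payload(path, rights), hashlib.sha256).digest()
        return FileCap(path, rights, mac)

    def _check(self, cap, right):
        expected = hmac.new(_ISSUER_KEY, _payload(cap.path, cap.rights), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cap.mac):
            raise InvalidCapability("forged or tampered capability")
        if right not in cap.rights:
            raise InvalidCapability(f"capability for {cap.path} lacks {right!r}")

    def write(self, cap, data):
        self._check(cap, "write")
        self.files[cap.path] = data


class AmbientFileStore:
    """Contrast: authority comes from the caller's identity, designation from a
    separate path argument, so a deputy spends its own rights on a client's path."""

    def __init__(self, acl):
        self.acl = acl      # principal -> set of paths that principal may write
        self.files = {}

    def write(self, principal, path, data):
        if path not in self.acl.get(principal, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path] = data


def compile_with_cap(store, source, output_cap):
    """Deputy: writes through the capability it was handed; no path to confuse."""
    store.write(output_cap, f"compiled:{source}")


def compile_with_ambient(store, source, output_path):
    """Deputy: writes as itself to whatever path the client named."""
    store.write("compiler", output_path, f"compiled:{source}")


def run_capability_demo():
    """Returns (files, forged cap rejected?, read-only cap rejected?)."""
    store = CapFileStore()
    out_cap = store.mint("/home/alice/a.out", {"write"})
    compile_with_cap(store, "main.c", out_cap)
    # Forgery attempt: reuse a valid MAC under a different designation.
    forged = FileCap("/etc/billing", out_cap.rights, out_cap.mac)
    # Authority check: a read-only capability for the same file cannot write.
    read_only = store.mint("/home/alice/a.out", {"read"})
    rejected = []
    for cap in (forged, read_only):
        try:
            store.write(cap, "x")
            rejected.append(False)
        except InvalidCapability:
            rejected.append(True)
    return store.files, rejected[0], rejected[1]


def run_ambient_demo():
    """Returns the files after a client names the deputy's own file as output."""
    store = AmbientFileStore({"compiler": {"/home/alice/a.out", "/etc/billing"}})
    compile_with_ambient(store, "main.c", "/etc/billing")  # succeeds on deputy's rights
    return store.files
```

The design point is the shape of `CapFileStore.write`: it has no path parameter at all, so the mechanism rather than the deputy's diligence keeps designation and authority together, while `_check` is where a forged or tampered certificate is refused. `AmbientFileStore` shows why the ambient design needs the deputy to validate every client-supplied path itself.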

