[cap-talk] Confused Deputies in Capability Systems
Toby Murray
toby.murray at comlab.ox.ac.uk
Sat Feb 7 09:06:01 EST 2009
On Fri, 2009-02-06 at 15:02 -0800, Bill Frantz wrote:
> alan.karp at hp.com (Karp, Alan H) on Friday, February 6, 2009 wrote:
>
> >Toby Murray wrote:
> >>
> >> The last discussion raised point (1) -- that confused deputies
> >> necessarily can perform actions that their clients cannot. I'm adding
> >> point (2) -- that these actions are performed "incorrectly" only (in
> >> fact, I'd say *by definition*) because either the service has failed to
> >> perform input validation or because it shouldn't be responding to a
> >> particular client -- the client shouldn't have gotten access to the
> >> service.
> >>
> >It's a bug if the service honors a request made with a forged authorization. It's a bug if the
> >service uses its own rights incorrectly on behalf of a legitimate request, such as writing the wrong
> >file. Neither of these is a confused deputy.
>
> More precisely, both of these errors are bugs in the implementation of the
> capability system itself. Failure to check that the capability is valid
> (correctly signed for certificate based capabilities) is a failure in the
> implementation of the capability mechanism. Using a capability that
> designates file A to write file B is also a failure to maintain the
> inseparability of designation and authorization.
>
No, that's not what I had in mind.
Credentials are issued by specific Security Authorities. You ask your
Security Authority "is this credential valid?", so the SA acts like an
auditor.
I agree that these are bugs in the implementation of the service. I want
to know whether there is anything that formally distinguishes them from
confused deputy vulnerabilities or whether this is just a fuzzy concept
that has only subjective meaning.
Cheers
Toby
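A toy model of the three cases the thread is pulling apart, added here as an illustration and not code from any participant: an ambient-authority deputy that can be confused, a forged capability that a validity check rejects, and a capability deputy whose designation and authority cannot be separated. The paths, the in-memory store and all class names are constructed.

```python
def fresh_store() -> dict:
    # Constructed in-memory "file system": path -> contents.
    return {"/home/client/out.txt": "", "/etc/billing.db": "balance=100\n"}

class AmbientDeputy:
    """Writes with its OWN (ambient) authority wherever the client's path string
    says: designation and authority arrive separately, so the deputy is confusable."""
    def __init__(self, store): self.store = store
    def append_log(self, path: str, line: str) -> None:
        self.store[path] += line

class WriteCap:
    """Designation bound to authority; the authority recognises only objects it minted."""
    def __init__(self, path: str): self.path = path

class CapabilityAuthority:
    """Mints write caps and answers 'is this capability valid?' (the SA role above)."""
    def __init__(self, store):
        self.store, self._issued = store, set()   # identity-keyed set of minted caps
    def mint(self, path: str) -> WriteCap:
        cap = WriteCap(path); self._issued.add(cap); return cap
    def write(self, cap: WriteCap, line: str) -> None:
        if cap not in self._issued:               # the validity check discussed above
            raise PermissionError("forged or unissued capability")
        self.store[cap.path] += line

class CapDeputy:
    """Can only write where the presented capability designates."""
    def __init__(self, auth): self.auth = auth
    def append_log(self, cap: WriteCap, line: str) -> None:
        self.auth.write(cap, line)

def confused_deputy() -> str:
    store = fresh_store()
    AmbientDeputy(store).append_log("/etc/billing.db", "balance=0\n")
    return store["/etc/billing.db"]               # altered via the deputy's rights

def forged_capability() -> tuple:
    store = fresh_store(); deputy = CapDeputy(CapabilityAuthority(store))
    try:
        deputy.append_log(WriteCap("/etc/billing.db"), "balance=0\n")  # forged
    except PermissionError:
        return True, store["/etc/billing.db"]     # rejected, file untouched
    return False, store["/etc/billing.db"]

def capability_deputy() -> tuple:
    store = fresh_store(); auth = CapabilityAuthority(store)
    cap = auth.mint("/home/client/out.txt")       # the only right the client holds
    CapDeputy(auth).append_log(cap, "hello\n")
    return store["/home/client/out.txt"], store["/etc/billing.db"]
```

With the capability deputy the client cannot even name the billing file in a way the deputy will act on, which is the sense in which the confused deputy is not a bug in the service but in how authority reaches it.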