[cap-talk] Confused Deputies in Capability Systems

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Sat Feb 7 16:03:23 EST 2009


Toby Murray wrote:
> On Fri, 2009-02-06 at 10:49 -0500, Sandro Magi wrote:
>> An object-capability program that uses no rights amplification is not
>> subject to confused deputies.
> 
> That's a strong claim. Along with the claim that rights amplification
> can lead to confused deputies, it equates the possibility of confused
> deputies with rights amplification.

No it doesn't. The claim was restricted to object-capability programs.
It's still a strong claim, but it does not equate confused deputies with
rights amplification in the case of non-object-capability programs.

I have only seen purported counterexamples to this claim that depend on
either:
 a) constructing other access control mechanisms on top of a capability
    system, and exploiting vulnerabilities in those mechanisms.
 b) a deputy that acts as an interpreter.

> I'm not sure it's correct -- I think we could construct a confused
> deputy without rights amplification (of any kind). 

I would be interested in seeing an example that does not fall into a)
or b) above.

> Here's another strong claim that could be just as incorrect: any
> exploitable failure to vet a capability can result in a confused deputy
> and vice-versa.

This is either vacuous (because of the restriction to "exploitable"
failures), or incorrect. In the compiler example, for instance,
no vetting of capabilities is needed to avoid the vulnerability.

> A first attempt to build a confused deputy that does not use rights
> amplification:
> 
> Consider the final example from
> http://www.comlab.ox.ac.uk/people/toby.murray/papers/NDA.pdf in which
> users use non-delegatable authority provided by a "credential"
> capability to access classified networks via routers who are supposed to
> check the authenticity of such credentials before relying on them.
> Suppose a router fails to authenticate a credential. Then in a very
> strict sense, it could be considered a confused deputy.

This seems to be an instance of a). The requirement to check the
authenticity of credentials implies that you're constructing a
higher-level access control mechanism, and if a router fails to
perform that check, the problem is simply that that mechanism has
been implemented incorrectly.

-- 
David-Sarah Hopwood ⚥
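To make point a) above concrete, here is an added toy model of the router/credential scenario (constructed for this page, not code from the NDA paper or from either poster). The router holds the only reference to the classified network, users present "credential" objects, and the authenticity check is a separate mechanism layered on top of the capabilities; the hypothetical `vet` switch shows the same router with that mechanism implemented correctly and incorrectly.

```python
# Constructed illustration: capabilities are plain Python object references.
# Names (Network, Credential, Issuer, Router, vet) are assumptions of this
# example, not terms from the NDA paper or the list discussion.

class Network:
    """The protected resource; only the router holds a reference to it."""
    def __init__(self, name):
        self.name = name
        self.log = []

    def send(self, packet):
        self.log.append(packet)
        return len(self.log)          # packets delivered so far


class Credential:
    """An opaque token whose only meaning is 'the issuer minted this one'."""
    def __init__(self, holder, network_name):
        self.holder = holder
        self.network_name = network_name


class Issuer:
    """The higher-level access-control mechanism built on top of the caps."""
    def __init__(self):
        self._issued = []             # keep references so identity is stable

    def mint(self, holder, network_name):
        cred = Credential(holder, network_name)
        self._issued.append(cred)
        return cred

    def is_authentic(self, cred):
        # Authenticity is object identity, not structural shape: a look-alike
        # object with the same fields is not one the issuer made.
        return any(c is cred for c in self._issued)


class Router:
    """The deputy: it acts on the network on behalf of credential holders."""
    def __init__(self, networks, issuer, vet=True):
        self.networks = networks      # name -> Network capability
        self.issuer = issuer
        self.vet = vet                # False models the router that skips the check

    def forward(self, cred, packet):
        net = self.networks.get(cred.network_name)
        if net is None:
            return None               # no such network
        if self.vet and not self.issuer.is_authentic(cred):
            return None               # credential not vetted: refuse
        return net.send(packet)
```

A router with `vet=False` forwards for a look-alike credential as readily as for a minted one; the capability layer is untouched, and the defect lies entirely in the credential-checking mechanism built on top of it.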
