[cap-talk] Confused Deputies in Capability Systems
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Sat Feb 7 16:03:51 EST 2009
Sandro Magi wrote:
> On the ACL side, if ACL systems had a way to wrap input
> parameters in a "vetted" type so the server accepts only an authorized
> path string from clients, then the same resistance to confused deputies
> is enjoyed for ACLs (the vetted type performs the access check before
> it is sent to the service).
How does a path string get vetted?
If:
- vetted-paths are unforgeable, can be delegated between subjects,
and are only given to subjects that are authorized to access the
file at that path [*];
- such vetted values are the *only* way to access any kind of
access-controlled object;
- there are no other implicit channels by which authority can be
obtained or transmitted;
then we have a capability system (if ACL access controls are still
supported, it is a hybrid capability system), and the vetted values
are capabilities. If not, then we still have vulnerabilities
(confused deputy or excess authority).
[*] Identifying files in a way that does not depend on paths, i.e.
so that a file's identity is stable over moves, may be preferable.
--
David-Sarah Hopwood ⚥
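As an added illustration of the argument above (example code, not part of the original cap-talk thread): a toy "compile to this output path" service is modelled twice, once as an ACL-style deputy that writes under its own identity using whatever path string the client named, and once taking a vetted path value whose access check already ran on the client's authority before the call. The subjects `alice` and `compiler`, the paths, the `ACL` table and the names `VettedPath`, `vet_path`, `acl_compile` and `cap_compile` are all constructed for this example.

```python
from __future__ import annotations

# Added example, not from the original thread.  All subjects, paths and the
# ACL table below are constructed for illustration.

class AccessDenied(PermissionError):
    pass

# Constructed ACL: subject -> set of paths it may write.  The compiler service
# legitimately needs the billing ledger for its own records; "alice" does not.
ACL = {
    "alice":    {"/home/alice/out.txt"},
    "compiler": {"/home/alice/out.txt", "/var/billing/ledger"},
}

def acl_check(subject: str, path: str) -> None:
    """Ambient-authority check: who the caller *is* decides access."""
    if path not in ACL.get(subject, set()):
        raise AccessDenied(f"{subject} may not write {path}")

class Filesystem:
    def __init__(self) -> None:
        self.files: dict[str, str] = {}

    def acl_write(self, subject: str, path: str, data: str) -> None:
        acl_check(subject, path)
        self.files[path] = data

# ---- ACL side: the deputy writes under its own identity ------------------

def acl_compile(fs: Filesystem, output_path: str, source: str) -> None:
    # The service cannot tell whether the *client* was allowed to name
    # output_path; it can only check its own (larger) authority.
    fs.acl_write("compiler", output_path, f"compiled({source})")

def run_acl_scenario() -> bool:
    """Returns True if the client managed to clobber the ledger (the bug)."""
    fs = Filesystem()
    # alice supplies a path she could never write herself
    acl_compile(fs, "/var/billing/ledger", "int main(){}")
    return "/var/billing/ledger" in fs.files

# ---- Capability side: a vetted path value ---------------------------------

_MINT = object()   # private sentinel held only by vet_path(); models unforgeability

class VettedPath:
    """Unforgeable designation of a file the holder is authorized to write.
    It can be handed (delegated) to any subject; the service needs no further
    identity check because possessing the value is the authority."""
    __slots__ = ("_path",)

    def __init__(self, path: str, token: object) -> None:
        if token is not _MINT:
            raise TypeError("VettedPath can only be minted by vet_path()")
        self._path = path

    @property
    def path(self) -> str:
        return self._path

def vet_path(subject: str, path: str) -> VettedPath:
    """The access check runs here, on the *client's* authority, before the
    value is ever sent to the service."""
    acl_check(subject, path)
    return VettedPath(path, _MINT)

def cap_compile(fs: Filesystem, output: VettedPath, source: str) -> None:
    if not isinstance(output, VettedPath):
        raise TypeError("output must be a VettedPath, not a raw path string")
    fs.files[output.path] = f"compiled({source})"   # no ambient check needed

def run_cap_scenario() -> tuple[bool, bool, bool]:
    """Returns (client denied the ledger, ledger untouched, forgery rejected)."""
    fs = Filesystem()
    denied = False
    try:
        vet_path("alice", "/var/billing/ledger")         # check fails for alice
    except AccessDenied:
        denied = True
    cap_compile(fs, vet_path("alice", "/home/alice/out.txt"), "int main(){}")
    forged = False
    try:
        VettedPath("/var/billing/ledger", object())      # cannot mint without _MINT
    except TypeError:
        forged = True
    return denied, "/var/billing/ledger" not in fs.files, forged

if __name__ == "__main__":
    print("ACL deputy confused:", run_acl_scenario())
    print("cap (denied, ledger safe, forgery rejected):", run_cap_scenario())
```

The model only captures the first two conditions in the post (unforgeable, delegable vetted values as the sole way in); Python cannot enforce the third, since `fs.files` and `object.__new__` remain reachable as implicit channels, which is exactly the kind of leak the post says would reintroduce confused-deputy or excess-authority vulnerabilities.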