[cap-talk] Confused Deputies in Capability Systems
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Sat Feb 7 16:52:15 EST 2009
Toby Murray wrote:
> On Fri, 2009-02-06 at 21:38 +0000, Karp, Alan H wrote:
>> Toby Murray wrote:
>>> Consider the final example from
>>> http://www.comlab.ox.ac.uk/people/toby.murray/papers/NDA.pdf in which
>>> users use non-delegatable authority provided by a "credential"
>>> capability to access classified networks via routers who are supposed
>>> to check the authenticity of such credentials before relying on them.
>>> Suppose a router fails to authenticate a credential. Then in a very
>>> strict sense, it could be considered a confused deputy.
>>>
>> Allowing access with a potentially forged credential is a bug, not
>> a confused deputy.
>
> Why?
Because the router had sufficient information and ability to prevent
the attack. It just failed to perform an access check that was part of
the design of the higher-level credential mechanism that it was supposed
to be implementing.
One of the defining characteristics of confused deputy vulnerabilities
is that the deputy is not able to use available operations in the access
control system, with the information that it can reasonably be expected
to have, to prevent the attack. Note that we do not consider the deputy
to be trusted to duplicate checks that are part of the underlying
system's access control model, since it is outside that system's TCB.
(In the router example, the router is in the TCB of the credential
mechanism implementation.)
--
David-Sarah Hopwood ⚥
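To make the distinction in the reply above concrete, here is an added example (not code from the thread, from the NDA paper, or from any of its authors) of a router that is part of the TCB of a credential mechanism. The credential format, the MAC-based authenticity check, the key, and the network names are all assumptions invented for this illustration; the point is only that the router has the information and the operation it needs to reject a forged credential, so a router that skips the check is failing its own design rather than being confused.

```python
import hashlib
import hmac

# Constructed illustration: a credential is a capability-like token whose
# authenticity a router is expected to verify before relying on it.
# Authenticity here is a MAC under a key shared by the credential issuer
# and the routers. The key, the networks and the subjects are invented.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"

CLASSIFIED_NETWORKS = {"secret-net", "top-secret-net"}


def _payload(subject: str, network: str) -> bytes:
    # Length-prefixed fields, so that shifting the field boundary cannot
    # make two different (subject, network) pairs produce the same bytes.
    return b"%d:%s|%d:%s" % (len(subject), subject.encode(),
                             len(network), network.encode())


def issue_credential(subject: str, network: str, key: bytes = ISSUER_KEY) -> dict:
    """The credential issuer (inside the mechanism's TCB) mints a credential."""
    tag = hmac.new(key, _payload(subject, network), hashlib.sha256).hexdigest()
    return {"subject": subject, "network": network, "tag": tag}


def credential_is_authentic(cred: dict, key: bytes = ISSUER_KEY) -> bool:
    """The access check the router is supposed to perform before relying
    on the credential. Malformed credentials are simply not authentic."""
    try:
        expected = hmac.new(key, _payload(cred["subject"], cred["network"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(cred["tag"]))
    except (KeyError, TypeError, AttributeError):
        return False


def route(network: str, cred: dict, check_authenticity: bool = True) -> str:
    """A router guarding `network`. Returns "forwarded" or "rejected".

    check_authenticity=False models the router discussed in the thread:
    it relies on the credential without verifying it, even though the
    verification operation and the key are available to it.
    """
    if network not in CLASSIFIED_NETWORKS:
        return "forwarded"          # open network: no credential required
    if check_authenticity and not credential_is_authentic(cred):
        return "rejected"           # the check the mechanism's design requires
    if cred.get("network") != network:
        return "rejected"           # authentic, but issued for another network
    return "forwarded"


def demo() -> dict:
    """Run a genuine credential and a forgery through a correct and a buggy router."""
    genuine = issue_credential("alice", "secret-net")
    # A forgery: reuse alice's tag on a credential that claims a different network.
    forged = dict(genuine, network="top-secret-net")
    return {
        "genuine/correct": route("secret-net", genuine),
        "forged/correct": route("top-secret-net", forged),
        "forged/buggy": route("top-secret-net", forged, check_authenticity=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

The correct router rejects the forgery because it can recompute the tag; the buggy router forwards it. Nothing about the forged credential is indistinguishable to the router, which is why the thread classifies the failure as a bug in the router rather than as a confused deputy.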