[cap-talk] Confused Deputies in Capability Systems

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Sat Feb 7 17:11:38 EST 2009


Sandro Magi wrote:
> David-Sarah Hopwood wrote:
>> How does a path string get vetted?
>>
>> If:
>>  - vetted-paths are unforgeable, can be delegated between subjects,
>>    and are only given to subjects that are authorized to access the
>>    file at that path [*];
>>  - such vetted values are the *only* way to access any kind of
>>    access-controlled object;
>>  - there are no other implicit channels by which authority can be
>>    obtained or transmitted;
> 
> I was thinking of a sort of trusted object which performs the check at
> the appropriate time. In C#:
> 
> public sealed class VettedPath
> {
>   string path;
> 
>   // private: no way to construct an instance from outside
>   VettedPath (string path) { this.path = path; }
> 
>   // implicit coercion of a string to a VettedPath
>   // that performs the access check at time of creation
>   public static implicit operator VettedPath(string path)
>   {
>     // access check, throws UnauthorizedException
>     File.AccessCheck(path);

I'm assuming this check is based on the identity of the direct
caller of 'operator VettedPath(string)'.

(If it is based also on indirect callers, then we have a stack
inspection system: see that section of Tyler's "ACLs Don't" paper
for general problems with such systems, and see the recent
Java Calendar exploit for a concrete example.)

>     return new VettedPath(path);
>   }
> }

The problem is that there is no "appropriate time" to perform an
identity-based access check. We have only succeeded in moving the
point at which the confused deputy vulnerability is present to the
code that triggers the access check. That is, the direct caller
of 'operator VettedPath(string)' is now the confusable deputy.
If it has access to the file at 'path' but can act on behalf
of a client that doesn't, then there will be an exploitable
vulnerability.

Note that although VettedPath can reasonably be trusted (assuming
that File.AccessCheck is also audited), that does not imply that
its caller can be.

-- 
David-Sarah Hopwood ⚥
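The argument above, as an added example that is not part of the thread and is neither Sandro's nor David-Sarah's code: a small Python model of the VettedPath pattern with the access check keyed on the direct caller. The ACL, the file store, the principal names ("client", "deputy") and the function names are all constructed for this illustration; `access_check` stands in for the hypothetical `File.AccessCheck`. Design 1 lets the deputy coerce a client-supplied path string, so the check runs against the deputy's own identity and secret.txt leaks. Design 2 makes the deputy accept only VettedPath values, so the client must have passed the check itself while it was the direct caller, and the same request is refused.

```python
"""Toy model of the confused deputy that VettedPath moves but does not
remove (added example; not from the cap-talk thread)."""
from __future__ import annotations


class Unauthorized(Exception):
    """Raised when an identity-based access check fails."""


# Constructed sample data: a tiny ACL and a tiny file store.
ACL = {
    "/srv/reports/public.txt": {"client", "deputy"},
    "/srv/reports/secret.txt": {"deputy"},
}
FILES = {
    "/srv/reports/public.txt": "quarterly numbers",
    "/srv/reports/secret.txt": "merger plans",
}


def access_check(principal: str, path: str) -> None:
    """Stand-in for the hypothetical File.AccessCheck: an identity-based
    check keyed on whoever the runtime reports as the direct caller."""
    if principal not in ACL.get(path, set()):
        raise Unauthorized(f"{principal} may not read {path}")


class VettedPath:
    """Unforgeable-by-convention wrapper: only vet() creates instances.
    (Python does not enforce this the way a C# sealed class with a
    private constructor does; the design point is the same.)"""
    _token = object()

    def __init__(self, token: object, path: str) -> None:
        if token is not VettedPath._token:
            raise TypeError("construct via VettedPath.vet")
        self.path = path

    @classmethod
    def vet(cls, direct_caller: str, path: str) -> "VettedPath":
        # In C# the direct caller's identity would be supplied by the
        # runtime; here it is a parameter so the scenarios run offline.
        access_check(direct_caller, path)
        return cls(cls._token, path)


def read_file(vp: VettedPath) -> str:
    """The only way to open a file is to present a VettedPath."""
    if not isinstance(vp, VettedPath):
        raise TypeError("only VettedPath values may open files")
    return FILES[vp.path]


# Design 1: the deputy takes a path string and coerces it itself, so the
# access check sees the deputy's identity, not the client's. The deputy
# is now the confusable party, exactly as argued above.
def report_service_by_string(path: str) -> str:
    return read_file(VettedPath.vet("deputy", path))


# Design 2: the deputy accepts only VettedPath values. The client had to
# obtain one while *it* was the direct caller of vet(), so the deputy's
# own authority is never exercised on the client's behalf.
def report_service_by_capability(vp: VettedPath) -> str:
    return read_file(vp)


def client_request(path: str, design: str) -> str | None:
    """Principal 'client' asks the deputy for a report.
    Returns the contents, or None if the request was refused."""
    try:
        if design == "string":
            return report_service_by_string(path)
        vp = VettedPath.vet("client", path)  # client is the direct caller
        return report_service_by_capability(vp)
    except Unauthorized:
        return None


def forge_attempt() -> bool:
    """True if a caller could mint a VettedPath without going through vet()."""
    try:
        VettedPath(object(), "/srv/reports/secret.txt")
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    for design in ("string", "capability"):
        for path in FILES:
            print(design, path, "->", client_request(path, design))
```

Running the module prints that the string-based deputy hands "merger plans" to a client that has no right to secret.txt, while the capability-based deputy refuses it; public.txt is served by both. Note that the capability design does not add a better-timed identity check inside the deputy; it removes the deputy from the check entirely, which is the point of the paragraph above.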


