[cap-talk] Confused Deputies in Capability Systems
Bill Frantz
frantz at pwpconsult.com
Sat Feb 7 19:28:01 EST 2009
toby.murray at comlab.ox.ac.uk (Toby Murray) on Saturday, February 7, 2009 wrote:
>Credentials are issued by specific Security Authorities. You ask your
>Security Authority "is this credential valid?", so the SA acts like an
>auditor.
I'm trying to map this description onto the capability systems I know well.
Let's consider Joe-E and CapROS. In Joe-E, a capability (object reference)
is created by "new" and consists of a protected pointer. In CapROS, a
capability is created by the space bank or by the (process) builder and
consists of a protected data structure which designates the object and
describes the basic access rights to that object.
I don't quite see how to map the auditor, or the question, "Is this
credential valid?"
>I agree that these are bugs in the implementation of the service. I want
>to know whether there is anything that formally distinguishes them from
>confused deputy vulnerabilities or whether this is just a fuzzy concept
>that has only subjective meaning.
This is an interesting question. Let's consider the network interface for
CapROS. The network driver produces a capability for each TCP connection.
With most reasonable implementations, there is a place where a bug could
cause a capability for circuit A to actually access circuit B. If that
happens, there is certainly a bug, but it seems to me it is different from
a confused deputy.
A confused deputy occurs when the access check is performed for the wrong
subject. In the network interface case, the access check was for the
correct subject, the interface had access to all the TCP connections, and
was trying (and failing) to narrow that access down to one particular
connection. In the classic compiler case, the access check should have been
performed with the user as subject, but because the open was performed by
the compiler, the check used the compiler as subject instead.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | There are also no libertar- | Periwinkle
(408)356-8506 | ians in financial crises. | 16345 Englewood Ave
www.pwpconsult.com | - Jeff Frankel | Los Gatos, CA 95032
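The distinction drawn in the post above, as a toy model added here (this is not code from the post, nor from CapROS or Joe-E): an ACL-style compiler that opens the caller's output path under its own identity (the check runs with the wrong subject, the classic confused deputy), the same compiler driven by capabilities the caller must already hold, and a network driver that legitimately holds every circuit and hands out one narrowed capability per connection, with a deliberately sloppy variant whose capability for circuit A reaches circuit B. The principals, paths and circuit ids are constructed for the example.

```python
"""Confused deputy (wrong subject checked) versus a narrowing bug (right
subject, capability for A reaches B). Constructed toy model."""


class Denied(Exception):
    pass


# 1. Ambient authority: the classic compiler case.
ACL = {
    "/home/alice/prog.o": {"alice"},
    "/var/compiler/billing": {"compiler"},  # only the compiler may write
}
STORE = {}  # path -> last data written (stands in for the file system)


def acl_allows(subject, path):
    return subject in ACL.get(path, set())


def acl_write(subject, path, data):
    """ACL check: may *subject* write *path*?"""
    if not acl_allows(subject, path):
        raise Denied(f"{subject} may not write {path}")
    STORE[path] = data


def acl_compile(output_path, source):
    """The compiler opens the caller-supplied path as itself, so the check
    uses 'compiler' as subject rather than the user who chose the path.
    A user who names the billing file gets it overwritten: confused deputy."""
    acl_write("compiler", "/var/compiler/billing", "charge caller")
    acl_write("compiler", output_path, f"obj({source})")
    return STORE[output_path]


# 2. Capabilities: the caller can only hand over authority it already holds.
class WriteCap:
    """Designation plus authority for one path, obtainable only from a holder
    (the role a protected object reference plays in Joe-E)."""

    def __init__(self, path):
        self._path = path

    def path(self):
        return self._path

    def write(self, data):
        STORE[self._path] = data


def grant_caps(subject):
    """Issue caps for what the ACL lets *subject* write. This is where the
    access check happens, and it happens with the right subject."""
    return {p: WriteCap(p) for p, who in ACL.items() if subject in who}


COMPILER_CAPS = grant_caps("compiler")


def cap_compile(output_cap, source):
    """Output goes wherever the caller's cap designates; the compiler's own
    billing cap is never reachable from the caller's arguments."""
    COMPILER_CAPS["/var/compiler/billing"].write("charge caller")
    output_cap.write(f"obj({source})")
    return STORE[output_cap.path()]


# 3. Narrowing: a driver that holds every circuit and hands out one cap each.
class NetDriver:
    def __init__(self):
        self._circuits = {}  # circuit id -> data sent on it

    def open_circuit(self, cid):
        self._circuits[cid] = []
        return CircuitCap(self, cid)

    def _send(self, cid, data):
        self._circuits[cid].append(data)

    def sent_on(self, cid):
        return list(self._circuits[cid])


class CircuitCap:
    def __init__(self, driver, cid):
        self._driver, self._cid = driver, cid

    def send(self, data):
        self._driver._send(self._cid, data)


class SloppyNetDriver(NetDriver):
    """Constructed narrowing bug: routes to whichever circuit was opened last
    instead of the one the invoked cap designates. Not a confused deputy: the
    driver legitimately has all circuits and merely fails to narrow."""

    def open_circuit(self, cid):
        self._last = cid
        return super().open_circuit(cid)

    def _send(self, cid, data):
        self._circuits[self._last].append(data)


def narrowing_holds(driver):
    """Does each circuit cap reach only its own circuit?"""
    a, b = driver.open_circuit("A"), driver.open_circuit("B")
    a.send("to A")
    b.send("to B")
    return driver.sent_on("A") == ["to A"] and driver.sent_on("B") == ["to B"]
```

The two failures look alike from the outside (data lands where it should not), but the check that went wrong differs: in `acl_compile` the authority exercised belongs to the wrong subject, while in `SloppyNetDriver` the subject is right and the driver's own attempt to confine that authority to one circuit is what failed.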