[cap-talk] Confused Deputy terminology (was: Re: Confused Deputies in Capability Systems)
toby.murray at comlab.ox.ac.uk
Sun Feb 8 11:45:40 EST 2009
On Sat, 2009-02-07 at 19:08 -0800, Jed Donnelley wrote:
> At 06:06 AM 2/7/2009, Toby Murray wrote:
> > I want to know whether there is anything that formally distinguishes
> > them from confused deputy vulnerabilities or whether this is just a
> > fuzzy concept that has only subjective meaning.
> I believe this:
> "Not every program that misuses authority is a confused deputy.
> Sometimes misuse of authority is simply a result of a program error.
> The confused deputy problem occurs when the designation of an object
> is passed from one program to another, and the associated permission
> changes unintentionally, without any explicit action by either party.
> It is insidious because neither party did anything explicit to change
> the authority."
Ah got it. I like this. It rules out rights amplification then, since
this is always an explicit action. It also rules out the examples I was
trying to construct earlier in this thread. Finally, it also rules out all
invocations in which no designation is passed.
It also makes clear that IBAC is a necessary condition for confused
deputies. This would then imply that one can build confused deputies in
a cap system atop my NDA pattern, which is something I've always
expected but now have more reason to believe in.
Thanks for the clarification, this was the piece I'd been missing.
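To make the distinction in the quoted definition concrete, the following is an added Python sketch, not code from this thread or from any capability system discussed on cap-talk. It models one deputy twice: once under identity-based access control, where the permission attached to a passed name is looked up from the deputy's identity at time of use, and once under capabilities, where the designation and the permission travel together. The store, the file names and the subject identities ("client", "deputy") are constructed for the illustration.

```python
# Added illustration, not code from the cap-talk thread. The store, file names
# and subject identities are constructed for the example.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


# ---- Identity-based access control (IBAC): ambient authority ----------------
# Permission is decided at time of use from (subject identity, object name).
ACL = {
    "client-data.txt": {"client", "deputy"},
    "deputy-secret.txt": {"deputy"},  # the client must never write this
}


@dataclass
class IbacStore:
    files: dict = field(default_factory=dict)

    def write(self, subject: str, name: str, data: str) -> None:
        if subject not in ACL.get(name, set()):
            raise AccessDenied(f"{subject} may not write {name}")
        self.files[name] = data


def ibac_deputy(store: IbacStore, output_name: str, payload: str) -> None:
    # The deputy writes to the name the client designated, but the permission
    # checked is the deputy's own. The designation crossed the boundary and the
    # permission attached to it changed to the deputy's, without either party
    # doing anything explicit to change it.
    store.write("deputy", output_name, payload)


def ibac_scenario(requested_name: str):
    """Return (client_could_write_directly, final contents of requested_name)."""
    store = IbacStore()
    try:
        store.write("client", requested_name, "direct write")
        client_could = True
    except AccessDenied:
        client_could = False
    ibac_deputy(store, requested_name, "client-controlled output")
    return client_could, store.files.get(requested_name)


# ---- Capability system: designation and permission travel together ----------
@dataclass
class CapStore:
    files: dict = field(default_factory=dict)


class WriteCap:
    """Unforgeable reference that both names one object and permits writing it."""

    def __init__(self, store: CapStore, name: str) -> None:
        self._store, self._name = store, name

    def write(self, data: str) -> None:
        self._store.files[self._name] = data


def cap_deputy(output: WriteCap, payload: str) -> None:
    # The deputy can write only through the capability it was handed. Its own
    # secret capability is never reachable from a client-supplied designation.
    output.write(payload)


def cap_scenario(requested_name: str):
    """Return (client_holds_cap, final contents of requested_name)."""
    store = CapStore()
    client_caps = {"client-data.txt": WriteCap(store, "client-data.txt")}
    deputy_secret = WriteCap(store, "deputy-secret.txt")  # held by the deputy only
    deputy_secret.write("secret")
    cap = client_caps.get(requested_name)
    if cap is None:
        # A bare name is not a capability: with nothing to pass, the deputy
        # cannot be invoked on that object at all.
        return False, store.files.get(requested_name)
    cap_deputy(cap, "client-controlled output")
    return True, store.files.get(requested_name)


if __name__ == "__main__":
    print("IBAC:", ibac_scenario("deputy-secret.txt"))
    print("Caps:", cap_scenario("deputy-secret.txt"))
```

In the IBAC run the client cannot write `deputy-secret.txt` directly, yet the deputy writes client-controlled data there on the client's behalf: the designation was passed and the permission changed in transit, which is exactly the quoted definition. In the capability run the client holds no capability for that object, so there is no designation to pass, and the deputy's write lands only where the client itself could already write.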