[cap-talk] Confused Deputy terminology
david.hopwood at industrial-designers.co.uk
Sun Feb 8 14:49:36 EST 2009
Toby Murray wrote:
> On Sat, 2009-02-07 at 19:08 -0800, Jed Donnelley wrote:
>> At 06:06 AM 2/7/2009, Toby Murray wrote:
>>> I want to know whether there is anything that formally distinguishes
>>> them from confused deputy vulnerabilities or whether this is just a
>>> fuzzy concept that has only subjective meaning.
>> I believe this:
>> "Not every program that misuses authority is a confused deputy.
>> Sometimes misuse of authority is simply a result of a program error.
>> The confused deputy problem occurs when the designation of an object
>> is passed from one program to another, and the associated permission
>> changes unintentionally, without any explicit action by either party.
>> It is insidious because neither party did anything explicit to change
>> the authority."
> Ah got it. I like this. It rules out rights amplification then, since
> this is always an explicit action. It also rules out the examples I was
> trying to construct earlier in this thread. Finally, it also rules out all
> invocations in which no designation is passed.
> It also makes clear that IBAC is a necessary condition for confused
I don't think that is the case. Consider a "split capability" system [*],
in which for each message send, designators are sent separately from
permissions. The permissions are collected into a set without being
individually associated with any particular designator, and so it is
possible to have a confused deputy vulnerability in which an unintended
permission is used. But the system does not use IBAC.
(I seem to remember an implemented system like this, but can't remember
[*] This would not be considered a capability system by some definitions.
David-Sarah Hopwood ⚥
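The split-capability scenario above, as an added toy model (not code from the thread or from any real system): designators and permissions arrive in separate fields and the deputy pools permissions, so a client-supplied designator can be served by a permission the deputy already held. The `Perm`/`Cap` types, the `source` provenance field and the "confused" check are assumptions of this model, introduced here to make the mismatch visible; the second class shows the bundled-capability alternative, where designation and permission travel as one object.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    """A permission in the hypothetical split system; `source` records which
    party supplied it (provenance kept only so the confusion can be detected)."""
    target: str
    mode: str
    source: str


class SplitDeputy:
    """Deputy that receives designators and permissions in separate fields and
    pools all permissions into one set, unlinked from any designator."""

    def __init__(self, own_perms):
        self.pool = set(own_perms)  # the deputy's own authority, source="deputy"

    def handle(self, designator, perms, sender):
        """Client names an object and, separately, sends permissions. The deputy
        writes to the designated object using any pooled permission that fits.
        Returns (permission used, True if it came from a party other than the
        one that supplied the designator, i.e. the authority changed hands
        without either side acting explicitly)."""
        self.pool |= set(perms)
        used = next((p for p in self.pool
                     if p.target == designator and p.mode == "w"), None)
        confused = used is not None and used.source != sender
        return used, confused


@dataclass(frozen=True)
class Cap:
    """Bundled capability: designation and permission are one unforgeable value."""
    target: str
    mode: str


def ocap_request(client_caps, target):
    """In the bundled model the client can only pass a capability it holds;
    designating an object it has no capability for yields nothing to send."""
    return next((c for c in client_caps if c.target == target), None)


if __name__ == "__main__":
    deputy = SplitDeputy({Perm("billing.db", "w", "deputy")})
    print(deputy.handle("billing.db", {Perm("out.txt", "w", "client")}, "client"))
    print(ocap_request({Cap("out.txt", "w")}, "billing.db"))
```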