[cap-talk] Confused Deputy terminology

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Sun Feb 8 14:49:36 EST 2009

Toby Murray wrote:
> On Sat, 2009-02-07 at 19:08 -0800, Jed Donnelley wrote:
>> At 06:06 AM 2/7/2009, Toby Murray wrote:
>> http://www.eros-os.org/pipermail/cap-talk/2009-February/012166.html 
>>> I want to know whether there is anything that formally distinguishes
>>> them from confused deputy vulnerabilities or whether this just a
>>> fuzzy concept that has only subjective meaning.
>> I believe this:
>> "Not every program that misuses authority is a confused deputy.
>> Sometimes misuse of authority is simply a result of a program error.
>> The confused deputy problem occurs when the designation of an object
>> is passed from one program to another, and the associated permission
>> changes unintentionally, without any explicit action by either party.
>> It is insidious because neither party did anything explicit to change
>> the authority."
> Ah got it. I like this. It rules out rights amplification then, since
> this is always an explicit action. It also rules out the examples I was
> trying to construct earlier in this thread. Finally, also rules out all
> invocations in which no designation is passed.
> It also makes clear that IBAC is a necessary condition for confused
> deputies.

I don't think that is the case. Consider a "split capability" system [*],
in which for each message send, designators are sent separately from
permissions. The permissions are collected into a set without being
individually associated with any particular designator, and so it is
possible to have a confused deputy vulnerability in which an unintended
permission is used. But the system does not use IBAC.

(I seem to remember an implemented system like this, but can't remember
which one.)

[*] This would not be considered a capability system by some definitions.

David-Sarah Hopwood ⚥

More information about the cap-talk mailing list