[cap-talk] Confused Deputy terminology
Toby Murray
toby.murray at comlab.ox.ac.uk
Sun Feb 8 15:02:00 EST 2009
On Sun, 2009-02-08 at 19:49 +0000, David-Sarah Hopwood wrote:
> Toby Murray wrote:
> > On Sat, 2009-02-07 at 19:08 -0800, Jed Donnelley wrote:
> >> At 06:06 AM 2/7/2009, Toby Murray wrote:
> >> http://www.eros-os.org/pipermail/cap-talk/2009-February/012166.html
> >>
> >>> I want to know whether there is anything that formally distinguishes
> >>> them from confused deputy vulnerabilities or whether this is just a
> >>> fuzzy concept that has only subjective meaning.
> >> I believe this:
> >>
> >> "Not every program that misuses authority is a confused deputy.
> >> Sometimes misuse of authority is simply a result of a program error.
> >> The confused deputy problem occurs when the designation of an object
> >> is passed from one program to another, and the associated permission
> >> changes unintentionally, without any explicit action by either party.
> >> It is insidious because neither party did anything explicit to change
> >> the authority."
> >
> > Ah, got it. I like this. It rules out rights amplification then, since
> > this is always an explicit action. It also rules out the examples I was
> > trying to construct earlier in this thread. Finally, it also rules out all
> > invocations in which no designation is passed.
> >
> > It also makes clear that IBAC is a necessary condition for confused
> > deputies.
>
> I don't think that is the case. Consider a "split capability" system [*],
> in which for each message send, designators are sent separately from
> permissions.
Good point. I think I meant sufficient rather than necessary. Actually,
I'm not sure what I meant but I know that you're right...
> (I seem to remember an implemented system like this, but can't remember
> which one.)
I think it was one of Alan's systems, see
http://www2.computer.org/portal/web/csdl/doi/10.1109/MS.2003.1159028.
Cheers
Toby
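The definition Jed quoted above (a designation is passed from one program to another and the permission bound to it changes without either party acting), modelled as an added example that is not code from the thread or from any system discussed in it. The principal names, paths and ACL entries are constructed; the IBAC deputy checks only its own identity's rights, while the capability version binds permission to the designation when it is minted.

```python
# Constructed ACL: principal -> path -> rights. The client may write only
# its own report; the deputy (say, a compiler service) may also write a
# billing log the client is not supposed to touch.
ACL = {
    "client": {"/tmp/report.txt": {"write"}},
    "deputy": {"/tmp/report.txt": {"write"}, "/etc/billing.log": {"write"}},
}


class AccessDenied(Exception):
    pass


def check(principal, path, right):
    """Identity-based check: does this principal hold this right on this path?"""
    if right not in ACL.get(principal, {}).get(path, set()):
        raise AccessDenied(f"{principal} lacks {right} on {path}")


def ambient_deputy(client_path, store):
    """IBAC deputy: receives only a designation (a path string) and writes
    under its own identity. The right attached to the name is now the
    deputy's, not the client's: designation passed, permission changed."""
    check("deputy", client_path, "write")
    store[client_path] = "compiled output"


class WriteCap:
    """A designation and its permission travelling together."""
    def __init__(self, path):
        self._path = path

    def write(self, data, store):
        store[self._path] = data


def mint_write_cap(principal, path):
    """Authority is fixed at mint time by the holder's own rights."""
    check(principal, path, "write")
    return WriteCap(path)


def ibac_outcome(requested_path):
    """True if the client's request succeeds via the ambient-authority deputy."""
    store = {}
    try:
        ambient_deputy(requested_path, store)
    except AccessDenied:
        return False
    return requested_path in store


def capability_outcome(requested_path):
    """True if the client can obtain a capability and the deputy writes with it."""
    store = {}
    try:
        cap = mint_write_cap("client", requested_path)
    except AccessDenied:
        return False
    cap.write("compiled output", store)
    return requested_path in store
```

With the IBAC deputy the client's request to write the billing log succeeds, because the deputy's permission silently replaced the client's; with capabilities the client cannot mint the designation in the first place, so the deputy is never confused.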