[cap-talk] Confused Deputies in Capability Systems
Karp, Alan H
alan.karp at hp.com
Mon Feb 9 17:51:10 EST 2009
David-Sarah Hopwood wrote:
>
> > Validating capabilities does make sense in other environments. Tyler
> > pointed out a vulnerability in our Zebra Copy implementation. In that
> > work, capabilities are SAML authorization assertions. Each service
> > reference passed as an argument is represented by a SAML authorization
> > assertion delegating to the service being invoked the right in the
> > assertion. We neglected to verify that the invoker had the right being
> > delegated, which allowed a confused deputy attack.
>
> This is not a confused deputy attack. It's a mistake in the implementation
> of the capability system TCB. (It's also not a particularly subtle mistake,
> since it directly violates an assertion of the system design.)
>
The attack is possible even with a correctly implemented TCB. SAML certificates are assumed to be public documents. Alice can include a copy of a delegation from Carol to Bob in a request Alice makes of Bob, and Bob may use Carol's permission on behalf of Alice. If Carol is the powerbox for the person running Bob, then we have a classic confused deputy. If not, it's a different form of confused deputy, but the result is that the attacker gains an authority. Bob can protect himself by making sure the submitter of the request has the rights being delegated.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
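The replay described above, worked through as an added example (this is not Zebra Copy's code or the poster's). SAML authorization assertions are modelled as signed (issuer, subject, right) triples; a per-principal HMAC key stands in for the XML-DSig public-key signature so the block runs with the standard library only. The identity of the submitter is assumed to be authenticated by the request transport, and Bob is assumed to know which principal owns each resource (the OWNER table); both are assumptions, not something the post specifies. The vulnerable Bob honours any genuine delegation to Bob it finds among the arguments; the hardened Bob applies the check the post recommends, that the submitter actually holds the right being delegated, by requiring the delegation to Bob to be issued by the submitter and the submitter's authority to chain back to the resource owner.

```python
"""Replayed delegation assertions as a confused-deputy vector, and the
submitter check that closes it. Added example, not Zebra Copy's code."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Signing-key registry. Real SAML assertions carry XML-DSig signatures
# verified with the issuer's public key; a per-principal HMAC key is a
# stand-in (assumption) so the example runs with the standard library only.
KEYS = {"carol": b"carol-signing-key", "alice": b"alice-signing-key", "bob": b"bob-signing-key"}

# Which principal is the authority for each resource (assumed Bob knows this).
OWNER = {"carol/payroll.csv": "carol"}


@dataclass(frozen=True)
class Assertion:
    """Authorization assertion: issuer delegates `right` to `subject`."""
    issuer: str
    subject: str
    right: str      # e.g. "read:carol/payroll.csv"
    sig: bytes


def _payload(issuer: str, subject: str, right: str) -> bytes:
    return json.dumps([issuer, subject, right]).encode()


def issue(issuer: str, subject: str, right: str) -> Assertion:
    sig = hmac.new(KEYS[issuer], _payload(issuer, subject, right), hashlib.sha256).digest()
    return Assertion(issuer, subject, right, sig)


def verify(a: Assertion) -> bool:
    """Signature check only: proves the issuer said it, not who is presenting it."""
    key = KEYS.get(a.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _payload(a.issuer, a.subject, a.right), hashlib.sha256).digest()
    return hmac.compare_digest(expected, a.sig)


def bob_vulnerable(submitter: str, assertions: list, right: str) -> bool:
    """Bob as described in the post: any genuine assertion that delegates the
    right to Bob is honoured, regardless of who submitted the request."""
    return any(verify(a) and a.subject == "bob" and a.right == right for a in assertions)


def bob_hardened(submitter: str, assertions: list, right: str) -> bool:
    """Bob checks that the submitter (identity authenticated on the request
    transport; assumed here) actually holds the right being delegated: the
    delegation to Bob must be issued by the submitter, and the submitter's own
    authority must chain back to the resource owner through genuine assertions."""
    good = [a for a in assertions if verify(a) and a.right == right]
    if not any(a.subject == "bob" and a.issuer == submitter for a in good):
        return False
    owner = OWNER.get(right.split(":", 1)[1])
    holder, seen = submitter, set()
    while holder != owner:
        if holder in seen:
            return False           # delegation cycle: never roots at the owner
        seen.add(holder)
        link = next((a for a in good if a.subject == holder), None)
        if link is None:
            return False           # submitter cannot show how they got the right
        holder = link.issuer
    return True


RIGHT = "read:carol/payroll.csv"
# Constructed public documents: Carol delegating to Bob for her own request,
# and a legitimate two-step chain Carol -> Alice -> Bob.
CAROL_TO_BOB = issue("carol", "bob", RIGHT)
CAROL_TO_ALICE = issue("carol", "alice", RIGHT)
ALICE_TO_BOB = issue("alice", "bob", RIGHT)

if __name__ == "__main__":
    # Alice replays Carol's delegation to Bob inside her own request.
    print("vulnerable Bob, Alice replays Carol->Bob:", bob_vulnerable("alice", [CAROL_TO_BOB], RIGHT))
    print("hardened Bob, Alice replays Carol->Bob:", bob_hardened("alice", [CAROL_TO_BOB], RIGHT))
    print("hardened Bob, Carol's own request:", bob_hardened("carol", [CAROL_TO_BOB], RIGHT))
    print("hardened Bob, Alice with Carol->Alice->Bob:", bob_hardened("alice", [CAROL_TO_ALICE, ALICE_TO_BOB], RIGHT))
    print("hardened Bob, Alice with only Alice->Bob:", bob_hardened("alice", [ALICE_TO_BOB], RIGHT))
```

The point of the chain walk is that signature verification alone answers the wrong question: it tells Bob that Carol really issued the delegation, not that the party now presenting it was entitled to do so. Because the assertion is a public document, the vulnerable Bob treats Alice's copy exactly as it would treat Carol's own request.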