[cap-talk] Confused Deputies in Capability Systems

Mark Miller erights at gmail.com
Tue Feb 10 13:34:27 EST 2009

On Tue, Feb 10, 2009 at 10:08 AM, Rob Meijer <capibara at xs4all.nl> wrote:

> On Tue, February 10, 2009 14:26, Marcus Brinkmann wrote:
> > Toby Murray wrote:
> >> My argument is that confused deputies can arise whenever a service in an
> >> object-capability system similarly fails to perform input validation on
> >> the capabilities it is passed (rather than arbitrary strings), in the
> >> case that those capabilities are more powerful in its hands than in
> >> those of its clients (e.g. via rights-amplification).
> >
> > It's even simpler.  A confused deputy can also arise in capability
> > systems if a capability is designated by a symbolic name rather than a
> > capability.
> So what you are saying is that petnames give rise to confused deputies?
> Could you sketch a scenario where petnames usage could result in a
> confused deputy? Or have I misunderstood the above statement?

Or similarly a lambda-name, a.k.a. a c-list index. *All* object-capability
systems use such indexes to indicate which of their capabilities are to be
used. If these introduce confused deputies, then we're sunk. Fortunately, I
don't think they do.

I think we're missing some crucial distinctions. I don't yet know what those
are, but I think the questions being raised in this thread are the right
ones for uncovering these.

Text by me above is hereby placed in the public domain
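An added illustration, not from the thread or from any of its posters: a small Python model of the two designation styles under discussion. One deputy takes a symbolic name from its client and resolves it under its own authority (Brinkmann's case); the other takes a capability; and a kernel-style `invoke` shows how a c-list index of the kind Miller mentions is resolved in the caller's c-list rather than the callee's. The file paths, the `client`/`deputy` principals and the ACL rule in `open_by_name` are constructed for the example.

```python
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when the ACL check in open_by_name refuses the caller."""


@dataclass
class File:
    path: str
    contents: str = ""


@dataclass(frozen=True)
class FileCap:
    """Unforgeable reference to a File; possessing it is the write authority."""
    target: File

    def write(self, data: str) -> None:
        self.target.contents += data


def make_namespace() -> dict:
    """Constructed sample world (hypothetical paths, not from the thread):
    a file the client owns and a file the client must never touch."""
    return {
        "/home/client/out.txt": File("/home/client/out.txt"),
        "/var/billing/ledger": File("/var/billing/ledger", "balance=100\n"),
    }


def open_by_name(ns: dict, principal: str, path: str) -> FileCap:
    """ACL-style open: the check is made against whoever calls open, so a
    privileged deputy can open any name its client hands it."""
    if principal == "deputy" or path.startswith(f"/home/{principal}/"):
        return FileCap(ns[path])
    raise Denied(f"{principal} may not open {path}")


def compile_by_name(ns: dict, out_path: str, client: str) -> str:
    """Deputy whose output is designated by a symbolic name: the name is
    resolved under the deputy's own authority, not the client's."""
    cap = open_by_name(ns, "deputy", out_path)
    cap.write(f"output for {client}\n")
    return cap.target.path


def compile_by_cap(out: FileCap, client: str) -> str:
    """Deputy whose output is designated by a capability: whatever it is
    handed is something the client already held."""
    out.write(f"output for {client}\n")
    return out.target.path


@dataclass
class Process:
    """A protection domain with its own c-list."""
    name: str
    clist: list = field(default_factory=list)


def invoke(caller: Process, callee, arg_index: int) -> str:
    """Kernel-side translation of a c-list index: the index names a slot in
    the caller's c-list, never in the callee's, so the callee receives the
    capability itself and no name is resolved on its behalf."""
    return callee(caller.clist[arg_index], caller.name)


def name_designation_scenario() -> tuple:
    """Returns (could the client open the ledger directly?, ledger contents
    after asking the deputy to write there by name)."""
    ns = make_namespace()
    try:
        open_by_name(ns, "client", "/var/billing/ledger")
        direct = True
    except Denied:
        direct = False
    compile_by_name(ns, "/var/billing/ledger", "client")
    return direct, ns["/var/billing/ledger"].contents


def cap_designation_scenario() -> tuple:
    """Returns (paths the client could load into its c-list, the path the
    deputy wrote to via c-list index 0, ledger contents afterwards)."""
    ns = make_namespace()
    client = Process("client")
    for path in ns:
        try:
            client.clist.append(open_by_name(ns, "client", path))
        except Denied:
            pass  # the ledger never enters the client's c-list
    written = invoke(client, compile_by_cap, 0)
    held = [c.target.path for c in client.clist]
    return held, written, ns["/var/billing/ledger"].contents
```

In the first scenario the client is refused the ledger when it asks for it itself, yet gets it written to by naming it to the deputy. In the second, the only way the client can designate an output is by an index into its own c-list, and nothing it can put there reaches the ledger; the index is resolved before the deputy ever sees it.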
