[cap-talk] Confused Deputies in Capability Systems

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Feb 12 04:24:59 EST 2009


On Thu, 2009-02-12 at 02:04 +0100, Matej Kosik wrote:
> Toby Murray wrote:
> > On Wed, 2009-02-11 at 14:43 +0100, Matej Kosik wrote:
> >> Toby Murray wrote:
> >>> On Tue, 2009-02-10 at 21:31 -0800, Bill Frantz wrote:
> >>>> marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Tuesday, February 10, 2009 wrote:
> >>>>
> >>>>> It's even simpler.  A confused deputy can also arise in capability systems
> >>>>> if a capability is designated by a symbolic name rather than a capability.
> >>>>> Any service that translates names to capabilities can potentially have a
> >>>>> confused deputy problem.
> >>>> I am truly confused. How does translating a name, such as clist item[5],
> >>>> into a capability introduce the problem of using the wrong subject to check
> >>>> the authority, which is the essence of confused deputy?
> >>> Suppose one process has a really powerful capability in clist slot N.
> >>> Suppose it is implemented like this:
> >>>
> >>> char msg[] = ... 
> >>> char rmsg[] = ...
> >>> unsigned int len;
> >>> while (true) {
> >>>     uint index, replyCap;
> >>>     recvFromAnyone(msg,sizeof(msg),&len,&replyCap);
> >>>     index = atoi(msg);
> >>>     sendAndReceive(index,msg
> >>> +sizeof(uint),len-sizeof(uint),rmsg,sizeof(rmsg),&len);
> >>>     sendMessage(replyCap,rmsg,len)
> >>> }
> >> If I ignore the (probable) misuse of `sizeof' operator for determining
> >> the size of the message (as opposed to the size of the pointer to the
> >> message), 
> > 
> > Which you should -- It's been a little while since I've written C
> > (Should have written the example in BitC instead ;)
> > 
> >> I would like to ask:
> >>
> >> Is the first parameter of `sendAndReceive' function interpreted (by
> >> kernel) as capability? (i.e. an index to a c-list of the process that
> >> executes this code) ?
> > 
> > Yes.
> 
> I agree with you that the fragment of code above is buggy. I agree with
> you that we can write buggy subsystems (that use capabilities). Was this
> the point?

No. The bug was, like most of them, unintentional. The point was to
answer Bill's original question: "How can translating a name, such as
clist item into a capability" result in a confused deputy, or something
that resembles one.

Cheers

Toby



More information about the cap-talk mailing list