[cap-talk] Confused Deputies in Capability Systems

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Thu Feb 12 19:29:28 EST 2009


Mark Miller wrote:
> On Tue, Feb 10, 2009 at 10:08 AM, Rob Meijer <capibara at xs4all.nl> wrote:
> 
>> On Tue, February 10, 2009 14:26, Marcus Brinkmann wrote:
>>> Toby Murray wrote:
>>>> My argument is that confused deputies can arise whenever a service in an
>>>> object-capability system similarly fails to perform input validation on
>>>> the capabilities it is passed (rather than arbitrary strings), in the
>>>> case that those capabilities are more powerful in its hands than in
>>>> those of its clients (e.g. via rights-amplification).
>>> It's even simpler.  A confused deputy can also arise in capability systems
>>> if a capability is designated by a symbolic name rather than a capability.
>>
>> So what you are saying that petnames give rise to confused deputies?
>> Could you sketch a scenario where petnames usage could result in a
>> confused deputy? Or have I misunderstood the above statement?
>>
> 
> Or similarly a lambda-name, aka, a c-list index. *All* object-capability
> systems use such indexes to indicate which of their capabilities are to be
> used. If these introduce confused deputies, then we're sunk. Fortunately, I
> don't think they do.
> 
> I think we're missing some crucial distinctions. I don't yet know what those
> are, but I think the questions being raised in this thread are the right
> ones for uncovering these.

It is possible that I have never understood what a confused deputy problem is.
Apparently, the examples I (and Toby) are thinking of are just programming
errors in capability systems.  But apparently at the same time, the "billing
compiler" example from the 1960s or so is not just a programming error.  As my
experience with Unix only dates back to the early 90s, when SUID and access()
were already established programming paradigms (along with others such as
input validation in scripting), I cannot associate with the billing compiler
example.  It seems to me as much a programming error as the other
non-confused-deputy examples.

In my day-to-day practice as a programmer, I sometimes use capabilities (file
descriptors, HANDLEs), and sometimes I use files or named pipes, or even
network sockets for communication.  I choose whatever is most appropriate for
any given situation, based on a series of concerns, but _none of these
concerns is security_, because they all can be made sufficiently secure, and
there is no magic to any of it.

Thanks,
Marcus
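The distinction Marcus draws above (a service that resolves a symbolic name with its own authority versus one that is handed the capability itself) is easiest to see in code. The following is an added example, not code from the thread or any of its participants: it simulates a tiny filesystem with a per-file owner check, a "deputy" that owns a ledger file, and a client that asks the deputy to write a log record. The principal names (`deputy`, `alice`), the path `/var/log/deputy/ledger` and the `SimFS`/`Sink` classes are all constructed for the illustration.

```python
from typing import Dict, List


class Sink:
    """A write capability: holding one is the authority to append."""

    def __init__(self, records: List[str]) -> None:
        self._records = records

    def append(self, record: str) -> None:
        self._records.append(record)


class SimFS:
    """Constructed stand-in for a filesystem with a per-file owner ACL.

    open_for_append resolves a symbolic name on behalf of `principal` and
    checks that principal's rights; the returned Sink is the capability.
    """

    def __init__(self) -> None:
        self.files: Dict[str, List[str]] = {}
        self.owner: Dict[str, str] = {}

    def create(self, principal: str, path: str) -> None:
        self.files[path] = []
        self.owner[path] = principal

    def open_for_append(self, principal: str, path: str) -> Sink:
        if path not in self.owner:
            self.create(principal, path)
        if self.owner[path] != principal:
            raise PermissionError(f"{principal} may not write {path}")
        return Sink(self.files[path])


class NameBasedDeputy:
    """Accepts a *name* and resolves it with the deputy's own authority."""

    def __init__(self, fs: SimFS, principal: str = "deputy") -> None:
        self.fs, self.principal = fs, principal

    def log(self, path: str, record: str) -> None:
        # The name is resolved as 'deputy', not as the client: this is the step
        # that lets a client aim the deputy's authority at the deputy's files.
        self.fs.open_for_append(self.principal, path).append(record)


class CapabilityDeputy:
    """Accepts an already-open Sink; never resolves a name itself."""

    def log(self, sink: Sink, record: str) -> None:
        sink.append(record)


DEPUTY_LOG = "/var/log/deputy/ledger"  # constructed path owned by the deputy


def setup() -> SimFS:
    fs = SimFS()
    fs.create("deputy", DEPUTY_LOG)
    return fs


def name_based_scenario() -> List[str]:
    """Client 'alice' names the deputy's own ledger as her log destination.

    Returns the ledger contents afterwards: the deputy, confused about whose
    authority the name should be resolved with, wrote alice's record into it.
    """
    fs = setup()
    NameBasedDeputy(fs).log(DEPUTY_LOG, "alice: credit 1000")
    return fs.files[DEPUTY_LOG]


def capability_scenario(path: str) -> str:
    """Same request, but alice must open the sink with her *own* authority
    before handing it over; the deputy's authority never enters the resolution."""
    fs = setup()
    try:
        sink = fs.open_for_append("alice", path)
    except PermissionError as exc:
        return f"denied: {exc}"
    CapabilityDeputy().log(sink, "alice: credit 1000")
    return "written: " + ",".join(fs.files[path])


if __name__ == "__main__":
    print(name_based_scenario())
    print(capability_scenario(DEPUTY_LOG))
    print(capability_scenario("/home/alice/log"))
```

The capability variant is not "more validated"; it simply has no name to validate. Whatever the client can open, it can hand over, and whatever it cannot open, it cannot designate, so the deputy's own authority is never applied on the client's behalf. The name-based variant would need a check that the client is allowed to write the named file, which is exactly the check that gets forgotten.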
