[cap-talk] Confused Deputies in Capability Systems - not
Sam Mason
sam at samason.me.uk
Wed Feb 25 12:38:40 EST 2009
On Tue, Feb 24, 2009 at 12:12:35AM -0800, Jed Donnelley wrote:
> At 04:15 AM 2/23/2009, Sam Mason wrote:
> >In the compiler example this bug can be fixed a couple of ways:
> >
> > 1) the compiler shares responsibility with the operating system for
> > checking security properties, namely that it ensures the output file
> > isn't the same as the bill or any other state the compiler (but not the
> > client) has access to
>
> I don't think so. It may well be that the requester and the compiler
> (server) share access to a file that might be a legitimate sink for
> the requested output. The key aspect is that the communicated parameter
> indicates an object that the sender had access to when sending. This
> is exactly what a capability communication system guarantees, but which
> no mechanism that uses names for designation can supply.

I was mainly including this example because Marcus was asking why this
wasn't just a "programming error"[1] that could be fixed in the compiler
and why capabilities were considered to be such an improvement. Before
Jed's message I was beginning to convince myself that Marcus was correct
and it was "easy" to fix the bug above by just having it check that the
output file isn't the bill. I've since realized that it's far more
complicated than this and it should be checking that the source file was
readable by the submitting user and the output is going somewhere that's
writable to the submitting user. There are other exploitable bugs
remaining I've not enumerated and probably others I've not considered;
but if capabilities were used the problems above would disappear (and
a few others), simplifying things and strengthening the security of the
system.

In effect, everything can just be reduced down to programming errors,
but this doesn't seem to help much. One large part of designing secure
systems seems to be ensuring that errors cause no useful result being
returned (from the process that fails) rather than a compromise of the
larger system; capability systems seem to go a long way in ensuring
this.
--
Sam http://samason.me.uk/
[1] http://www.eros-os.org/pipermail/cap-talk/2009-February/012239.html
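The two designs contrasted in the message above, as an added illustration that is not code from the cap-talk thread or from any real capability system. A toy in-memory file store stands in for the operating system; `FileCap` models an unforgeable capability; the paths (`/compiler/bill`, `/compiler/pricelist`, `/home/alice/...`) are constructed for the example. The name-based compiler runs with authority over the whole store because it must update the bill, so a client-chosen output name is acted on with the compiler's authority; the `deny` parameter models the "just check it isn't the bill" fix and shows why it is not enough. The capability-based compiler writes only through a capability the client hands it, so a request against the bill cannot even be expressed.

```python
# Constructed illustration of the confused-deputy compiler discussed in the
# thread. Not code from cap-talk or from any real capability system.

class FileStore:
    """Toy in-memory file system: a name-to-contents map."""
    def __init__(self, files):
        self.files = dict(files)

    def read(self, path):
        return self.files[path]

    def write(self, path, data):
        self.files[path] = data


class FileCap:
    """A capability: an unforgeable reference to one file carrying the right to
    read and/or write it. Holding one is proof the holder was granted that
    access; the only way to obtain one is to be handed it."""
    def __init__(self, store, path, readable=True, writable=True):
        self._store, self._path = store, path
        self._readable, self._writable = readable, writable

    def read(self):
        if not self._readable:
            raise PermissionError("capability is write-only")
        return self._store.read(self._path)

    def write(self, data):
        if not self._writable:
            raise PermissionError("capability is read-only")
        self._store.write(self._path, data)


BILL = "/compiler/bill"          # constructed path: the compiler's billing file
PRICES = "/compiler/pricelist"   # constructed path: other compiler-private state


def fresh_store():
    return FileStore({
        "/home/alice/prog.c": "int main(){}",
        BILL: "",
        PRICES: "per compile: 1 credit",
    })


def compile_source(src):
    return "compiled(" + src + ")"


def name_based_compile(store, src_path, out_path, deny=frozenset()):
    """The deputy as described in the thread: the client designates input and
    output by *name*, and the compiler acts on those names with its own
    authority (it can write every file in the store, since it must update the
    bill). `deny` models the ad-hoc fix of refusing known-sensitive names."""
    if out_path in deny:
        raise PermissionError("refusing to write " + out_path)
    store.write(out_path, compile_source(store.read(src_path)))
    store.write(BILL, store.read(BILL) + src_path + "\n")   # one line per compile


class CapabilityCompiler:
    """The deputy with capability designation: it holds a private capability to
    the bill and writes output only through a capability the client passes in.
    It cannot turn a client's request into a write it was not handed a
    capability for, and the client has no name with which to reach the bill."""
    def __init__(self, bill_cap):
        self._bill = bill_cap

    def compile(self, src_cap, out_cap):
        out_cap.write(compile_source(src_cap.read()))
        self._bill.write(self._bill.read() + "1 compile\n")


def run_name_based(out_path, deny=frozenset()):
    """Client asks the name-based compiler to write its output to `out_path`.
    Returns the store contents afterwards."""
    store = fresh_store()
    name_based_compile(store, "/home/alice/prog.c", out_path, deny)
    return store.files


def run_capability_based():
    """Client holds only capabilities to its own files (read cap to the source,
    write cap to the output). Returns the store contents and the paths the
    client could designate at all."""
    store = fresh_store()
    compiler = CapabilityCompiler(FileCap(store, BILL))
    client_caps = {
        "/home/alice/prog.c": FileCap(store, "/home/alice/prog.c", writable=False),
        "/home/alice/prog.o": FileCap(store, "/home/alice/prog.o", readable=False),
    }
    compiler.compile(client_caps["/home/alice/prog.c"], client_caps["/home/alice/prog.o"])
    return store.files, sorted(client_caps)


if __name__ == "__main__":
    print(run_name_based(BILL)[BILL])                    # bill clobbered by output
    print(run_name_based(PRICES, deny={BILL})[PRICES])   # blacklist misses other state
    files, held = run_capability_based()
    print(files["/home/alice/prog.o"], repr(files[BILL]), held)
```

The point of the `deny` case is the one made in the message: refusing the bill's name closes one hole, but the compiler still carries authority over every other file it can reach, and the full fix in a name-based design means re-deriving, for each name, what the submitting user is allowed to read or write. In the capability design that question never arises, because the client's request is built only from objects the client already holds.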