[cap-talk] Confused Deputies in Capability Systems - not

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Feb 26 05:28:46 EST 2009

Sam Mason wrote:
> On Tue, Feb 24, 2009 at 12:12:35AM -0800, Jed Donnelley wrote:
>> At 04:15 AM 2/23/2009, Sam Mason wrote:
>>> In the compiler example this bug can be fixed a couple of ways:
>>>  1) the compiler shares responsibility with the operating system for
>>>  checking security properties, namely that it ensures the output file
>>>  isn't the same as the bill or any other state the compiler (but not the
>>>  client) has access to
>> I don't think so.  It may well be that the requester and the compiler
>> (server) share access to a file that might be a legitimate sink for
>> the requested output.  The key aspect is that the communicated parameter
>> indicates an object that the sender had access to when sending.  This
>> is exactly what a capability communication system guarantees, but which
>> no mechanism that uses names for designation can supply.
> I was mainly including this example because Marcus was asking why this
> wasn't just a "programming error"[1] that could be fixed in the compiler
> and why capabilities were considered to be such an improvement.  Before
> Jed's message I was beginning to convince myself that Marcus was correct
> and it was "easy" to fix the bug above by just having it check that the
> output file isn't the bill.  I've since realized that it's far more
> complicated than this and it should be checking that the source file was
> readable by the submitting user and the output is going somewhere that's
> writable to the submitting user.

Even that wouldn't be sufficient:

 - the compiler may not be authorized to know the information that
   would allow it to perform a correct access check.

 - performing access checks at user level introduces race conditions.

 - what if the client is itself a deputy? In that case the compiler's
   check that the client has the necessary permission would succeed,
   even though the access should be denied unless the client's client
   also had that permission. Even if (unrealistically) we assume that
   the compiler were trusted to perform system-level access checks,
   its client certainly will not be.

David-Sarah Hopwood ⚥

More information about the cap-talk mailing list