[cap-talk] Confused Deputies in Capability Systems - not

Bill Frantz frantz at pwpconsult.com
Fri Feb 27 19:22:03 EST 2009


marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Friday, February 27, 2009 wrote:

>Bill Frantz wrote:
>> marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Thursday, February 26, 2009 wrote:
>> 
>>> Instead, in a Unix implementation the compile should use suid/sgid mechanism
>>> and access() to check user-supplied filenames.  That is a robust mechanism to
>>> solve this problem that is provided by the operating system exactly for this
>>> use case.
>> 
>> Does this technique work in David-Sarah's example, where the client is
>> itself a deputy? Quoting:
>> 
>>> - what if the client is itself a deputy? In that case the compiler's
>>>   check that the client has the necessary permission would succeed,
>>>   even though the access should be denied unless the client's client
>>>   also had that permission. Even if (unrealistically) we assume that
>>>   the compiler were trusted to perform system-level access checks,
>>>   its client certainly will not be.
>
>No, but that has nothing to do with the compiler billing example as stated.

They both smell like Confused Deputy to me, but I'll let the security bug
taxonomists decide whether it is or not.

What is important is that this situation with 3 (or more) parties is a
real-world situation. The US Navy is implementing a system with this
requirement using SAML certificates. They need to get the authorization
right when a sailor accesses some resource on a NATO partner's system. The
current approach is to use SAML certificates as capabilities (they call it
ZBAC for authoriZation Based Access Control). Alan Karp, who is currently
buried in writing two papers and ignoring non-essential email, is the list
expert on this system.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"After all, if the conventional wisdom was working, the
408-356-8506       | rate of systems being compromised would be going down,
www.periwinkle.com | wouldn't it?" -- Marcus Ranum
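The three-party case David-Sarah raises, as an added illustration that is not code from the thread: a compiler that checks the permission of whoever invoked it (the suid/access() style Marcus proposes) cannot tell that its caller is a deputy acting for a third party, whereas a compiler that accepts a forwarded capability only ever exercises authority the end user could actually hand over. All principals, file names and rights below are constructed sample data.

```python
# Added illustration, not code from the thread; all principals, files and
# rights are constructed sample data.

class Denied(Exception):
    pass

# Ambient-authority policy: which identities may write which file.
ACL = {
    "project.o": {"client"},           # the client service's own output
    "user_out.o": {"client", "user"},  # the end user's legitimate output
}

# ---- Style 1: the compiler checks the permission of its immediate caller ----
def compile_ambient(path, caller):
    """Mirrors a suid compiler calling access(): only `caller` is examined."""
    if caller not in ACL.get(path, set()):
        raise Denied(f"{caller} may not write {path}")
    return f"wrote {path}"

def request_via_client_ambient(end_user, path):
    """The client is itself a deputy: it forwards the end user's request under
    its own identity, so the end user's rights never enter the check."""
    return compile_ambient(path, caller="client")

# ---- Style 2: authority travels along the chain as a capability ----
class Capability:
    """Unforgeable token designating one writable file; holding it is the permission."""
    def __init__(self, path):
        self.path = path

# Each principal holds only the capabilities it was legitimately issued.
HELD = {
    "user": {"user_out.o": Capability("user_out.o")},
    "client": {"project.o": Capability("project.o")},
}

def compile_capability(cap):
    """No lookup of who is calling: the presented capability is the authority."""
    if not isinstance(cap, Capability):
        raise Denied("no capability presented")
    return f"wrote {cap.path}"

def request_via_client_capability(end_user, path):
    """The client forwards only what the end user could hand it, never its own
    authority; a path the user holds no capability for is refused."""
    cap = HELD.get(end_user, {}).get(path)
    if cap is None:
        raise Denied(f"{end_user} holds no capability for {path}")
    return compile_capability(cap)
```

With the ambient check, the user reaches project.o through the client even though a direct request is refused; with the capability, the same request fails at the client because the user holds nothing to forward.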

