[cap-talk] "ambient authority" on wiki.erights.org
Sam Mason
sam at samason.me.uk
Thu Jun 18 15:31:25 EDT 2009
On Wed, Jun 17, 2009 at 01:14:01PM -0400, Sandro Magi wrote:
> I agree with David-Sarah here: this distinction is not convincing, and
> global variables are also ambient authorities, though not necessarily
> harmful ones, ie. the number 5, the immutable string "foo", etc.
Yes, it also seems instructive to note that otherwise mundane immutable
strings can convey authority when they happen to contain things like
password capabilities.
My understanding of ambient authority seems to be predicated on the
following:
1) a minimum of three subjects; Ana, Bob and Charlie in this example
2) Ana has a designator D that references an object known to Charlie.
D does not carry authorizing information
3) Ana shares D with Bob
4) Bob asks Charlie to perform some work on the object designated by D
Once we have these preconditions then for Charlie to do any work the
appropriate authorizations must be inferred and these inferences can
be exploited resulting in symptoms such as our infamous confused
deputy. Three subjects appear to be the minimum needed, and this is what I
think Rob is referring to when he says that permissions are "shared
implicitly"---if there are only two subjects then there is no ambiguity
in who to apply the permissions to.
The canonical filesystem example therefore has as subjects programs P1
and P2, and the OS. P1 passes a filename to P2 and P2 asks the OS to
"open" the file designated by the filename, the OS gets the authorizing
information by looking at the owner of P2 and not from the filename. We
therefore say that ambient authority exists and that this is a case of a
confused deputy.
The recent global variable/compiler example seems to consist of two
pieces of source code (say methods), the compiler and an object in
memory (at run time). The designator is a global variable that names
the object and the compiler assumes that both pieces of code should
access the object with identical authority. This ambiguity can be
fixed in various ways; most programs fix it by having the code assume a
single subject and hence avoid the problem completely. Languages like
E fix it by allowing programs to ensure that global variables confer no
authority.
My definition would hence be:
A system, containing at least three subjects, is said to contain
/Ambient Authority/ when a designator (D) naming an object known to
one subject (C) is shared between two other subjects (A and B) without
accompanying authorizations.
--
Sam http://samason.me.uk/
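The filesystem example in the message above, worked through as an added illustration (this is not code from the thread or from any capability system it refers to). The `Kernel` class, its ACL table, the subject names P1 and P2 and the file contents are all constructed here; the point is that the kernel authorizes an `open` by the identity of the requester and never by anything in the filename, so a deputy that opens names chosen by its caller lends the caller its own authority. The second deputy accepts only an already-opened file, so designation and authorization arrive together and there is nothing for the kernel to infer.

```python
"""
Model of the post's filesystem example: subjects P1 (client), P2 (deputy)
and the OS. Added illustration for this thread; the Kernel/ACL model,
the subject names and the file contents are all constructed here.
"""
import os
import tempfile


class Kernel:
    """Charlie in the post's terms: resolves a designator (a path) and
    decides authorization by looking at WHO asks, never at the name."""

    def __init__(self, acl):
        # acl: {subject_name: set of paths that subject may open} (constructed)
        self.acl = acl

    def open_as(self, subject, path):
        if path not in self.acl.get(subject, set()):
            raise PermissionError(f"{subject} may not open {path}")
        return open(path, "r", encoding="utf-8")


class AmbientDeputy:
    """P2 as usually written: accepts a filename from any caller and opens
    it under its own identity. The filename carries no authorization, so
    the kernel supplies P2's authority regardless of who chose the name."""

    def __init__(self, kernel, own_name):
        self.kernel = kernel
        self.own_name = own_name

    def read_for_caller(self, path):
        with self.kernel.open_as(self.own_name, path) as f:
            return f.read()


class CapabilityDeputy:
    """P2 rewritten so that designation and authorization travel together:
    the caller must hand over a file it has already opened itself. P2 never
    names a file, so it cannot be confused into lending its own authority."""

    def read_for_caller(self, opened_file):
        with opened_file as f:
            return f.read()


def demo():
    """Runs both deputies and returns (what the ambient deputy leaked,
    what the capability deputy read, whether P1 was blocked from the secret)."""
    with tempfile.TemporaryDirectory() as d:
        client_file = os.path.join(d, "client.txt")
        secret_file = os.path.join(d, "secret.txt")
        with open(client_file, "w", encoding="utf-8") as f:
            f.write("P1's own data")
        with open(secret_file, "w", encoding="utf-8") as f:
            f.write("P2-only data")

        # P1 may only read its own file; P2 (the deputy) may read both.
        kernel = Kernel({"P1": {client_file}, "P2": {client_file, secret_file}})

        # 1. Ambient authority: P1 merely passes the NAME of the secret file;
        #    the kernel authorizes the open against P2, so it succeeds and
        #    P2 acts as a confused deputy.
        ambient = AmbientDeputy(kernel, own_name="P2")
        leaked = ambient.read_for_caller(secret_file)

        # 2. Capability style: P1 must open the file itself and hand over the
        #    handle. It can do that for its own file ...
        cap = CapabilityDeputy()
        own = cap.read_for_caller(kernel.open_as("P1", client_file))

        #    ... but not for the secret file, so the deputy never sees it.
        try:
            kernel.open_as("P1", secret_file)
            blocked = False
        except PermissionError:
            blocked = True

        return leaked, own, blocked


if __name__ == "__main__":
    print(demo())
```

On a real POSIX system the same shape appears when a privileged service accepts paths from clients: the fix of passing an open file descriptor (for example over a Unix socket with SCM_RIGHTS) is the capability-style deputy above, because the descriptor is a designator that already carries the opener's authorization.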