[cap-talk] "ambient authority" on wiki.erights.org
Karp, Alan H
alan.karp at hp.com
Thu Jun 18 17:41:54 EDT 2009
Sam Mason wrote:
>
> My understanding of ambient authority seems to be predicated on the
> following:
>
> 1) a minimum of three subjects; Ana, Bob and Charlie in this example
>
> 2) Ana has a designator D that references an object known to Charlie.
> D does not carry authorizing information
>
> 3) Ana shares D with Bob
>
> 4) Bob asks Charlie to perform some work on the object designated by D
>
You have correctly specified the conditions necessary for a confused deputy, but that's not the same as defining ambient authorities. Confused deputy is a consequence of using ambient authorities, but it is not a definition of them.
>
> A system, containing at least three subjects, is said to contain
> /Ambient Authority/ when a designator (D) naming an object known to
> one subject (C) is shared between two other subjects (A and B) without
> accompanying authorizations.
>
Here's a counter example to your definition. Alice runs the following program (in no particular language):
main(String a, String b){
    copy(a, b);          // copy's first parameter is the destination
    return;
}
// Note the parameter order: (outName, inName). Called as copy(a, b),
// the file named by a is opened for writing and the file named by b is read.
function copy(String outName, String inName){
    File in = new File(inName, 'r');
    File out = new File(outName, 'w');
    out.write(in.read());
}
Alice has r/w authority to files a.txt and b.txt. If Alice invokes this program as mycopy("a.txt","b.txt") intending to copy the contents of a.txt to b.txt, she's in for a surprise. Alice does not specify which of her authorities are to be used because they are ambient. I would say that Alice is the only party involved, but I won't squawk if you insist on counting the OS. However, there is no way of counting that gets to three parties.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org [mailto:cap-talk-
> bounces at mail.eros-os.org] On Behalf Of Sam Mason
> Sent: Thursday, June 18, 2009 12:31 PM
> To: cap-talk at mail.eros-os.org
> Subject: Re: [cap-talk] "ambient authority" on wiki.erights.org
>
> On Wed, Jun 17, 2009 at 01:14:01PM -0400, Sandro Magi wrote:
> > I agree with David-Sarah here: this distinction is not convincing, and
> > global variables are also ambient authorities, though not necessarily
> > harmful ones, i.e. the number 5, the immutable string "foo", etc.
>
> Yes, it also seems instructive to note that otherwise mundane immutable
> strings can convey authority when they happen to contain things like
> password capabilities.
>
> My understanding of ambient authority seems to be predicated on the
> following:
>
> 1) a minimum of three subjects; Ana, Bob and Charlie in this example
>
> 2) Ana has a designator D that references an object known to Charlie.
> D does not carry authorizing information
>
> 3) Ana shares D with Bob
>
> 4) Bob asks Charlie to perform some work on the object designated by D
>
> Once we have these preconditions then for Charlie to do any work the
> appropriate authorizations must be inferred and these inferences can
> be exploited resulting in symptoms such as our infamous confused
> deputy. Three subjects appear to be the minimum needed and is what I
> think Rob is referring to when he says that permissions are "shared
> implicitly"---if there are only two subjects then there is no ambiguity
> in who to apply the permissions to.
>
> The canonical filesystem example therefore has as subjects programs P1
> and P2, and the OS. P1 passes a filename to P2 and P2 asks the OS to
> "open" the file designated by the filename, the OS gets the authorizing
> information by looking at the owner of P2 and not from the filename. We
> therefore say that ambient authority exists and that this is a case of a
> confused deputy.
>
> The recent global variable/compiler example seems to consist of two
> pieces of source code (say methods), the compiler and an object in
> memory (at run time). The designator is a global variable that names
> the object and the compiler assumes that both pieces of code should
> access the object with identical authority. This ambiguity can be
> fixed in various ways; most programs fix it by having the code assume a
> single subject and hence avoid the problem completely. Languages like
> E fix it by allowing programs to ensure that global variables confer no
> authority.
>
> My definition would hence be:
>
> A system, containing at least three subjects, is said to contain
> /Ambient Authority/ when a designator (D) naming an object known to
> one subject (C) is shared between two other subjects (A and B) without
> accompanying authorizations.
>
> --
> Sam http://samason.me.uk/
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
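An added example, not part of this thread or of any project discussed in it: Alan's swapped-parameter copy program written in Python and run twice on constructed sample files. The first run opens files by name, so the bug executes with all of Alice's (the process's) ambient authority and a.txt is overwritten; the second run takes file capabilities that Alice designates explicitly (a hypothetical FileCap class, one file in one mode), so the same bug is stopped before it can write a.txt.

```python
import os
import tempfile

class FileCap:
    """Authority to one file in one mode; the object itself is the grant."""
    def __init__(self, path, mode):
        self._path, self._mode = path, mode
    def read(self):
        if self._mode != "r":
            raise PermissionError("capability does not confer read")
        with open(self._path) as f:
            return f.read()
    def write(self, data):
        if self._mode != "w":
            raise PermissionError("capability does not confer write")
        with open(self._path, "w") as f:
            f.write(data)

def copy_ambient(out_name, in_name):
    # Opens by name: whatever the process may touch, this code may touch.
    with open(in_name) as src, open(out_name, "w") as dst:
        dst.write(src.read())

def copy_caps(out_cap, in_cap):
    # Same (out, in) parameter order; it can only use the caps it was handed.
    out_cap.write(in_cap.read())

def _reset(a, b):
    # Constructed sample files: a.txt holds "A", b.txt holds "B".
    for path, text in ((a, "A"), (b, "B")):
        with open(path, "w") as f:
            f.write(text)

def demo():
    """Alice intends 'copy a.txt to b.txt' and calls copy(a, b) both ways."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.txt"), os.path.join(d, "b.txt")
    r = {}
    _reset(a, b)
    copy_ambient(a, b)                 # bug runs with all of Alice's authority
    r["ambient_a"] = open(a).read()    # a.txt now holds "B": clobbered
    _reset(a, b)
    try:
        copy_caps(FileCap(a, "r"), FileCap(b, "w"))  # read a, write b, nothing more
        r["cap_error"] = None
    except PermissionError as e:
        r["cap_error"] = str(e)
    r["cap_a"] = open(a).read()        # still "A": the bug could not write a.txt
    return r
```

Because in_cap.read() is evaluated before out_cap.write(), the capability version fails on the write-only cap for b.txt first; either way a.txt is never opened for writing.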