[E-Lang] ACLs + delegation

Tyler Close tclose@oilspace.com
Thu, 1 Feb 2001 16:41:47 -0000


David wrote:
> I think there's also another useful response to the Confused Deputy
> problem: Insist that all security relevant operations make explicit
> under what authority the action is being requested.

This doesn't solve a thing if there is a mismatch between the
operation that the authority can authorize and the actions of a
particular operation. For example, your explicit ability to open files
in a particular directory can still be confused into opening a file
that you did not expect to open if clients can pass you a string file
name.

To defeat the Confused Deputy attack, there must be an exact match
between what the authority can do and what the action does do. Any
wiggle room opens the possibility of attack.

Tyler
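
The mismatch described in the message above, as an added example that is not part of the original post: a deputy names its directory authority explicitly on every open, yet a client-supplied string still selects the deputy's own billing file, while passing an already-open file makes the authority match the action. `DirAuthority`, `compile_by_name`, `compile_to_handle` and the file names are hypothetical.

```python
import os
import tempfile

class DirAuthority:
    """Hypothetical explicit authority: open any file directly inside one directory."""
    def __init__(self, root):
        self.root = root

    def open(self, name, mode="r"):
        if os.path.basename(name) != name:  # plain names only, so scope is exactly this directory
            raise PermissionError(name)
        return open(os.path.join(self.root, name), mode)

def charge(authority):
    with authority.open("billing.log", "a") as bill:
        bill.write("charged client\n")

def compile_by_name(authority, out_name, text):
    """Deputy states its authority explicitly, but the client's string chooses the file."""
    with authority.open(out_name, "w") as out:
        out.write(text)
    charge(authority)

def compile_to_handle(authority, out_file, text):
    """Client passes an open file: the write can reach only what that handle designates."""
    out_file.write(text)
    charge(authority)

def demo():
    """Run both designs on constructed sample data; return billing.log after each."""
    results = {}
    with tempfile.TemporaryDirectory() as svc, tempfile.TemporaryDirectory() as cli:
        auth = DirAuthority(svc)
        for design in ("by_name", "by_handle"):
            with auth.open("billing.log", "w") as f:
                f.write("prior charge\n")  # constructed existing record
            if design == "by_name":
                compile_by_name(auth, "billing.log", "output\n")
            else:
                with open(os.path.join(cli, "out.txt"), "w") as out:
                    compile_to_handle(auth, out, "output\n")
            with auth.open("billing.log") as f:
                results[design] = f.read()
    return results

if __name__ == "__main__":
    for design, log in demo().items():
        print(design, repr(log))
```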