[E-Lang] ACLs + delegation

Tyler Close tclose@oilspace.com
Sat, 3 Feb 2001 12:26:39 -0000

David Wagner wrote:
> Tyler Close wrote:
> >This doesn't solve a thing if there is a mismatch between the
> >operation that the authority can authorize and the actions of a
> >particular operation. For example, your explicit ability to open files
> >in a particular directory can still be confused into opening a file
> >that you did not expect to open if clients can pass you a string file
> >name.
> How can it be confused?  Remember, it is querying the SubjectID
> of the client and using that (rather than its own SubjectID) in
> the open() call.  How can the server get confused?

I don't know what you mean here by "querying the SubjectID of the
client". You'll have to be a lot more explicit here.

I am skeptical of this whole approach though, because it seems to miss
the point of the Confused Deputy attack.

On Thursday, February 01, 2001 5:52 AM, David Wagner wrote:
> In general, the "Confused Deputy" problem arises because accesses to
> the ACL-guarded object implicitly uses the Subject ID to decide whether
> the access should be granted.  Thus, one potential solution is to insist
> that all operations to an ACL-guarded object make explicit the Subject ID
> they are using to authorize the operation.  This can either lead to
> beneficial explicitness (probably a good thing, if you're trying to
> build secure systems) or unwanted clutter (a bad thing, if it just gets
> in the way).  This is a tradeoff, and the right answer seems to depend
> on the application.

According to my understanding of the problem, the Confused Deputy
attack doesn't have anything to do with explicitness, but with there
being a mismatch between the expressiveness of the authority and the
expressiveness of the designator. If a Subject has been placed on
several ACLs (or an ACL that grants several authorities/privileges),
then it is sometimes impossible to express which particular ACL entry
(or part of an ACL entry) is meant to authorize the invocation. This
is the heart of the Confused Deputy problem. Get the Deputy to use an
entry that they were trying to protect.

So the problem is that Subjects act as an umbrella for lots of
authority. You can be as explicit as you want when specifying the
Subject, the problem is that the Subject is not a precise instrument.
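The mismatch described in this message, illustrated as an added example that is not part of the E-Lang thread and not code by either participant. It simulates a deputy that writes files on behalf of clients using its own ACL authority over a directory, where the client designates the target with a string; it then shows the alternative in which the designator and the authority are the same object (a file capability), so there is no ambient authority for a string to redirect. The in-memory filesystem, the ACL table, the subject names and the class names (AclDeputy, FileCap, CapDeputy) are all constructed for this illustration.

```python
import posixpath

# Constructed in-memory "filesystem": absolute path -> contents.
FILES = {
    "/work/report.txt": "draft",
    "/work/notes.txt": "todo",
    "/billing/ledger.txt": "balance=0",
}

# Constructed ACL: path -> subjects allowed to write it.  The deputy is on
# every entry (it is an umbrella for a lot of authority); alice is only on
# the /work entries.  The ledger is what the deputy is supposed to protect.
ACL = {
    "/work/report.txt": {"deputy", "alice"},
    "/work/notes.txt": {"deputy", "alice"},
    "/billing/ledger.txt": {"deputy"},
}


class AccessDenied(Exception):
    pass


def acl_write(subject, path, data):
    """Reference monitor: the ACL is consulted for the *subject* doing the write."""
    if subject not in ACL.get(path, set()):
        raise AccessDenied(f"{subject} may not write {path}")
    FILES[path] = data


class AclDeputy:
    """Deputy with ambient authority: it writes /work/<name> on behalf of a client,
    but the write is authorised by the deputy's own SubjectID, not the client's."""
    subject = "deputy"

    def save(self, client, name, data):
        # The designator is a string; it can express any path, while the
        # authority used is the deputy's whole ACL footprint.  That mismatch is
        # the confusion: nothing ties the string to the one entry meant for it.
        path = posixpath.normpath(posixpath.join("/work", name))
        acl_write(self.subject, path, data)
        return path


class FileCap:
    """A capability: designation and authority in one unforgeable object.
    Holding it is the permission; there is no separate ACL lookup."""

    def __init__(self, path):
        self._path = path

    def write(self, data):
        FILES[self._path] = data

    def path(self):
        return self._path


class CapDeputy:
    """Deputy with no ambient authority: it can only write through a capability
    the client handed it, so it cannot be steered onto anything the client
    could not already reach."""

    def save(self, target: FileCap, data):
        target.write(data)
        return target.path()


def run_scenarios():
    """Return what each deputy ends up writing; the ACL deputy is redirected by a
    string, the capability deputy can only act on what alice holds."""
    results = {}

    # ACL deputy, honest use: alice asks for her own report.
    results["acl_honest"] = AclDeputy().save("alice", "report.txt", "v2")

    # alice herself is denied on the ledger by the reference monitor...
    try:
        acl_write("alice", "/billing/ledger.txt", "balance=999")
        results["alice_direct"] = "written"
    except AccessDenied:
        results["alice_direct"] = "denied"

    # ...but the string designator lets the deputy's authority be used instead.
    results["acl_confused"] = AclDeputy().save(
        "alice", "../billing/ledger.txt", "balance=999")

    # Capability deputy: alice's wallet holds only what she is entitled to.
    alice_caps = {"report.txt": FileCap("/work/report.txt"),
                  "notes.txt": FileCap("/work/notes.txt")}
    results["cap_honest"] = CapDeputy().save(alice_caps["report.txt"], "v3")
    # There is no ledger capability for alice to pass, so no request she can
    # form designates it; the deputy has nothing of its own to be confused into.
    results["cap_can_name_ledger"] = any(
        c.path() == "/billing/ledger.txt" for c in alice_caps.values())
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Note that the ACL deputy does check an ACL on every write; the monitor is not bypassed. The problem is the one the message names: the string designator is more expressive than the single ACL entry the deputy intended to exercise, and the SubjectID "deputy" stands in for all of its entries at once. In the capability variant the designator cannot express more authority than the client holds, so the question of which entry was meant never arises.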