
List:       cap-talk
Subject:    [cap-talk] Confused Deputy and Ambient Authority
From:       "Jonathan S. Shapiro" <shap () eros-os ! org>
Date:       2005-05-20 11:59:29
Message-ID: 1116590369.3236.5.camel () mikado ! cs ! jhu ! edu

I want to explain my confusion, MarkM's debunking, and try to recover
what the point was.

First, let me describe MarkM's compelling example for why separating
authority and designation is problematic in any deputy.

Suppose that we revise Norm's "Confused Deputy" example as follows:

  Imagine that designation and authority are separated. If a process
  P invokes an operation designating an object O for which the
  process holds authority, it is as though the process P held
  some set of capabilities to O, and acts with the *union* of the
  authority provided by these capabilities. [Note that not even
  UNIX makes this mistake.]

Now for the revision:

  Imagine that the client of the compiler has a READ capability
  to the logging file, and presents this capability to the compiler
  in the argument position of the *output* descriptor.

  The compiler internally has WRITE authority to the logging file.

  Under the union authority assumption, it happily overwrites the log.

So we can establish pretty clearly that keeping authority and
designation unified is important.

So why was I focused on "open"?  I will attempt to describe this in my
next note.

shap

_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk
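The revised scenario described in the message above, as an added toy model. This is not code from the post, from EROS, or from the cap-talk archive; the classes and function names (File, Cap, run_compiler_union, run_compiler_unified) are this example's own. It runs the same client/compiler/log setup under both policies: the union-of-authority model the post argues against, and a model where the deputy can act only through the capability it was actually handed.

```python
"""Toy model of the revised "Confused Deputy" from the post above.

Constructed example (not code from the post, EROS, or cap-talk).  A
compiler (the deputy) receives an *output* designator from a client and
also holds its own authority to a log file.  Two policies are modelled:

  * union-of-authority: designation and authority are separate; a process
    acts on a designated object with the union of every capability it
    holds to that object (the model the post argues against);
  * unified: the deputy acts through exactly the capability it was handed,
    so it can do no more with the client's designator than the client could.

Names (File, Cap, run_compiler_*) belong to this example, not to EROS.
"""


class File:
    """An object that can be read and written; identity is the Python object."""

    def __init__(self, name):
        self.name = name
        self.contents = []


class Cap:
    """A capability: a reference to an object bundled with a set of rights."""

    def __init__(self, obj, rights):
        self.obj = obj
        self.rights = frozenset(rights)

    def read(self):
        if "read" not in self.rights:
            raise PermissionError(f"no read right to {self.obj.name}")
        return list(self.obj.contents)

    def write(self, data):
        if "write" not in self.rights:
            raise PermissionError(f"no write right to {self.obj.name}")
        self.obj.contents.append(data)


def run_compiler_union(output_cap, log_cap):
    """Deputy under union-of-authority.

    The client's argument is treated purely as a *designation* of a target.
    The compiler then writes to that target with the union of the rights of
    every capability in its possession that refers to the same object,
    including its own log_cap.  Returns "written" or "denied".
    """
    held = [output_cap, log_cap]
    target = output_cap.obj
    rights = set()
    for c in held:
        if c.obj is target:
            rights |= c.rights
    if "write" in rights:
        target.contents.append("compiled output")
        return "written"
    return "denied"


def run_compiler_unified(output_cap, log_cap):
    """Deputy under unified designation and authority.

    The compiler logs through its own capability and writes output only
    through the capability the client passed in the output position.  If
    that capability lacks WRITE, the write fails regardless of what else
    the compiler holds.  Returns "written" or "denied".
    """
    log_cap.write("log: compile started")
    try:
        output_cap.write("compiled output")
        return "written"
    except PermissionError:
        return "denied"


def attack(model):
    """The post's scenario: client holds READ on the log, passes it as output."""
    log = File("log")
    client_read_log = Cap(log, {"read"})       # client's legitimate authority
    compiler_write_log = Cap(log, {"write"})   # the deputy's own authority
    result = model(client_read_log, compiler_write_log)
    return result, log.contents


def honest(model):
    """Control case: client passes WRITE on its own output file."""
    log = File("log")
    out = File("a.out")
    result = model(Cap(out, {"write"}), Cap(log, {"write"}))
    return result, out.contents


if __name__ == "__main__":
    for name, model in (("union", run_compiler_union),
                        ("unified", run_compiler_unified)):
        print(name, "attack:", attack(model), "honest:", honest(model))
```

Under the union model the attack overwrites the log with "compiled output" even though the client only ever held READ, because the deputy's own WRITE authority is silently joined to the client's designation. Under the unified model the same call is denied and the log keeps only the compiler's own entry, while the honest case (client passes a WRITE capability to its own file) succeeds under both, so nothing legitimate is lost by keeping authority bound to designation.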