The Confused Deputy
===================

What security problem prompted this short paper?
  Fortran compiler wants to keep global statistics in some file
  Gave compiler (SYSX)FORT "home files license" - what's this?
    Sounds like all files are named (dir)name
    Home files license allows (dir)prog to write (dir)xxx for any xxx
    Vaguely analogous to Unix setuid
  Attacker overwrote billing file (SYSX)BILL with compiler output
    [E.g., probably ran something like: (SYSX)FORT -o (SYSX)BILL file.f]

Is this a bug in the compiler?
  Original compiler code to output a file was correct
  Didn't anticipate running with extra authority

What does the title mean: "The Confused Deputy"?
  Compiler's authority stems from multiple sources--invoker, and home files
  Can be tricked into using one when it should be using the other

Claim: Hard to add permissions w/o creating security holes,
  or then restrict without breaking legitimate programs

SPIN
====

History: Who is Brian Bershad, Mach, etc.

What is motivation for this work?
  Why are MS-DOS and Windows cited in motivation?

What are the goals of SPIN?
  Extensibility
  Safety
  Performance

Example applications for SPIN?
  - TCP packet forwarder (e.g., NAT)
  - Video client/server
  - Web server with better caching
  What are the issues here that would require a new OS?

Key idea: allow apps to put extensions into kernel address space.
  Use:
    Co-location
    Enforced Modularity
    Logical protection domains
    Dynamic call binding

How does this compare to the approach of microkernels and L3 specifically?
  They claim: microkernels more complicated for applications
    Cite paper with scheduler activation implementation on Mach
    Apparently this was hard to do
  In theory, extensions work. In practice, not done so often.
    Why: High-communication overhead -> coarse-granularity of extension
  (Remember, Bershad is from Mach
   Liedtke's whole point was to achieve fast IPC to make this workable)

Idea: In safe language pointers are effectively capabilities. How so?
  Use Modula-3.
    What are important properties of this language?
      Interfaces *
      Type safety *
      Automated storage management *
      Objects
      Generic interfaces
      Threads
      Exceptions
  Why not just implement everything in kernel mode using Modula-3?

Can you pass capabilities to user-mode code?
  Yes, with externalized references (like file descriptors)

Go over example in Figure 1: (Work through all three examples)
  What is the point of Console.InterfaceName?
    Point is you somehow need to get handles for things, so have name server

What is a protection domain?
  Set of accessible names available to an execution context
  What is a protection domain in Unix? In Plan 9? What is it in SPIN?
  What's a safe object file? E.g., signed by compiler
  What's "safe by assertion", and why would you want to have such code?

What are four methods in Domain interface shown in Figure 2?
  Create (coff) -
  CreateFromModule () - exports yourself
  Resolve (source, target) -
  Combine (d1, d2) - e.g., SpinPublic

How does access control work? E.g., can anyone call console methods?
  Exporter can register authorization procedure with name server
    Called with identity of importer
  What might interface to name server look like?

What are Events, Handlers, and Guards?
  Event = procedure; Handler = call dispatcher with function pointer and arg
  Dispatcher uses dynamic code generation to optimize
  So basically an event is just an indirect procedure call
  Example?
    Event might be receiving a UDP packet
    Guard might be checking that destination port is N
    Handler is code belonging to server on UDP port N
  Go over Fig. 3

How would you register a page fault handler?

What is a strand?
  Go over interface in Figure 4
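
Added example (not from the paper or these notes): a toy Python model of the event/guard/handler dispatch and the identity-based authorization procedure discussed above, showing that an extension only sees packets for the port it was authorized for. The identities, port table and function names are constructed for illustration, and having the event owner choose the guard is this model's assumption, not SPIN's Modula-3 interface.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class UdpPacket:
    dst_port: int
    payload: bytes

Guard = Callable[[UdpPacket], bool]
# Constructed policy: which extension identity may serve which UDP port.
PORT_OWNERS: Dict[int, str] = {53: "dns_ext", 5004: "video_ext"}

def authorize(identity: str, port: int) -> Optional[Guard]:
    """Owner's authorization procedure: return the guard to impose, or None to refuse."""
    if PORT_OWNERS.get(port) != identity:
        return None
    return lambda pkt: pkt.dst_port == port

class Event:
    """An event is an indirect procedure call; raising it runs each handler whose guard passes."""
    def __init__(self, authorizer: Callable[[str, int], Optional[Guard]]):
        self._authorizer = authorizer
        self._bindings = []  # list of (guard, handler) pairs

    def install(self, identity: str, port: int, handler: Callable[[UdpPacket], None]) -> None:
        guard = self._authorizer(identity, port)  # called with the installer's identity
        if guard is None:
            raise PermissionError(f"{identity} may not install a handler for port {port}")
        self._bindings.append((guard, handler))  # guard chosen by the owner, not the extension

    def raise_event(self, pkt: UdpPacket) -> int:
        ran = 0
        for guard, handler in self._bindings:
            if guard(pkt):
                handler(pkt)
                ran += 1
        return ran

def demo():
    udp_arrived = Event(authorize)
    dns_seen, video_seen = [], []
    udp_arrived.install("dns_ext", 53, lambda p: dns_seen.append(p.payload))
    udp_arrived.install("video_ext", 5004, lambda p: video_seen.append(p.payload))
    refused = False
    try:  # video_ext asks to see port 53 traffic; the owner's policy refuses
        udp_arrived.install("video_ext", 53, lambda p: video_seen.append(p.payload))
    except PermissionError:
        refused = True
    packets = ((53, b"query"), (5004, b"frame"), (9999, b"stray"))  # constructed traffic
    ran = [udp_arrived.raise_event(UdpPacket(port, data)) for port, data in packets]
    return dns_seen, video_seen, refused, ran
```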