The Confused Deputy
===================

What security problem prompted this short paper?
    Fortran compiler wants to keep global statistics in some file
    Gave compiler (SYSX)FORT "home files license" - what's this?
        Sounds like all files are named (dir)name
        Home files license allows (dir)prog to write (dir)xxx for any xxx
        Vaguely analogous to Unix setuid
    Attacker overwrote billing file (SYSX)BILL with compiler output
        [E.g., probably ran something like:  (SYSX)FORT -o (SYSX)BILL file.f]

Is this a bug in the compiler?
    Original compiler code to output a file was correct
    Didn't anticipate running with extra authority

What does the title mean: "The Confused Deputy"?
    Compiler's authority stems from multiple sources--invoker, and home files
    Can be tricked into using one when it should be using the other

Claim: Hard to add permissions w/o creating security holes,
       or then restrict without breaking legitimate programs

Do capabilities solve the problem?  How?

Paradigm Regained
=================

TCB - trusted computing base

What is the principle of least authority (POLA)?
    How closely does MS Windows adhere to POLA?

What is a protection graph?
    subject - finest-grain unit of computation w. distinct access rights
    object - finest-grain unit to which separate access rights can be granted

What is the distinction between _de_jure_ and _de_facto_ access rights?
    de jure = by law => authorized to do something directly (permission)
        i.e., if there is a line in the protection graph
    de facto = in reality => can do something directly or indirectly (authority)
        i.e., if there is some path in the protection graph
    What's an example where someone has de facto but not de jure rights?
        *-property

How much authority does "cp" need?
    cp foo.txt bar.txt    vs.    cat < foo.txt > bar.txt
    What would it take for an OS/shell to support cp's syntax?

What is the object-capability model?
    No distinction between subjects
    Object = instance: code + state (state is a bunch of references)
             primitive: data, device, loader
    An object can send a message to any other object it has a reference to
    Idea: The reference graph is the access graph

What's the difference between objects and object capabilities?
    C++ has objects, but can cast integers to pointers - no good for security
    What about Java?
        Closer, but no access control for public static data
        so can't control all interactions through objects & references

Where have we seen this before?
    Spin
    Where do you store an object's capabilities?
        In Modula-3, simply store in variables
        For user-level code in Spin, use integer to index table
        This mechanism is known as a capability list or "c-list"

What are primitive objects:
    Data - immutable read-only data
        Since immutable, distinction between reference/value doesn't matter
    Devices - Only way for computational system to interact w. outside world
        Thus, can't communicate w. outside world w/o access to some device
    Loader - makes an instance from code + capabilities
        E.Loader (code, [ index => reference, i2 => r2, ...]) returns instance obj

Paper uses the E language to express systems with capabilities
    Look at sec 4.2, p. 9.  What's going on w. pointMaker?
    What is a closure?

What is the revocation problem?
    After calling an object B and giving it a capability C,
    want to prevent it from making further use of C
    Why is revocation impossible in a capability system?
        B has permission to access C (i.e., C is in its reference table)
        A can't remove C from B's reference table
        Allowing random processes to nuke each other's references is a bad idea
    Why does this paper claim that does not really matter?
        The point is we care about *authority*, not *permissions*
        So can give B the authority to do things w. C w/o giving it C

Look at caretakerMaker example, sec 4.3 on p. 10
    What is var?
        Like def, but value can be changed after closure created
    What is match?
        Can have procedures with named calls and arguments
        Match provides default, for calls to procedures not otherwise defined
    Is caretakerMaker good practice or bad?

What does this mean in sec 4.4, p. 11:
    "To render a permission-only analysis useless, a threat model need not
    include either malice or accident; it need only include subjects following
    security best practices."
    Security officer might want to know: "Who has permission to access C?"
    Does B have permission to access C in caretakerMaker example?
        No.  Has *authority* to access C, but only permission on caretaker obj
    What to conclude?
        Basically, should take mechanisms like caretaker into account in analysis
        caretaker not part of TCB, but used for POLA because of security properties

What is confinement, and why might one care about this?
    [go over calculator example]

What is a "data diode"?  How does this work on p. 15?

What is going on with factoryMaker on p. 13?

Paper vaguely mentions that E works across machines, using cryptography
    How might you design a system like this (say, using inspiration from V)?
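The revocation discussion and the caretakerMaker example (sec 4.3) above, worked through in JavaScript as an added illustration that is not the paper's E code or part of these notes: A gives B a caretaker rather than the real reference, so B has authority over the target but permission only on the caretaker, and A can later revoke. The Proxy `get` trap stands in for E's `match` clause; all names (caretakerMaker, makeBillingFile, demoRevocation) are hypothetical.

```javascript
// Added example: the caretaker pattern of sec 4.3 in JavaScript. A holds a
// reference to `target` and wants B to be able to use it without holding the
// reference itself, so that A can later cut B off. Names are hypothetical.
function caretakerMaker(target) {
  // Plays the role of E's `var target`: a slot that can be changed after the
  // closures below have captured it.
  let current = target;

  // The caretaker forwards any message to whatever `current` holds. The Proxy
  // `get` trap stands in for E's `match` clause: it handles calls to methods
  // the caretaker does not otherwise define.
  const caretaker = new Proxy(Object.create(null), {
    get(_unused, name) {
      if (current === null) throw new Error("caretaker revoked");
      const member = current[name];
      return typeof member === "function" ? member.bind(current) : member;
    },
  });

  // The revoker is a distinct object. Whoever holds only the caretaker has no
  // path to it, so B cannot un-revoke itself or reach `target` directly.
  const revoker = { revoke() { current = null; } };
  return [caretaker, revoker];
}

// Constructed stand-in for the billing file from the first paper: a log of writes.
function makeBillingFile() {
  const entries = [];
  return {
    name: "BILL",
    write(line) { entries.push(line); return entries.length; },
    entries() { return entries.slice(); },
  };
}

// Walk through A giving B a caretaker, B using it, and A revoking it.
function demoRevocation() {
  const bill = makeBillingFile();                // A's permission: a direct reference
  const [forB, revoker] = caretakerMaker(bill);  // B receives only the caretaker
  const before = forB.write("charge 1");         // B exercises authority over BILL
  revoker.revoke();                              // A severs the path
  let afterRevoke;
  try { forB.write("charge 2"); afterRevoke = "allowed"; }
  catch (e) { afterRevoke = e.message; }
  return { before, afterRevoke, entries: bill.entries() };
}
```

A permission-only audit of B's reference graph never shows BILL, only the caretaker, which is exactly the point the notes draw from sec 4.4.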