Confused Deputy Problem - Solutions

Solutions

In some systems it is possible to ask the operating system to open a file using the permissions of another client. This solution has some drawbacks:

  • It requires explicit attention to security by the server. A naive or careless server might not take this extra step.
  • It becomes more difficult to identify the correct permission if the server is in turn the client of another service and wants to pass along access to the file.
  • It requires the server to be trusted with the permissions of the client. Note that intersecting the server's and the client's permissions does not solve the problem either, because the server may then have to be given very wide permissions (all of the time, rather than only those needed for a given request) in order to act for arbitrary clients.

The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability is.

Using capability security in the compiler example, the client would pass to the server a capability to the output file, not the name of the file. Since the client lacks a capability to the billing file, it cannot designate that file for output. In the cross-site request forgery example, a URL supplied "cross"-site would include its own authority independent of that of the client of the web browser.
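
The compiler example in both designs, as an added sketch that is not part of the original article. The Deputy class, the billing.log file name, the client names and client_open (a stand-in for the operating system checking the client's own permissions at open time) are all assumptions made for illustration; demo() returns whether the name-based call destroyed the billing records, whether the client was refused a handle to the billing file, and whether the records survived the capability-based call.

```python
import os
import tempfile

class Deputy:
    """Compiler service with write authority over its own billing file."""
    def __init__(self, service_dir):
        self.billing = os.path.join(service_dir, "billing.log")  # hypothetical name
        with open(self.billing, "w") as f:
            f.write("client-1: 3 runs\n")  # constructed sample record

    def _bill(self, client):
        with open(self.billing, "a") as f:
            f.write(f"{client}: 1 run\n")

    def compile_by_name(self, client, source, out_path):
        # Confused: the name is opened with the deputy's authority, not the client's.
        self._bill(client)
        with open(out_path, "w") as out:
            out.write(f"compiled({source})")

    def compile_by_capability(self, client, source, out_file):
        # No name is resolved here; the deputy can only write where the handle points.
        self._bill(client)
        out_file.write(f"compiled({source})")

def client_open(client_dir, path):
    """Stand-in for the OS checking the client's own permissions at open time."""
    root, real = os.path.realpath(client_dir), os.path.realpath(path)
    if os.path.commonpath([root, real]) != root:
        raise PermissionError(f"client may not open {path}")
    return open(real, "w")

def demo():
    with tempfile.TemporaryDirectory() as svc, tempfile.TemporaryDirectory() as cli:
        deputy = Deputy(svc)
        # Name-based design: the client designates the billing file as output.
        deputy.compile_by_name("client-2", "main.c", deputy.billing)
        with open(deputy.billing) as f:
            clobbered = "client-1" not in f.read()
        deputy = Deputy(svc)  # reset the billing file
        # Capability design: the client must open the output file itself.
        try:
            client_open(cli, deputy.billing).close()
            denied = False
        except PermissionError:
            denied = True
        with client_open(cli, os.path.join(cli, "a.out")) as out:
            deputy.compile_by_capability("client-2", "main.c", out)
        with open(deputy.billing) as f:
            intact = f.read() == "client-1: 3 runs\nclient-2: 1 run\n"
    return clobbered, denied, intact
```

In the second design the deputy never turns a client-supplied string into a file, so there is no point at which its own authority over billing.log can be borrowed.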
