
Confused deputy problem

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dmeranda (talk | contribs) at 21:58, 2 April 2007 (External links: clean up reference links to Hardy publication). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


A confused deputy is a program that obtains authority from one party, then is fooled by some other party into misusing that authority. In information security, the confused deputy problem is often cited as a canonical example of why capability-based security is important.

The Deputy

The deputy is a program that is called upon (deputized) by a client to perform some action and at the same time granted by the client temporary authority to take that action. The client provides a name of a resource upon which to take the action. The deputy has additional built-in authority to take other actions that are a necessary part of its job.

A classic example is the UNIX passwd command, which is used to change a user's password. In UNIX, the passwords for all users are kept in a single file. To do its job, the passwd program has access to modify the entire password file, even though the user invoking it should not. A cross-site request forgery (CSRF) is an example of a confused deputy attack against a Web browser.

The Confused Deputy

Suppose the client names a resource to which it lacks authority. The deputy attempts its normal act on the resource named by its client. The deputy's act is permitted by security mechanisms because the deputy's built-in authority is sufficient for this act. The deputy has unwittingly abetted an indirect action by its client that the security rules were designed to prevent. The deputy has unwittingly abused its own built-in authority. The deputy is blameless if the semantics of the system did not allow it to say that the act was to be subject to its client's authority.

In the passwd example, the passwd command has an option to change another user's password, and indeed it has the authority to alter another user's password on its client's behalf. This functionality is intended for use by the superuser, for example, but not by a regular user. Only careful checking by passwd itself prevents a regular user from exploiting it. In the cross-site request forgery example, a client's Web browser has no means to distinguish the authority of the client from any authority of a "cross" site that the client is accessing.

Capability style solution

Capabilities solve the Confused Deputy problem implicitly in that the name supplied by the client to the deputy is a capability which naturally includes the necessary authority. The deputy's action is via that capability. The client is unable to provide a capability that by hypothesis it lacks.

In the example of the passwd command, this would amount to a user only being able to modify their own entry in the password file, with any program they might run, such as passwd, having the same restriction. In the cross-site request forgery case, it would mean that a URL supplied "cross"-site would include its own authority, independent of that of the client of the Web browser (for example, by using a YURL).
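The following is an added toy model (not from the article or from any real passwd implementation) of the three deputies discussed above: one that acts on a client-named path with its own built-in authority and so can be confused, the same deputy with the explicit client check that passwd relies on, and a capability-style deputy that can only act through a capability its client was actually issued. The file contents, principals and ACL are constructed for illustration.

```python
# Added example (not from the article): toy model of an ACL-style deputy that
# acts with its own ambient authority versus a capability-style deputy that
# acts only through a capability its client already holds. Constructed data.

FILES = {"/etc/passwd": "root:x:0\nalice:x:1000", "/home/alice/notes": ""}
# Access-control list: which principal may write which file.
ACL = {
    "alice": {"/home/alice/notes"},
    "deputy": {"/etc/passwd", "/home/alice/notes"},  # deputy's built-in authority
}

def write_as(principal, path, data):
    """Reference-monitor check: the *calling* principal must be on the ACL."""
    if path not in ACL.get(principal, set()):
        raise PermissionError(f"{principal} may not write {path}")
    FILES[path] = data
    return data

def confused_deputy(client, path, data):
    """Acts with the deputy's own authority on whatever path the client names;
    it never asks whether the client itself could write that path."""
    return write_as("deputy", path, data)

def checking_deputy(client, path, data):
    """Same deputy, but it re-checks the client's authority first: the
    'careful checking by passwd itself' that the article relies on."""
    if path not in ACL.get(client, set()):
        raise PermissionError(f"{client} lacks authority over {path}")
    return confused_deputy(client, path, data)

class WriteCap:
    """Unforgeable write capability: the name *is* the authority, so a client
    cannot hand the deputy a resource it was never issued a cap for."""

    def __init__(self, path):
        self._path = path

    def write(self, data):
        FILES[self._path] = data
        return data

def mint_caps(principal):
    """The system issues a principal exactly the caps its ACL entry allows."""
    return {p: WriteCap(p) for p in ACL[principal]}

def capability_deputy(cap, data):
    """Acts only through the capability it was handed; no path to confuse."""
    return cap.write(data)
```

Calling `confused_deputy("alice", "/etc/passwd", ...)` succeeds because only the deputy's authority is checked, whereas `mint_caps("alice")` yields no capability for `/etc/passwd`, so there is nothing alice can pass to `capability_deputy` that names it.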

  • Norman Hardy, The Confused Deputy: (or why capabilities might have been invented), ACM SIGOPS Operating Systems Review, Volume 22, Issue 4 (October 1988).
    • [1] official link to ACM published document.
    • [2] link to document text on University of Pennsylvania's website.
    • [3] citeseer cross reference.
  • Everything2: Confused Deputy (some introductory level text).

See also