Confused deputy problem

In information security, a confused deputy is a computer program that is tricked by another program (with fewer privileges or rights) into misusing its authority on the system. It is a specific type of privilege escalation. The confused deputy problem is often cited as an example of why capability-based security is important.

Capability systems protect against the confused deputy problem, whereas access-control list–based systems, in which a program's authority is ambient rather than attached to the objects it is handed, do not.

Example

In the original example of a confused deputy, there was a compiler program provided on a commercial timesharing service. Users could run the compiler and optionally specify a filename where it would write debugging output, and the compiler would be able to write to that file if the user had permission to write there.

The compiler also collected statistics about language feature usage. Those statistics were stored in a file called "(SYSX)STAT", in the directory "SYSX". To make this possible, the compiler program was given permission to write to files in SYSX.

But there were other files in SYSX: in particular, the system's billing information was stored in a file "(SYSX)BILL". A user ran the compiler and named "(SYSX)BILL" as the desired debugging output file.

This produced a confused deputy problem. The compiler made a request to the operating system to open (SYSX)BILL. Even though the user did not have access to that file, the compiler did, so the open succeeded. The compiler wrote its debugging output to the file (here "(SYSX)BILL") as normal, overwriting it, and the billing information was destroyed.

The confused deputy

In this example, the compiler program is the deputy because it is acting at the request of the user. The program is seen as "confused" because it was tricked into overwriting the system's billing file.

Whenever a program tries to access a file, the operating system needs to know two things: which file the program is asking for, and whether the program has permission to access the file. In the example, the file is designated by its name, "(SYSX)BILL". The program receives the file name from the user, but does not know whether the user had permission to write the file. When the program opens the file, the system uses the program's permission, not the user's. When the file name was passed from the user to the program, the permission did not go along with it; the permission was increased by the system silently and automatically.

It is not essential to the attack that the billing file be designated by a name represented as a string. The essential points are that:

- the designator for the file does not carry the full authority needed to access the file;
- the program's own permission to access the file is used implicitly.
Other examples

[Image: Barney Fife, prototypical confused deputy]

A cross-site request forgery (CSRF) is an example of a confused deputy attack that uses the web browser to perform sensitive actions against a web application. A common form of this attack occurs when a web application uses a cookie to authenticate all requests transmitted by a browser. Because the browser attaches that cookie to every request it sends to the application, regardless of which page caused the request, an attacker's page can, using JavaScript, force the browser into transmitting authenticated HTTP requests.

The Samy computer worm used cross-site scripting (XSS) to turn the browser's authenticated MySpace session into a confused deputy. Using XSS the worm forced the browser into posting an executable copy of the worm as a MySpace message, which was then viewed and executed by friends of the infected user.

Clickjacking is an attack where the user acts as the confused deputy. In this attack a user thinks they are harmlessly browsing a website (an attacker-controlled website) but they are in fact tricked into performing sensitive actions on another website.
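The cookie-authenticated web application described in the CSRF paragraph above, as an added example that is not from the original article: a Python sketch of a funds-transfer handler in which the session store, the Request object, the origin https://bank.example and the function names are all constructed for the example. The vulnerable handler authorises on the session cookie alone, which the browser attaches to a forged request as readily as to a legitimate one; the hardened handler additionally checks the Origin header, which the browser sets and a page cannot spoof, and a per-session token that only same-origin pages can read.

```python
"""Added example (not from the original article): a web application that
authenticates every request by session cookie alone lets the browser act as
a confused deputy, because the browser attaches the cookie to requests that
an attacker's page initiated.  The hardened handler additionally demands a
per-session token that only same-origin pages can read, and checks the
Origin header.  Session store, Request object, origin and handler names are
constructed for the example."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"          # assumed origin of the deputy (the web app)

# Constructed session store: session id -> (user, csrf token)
SESSIONS: dict[str, tuple[str, str]] = {}


def login(user: str) -> tuple[str, str]:
    """Create a session and a CSRF token bound to it; both are random."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = (user, token)
    return sid, token


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)   # sent automatically by the browser
    headers: dict = field(default_factory=dict)   # Origin is set by the browser, not the page
    form: dict = field(default_factory=dict)      # body chosen by whichever page initiated it


def transfer_vulnerable(req: Request) -> str:
    """Authorises on the cookie alone: the browser's ambient authority."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "denied: no session"
    return f"transferred {req.form.get('amount')} from {session[0]}"


def transfer_hardened(req: Request) -> str:
    """Requires proof that the initiating page holds the session's token."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "denied: no session"
    # A cross-site form or script carries the attacker's origin, which scripts cannot override.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return "denied: cross-origin request"
    # The token is readable only by same-origin pages; compare in constant time.
    if not hmac.compare_digest(req.form.get("csrf", ""), session[1]):
        return "denied: missing or wrong csrf token"
    return f"transferred {req.form.get('amount')} from {session[0]}"


def demo() -> tuple[str, str, str]:
    """Run one forged and one legitimate request through both handlers."""
    sid, token = login("alice")
    # Legitimate request from the site's own page: cookie, origin and token all present.
    good = Request({"sid": sid}, {"Origin": SITE_ORIGIN}, {"amount": "10", "csrf": token})
    # Forged request: the attacker's page made the browser submit it.  The cookie rides
    # along automatically, but the attacker can neither read the token nor spoof Origin.
    forged = Request({"sid": sid}, {"Origin": "https://evil.example"}, {"amount": "9999"})
    return transfer_vulnerable(forged), transfer_hardened(forged), transfer_hardened(good)


if __name__ == "__main__":
    print(demo())
```

The Origin check and the token are independent defences: the first rejects the forged request before any secret is compared, the second also covers clients that omit Origin. Neither relies on the cookie, which is exactly the credential the deputy cannot be trusted to interpret.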
An FTP bounce attack can allow an attacker to connect indirectly to TCP ports to which the attacker's machine has no access, using a remote FTP server as the confused deputy. The attacker's PORT command names a third host as the destination of the data connection, and the server opens that connection with its own network access rather than the attacker's.
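The server side of the bounce attack above, as an added example that is not from the original article: Python code for the check an FTP server makes before honouring a PORT command, modelled on the advice in RFC 2577 (refuse data connections to any address other than the control connection's peer, and to reserved ports). The addresses and command strings are constructed for the example.

```python
"""Added example (not from the original article): how an FTP server avoids
becoming the confused deputy in a bounce attack.  In active mode the client
sends "PORT h1,h2,h3,h4,p1,p2" (RFC 959) and the server connects out to that
address from its own network position.  The check below, modelled on the
advice in RFC 2577, accepts a PORT only if it names the peer that issued it
and an unprivileged port.  The addresses and commands are constructed."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(command: str) -> tuple[str, int]:
    """Decode an RFC 959 PORT argument into (ipv4 address, tcp port)."""
    m = PORT_RE.match(command.strip())
    if m is None:
        raise ValueError("malformed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_allowed(command: str, control_peer: str) -> tuple[bool, str]:
    """Decide whether to open the data connection the client asked for.

    control_peer is the source address of the control connection, learned from
    the TCP stack rather than from anything the client typed."""
    try:
        host, port = parse_port(command)
    except ValueError as e:
        return False, str(e)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        # The request designates a third party: this is the bounce.  Opening it
        # would lend the server's network reach to the client.
        return False, f"refused: data address {host} is not the control peer"
    if port < 1024:
        # Even back to the client's own address, reserved ports are relay targets.
        return False, f"refused: reserved port {port}"
    return True, f"ok: connect to {host}:{port}"


if __name__ == "__main__":
    peer = "203.0.113.7"                              # constructed client address
    for cmd in ("PORT 203,0,113,7,4,1",               # own address, port 1025
                "PORT 10,0,0,5,0,25",                 # bounce to an internal SMTP port
                "PORT 203,0,113,7,0,22"):             # own address, reserved port
        print(cmd, "->", port_allowed(cmd, peer))
```

The decisive input is control_peer, the one designator the server obtained itself; everything in the PORT command is attacker-supplied and, as with the compiler's file name, carries no authority of its own.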
Another example relates to personal firewall software. It can restrict Internet access for specific applications. Some applications circumvent this by starting a browser with instructions to access a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate; false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking "OK" to these prompts.

Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply a result of a program error. The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority.

Solutions

In some systems it is possible to ask the operating system to open a file using the permissions of another client. This solution has some drawbacks:

- It requires explicit attention to security by the server. A naive or careless server might not take this extra step.
- It becomes more difficult to identify the correct permission if the server is in turn the client of another service and wants to pass along access to the file.
- It requires the client to trust the server not to abuse the borrowed permissions. Note that intersecting the server's and the client's permissions does not solve the problem either, because the server may then have to be given very wide permissions (all of the time, rather than those needed for a given request) in order to act for arbitrary clients.

The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability is.

Using capability security in the compiler example, the client would pass to the server a capability to the output file, such as a file descriptor, rather than the name of the file. Since it lacks a capability to the billing file, it cannot designate that file for output. In the cross-site request forgery example, a URL supplied "cross"-site would include its own authority independent of that of the client of the web browser.
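The two designs contrasted in the Solutions section, applied to the compiler case from the Example section, as an added example that is not part of the original article or of Hardy's paper: a small Python simulation in which the file store, the ACL table and the principal names ("user", "compiler", "admin") are constructed for the example. It runs the same user request, naming (SYSX)BILL as the debug output, against a name-based (ACL, ambient authority) deputy and against a capability-passing deputy, and shows that only the first one can be confused.

```python
"""Added example (not from the original article or Hardy's paper): a
simulation of the compiler example under the two designs the Solutions
section contrasts.  The file store, ACLs and principal names are constructed
for the example.  In the ACL design the deputy opens files by name and the
"operating system" checks the deputy's own permission, so a user can make it
overwrite (SYSX)BILL.  In the capability design the user must first obtain a
writable handle under the user's own authority and pass that handle; no handle
to the billing file can be obtained, so the deputy cannot be confused."""

# Constructed file store and ACL: file name -> content, and file name -> principals that may write
FILES = {"(SYSX)STAT": "stats", "(SYSX)BILL": "billing records", "(USER)OUT": ""}
ACL = {"(SYSX)STAT": {"compiler"}, "(SYSX)BILL": {"compiler", "admin"}, "(USER)OUT": {"user"}}


def os_write(principal: str, name: str, data: str) -> None:
    """ACL design: authority is ambient; the check uses whoever makes the call."""
    if principal not in ACL.get(name, set()):
        raise PermissionError(f"{principal} may not write {name}")
    FILES[name] = data


def compiler_acl(_requesting_user: str, debug_output_name: str) -> None:
    """The deputy.  It writes debug output where the user asked, but the write
    is performed with the compiler's permission, not the user's: the name
    carried no authority, and the system silently supplied the compiler's.
    _requesting_user is never consulted; that omission is the whole bug."""
    os_write("compiler", "(SYSX)STAT", "stats+1")
    os_write("compiler", debug_output_name, "debug output")


class WriteCapability:
    """Designation and permission bundled: holding this object is the right to write."""

    def __init__(self, name: str):
        self._name = name

    def write(self, data: str) -> None:
        FILES[self._name] = data


def open_for_write(principal: str, name: str) -> WriteCapability:
    """Capability design: the only way to get a handle is to pass the ACL check
    as yourself; after that no further name-based check is needed."""
    if principal not in ACL.get(name, set()):
        raise PermissionError(f"{principal} may not write {name}")
    return WriteCapability(name)


def compiler_cap(stat_cap: WriteCapability, debug_cap: WriteCapability) -> None:
    """The deputy receives capabilities, never names, so it can only write
    where its caller could already write."""
    stat_cap.write("stats+1")
    debug_cap.write("debug output")


def run_acl_attack() -> str:
    """User names the billing file as debug output; the deputy overwrites it."""
    compiler_acl("user", "(SYSX)BILL")
    return FILES["(SYSX)BILL"]


def run_cap_attack() -> str:
    """The same request under capabilities fails at the user's own open()."""
    stat_cap = open_for_write("compiler", "(SYSX)STAT")    # the compiler's own capability
    try:
        debug_cap = open_for_write("user", "(SYSX)BILL")    # the user cannot obtain this
    except PermissionError as e:
        return str(e)
    compiler_cap(stat_cap, debug_cap)
    return FILES["(SYSX)BILL"]


def run_cap_legit() -> str:
    """The ordinary case: the user owns (USER)OUT, so the deputy writes there."""
    compiler_cap(open_for_write("compiler", "(SYSX)STAT"), open_for_write("user", "(USER)OUT"))
    return FILES["(USER)OUT"]


if __name__ == "__main__":
    print("capability design, legitimate output:", run_cap_legit())
    print("capability design, billing file:", run_cap_attack())
    print("ACL design, billing file:", run_acl_attack())
```

Under the ACL design the compiler has no way to learn whether the user could write the named file, and the system never asks. Under the capability design the question is settled where the user tries to obtain the handle, before the deputy is involved, which is what "bundling designation and permission" buys.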
See also

- Setuid executables in Unix
- Ambient authority

References

1. Wu, Jianliang; Cui, Tingting; Ban, Tao; Guo, Shanqing; Cui, Lizhen (2015-09-10). "PaddyFrog: systematically detecting confused deputy vulnerability in Android applications". Security and Communication Networks. 8 (13): 2338–2349. doi:10.1002/sec.1179.
2. "ACLs don't". sourceforge.net.
3. "The Confused Deputy (or why capabilities might have been invented)". Archived from the original on 2003-12-05. Retrieved 2003-12-31.
4. "clickjacking: The Confused Deputy rides again!". sourceforge.net.
5. Alfred Spiessens: Patterns of Safe Collaboration, PhD thesis. http://www.evoluware.eu/fsp_thesis.pdf, Section 8.1.5.

External links

- Norman Hardy, The Confused Deputy: (or why capabilities might have been invented), ACM SIGOPS Operating Systems Review, Volume 22, Issue 4 (October 1988).
  - ACM published document.
  - Document text on Norm Hardy's website.
  - Document text on University of Pennsylvania's website.
  - Citeseer cross reference.
- Capability Theory Notes from several sources (collated by Norm Hardy).
- Everything2: Confused Deputy (some introductory level text).
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.