Confused Deputy

References:

Overview

The story, told of a system much like AT&T Unix:

RUN (SYSX)FORT invokes the compiler FORT, which is installed in the directory SYSX.

The compiler writes its debug information to a file whose name is supplied by the invoker (A_FILE in these notes).

(SYSX)STAT is where the compiler writes usage statistics; that file name is hardcoded in the compiler. So that the compiler can write STAT, it is given the "home files license", which lets it write any file in its home directory (SYSX), and hence (SYSX)STAT.

(SYSX)BILL contains billing information and must never be overwritten by the compiler.

But when the invoker passes (SYSX)BILL to (SYSX)FORT as the debug file name, the home files license lets the write through and the billing information is overwritten.

==> The compiler is a confused deputy: it runs with authority stemming from two sources.

  • The invoker lends his authority to the compiler when he says "RUN (SYSX)FORT";
  • The compiler's other authority stems from its home files license.

==> When the compiler writes statistics, it intends to use the authority granted by its home files license;

When it writes its debugging output, it intends to use the authority of its invoker;

But the compiler has no way of expressing these intents! Both authorities are ambient: every write is checked against their union, so a bare file name cannot carry the information of which authority was meant to apply.
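The following is an added example, not code from the notes or from Hardy's paper: a toy re-enactment of the story that runs the same compiler twice, once under ambient authority (an ACL checked against the union of the invoker's and the compiler's rights) and once with capabilities, the standard remedy, where the invoker has to mint a write handle for the debug file with his own authority before the compiler ever runs. The file names and the home files license rule follow the notes; the class and function names (AclFileSystem, WriteCap, open_for_write, compile_ambient, compile_with_caps) and the file contents are assumptions of this example.

```python
"""Toy re-enactment of the confused-deputy story (added example, not from the
original notes). File names follow the story; class/function names and file
contents are this example's own assumptions."""

from dataclasses import dataclass, field


def directory(path: str) -> str:
    """'(SYSX)BILL' -> '(SYSX)': the parenthesised prefix is the directory."""
    return path[: path.index(")") + 1]


@dataclass
class AclFileSystem:
    """Files plus, per subject, the set of directories that subject may write."""
    files: dict = field(default_factory=lambda: {
        "(SYSX)STAT": "",                  # compiler's statistics file
        "(SYSX)BILL": "billing records",   # must never be touched by the compiler
        "(USER)OUT": "",                   # a file the invoker legitimately owns
    })
    acl: dict = field(default_factory=lambda: {
        "FORT": {"(SYSX)"},   # home files license: may write anything in SYSX
        "USER": {"(USER)"},   # the invoker may write only his own directory
    })

    def write(self, subjects, path: str, data: str) -> None:
        """Ambient-authority check: the write succeeds if ANY subject whose
        authority is currently in force may write the target directory."""
        if not any(directory(path) in self.acl[s] for s in subjects):
            raise PermissionError(f"{sorted(subjects)} may not write {path}")
        self.files[path] = data


def compile_ambient(fs: AclFileSystem, invoker: str, debug_file: str) -> None:
    """The compiler as in the story: it runs with the invoker's authority AND
    its own home files license, and cannot say which one each write should use."""
    authority = {"FORT", invoker}
    fs.write(authority, "(SYSX)STAT", "statistics")   # meant: home files license
    fs.write(authority, debug_file, "debug output")    # meant: invoker's authority only


def run_ambient_scenario() -> dict:
    """The invoker names the billing file as his debug file; returns the files."""
    fs = AclFileSystem()
    compile_ambient(fs, "USER", "(SYSX)BILL")
    return fs.files


# --- capability version -----------------------------------------------------

class WriteCap:
    """An unforgeable handle that grants write access to exactly one file."""

    def __init__(self, fs: AclFileSystem, path: str) -> None:
        self._fs = fs
        self._path = path

    def write(self, data: str) -> None:
        self._fs.files[self._path] = data


def open_for_write(fs: AclFileSystem, subject: str, path: str) -> WriteCap:
    """Mint a capability. The check happens once, against the requester alone."""
    if directory(path) not in fs.acl[subject]:
        raise PermissionError(f"{subject} may not write {path}")
    return WriteCap(fs, path)


def compile_with_caps(stat_cap: WriteCap, debug_cap: WriteCap) -> None:
    """The compiler holds two distinct capabilities and uses each for its
    intended purpose; there is no ambient authority left to confuse."""
    stat_cap.write("statistics")
    debug_cap.write("debug output")


def run_capability_scenario(debug_file: str) -> dict:
    """The invoker must obtain the debug-file capability with his own rights."""
    fs = AclFileSystem()
    stat_cap = open_for_write(fs, "FORT", "(SYSX)STAT")   # installed with the compiler
    try:
        debug_cap = open_for_write(fs, "USER", debug_file)
    except PermissionError:
        return {"denied": True, "files": fs.files}
    compile_with_caps(stat_cap, debug_cap)
    return {"denied": False, "files": fs.files}


if __name__ == "__main__":
    print("ambient:   ", run_ambient_scenario())
    print("capability:", run_capability_scenario("(SYSX)BILL"))
    print("capability:", run_capability_scenario("(USER)OUT"))
```

In the ambient run the billing file ends up containing the debug output, because the check for the second write is satisfied by the compiler's own license rather than by the invoker's rights. In the capability run the request to write (SYSX)BILL is refused while the capability is being minted, before the compiler sees it, and the legitimate (USER)OUT case still works. The point is that a capability designates the file and carries the authority in one object, so the compiler no longer has to express an intent it has no vocabulary for.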

More

Created Dec 6, 2021 // Last Updated Dec 6, 2021
