
According to Wikipedia (https://en.wikipedia.org/wiki/Confused_deputy_problem):

In information security, the confused deputy problem is often cited as an example of why capability-based security is important, as capability systems protect against this, whereas access control list-based systems do not.

Why is this the case? Surely no matter what security system you are using, an adversary could always potentially trick a privileged program into using its privilege regardless of whether it is coming from a capability or based on ACLs and the ambient authority of the requesting program.

dippynark

1 Answer


You are correct in a sense. The root of the problem, generally speaking, is that the abused subject tends to have broad authority; it's not constrained. If the subject were only permitted to act based on its capabilities, the abuse would be constrained also.

Marinus
  • So perhaps that sentence is just saying that permissions in a capability-based system can't be misused, since if a capability has been assigned, you know exactly what the assignee can do, whilst with an ACL-based system, the permissions you describe on a particular object may have non-obvious consequences? – dippynark Nov 15 '18 at 11:27
  • Yes. ACLs are not well suited to situations where you delegate authority or work. A good modern implementation is constraining the delegation with a scoped OAuth2 access token. – Marinus Nov 15 '18 at 11:54
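The contrast in the answer and comments above, as an added example that is not from the question, the answer, or the Wikipedia article: a constructed in-memory model with two principals ("client" and "deputy"), a two-entry ACL and a fake "disk". The ACL deputy resolves a client-supplied name under its own identity, so the client can make it write to a file the client itself may not touch; the capability deputy can only act through a handle the client had to open with the client's own rights.

```python
"""Confused deputy: ambient authority (ACL) vs. a passed capability.
Constructed in-memory model; ACL maps file name -> principals allowed to write."""

ACL = {
    "billing.log": {"deputy"},        # only the deputy may write here
    "out.txt": {"client", "deputy"},  # the client may write here
}
FILES = {"billing.log": "", "out.txt": ""}  # constructed in-memory "disk"


class Capability:
    """Unforgeable handle to one object: holding it is the permission."""
    def __init__(self, name):
        self._name = name

    def write(self, data):
        FILES[self._name] += data


def open_for_write(name, principal):
    """ACL check at open time against the caller's own identity."""
    if principal not in ACL.get(name, set()):
        raise PermissionError(f"{principal} may not write {name}")
    return Capability(name)


def deputy_acl(path, data):
    """Deputy with ambient authority: resolves the client-supplied path
    under its OWN identity, so the check passes for any file it can reach."""
    open_for_write(path, principal="deputy").write(data)


def deputy_cap(cap, data):
    """Deputy without ambient authority: it can only act through a
    capability the client obtained with the client's own rights."""
    cap.write(data)


def run_acl_attack():
    """Client names billing.log; the deputy's ACL check passes anyway."""
    deputy_acl("billing.log", "client-controlled text\n")
    return FILES["billing.log"]


def run_cap_attempt():
    """Client must open the file itself first, which the ACL denies."""
    try:
        cap = open_for_write("billing.log", principal="client")
    except PermissionError:
        return None
    deputy_cap(cap, "client-controlled text\n")
    return FILES["billing.log"]
```

The ACL check itself is identical in both paths; what changes is whose identity it is evaluated against and who gets to designate the object.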