Confused deputy problem
Encyclopedia
A confused deputy is a computer program
that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation
. In information security
, the confused deputy problem is often cited as an example of why capability-based security
is important.
services to other programs. Normally, the client program specifies the name of the input and output files, and the server is given the same access to those files that the client has.
The compiler service is pay-per-use, and the compiler program has access to a file (dubbed BILL) where it stores billing information. Clients obviously cannot write into the billing file.
Now suppose a client calls the service and specifies BILL as the name of the output file. The service opens the output file. Even though the client did not have access to that file, the service does, so the open succeeds, and the server writes the compilation output to the file, overwriting it, and thus destroying the billing information.
Whenever a program tries to access a file, the operating system needs to know two things: which file the program is asking for, and whether the program has permission to access the file. In the example, the file is designated by its name, “BILL”. The server receives the file name from the client, but does not know whether the client had permission to write the file. When the server opens the file, the system uses the server’s permission, not the client’s. When the file name was passed from the client to the server, the permission did not go along with it; the permission was increased by the system silently and automatically.
It is not essential to the attack that the billing file is designated by a name represented as a string. The essential points are that:
(CSRF) is an example of a confused deputy attack against a web browser
. In this case a client's web browser has no means to distinguish the authority of the client from any authority of a "cross" site that the client is accessing.
Clickjacking
is another category of web attacks that can be analysed as confused deputy attacks, where the user acts as the confused deputy, tricked into activating a control that does something dangerous.
An FTP bounce attack
can allow an attacker to indirectly connect to TCP ports that the attacker's machine has no access to, using a remote FTP server as the confused deputy.
Another example relates to personal firewall
software. It can restrict internet access for specific applications. Some applications circumvent this by starting a browser with a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate—false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking 'OK' to these prompts.
Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply a result of a program error. The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority.
The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability
is.
Using capability security in the compiler example, the client would pass to the server a capability to the output file, not the name of the file. Since it lacks a capability to the billing file, it cannot designate that file for output. In the cross-site request forgery
example, a URL supplied "cross"-site would include its own authority independent of that of the client of the web browser.
Computer program
A computer program is a sequence of instructions written to perform a specified task with a computer. A computer requires programs to function, typically executing the program's instructions in a central processor. The program has an executable form that the computer can use directly to execute...
that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation
Privilege escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user...
. In information security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
, the confused deputy problem is often cited as an example of why capability-based security
Capability-based security
Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights...
is important.
Example
In the original example of a confused deputy, there is a program that provides compilationCompiler
A compiler is a computer program that transforms source code written in a programming language into another computer language...
services to other programs. Normally, the client program specifies the name of the input and output files, and the server is given the same access to those files that the client has.
The compiler service is pay-per-use, and the compiler program has access to a file (dubbed BILL) where it stores billing information. Clients obviously cannot write into the billing file.
Now suppose a client calls the service and specifies BILL as the name of the output file. The service opens the output file. Even though the client did not have access to that file, the service does, so the open succeeds, and the server writes the compilation output to the file, overwriting it, and thus destroying the billing information.
The confused deputy
In this example, the compilation service is the deputy because it is acting at the request of the client. It is confused because it was tricked into overwriting its billing file.Whenever a program tries to access a file, the operating system needs to know two things: which file the program is asking for, and whether the program has permission to access the file. In the example, the file is designated by its name, “BILL”. The server receives the file name from the client, but does not know whether the client had permission to write the file. When the server opens the file, the system uses the server’s permission, not the client’s. When the file name was passed from the client to the server, the permission did not go along with it; the permission was increased by the system silently and automatically.
It is not essential to the attack that the billing file is designated by a name represented as a string. The essential points are that:
- the designator for the file does not carry the full authority needed to access the file;
- the server's own permission to the file is used implicitly.
Other examples
A cross-site request forgeryCross-site request forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts...
(CSRF) is an example of a confused deputy attack against a web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
. In this case a client's web browser has no means to distinguish the authority of the client from any authority of a "cross" site that the client is accessing.
Clickjacking
Clickjacking
Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages...
is another category of web attacks that can be analysed as confused deputy attacks, where the user acts as the confused deputy, tricked into activating a control that does something dangerous.
An FTP bounce attack
FTP bounce attack
FTP bounce attack is an exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle man for the request....
can allow an attacker to indirectly connect to TCP ports that the attacker's machine has no access to, using a remote FTP server as the confused deputy.
Another example relates to personal firewall
Personal firewall
A personal firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy. Typically it works as an application layer firewall....
software. It can restrict internet access for specific applications. Some applications circumvent this by starting a browser with a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate—false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking 'OK' to these prompts.
Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply a result of a program error. The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority.
Solutions
In some systems, it is possible to ask the operating system to open a file using the permissions of another client. This solution has some drawbacks:- It requires explicit attention to security by the server. A naive or careless server might not take this extra step.
- It becomes more difficult to identify the correct permission if the server is in turn the client of another service and wants to pass along access to the file.
- It requires the server to be trusted with the permissions of the client. Note that intersecting the server and client's permissions does not solve the problem either, because the server may then have to be given very wide permissions (all of the time, rather than those needed for a given request) in order to act for arbitrary clients.
The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability
Object-capability model
The object-capability model is a computer security model based on the Actor model of computation. The name "object-capability model" is due to the idea that the capability to perform an operation can be obtained by the following combination:...
is.
Using capability security in the compiler example, the client would pass to the server a capability to the output file, not the name of the file. Since it lacks a capability to the billing file, it cannot designate that file for output. In the cross-site request forgery
Cross-site request forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts...
example, a URL supplied "cross"-site would include its own authority independent of that of the client of the web browser.
External links
- Norman Hardy, The Confused Deputy: (or why capabilities might have been invented), ACM SIGOPS Operating Systems Review, Volume 22, Issue 4 (October 1988).
- Capability Theory Notes from several sources (collated by Norm Hardy).
- Everything2: Confused Deputy (some introductory level text).
See also
- SetuidSetuidsetuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
executables in Unix - Ambient authorityAmbient authorityAmbient authority is a term used in the study of access control systems.A subject, such as a computer program, is said to be usingambient authority, if making a request that only specifies the names...