The Confused Deputy: (or why capabilities might have been invented)
This is a nearly true story (inessential details have been changed). The events happened about eleven years ago at Tymshare, a company which provided commercial timesharing services. Before this happened I had heard of capabilities and thought that they were neat and tidy, but was not yet convinced that they were necessary. This occasion convinced me that they were necessary.

Our operating system was much like Unix (TM of AT&T) in its protection structures. A compiler was installed in a directory called SYSX. A user would use the compiler by saying "RUN (SYSX)FORT", and could provide the name of a file to receive some optional debugging output.

We had instrumented the compiler to collect statistics about language feature usage. The statistics file was called (SYSX)STAT, a name which was assembled into the compiler. To enable the compiler to write the (SYSX)STAT file, we marked the file holding the compiler ((SYSX)FORT) with homefiles license. The operating system allowed a program with such license to write files in its home directory, SYSX in our case.

The billing information file (SYSX)BILL was also stored in SYSX. Some user came to know the name (SYSX)BILL and supplied it to the compiler as the name of the file to receive the debugging information. The compiler passed the name to the operating system in a request to open that file for output. The operating system, observing that the compiler had homefiles license, let the compiler write debugging information over (SYSX)BILL. The billing information was lost.

Who is to blame? What can we change to rectify the problem? Will that cause other problems? How can we foresee such problems?

The code to deposit the debugging output in the file named by the user cannot be blamed. Must the compiler check to see if the output file name is in another directory by scanning the file name? No; it is useful to specify the name of a file in another directory to receive output. Should the compiler check for directory name SYSX? No; the name "SYSX" had not been invented when this code was written. Indeed there might be a legitimate request for the compiler to deposit its output in some file in SYSX made by someone with legitimate access to that directory. Should the compiler check for the name (SYSX)BILL? That is not the only sensitive file in SYSX. Must the compiler be modified whenever new files …
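The following model contrasts the two designs the story turns on: an operating system that grants access by the calling program's license (the deputy is confused because the same license covers both the STAT write and the user-named debug write) and one where the user hands the compiler a capability that carries the user's own authority. It is an added example written for this page, not Hardy's or Tymshare's code; the file contents, the "USER" principal and the (USER)DBG file name are constructed for illustration.

```python
# Added example (not from the paper): ambient authority vs capabilities,
# using the file names from the Tymshare story. Contents are constructed.

class AmbientOS:
    """Access is decided by the license of the program that makes the call."""
    def __init__(self):
        self.files = {"(SYSX)BILL": "billing data", "(SYSX)STAT": ""}
        self.homefiles = {"(SYSX)FORT"}  # programs with homefiles license

    def open_for_output(self, program, name, data):
        directory = name[: name.index(")") + 1]
        if directory == "(SYSX)" and program not in self.homefiles:
            raise PermissionError(name)
        self.files[name] = data


def ambient_compile(os_, debug_file):
    """The compiler writes its assembled-in statistics file and the user-named
    debug file with the same (SYSX)FORT license: the deputy cannot tell on
    whose behalf each request is made, so (SYSX)BILL can be overwritten."""
    os_.open_for_output("(SYSX)FORT", "(SYSX)STAT", "feature counts")
    os_.open_for_output("(SYSX)FORT", debug_file, "debug output")
    return os_.files


class Capability:
    """Unforgeable handle: designates one file and carries the right to write it."""
    def __init__(self, store, name):
        self._store, self.name = store, name

    def write(self, data):
        self._store[self.name] = data


class CapabilityOS:
    """Designation and authority travel together, so the compiler writes the
    debug file with the user's authority rather than its own."""
    def __init__(self):
        self.files = {"(SYSX)BILL": "billing data", "(SYSX)STAT": "", "(USER)DBG": ""}
        # Each principal's directory lists the capabilities it holds (constructed).
        self.holdings = {"SYSX": {"(SYSX)BILL", "(SYSX)STAT"}, "USER": {"(USER)DBG"}}

    def lookup(self, principal, name):
        if name not in self.holdings[principal]:
            raise PermissionError(f"{principal} holds no capability for {name}")
        return Capability(self.files, name)


def capability_compile(os_, stat_cap, debug_cap):
    """stat_cap is installed with the compiler; debug_cap is handed over by the user."""
    stat_cap.write("feature counts")
    debug_cap.write("debug output")
    return os_.files
```

A user of the capability system can only pass a handle it already holds, so naming (SYSX)BILL is refused at lookup time and the compiler never has to know which files are sensitive.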