
On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks

Abstract: Motivated by the problem of formally understanding the difference between practical access control and capability systems, we distill the essence of both in a language-based setting. We first prove that access control systems and (object) capabilities are fundamentally different. We further study capabilities as an enforcement mechanism for confused deputy attacks (CDAs), since CDAs may have been the primary motivation for the invention of capabilities. To do this, we develop the first formal characterization of CDA-freedom in a language-based setting and describe its relation to standard information flow integrity. We show that, perhaps surprisingly, capabilities cannot prevent all CDAs. Next, we stipulate restrictions on programs under which capabilities ensure CDA-freedom and prove that the restrictions are sufficient. To relax those restrictions, we examine provenance semantics as sound CDA-freedom enforcement mechanisms.
Document type: Conference papers

Cited literature: 28 references
Contributor: Tamara Rezk
Submitted on: Tuesday, August 16, 2016 - 2:34:16 PM
Last modification on: Saturday, June 25, 2022 - 11:21:31 PM
Long-term archiving on: Thursday, November 17, 2016 - 10:27:34 AM
Vineet Rajani, Deepak Garg, Tamara Rezk. On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks. Computer Security Foundations, Jun 2016, Lisbon, Portugal. ⟨10.1109/CSF.2016.18⟩. ⟨hal-01353963⟩