Confused Deputy Problem - Solutions

Solutions

In some systems it is possible to ask the operating system to open a file using the permissions of another client. This solution has some drawbacks:

• It requires explicit attention to security by the server. A naive or careless server might not take this extra step.
• It becomes more difficult to identify the correct permission if the server is in turn the client of another service and wants to pass along access to the file.
• It requires the server to be trusted with the permissions of the client. Note that intersecting the server and client's permissions does not solve the problem either, because the server may then have to be given very wide permissions (all of the time, rather than those needed for a given request) in order to act for arbitrary clients.

The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability is.

Using capability security in the compiler example, the client would pass to the server a capability to the output file, not the name of the file. Since it lacks a capability to the billing file, it cannot designate that file for output. In the cross-site request forgery example, a URL supplied "cross"-site would include its own authority independent of that of the client of the web browser.