World Library  
Flag as Inappropriate
Email this Article

Confused deputy problem

Article Id: WHEBN0000207076
Reproduction Date:

Title: Confused deputy problem  
Author: World Heritage Encyclopedia
Language: English
Subject: Capability-based security, Computer security, Principle of least privilege, Ambient authority, GNOSIS
Collection: Computer Security
Publisher: World Heritage Encyclopedia

Confused deputy problem

A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important, as capability systems protect against this whereas access control list-based systems do not.[1]


  • Example 1
    • The confused deputy 1.1
  • Physical world examples 2
  • Other examples 3
  • Solutions 4
  • See also 5
  • References 6
  • External links 7


Prototypical confused deputy Barney Fife

In the original example of a confused deputy,[2] there is a program that provides compilation services to other programs. Normally, the client program specifies the name of the input and output files, and the server is given the same access to those files that the client has.

The compiler service is pay-per-use, and the compiler service stores its billing information in a file (dubbed BILL) that only it has access to.

Now suppose a client calls the service and names its output file BILL. The service opens the output file. Even though the client did not have access to that file, the service does, so the open succeeds, and the server writes the compilation output to the file, overwriting it, and thus destroying the billing information.

The confused deputy

In this example, the compilation service is the deputy because it is acting at the request of the client. It is confused because it was tricked into overwriting its billing file.

Whenever a program tries to access a file, the operating system needs to know two things: which file the program is asking for, and whether the program has permission to access the file. In the example, the file is designated by its name, “BILL”. The server receives the file name from the client, but does not know whether the client had permission to write the file. When the server opens the file, the system uses the server’s permission, not the client’s. When the file name was passed from the client to the server, the permission did not go along with it; the permission was increased by the system silently and automatically.

It is not essential to the attack that the billing file is designated by a name represented as a string. The essential points are that:

  • the designator for the file does not carry the full authority needed to access the file;
  • the server's own permission to the file is used implicitly.

Physical world examples

Confidence trick based scams are based on gaining the trust of a victim in order for an attacker to use them as a confused deputy. For example, in Salting, an attacker presents a victim with what appears to be a mineral-rich mine. In this case an attacker is using a victim's greed to persuade them to perform an action that the victim would not normally do.

When checking out at a grocery store, the cashier will scan the barcode of each item to determine the total cost. A thief could replace barcodes on his items with those of cheaper items. In this attack the cashier is a confused deputy that is using seemingly valid barcodes to determine the total cost.

Other examples

A web browser to perform sensitive actions against a web application. A common form of this attack occurs when a web application uses a cookie to authenticate all requests transmitted by a browser. Using JavaScript an attacker can force a browser into transmitting authenticated HTTP requests.

The Samy computer worm used Cross-Site Scripting (XSS) to turn the browser's authenticated MySpace session into a confused deputy. Using XSS the worm forced the browser into posting an executable copy of the worm as a MySpace message which was then viewed and executed by friends of the infected user.

Clickjacking is an attack where the user acts as the confused deputy. In this attack a user thinks they are harmlessly browsing a website (an attacker-controlled website) but they are in fact tricked into performing sensitive actions on another website.[3]

An FTP bounce attack can allow an attacker to indirectly connect to TCP ports that the attacker's machine has no access to, using a remote FTP server as the confused deputy.

Another example relates to personal firewall software. It can restrict internet access for specific applications. Some applications circumvent this by starting a browser with instructions to access a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate—false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking 'OK' to these prompts.[4]

Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply a result of a program error. The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority.


In some systems it is possible to ask the operating system to open a file using the permissions of another client. This solution has some drawbacks:

  • It requires explicit attention to security by the server. A naive or careless server might not take this extra step.
  • It becomes more difficult to identify the correct permission if the server is in turn the client of another service and wants to pass along access to the file.
  • It requires the client to trust the server to not abuse the borrowed permissions. Note that intersecting the server and client's permissions does not solve the problem either, because the server may then have to be given very wide permissions (all of the time, rather than those needed for a given request) in order to act for arbitrary clients.

The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability is.

Using capability security in the compiler example, the client would pass to the server a capability to the output file, not the name of the file. Since it lacks a capability to the billing file, it cannot designate that file for output. In the

See also


  1. ^ ACLs don't
  2. ^
  3. ^ The Confused Deputy rides again!
  4. ^ Alfred Spiessens: Patterns of Safe Collaboration, PhD thesis. Section 8.1.5

External links

  • Norman Hardy, The Confused Deputy: (or why capabilities might have been invented), ACM SIGOPS Operating Systems Review, Volume 22, Issue 4 (October 1988).
    • ACM published document.
    • Document text on Norm Hardy's website.
    • Document text on University of Pennsylvania's website.
    • Citeseer cross reference.
  • Capability Theory Notes from several sources (collated by Norm Hardy).
  • Everything2: Confused Deputy (some introductory level text).
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.