With capabilities, we can straightforwardly solve the
Confused Deputy problem. The user of the compiler should not be sending
the compiler the name of the file to which he wants the debug information
sent. Rather, he should be handing the compiler a more limited capability,
the least capability that the compiler needs, in this case the write stream
on a file the user has already opened using his own capabilities. Since the
user does not have write authority on the file (SYSX)BILL (the billing info
file), he cannot hand the compiler a write stream on it, and the risk of
a security violation is eliminated.
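A toy model of both designs, added here as an example and not part of the original essay: the deputy that opens a caller-supplied name with its own authority, beside the deputy that is handed only a write stream the caller could open for himself. (SYSX)BILL is the billing file named in the text; the other file name and the access lists are constructed.

```python
# Constructed in-memory "file system": path -> contents, and the set of
# principals allowed to write each path (ACL-style, ambient authority).
FILES = {"(SYSX)BILL": "billing records\n", "debug.out": ""}
WRITERS = {"(SYSX)BILL": {"compiler"}, "debug.out": {"user", "compiler"}}


class WriteStream:
    """A capability: whoever holds it may append to exactly one file."""
    def __init__(self, path):
        self._path = path  # the holder never needs, or sees, the name

    def write(self, text):
        FILES[self._path] += text


def open_write(path, principal):
    """ACL-style open: the decision depends on WHO asks, not on what they hold."""
    if principal not in WRITERS.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    return WriteStream(path)


def compile_by_name(debug_path):
    """Confused deputy: the compiler opens the user-supplied name with its
    own (greater) authority, so debug_path may name the billing file."""
    out = open_write(debug_path, principal="compiler")
    out.write("debug: line 1\n")


def compile_with_capability(debug_stream):
    """Capability discipline: the compiler gets only a stream the user could
    already open, and has no way to designate any other file."""
    debug_stream.write("debug: line 1\n")


def demo():
    """Returns (deputy_was_confused, capability_attempt_blocked, debug_out)."""
    before = FILES["(SYSX)BILL"]
    compile_by_name("(SYSX)BILL")  # succeeds: the billing file is clobbered
    deputy_confused = FILES["(SYSX)BILL"] != before
    FILES["(SYSX)BILL"] = before  # restore for the second run

    try:  # the user lacks write authority, so no stream on (SYSX)BILL exists
        compile_with_capability(open_write("(SYSX)BILL", principal="user"))
        blocked = False
    except PermissionError:
        blocked = True

    compile_with_capability(open_write("debug.out", principal="user"))
    return deputy_confused, blocked, FILES["debug.out"]
```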
Thus we see a basic principle of security-oriented software development.
The essential "Path Of Secure Thinking" is actually easy! In object-oriented
programming in general, if you have a problem, make an object for it. For
a security issue, if you have a problem, make a separate capability for it.