<< Previous <<         [Session1 Index]            >> Next >>

With capabilities, we can straightforwardly solve The Confused Deputy problem. The user of the compiler should not be sending the compiler the name of the file to which he wants the debug information sent. Rather, he should be handing the compiler a more limited capability, the least capability that the compiler needs, in this case the write stream on a file the user has already opened using his own capabilities. Since the user does not have write authority on the file (SYSX)BILL (the billing info file), he cannot hand the compiler a write stream on it, and the risk of a security violation is eliminated.

Thus we see a basic principle of security-oriented software development. The essential "Path Of Secure Thinking" is actually easy! For object oriented programming, in general, if you have a problem, make an object for it. For a security issue, if you have a problem, make a separate capability on it.