The Confused Deputy (or why capabilities might have been invented)

Reference

Hardy, Norm. “The Confused Deputy (or why capabilities might have been invented).” ACM SIGOPS Operating Systems Review, 22(4):36-38, October 1988. URL

Summary

Norm Hardy’s three-page note is the single most quoted security story in the capability tradition. It is a “nearly true” anecdote from roughly 1974 at Tymshare. A FORTRAN compiler, stored in directory SYSX, writes statistics to (SYSX)STAT and is therefore granted home files license - the ambient authority to write any file in SYSX. Users invoke the compiler as RUN (SYSX)FORT and may supply the name of a file in their own directory for optional debugging output. One day, a user passes (SYSX)BILL - the system billing file - as the output filename. The compiler, running with its SYSX authority, dutifully opens (SYSX)BILL for write and clobbers it. The billing data is lost.

Hardy walks through the standard reactions (blame the compiler, add a check for sensitive filenames, recategorise files, enumerate forbidden names) and shows that each misses the point. The compiler has been delegated authority it did not ask for and cannot distinguish: it cannot tell whether a request to write (SYSX)BILL comes from its own invariant need to write STAT (authority inherent to the compiler) or from the invoker’s request channel (authority inherent to the invoker). The compiler is acting as deputy for two different principals - itself and its invoker - with two different authorities, but the operating system gives it only one aggregated authority set with no way to trace which request justified which use.

The capability fix, Hardy explains, is to pass each authority as a capability at the point of need rather than to aggregate them ambiently on the compiler process. The invoker passes a capability to the output file; the compiler holds a separate capability to the statistics file; no ASCII pathname walk ever happens against an ambient authority. The Tymshare/KeyKOS team built KeyKOS on precisely this discipline. Hardy’s essay is the canonical demonstration of why ACL-plus-pathname operating systems have a structural bug (the confused deputy) that capability operating systems avoid by construction.

Key Ideas

Confused deputy: an authorised program manipulated by a less-authorised invoker into wielding its own greater authority on the invoker’s behalf.
Ambient authority is the underlying cause: the compiler’s SYSX home-files-license is in effect whenever the compiler runs, independent of which request is in flight.
Two principals, one process: the compiler serves its own goals and the invoker’s, with distinct authorities that the OS conflates.
Designation vs. authority: a filename in ACL systems is a pure designator; authority comes from who-is-running. In capability systems the capability is the designator-with-authority - no conflation possible.
Capabilities as the fix: present-tense authority via capability arguments eliminates the confusion.
KeyKOS is offered as the system built on precisely this discipline, with factories defeating Trojan horses and confined subsystems.

Connections

The Heart of Spritely - Distributed Objects and Capability Security
Confused Deputy - this note is Hardy’s original paper; Confused Deputy is the concept page.
Capability Security - Hardy’s “why capabilities might have been invented” is the operational motivation of the whole tradition.
Object Capability Security - object-capabilities inherit the fix directly.
E Language - E’s reference-passing discipline is an anti-confused-deputy design.
CapTP
Ambient Authority - Hardy is the source of the critique; ambient authority IS the bug.
Principle of Least Authority - the confused deputy appears when a process has more authority than the request demands.
Distributed Security
Security Kernel Lambda Calculus
Capability Bounding

Conceptual Contribution

When an authorised program must act on behalf of a less-authorised invoker, any operating system that binds authority to the running process (rather than to the request) creates a structural confusion: the program cannot distinguish authority it holds for its own purposes from authority it is borrowing on behalf of its caller. Capability systems remove the confusion by making authority travel with the request as an argument, not with the process as an ambient attribute.

Tags

#capability-security #confused-deputy #ambient-authority #origins #keykos #tymshare #1988 #sigops #norm-hardy #foundational #access-control #acl-critique

Summary

Rees describes Scheme 48, a programming environment whose design is guided by operating-system security principles. The security kernel is W7, a call-by-value lambda-calculus with extensions for abstract data types, object mutation, and hardware access. Each user or subsystem runs in a separate evaluation environment holding the objects representing that user’s privileges; because environments determine availability of object references, protection and sharing are controlled by construction.

The paper describes experience with Scheme 48 as the programming environment for Cornell’s mobile robots (no underlying OS) and as a secure multi-user workstation environment, arguing that lexical scope + first-class environments are a natural substrate for capability-style security among cooperating agents.

Key Ideas

Lambda-calculus as minimal security kernel via capability-style environments.

Scheme 48 (W7): modules, macros, dynamic isolation, portable across platforms.

Trust mediated by controlling which names bind to which objects.

Authentication via capsules (tamper-proof labelled objects).

Applied to robots and multi-user Scheme environments.

Conceptual Contribution

Claim: Lexical scope and first-class environments in a lambda-calculus variant (W7) are a sufficient security kernel: protection reduces to controlling which names bind to which object references.

Mechanism: Implements Scheme 48 as a capability-style environment where each user/subsystem runs in its own environment; authentication via capsules (tamper-proof labelled objects); deployed on Cornell mobile robots (no OS) and as multi-user workstation environment.

Concepts introduced/used: Capability Security, Lambda Calculus, Lexical Scope, Scheme 48, Capsules, Distributed Security, Multi-Agent Systems

Stance: foundational / engineering

Relates to: Provides a principled, capability-based alternative to the input-validation discipline of Seven Turrets Of Babel and the static DDoS analysis of A Language-Based Approach To Prevent DDoS; relevant to sandboxing malicious tools described in MalTool Malicious Tool Attacks.

Summary

The second paper in Spritely’s three-part design series, this whitepaper lays out the technical core of Goblins — a distributed, transactional, object-programming environment built around object capability security (OCap). The thesis: secure peer-to-peer applications should feel like ordinary programming, not like a separate security discipline, and capability security makes that achievable. The operative slogan is “If you don’t have it, you can’t use it” — authority is conveyed only by holding a reference, never ambient.

The paper works through (1) capability security as ordinary reference-passing, motivated against Access Control Lists and the confused-deputy problem; (2) Goblins itself — a distributed object programming model with promise pipelining, vats as containers of synchronous turns, turns as cheap local transactions, and time-travel debugging; (3) OCapN — a new cross-implementation protocol for secure distributed object communication; (4) portable encrypted storage for capabilities; (5) library/application safety implications. Implementations exist for Guile and Racket Schemes, with a roadmap toward language-heterogeneous object invocation.

Goblins is the modern distillation of a three-decade lineage running through Mark Miller’s E language, the CapTP protocol, Jonathan Rees’s capability-kernel argument, and Carl Hewitt’s actor formalism. It reframes agent communication as object-reference passing over the network, offering an alternative substrate to the ACL/RPC-stack approach that dominates modern LLM-agent protocols.

Key Ideas

Principle of Least Authority (POLA): grant each piece of code only the authority it needs, no more

Object capability security: authority = unforgeable object reference. Lexical scoping + no ambient authority + no global mutable state

Confused-deputy problem: why ACLs fail when a privileged program is tricked into acting for an attacker

Vat: an isolated synchronous execution context; objects live inside vats; vats communicate asynchronously

Turn: an atomic event loop iteration inside a vat; turns are transactional — errors roll back the turn’s local state

Promise pipelining (from CapTP): chain calls on a reference before the prior call resolves, reducing round trips

Time-travel distributed debugging: replay turns deterministically across the network

OCapN (Object Capability Network): protocol for secure, cross-language distributed object invocation

Revocation and accountability as programmable patterns over references

“If you don’t have it, you can’t use it” — the design-level simplification capability security provides

Conceptual Contribution

Claim: Secure peer-to-peer applications become routine when authority is conveyed only by holding an unforgeable object reference — no ambient authority, no global mutable state, lexical scope as the capability kernel — and when the network distribution of such references is itself designed as an ordinary message-passing object system.

Mechanism: Goblins realises the E-language tradition in Scheme (Guile, Racket): objects live in vats; each vat runs atomic turns that serve as cheap local transactions; asynchronous inter-vat invocation uses promise pipelining to collapse round-trips; persistence, upgrade, and cross-language interop are handled by OCapN — a capability-preserving transport protocol. Time-travel debugging exploits the turn-level determinism.

Concepts introduced/used: Object Capability Security, Principle of Least Authority, Ambient Authority, Confused Deputy, Vat Model, Turn (Goblins), Promise Pipelining, OCapN, CapTP, E Language, Time-Travel Debugging, Capability Revocation

Stance: engineering / foundational design doc

Relates to: A modern engineering culmination of the capability-security thread rooted in Security Kernel Lambda Calculus (Rees 1995, explicitly cited) — lexical scope as a capability kernel, extended into a full distributed system. The vat model is a direct descendant of A Universal Modular Actor Formalism for Artificial Intelligence (Hewitt 1973) and sibling to Programming Erlang Second Edition but with security-by-reference as a first-class concern. Frames a structural alternative to the modern LLM-agent protocol stack: where Agent-to-Agent Protocol / Model Context Protocol / Agent Network Protocol layer trust on top of ACL/RPC primitives, OCapN encodes trust in the reference graph itself. The flat context trust model that ClawWorm Self-Propagating Attacks Across LLM Agent Ecosystems exploits and that MalTool Malicious Tool Attacks, AI Agents Under Threat catalogue is precisely the ambient-authority failure capability security is designed to prevent — making Goblins / OCapN a serious candidate substrate for Inter-Agent Trust Models - A Comparative Study’s Constraint trust dimension.

The Confused Deputy (or why capabilities might have been invented)

Reference

Summary

Key Ideas

Connections

Conceptual Contribution

Tags

Backlinks