Arm trustzone docs about confused deputy


Matt Rice

Feb 24, 2022, 5:11:21 PM2/24/22
to cap-talk
Noticed the following documentation. Figured I would mention it; the solution they reach for does not seem
to be the one capability discipline would espouse (make insecure usage
unrepresentable).

https://developer.arm.com/documentation/102805/1-0/Confused-deputy-scenario

In theory you could, by pushing the check_range checks outside to the
caller and introducing a type for a checked-range location. In this case
that might introduce a TOCTOU (if the range check is somewhat
dynamic), but that might already be the case if the operation affects the
range check.

But certainly moving the checks out increases the number of
opportunities for TOCTOU beyond that of the operation. Given the lack of
revocation for raw pointers to invalidate a previously checked
location, this is all a lot easier if the range check is static
though.

I suppose that I should stop here before I get too far off the path...
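The three designs the message contrasts, as an added example in C that is not from the Arm documentation or from the poster: a secure-world service that writes a result to a client-supplied pointer with no check (the confused deputy), the same service guarded by a check_range call, and the variant where the check yields a distinct type that the writer accepts instead of a raw pointer. The two "worlds" are constructed as static arrays, and every name other than check_range is hypothetical; real TrustZone enforces the split in hardware rather than by address comparison against an array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the two worlds: in hardware the split is an
 * address-space partition; here it is two static arrays (assumption). */
#define NS_SIZE 256
#define S_SIZE  64
static uint8_t ns_mem[NS_SIZE];   /* Normal-world buffer a client may hand us */
static uint8_t s_mem[S_SIZE];     /* Secure-world data a client must never address */

static const uint8_t RESULT[8] = { 0x52, 0x45, 0x53, 0x55, 0x4c, 0x54, 0x21, 0x0a };

void reset_world(void) {
    memset(ns_mem, 0x00, sizeof ns_mem);
    memset(s_mem, 0x5a, sizeof s_mem);
}

/* True while no secure byte has been overwritten. */
bool secure_intact(void) {
    for (size_t i = 0; i < sizeof s_mem; i++)
        if (s_mem[i] != 0x5a) return false;
    return true;
}

/* 1. The confused deputy: the service has authority to write secure memory,
 *    the caller does not, and a raw pointer carries no proof of who may
 *    write there, so the service writes wherever it is pointed. */
int svc_copy_naive(uintptr_t dst, size_t len) {
    if (len > sizeof RESULT) return -1;
    memcpy((void *)dst, RESULT, len);
    return 0;
}

/* 2. The check_range mitigation: accept only a [base, base+len) that lies
 *    wholly inside Normal-world memory. Comparing len against the bytes
 *    left in the region avoids the wrap-around that base + len would allow. */
bool check_range(uintptr_t base, size_t len) {
    uintptr_t lo = (uintptr_t)ns_mem, hi = lo + NS_SIZE;
    if (base < lo || base > hi) return false;
    return len <= hi - base;
}

int svc_copy_checked(uintptr_t dst, size_t len) {
    if (len > sizeof RESULT) return -1;
    if (!check_range(dst, len)) return -1;
    memcpy((void *)dst, RESULT, len);
    return 0;
}

/* 3. The typed variant from the message: a value of ns_range_t exists only if
 *    the check passed, so a writer that takes ns_range_t cannot be handed an
 *    unchecked location. C cannot hide the fields in a single translation
 *    unit, so the "unrepresentable" part is by convention here (assumption). */
typedef struct {
    uintptr_t base;   /* snapshot taken at check time, owned by the secure world */
    size_t    len;
} ns_range_t;

int ns_range_from_client(uintptr_t base, size_t len, ns_range_t *out) {
    if (!check_range(base, len)) return -1;
    out->base = base;   /* Copying the values closes the window in which the */
    out->len  = len;    /* client could alter them between check and use.    */
    return 0;
}

/* What the snapshot does not close: if the set of Normal-world addresses
 * changes after construction (the "dynamic range check" case), this value
 * is stale and nothing revokes it; with a static map that cannot happen. */
int svc_copy_typed(const ns_range_t *r) {
    if (r->len > sizeof RESULT) return -1;
    memcpy((void *)r->base, RESULT, r->len);
    return 0;
}
```

Calling svc_copy_naive with a secure address corrupts s_mem; svc_copy_checked and svc_copy_typed refuse it and also refuse a range that starts inside ns_mem but runs past its end.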

Alan Karp

Feb 24, 2022, 9:26:05 PM2/24/22
to cap-...@googlegroups.com
It sounds like a one-level version of the Java Security Manager.  In particular, it doesn't appear to protect against a privileged application having a confused deputy vulnerability since the check is only against the direct caller.

(Aside: My gmail client autocompletes "confused deputy" with "vulnerability."  Norm would be pleased.)

--------------
Alan Karp

