Technical Reports


Click here for full text: PDF

ACLs don't

Close, Tyler
HP Laboratories


Keyword(s): access control, capability-based security, Confused Deputy, CSRF, clickjacking

Abstract: The ACL model is unable to make correct access decisions for interactions involving more than two principals, since required information is not retained across message sends. Though this deficiency has long been documented in the published literature, it is not widely understood. This logic error in the ACL model is exploited by both the clickjacking and Cross-Site Request Forgery attacks that affect many Web applications.

12 Pages

Additional Publication Information: Submitted to IEEE Symposium on Security and Privacy (Oakland, CA)

External Posting Date: February 6, 2009 [Fulltext]. Approved for External Publication
Internal Posting Date: February 6, 2009 [Fulltext]

Back to Index