
Security Like It's 1977: Capabilities for the Modern Agentic Web

Blog post from Semgrep

Post Details

Company: Semgrep
Author: Kurt Boberg
Word count: 2,057
Language: English
Summary

The Confused Deputy problem, first described by Norm Hardy in 1977, is a security flaw in which a program acting on behalf of another party (the deputy) is tricked into exercising its own authority for that party's request, because the system cannot tell which permissions the request should actually carry. The problem is still prevalent today: it arises whenever a system grants broad access based on identity alone rather than on the specific task at hand, with the Windows Print Spooler cited as an example. Access Control Lists (ACLs), the model used by most operating systems, make this worse, since any application running as a user may perform every action that user can, with no assessment of whether the action is appropriate for what the application was asked to do.

The post proposes a shift to capability-based security, in which unforgeable tokens called capabilities both designate a resource and authorize access to it, so that every operation is scoped to a task and follows the principle of least privilege. In agentic systems this limits the damage from prompt injection: an agent requests only the capabilities needed for a given task, so an injected instruction cannot reach resources the agent was never granted. The post argues that systems that interact with large language models (LLMs) and other agentic architectures should move to capability-based models to avoid reintroducing the Confused Deputy problem.
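The contrast the summary draws, as an added Python sketch that is not code from the Semgrep post: a deputy that authenticates the caller and then writes wherever it is told, beside one that only honours an unforgeable capability it minted itself. The file paths, the "write" right and the capability registry are constructed assumptions for the illustration.

```python
# Constructed sample store: one user report plus a sensitive file the deputy may write.
FILES = {"/reports/alice.txt": "", "/etc/billing.cfg": "rate=1"}

# --- ACL / identity model -----------------------------------------------------
DEPUTY_ALLOWED_PATHS = set(FILES)  # the deputy's ambient authority: all of its files

def acl_write(caller_authenticated: bool, path: str, data: str) -> bool:
    """Once the caller is authenticated, the deputy writes to whatever path the
    request names, using its own broad rights. Returns True if the write happened."""
    if not caller_authenticated or path not in DEPUTY_ALLOWED_PATHS:
        return False
    FILES[path] = data
    return True

# --- Capability model --------------------------------------------------------
class Capability:
    """Designates one resource and carries one right. Identity-based equality
    means a freshly constructed object can never match a minted one."""
    __slots__ = ("path", "right")
    def __init__(self, path: str, right: str):
        self.path, self.right = path, right

_ISSUED: set = set()  # registry of capabilities minted by the resource manager

def mint(path: str, right: str) -> Capability:
    cap = Capability(path, right)
    _ISSUED.add(cap)
    return cap

def cap_write(cap: Capability, data: str) -> bool:
    """Authority travels with the reference: honour only minted write capabilities."""
    if cap not in _ISSUED or cap.right != "write":
        return False
    FILES[cap.path] = data
    return True

def run_acl_scenario() -> bool:
    """Task: write Alice's report. An injected step also names the billing file.
    Returns True if the deputy was confused into overwriting it."""
    FILES["/etc/billing.cfg"] = "rate=1"
    acl_write(True, "/reports/alice.txt", "report")
    acl_write(True, "/etc/billing.cfg", "rate=0")  # deputy obeys: confused deputy
    return FILES["/etc/billing.cfg"] == "rate=0"

def run_capability_scenario():
    """Same task, but the agent holds only the capability the task needs."""
    FILES["/etc/billing.cfg"] = "rate=1"
    report_cap = mint("/reports/alice.txt", "write")      # least privilege for the task
    ok_report = cap_write(report_cap, "report")
    forged = Capability("/etc/billing.cfg", "write")      # injected step has no minted cap
    ok_forged = cap_write(forged, "rate=0")
    return ok_report, ok_forged, FILES["/etc/billing.cfg"]
```

Running both scenarios shows the ACL deputy clobbering the billing file while the capability deputy completes the report and rejects the forged reference.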