l4-hurd

Re: auth handshake and rendevouz objects


From: Marcus Brinkmann
Subject: Re: auth handshake and rendevouz objects
Date: Wed, 6 Nov 2002 01:02:57 +0100
User-agent: Mutt/1.4i

On Tue, Nov 05, 2002 at 09:01:37PM +0100, Niels Möller wrote:
> * Unpredictable behaviour if a malicious task floods other threads
>   with messages. I'm afraid that is a problem that's hard to solve,
>   and which we should perhaps ignore for now. I think it's basically a
>   resource limits and resource allocation problem. Sending a message
>   should cost you some cpu-time in the scheduling algorithm, to
>   compensate for the cputime it costs the receiver to check if you're
>   authorized to talk to it.

You might want to check out EROS (extremely reliable operating system) that
is so paranoid that it doesn't do anything for you:  If you want the kernel
to perform a job for you, you have to donate the CPU time for this.[1][2]

Thanks,
Marcus

[1] An interesting anecdote is that some time ago a bug was fixed:  When you
created a new thread without giving it some of your CPU time to run on,
the kernel would send an error message.  Because generating an error message
consumes CPU time, this was a resource leak: a malicious user could generate
many threads without CPU time and thus waste CPU time of the system it didn't
provide itself.  The bug was fixed: Now a thread that is created without CPU
time will not do anything, and nothing will happen (i.e., no error message,
nothing).  It just sits there.
[2] EROS is worth a look for other reasons, too, for example, it is
persistent.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' GNU      http://www.gnu.org    address@hidden
Marcus Brinkmann              The Hurd http://www.gnu.org/software/hurd/
address@hidden
http://www.marcus-brinkmann.de/



