Re: L4-Hurd; denial of service in the memory architecture
From: Marcus Brinkmann
Subject: Re: L4-Hurd; denial of service in the memory architecture
Date: Mon, 19 Jan 2004 23:56:49 +0100
User-agent: Mutt/1.5.4i
On Mon, Jan 19, 2004 at 03:24:55PM -0700, Christopher Nelson wrote:
> Yes, but if you are sharing a capability with an untrusted task, and
> that task suddenly has the ability to impersonate you to someone else in
> that it can allocate frames that count against your quota, then you have
> permission leakage.
Then don't share the capability. It's that simple.
> Certainly you would want that task to access THAT
> memory, but you certainly would not want that task to be able to
> allocate more memory against your quota.
We will have a way to share memory securely with another task. I am not
sure how exactly it is done at a syntactical level (i.e., which kind of cap is
passed with which operations). Surely the semantics have (and largely are)
defined in the Right Way.
> Why does the capability to
> read or write a container also permit expansion of the container?
I am not even sure the details are set in stone at that level. Take this
stuff with a grain of salt. The design, in particular the design of the VM
subsystem, is not exactly finished.
Thanks,
Marcus
--
`Rhubarb is no Egyptian god.' GNU http://www.gnu.org address@hidden
Marcus Brinkmann The Hurd http://www.gnu.org/software/hurd/
address@hidden
http://www.marcus-brinkmann.de/