
instance and instantiator


From: Neal H. Walfield
Subject: instance and instantiator
Date: Thu, 13 Oct 2005 21:52:55 +0100
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Mon, 10 Oct 2005 09:11:37 -0400,
Jonathan S. Shapiro wrote:
> It is often true that subprograms trust their instantiator, but it is
> not always true. In EROS and Coyotos this assumption is not necessary.
> We have a number of programs that wield capabilities that their users do
> not (and must not ever) possess. The ability to use and guard these
> capabilities against a hostile creator is one of the foundations of our
> security.
> 
> These "suspicious subsystems" do *not* trust capabilities provided by
> their creator. They verify them. In particular, almost *all* of our
> programs test their space bank to learn whether it was a valid space
> bank.

Are these program instances those started via a meta-constructor?  If
not, how do they get these other capabilities that the instantiator
didn't possess?

What if the instantiator deallocates the space bank in the middle of a
critical operation (thus rendering the object in a partially updated
state)?

Thanks,
Neal
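The pattern Shapiro describes, a program that verifies a capability handed to it by its creator rather than trusting it, and Neal's follow-up concern about the bank being deallocated mid-operation, can be sketched in a small model. The following is an added illustration, not code from the thread and not an EROS/Coyotos API: the classes `SpaceBankAuthority`, `SpaceBank`, `ForgedBank` and `SuspiciousSubsystem`, and the notion that genuineness is checked by asking a trusted authority, are all constructed for the example.

```python
"""Toy model of a "suspicious subsystem" that verifies its space bank.

Constructed illustration; none of these names are real EROS/Coyotos
interfaces.  The point is the control flow: identity is checked against
a trusted authority, never inferred from what the creator hands over.
"""
import secrets


class SpaceBank:
    """A storage quota that a program allocates from."""

    def __init__(self, quota, token):
        self.quota = quota
        self.token = token      # cosmetic; a forger can copy this
        self.alive = True

    def allocate(self, n):
        if not self.alive:
            raise RuntimeError("space bank has been deallocated")
        if n > self.quota:
            raise MemoryError("quota exceeded")
        self.quota -= n
        return n

    def deallocate(self):
        self.alive = False


class ForgedBank(SpaceBank):
    """What a hostile creator might pass: same interface, no provenance."""


class SpaceBankAuthority:
    """Trusted issuer.  The subsystem obtains this from a trusted path
    (e.g. the system at instantiation), not from its creator."""

    def __init__(self):
        self._issued = []       # references, so checks are by identity

    def issue(self, quota):
        bank = SpaceBank(quota, token=secrets.token_hex(8))
        self._issued.append(bank)
        return bank

    def is_genuine(self, bank):
        # Object identity only: type, attributes and token are ignored,
        # because a forged object can imitate all of them.
        return any(b is bank for b in self._issued)


class SuspiciousSubsystem:
    """Does not trust capabilities supplied by its instantiator."""

    def __init__(self, authority, bank_from_creator):
        if not authority.is_genuine(bank_from_creator):
            raise PermissionError("space bank from creator is not genuine")
        self.bank = bank_from_creator
        self.state = {}

    def critical_update(self, key, value):
        # Reserve storage first, commit with one reference swap afterwards,
        # so a bank pulled out from under us leaves the old state intact.
        staged = dict(self.state)
        staged[key] = value
        self.bank.allocate(len(value))   # raises if the bank is gone
        self.state = staged              # the commit point
        return True


def demo():
    """Returns (forged bank accepted?, surviving value, remaining quota)."""
    authority = SpaceBankAuthority()
    genuine = authority.issue(quota=100)
    honest = SuspiciousSubsystem(authority, genuine)

    forged = ForgedBank(quota=10**9, token="looks-legit")
    try:
        SuspiciousSubsystem(authority, forged)
        forged_accepted = True
    except PermissionError:
        forged_accepted = False

    honest.critical_update("k", "hello")
    genuine.deallocate()                 # creator revokes the bank
    try:
        honest.critical_update("k", "tampered")
    except RuntimeError:
        pass                             # update rejected, state unchanged
    return forged_accepted, honest.state["k"], genuine.quota


if __name__ == "__main__":
    print(demo())
```

The check only helps if the authority's own capability reached the subsystem through a path the creator cannot influence; if the creator could also substitute the authority, it could vouch for its own forgery. The staged-then-swap update is one answer to the deallocation question: the bank can still vanish at any moment, but the subsystem's visible state is never left half-written.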