l4-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Reliability of RPC services

From: Marcus Brinkmann
Subject: Re: Reliability of RPC services
Date: Sat, 22 Apr 2006 19:00:54 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI) 
At Sat, 22 Apr 2006 10:22:25 -0400,
"Jonathan S. Shapiro" <address@hidden> wrote:
> > Moreover, your semantics
> > (issueing notifications on destruction only, not on overwrite), break
> > down completely if the callee is malicious (for example because it has
> > been compromised).
>
> Marcus: have some more beer. You are not thinking clearly.
> 
> ANY time that a client sends to a hostile recipient, the client cannot
> rely on ANYTHING. It cannot rely on getting a correct answer. It cannot
> rely on getting a well-formed answer. In fact, it cannot rely on getting
> an answer at all!
> 
> The only solution to this is that clients must not rely on unreliable
> code for anything at all. This is axiomatic.

Neal can confirm that I predicted a couple of days ago that you will
give this answer.

But it is you who is not thinking clearly: I have not said that the
client should rely on unreliable code for anything.  I have said that
the client should rely on the kernel to send a notification when the
reply capability is dropped.  I also claim that such a guarantee
allows me to state invariants of the system that allow me to reason
about the ability to recover from bugs or hostile behaviour in some
use cases.

I don't have time to continue this discussion formally.

Thanks,
Marcus
reply via email to
[Prev in Thread] Current Thread [Next in Thread]