l4-hurd

Re: Reliability of RPC services


From: Michal Suchanek
Subject: Re: Reliability of RPC services
Date: Tue, 25 Apr 2006 10:38:29 +0200

On 4/25/06, Jonathan S. Shapiro <address@hidden> wrote:
> On Tue, 2006-04-25 at 00:46 +0200, Bas Wijnen wrote:
> > > > The case when many capabilities are overwritten with a single IPC is
> > > > most likely a bug in the server.
> > >
> > > Actually, it is the near-universal practice for a single-threaded
> > > server. Arguments are commonly accepted in a way that overwrites the
> > > arguments from the last invocation.
> >
> > This is not a problem.  The invocation only happens when valid send-once
> > capabilities get overwritten.  Each and every valid send-once capability is
> > directly related to a client waiting for a response.  If you overwrite it, it
> > will never get that response, because you are guaranteed to be the only party
> > who is capable of responding.
>
> Yes, so now you have a situation where client A is notified of the
> server's mishandling of client B. This is a security error. Coyotos will
> not expose this fact.

How is client A notified of mishandling of client B? It is only
notified when its own capability is dropped for whatever reason. Be it
server is killed, just drops it, forwards it to another server that
fails to handle it, or overwrites it with a capability received from B.
But A cannot tell that.

Thanks

Michal
