l4-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Reliability of RPC services

From: Marcus Brinkmann
Subject: Re: Reliability of RPC services
Date: Sun, 30 Apr 2006 14:29:58 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI) 
At Sat, 29 Apr 2006 21:28:47 -0400,
"Jonathan S. Shapiro" <address@hidden> wrote:
> 
> On Sat, 2006-04-22 at 20:05 +0200, Marcus Brinkmann wrote:
> > At Sat, 22 Apr 2006 13:57:18 -0400,
> > "Jonathan S. Shapiro" <address@hidden> wrote:
> > > If the server is malicious, the presence of a "notify on drop" bit (or
> > > even a "notify on container destroy" bit) is insufficient to achieve the
> > > robustness that you are looking for.
> > 
> > Why do you think so?  As far as I know, I have not yet made my case
> > for why I think that it may be sufficient.
> 
> The problem is that a malicious server may indefinitely hold a reply
> capability without invocation. It will not drop the capability, and it
> will not die.

This is not the problem I have considered.  It is also a problem, but
a slightly different one.
 
> >   There seem to be,
> > admittedly narrow, but still useful (for us), design patterns for
> > which this mechanism is sufficient to successfully argue about
> > invariants of the system.
> 
> The pattern you argue for is sufficient to catch *some* forms of error.
> It is not a sufficient defense against malice.

I am perfectly aware of that.
 
> My observation: any solution that deals with the broader cases of malice
> will subsume the narrower cases of error-catching.

My starting point was not malice, but bugs.

Thanks,
Marcus
reply via email to
[Prev in Thread] Current Thread [Next in Thread]