From: Michal Suchanek
Subject: Re: Part 2: System Structure
Date: Thu, 25 May 2006 11:02:07 +0200

On 5/25/06, Bas Wijnen <address@hidden> wrote:
> On Wed, May 24, 2006 at 11:55:40AM +0200, Pierre THIERRY wrote:
> > > > Am I wrong on anything here?
> > >
> > > You seemed to be forgetting that without a constructor, we can still
> > > have an "identify" operation.
> >
> > I don't see how your proposal enables a process to check anything
> > accurately and in a tamperproof way about its environment. In your
> > model, it is mandatory for a process to trust all of its parents.
> >
> > In the ping or competition case, that's not possible.
>
> It is. The parent space bank is the user session, which is not under user
> control.

In your proposal the user can choose to run the program in opaque storage. But the administrator cannot choose to set up a program that can be run only in opaque storage to ensure its integrity (much like suid programs on unix).

Thanks

Michal