l4-hurd
From: Pierre THIERRY
Subject: Re: Alternative network stack design (was: Re: Potential use case for opaque space bank: domain factored network stack
Date: Mon, 8 Jan 2007 10:03:41 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

Marcus Brinkmann wrote on 08/01/2007 at 09:31:
> > So it all boils down to avoiding giving to a process you can inspect a
> > capability to a process you can't inspect.
> Uhm, but then it can't use any service requiring opaque allocation of
> user-provided memory resources.  Wasn't that the whole point of the
> exercise?

Well, obviously you will give such a capability if you trust the
service. But at no point do you have to give authority whose use you'd
like to prevent, and that's the point of a capability-based system.

As I trust the Ethernet driver, I will happily give my TCP/IP stack a
capability to it, but not to any other process. Same goes for some
custom FS I use in my home directory, which could access the USB driver
to store data on a USB disk. And if the USB driver happens to need some
client-provided memory that the client can't even read, so be it, but I
wouldn't give any other process a capability to it.

Capabilities to processes able to opacify memory are no different from
capabilities to any other process able to do anything that could be
turned against me. While adhering to POLA, I protect myself from any
such threat...

Simply,
Pierre
-- 
address@hidden
OpenPGP 0xD9D50D8A
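A toy model of the delegation rule argued for in the message above, added here as an illustration; it is not code from this thread nor from any Hurd, L4 or EROS implementation. The `Kernel`, `Capability`, `SpaceBank`, `Process` and `EthernetDriver` names and the "opaque region" bookkeeping are made up for the example. It shows the two halves of the argument: a process that was never granted a capability to the driver cannot invoke it (nor forge a capability to it), and a process that does invoke it can donate memory the driver opacifies, which that client then cannot read back.

```python
"""Toy capability model (constructed for illustration, not a real kernel).

Rules modelled:
  * a capability is unforgeable: the kernel compares it by identity and only
    honours it if it sits in the caller's capability list (c-list);
  * a service may allocate memory out of the client's space bank as an
    "opaque" region readable only by the service, not by the donor.
"""


class Capability:
    """Unforgeable reference to a target process (compared by identity)."""
    __slots__ = ("target",)

    def __init__(self, target):
        self.target = target


class SpaceBank:
    """Memory a process donates to services it invokes."""
    def __init__(self, owner):
        self.owner = owner
        self.regions = []

    def allocate_opaque(self, reader, size):
        # Only `reader` (the service) may read this region, not the donor.
        region = {"reader": reader, "data": bytearray(size)}
        self.regions.append(region)
        return region

    def read(self, who, region):
        if region["reader"] is not who:
            raise PermissionError(f"{who.name} may not read this region")
        return bytes(region["data"])


class Process:
    def __init__(self, name):
        self.name = name
        self.clist = set()          # capabilities held, by identity
        self.bank = SpaceBank(self)

    def grant(self, cap):
        self.clist.add(cap)


class Kernel:
    """The only path to a service: invocation through a held capability."""
    def invoke(self, caller, cap, method, *args):
        if cap not in caller.clist:
            raise PermissionError(
                f"{caller.name} holds no capability to {cap.target.name}")
        return getattr(cap.target, method)(caller, *args)


class EthernetDriver(Process):
    def send(self, client, frame):
        # Driver needs memory the client cannot tamper with while the frame
        # is in flight: take it opaquely from the client's own space bank.
        region = client.bank.allocate_opaque(reader=self, size=len(frame))
        region["data"][:] = frame
        return len(frame)


def build_system():
    kernel = Kernel()
    eth = EthernetDriver("eth0")
    eth_cap = Capability(eth)
    tcp = Process("tcpip")
    tcp.grant(eth_cap)            # trusted stack is given the driver cap
    rogue = Process("rogue")      # never given eth_cap
    return kernel, eth, eth_cap, tcp, rogue


def tcp_can_send(frame):
    kernel, eth, eth_cap, tcp, rogue = build_system()
    return kernel.invoke(tcp, eth_cap, "send", frame)


def rogue_can_reach_driver():
    """Rogue somehow learned the cap object; kernel still refuses it."""
    kernel, eth, eth_cap, tcp, rogue = build_system()
    try:
        kernel.invoke(rogue, eth_cap, "send", b"x")
    except PermissionError:
        return False
    return True


def rogue_can_forge_capability():
    """A freshly built Capability is a different object: not in the c-list."""
    kernel, eth, eth_cap, tcp, rogue = build_system()
    try:
        kernel.invoke(rogue, Capability(eth), "send", b"x")
    except PermissionError:
        return False
    return True


def client_can_read_opaque_region():
    kernel, eth, eth_cap, tcp, rogue = build_system()
    kernel.invoke(tcp, eth_cap, "send", b"hello")
    try:
        tcp.bank.read(tcp, tcp.bank.regions[0])
    except PermissionError:
        return False
    return True


def driver_can_read_opaque_region():
    kernel, eth, eth_cap, tcp, rogue = build_system()
    kernel.invoke(tcp, eth_cap, "send", b"hello")
    return tcp.bank.read(eth, tcp.bank.regions[0])
```

The point the model makes is the one in the mail: the driver's ability to opacify the TCP/IP stack's memory is a risk the stack accepted by being handed the driver capability, and a process that was never handed one has no way to expose its memory to that driver at all.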
