l4-hurd

RE: ipc security


From: Volkmar Uhlig
Subject: RE: ipc security
Date: Fri, 8 Oct 2004 21:15:47 +0200

> -----Original Message-----
> From: Bas Wijnen
> Sent: Friday, October 08, 2004 7:41 PM
> 
> > I don't understand your question.  String items are copied from the 
> > address space of the sender to the address space of the receiver at 
> > IPC time.  You specify the source of the string item in the sender via 
> > StringItems and the destination buffers in the receiver via 
> > BufferRegisters.
> 
> My problem is on page 63 of the reference manual, where Xfer 
> pagefaults are described.  It is specifically stated that 
> either side can be starved by a malicious pager from the 
> other side.  The solution to this is not to use string items. 
> You seem to think that specifying a 0 timeout will also 
> solve the problem (by aborting at the first pagefault.)
> I don't see anything about 0 timeouts in the 
> manual, but the presented solution (don't use strings) 
> suggests to me that it doesn't help.
> 
> > In fact, I might have made a mistake in the above paragraph you 
> > replied to.  It may be indeed the case that you can not differentiate 
> > between "local pagefaults" and "remote pagefaults" when specifying the 
> > xfer timeout.
> 
> You can, there is a send and a receive Xfer timeout.  
> However, the timeouts are only checked at pagefault, which 
> means that a pager not responding to the page fault will hang the IPC.

Xfer timeouts are checked when a pagefault occurs, assuming that the
copy operation is relatively short running and thus more fine-grain
timing only incurs overhead.  The pagefault IPC is sent with a timeout
which reflects the remaining Xfer time.  If the malicious pager doesn't
respond in time the IPC gets aborted.  (The current implementation of
Pistachio may slightly vary, though.)  Overall, string IPC can be bound
and is specifically there to have a trusted memory transfer.

- Volkmar
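
The timeout accounting described in the message above, as an added example that is not part of the original e-mail and is not Pistachio or L4 API code: each pagefault IPC is sent with whatever remains of the Xfer timeout, so an unresponsive or slow pager can stall the transfer for at most the Xfer timeout in total. All names (`string_xfer`, `pagefault_ipc`, `PAGER_NEVER`) and the per-page delay array are assumptions of this simplified model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not the L4 API. */
#define PAGER_NEVER UINT64_MAX          /* pager that never replies */

enum xfer_result { XFER_OK, XFER_TIMEOUT };

struct xfer_stats {
    size_t   pages_copied;              /* pages transferred before return */
    uint64_t elapsed_us;                /* time charged to the Xfer timeout */
};

/* One pagefault IPC, sent with timeout budget_us. Returns 1 if the pager
 * answered within the budget; *spent_us is the time consumed either way. */
static int pagefault_ipc(uint64_t pager_delay_us, uint64_t budget_us,
                         uint64_t *spent_us)
{
    if (pager_delay_us > budget_us) { *spent_us = budget_us; return 0; }
    *spent_us = pager_delay_us;
    return 1;
}

/* fault_delay_us[i] == 0: page i is mapped, no fault. Otherwise it is the
 * time the pager takes to resolve the fault on page i. The copy itself is
 * treated as short-running and is not timed, as the message describes. */
enum xfer_result string_xfer(const uint64_t *fault_delay_us, size_t npages,
                             uint64_t xfer_timeout_us, struct xfer_stats *st)
{
    uint64_t remaining = xfer_timeout_us;
    st->pages_copied = 0;
    st->elapsed_us = 0;
    for (size_t i = 0; i < npages; i++) {
        if (fault_delay_us[i] != 0) {
            uint64_t spent;
            int ok = pagefault_ipc(fault_delay_us[i], remaining, &spent);
            remaining -= spent;         /* later faults get only what is left */
            st->elapsed_us += spent;
            if (!ok) return XFER_TIMEOUT;   /* IPC aborted */
        }
        st->pages_copied++;
    }
    return XFER_OK;
}

int main(void)
{
    const uint64_t slow[] = { 0, 400, 0, 400, 400 };   /* constructed input */
    struct xfer_stats st;
    enum xfer_result r = string_xfer(slow, 5, 1000, &st);
    printf("result=%d pages=%zu elapsed=%llu\n", r, st.pages_copied,
           (unsigned long long)st.elapsed_us);
    return 0;
}
```

In this model a zero Xfer timeout aborts at the first pagefault, and a pager that answers each fault slowly cannot stretch the total beyond the timeout, because the budget is shared across faults rather than reset per fault.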



