Re: L4-Hurd; denial of service in the memory architecture

From: Marcus Brinkmann
Subject: Re: L4-Hurd; denial of service in the memory architecture
Date: Mon, 19 Jan 2004 23:56:49 +0100
User-agent: Mutt/1.5.4i

On Mon, Jan 19, 2004 at 03:24:55PM -0700, Christopher Nelson wrote:
> Yes, but if you are sharing a capability with an untrusted task, and
> that task suddenly has the ability to impersonate you to someone else in
> that it can allocate frames that count against your quota, then you have
> permission leakage.

Then don't share the capability.  It's that simple.

> Certainly you would want that task to access THAT
> memory, but you certainly would not want that task to be able to
> allocate more memory against your quota.

We will have a way to share memory securely with another task.  I am not
sure how exactly it is done at a syntactical level (i.e., which kind of cap is
passed with which operations).  Surely the semantics have (and largely are)
defined in the Right Way.

> Why does the capability to
> read or write a container also permit expansion of the container?

I am not even sure the details are set in stone at that level.  Take this
stuff with a grain of salt.  The design, in particular the design of the VM
subsystem, is not exactly finished.


`Rhubarb is no Egyptian god.' GNU      http://www.gnu.org    address@hidden
Marcus Brinkmann              The Hurd http://www.gnu.org/software/hurd/
