
Re: cap exchange race with map/unmap

From: Jonathan S. Shapiro
Subject: Re: cap exchange race with map/unmap
Date: Tue, 18 Oct 2005 08:42:55 -0400

On Tue, 2005-10-18 at 13:04 +0100, Neal H. Walfield wrote:
> At Sun, 09 Oct 2005 14:50:00 -0400,
> Jonathan S. Shapiro wrote:
> > I send you a capability. During the window of time when you are trying
> > to exchange it, I revoke it. If I do this fast enough in the MAP/UNMAP
> > design, your attempt to invoke the CapServer will take a memory fault.
> > Note that this memory fault can occur at any place where your
> > application receives a capability, which includes EVERY RPC!!! Now what?
> Here is the protocol that I envision: when doing a cap exchange, the
> receiver does not invoke the capability that it is trying to exchange
> but a capability to its trusted cap server and passes the capability
> it is trying to exchange as an argument.  If the sender revokes the
> capability before the exchange completes, the cap server will see an
> invalid capability and fail.  Where is the memory fault?

You are correct, and I am mistaken. As long as the cap being transferred
is not actually examined, we have no memory fault.

In order to implement the protocol that you describe, the cap server needs

  a) sufficient authority to inspect the content of every capability
  b) sufficient authority to fabricate any capability (because it
     must be able to exchange any capability).

The second authority is intrinsically very dangerous. The first is also
dangerous, but less so.
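A toy model of the exchange protocol quoted above and of the two authorities (a) and (b) listed in the reply, written for this page as an added illustration; it is not code from the thread or from any Hurd/L4 implementation, and the class and function names are assumptions.

```python
import itertools


class RevokedError(Exception):
    """Raised when a revoked capability is invoked directly (the 'memory fault' case)."""


class Kernel:
    """Constructed capability table: cap id -> (owner, object). Revocation deletes the entry."""

    def __init__(self):
        self._caps = {}
        self._ids = itertools.count(1)

    def grant(self, owner, obj):
        cap = next(self._ids)
        self._caps[cap] = (owner, obj)
        return cap

    def revoke(self, cap):
        self._caps.pop(cap, None)  # the sender's revoke; races with an in-flight exchange

    def invoke(self, cap):
        """Invoking a revoked cap faults; the receiver must never do this on a cap it just got."""
        if cap not in self._caps:
            raise RevokedError(cap)
        return self._caps[cap][1]

    def inspect(self, cap):
        """Authority (a): look at a cap's content without invoking it. Only the cap server holds this."""
        return self._caps.get(cap)


class CapServer:
    """Trusted cap server holding authority (a) inspect and (b) fabricate."""

    def __init__(self, kernel):
        self._k = kernel

    def exchange(self, cap, new_owner):
        entry = self._k.inspect(cap)          # (a) inspect, never invoke
        if entry is None:
            return None                       # sender revoked it: clean failure, no fault
        return self._k.grant(new_owner, entry[1])  # (b) fabricate a fresh cap for the receiver


def receiver_exchange(kernel, server, cap, receiver, revoke_mid_exchange=False):
    """The receiver passes `cap` as an argument to its cap server instead of invoking it."""
    if revoke_mid_exchange:
        kernel.revoke(cap)                    # model the race: revoke lands before the exchange completes
    return server.exchange(cap, receiver)
```

Returning `None` (rather than faulting) is the point of the protocol: the only party that ever looks inside the capability is the cap server, which holds both dangerous authorities.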
