[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cap exchange race with map/unmap
From: |
Neal H. Walfield |
Subject: |
Re: cap exchange race with map/unmap |
Date: |
Wed, 19 Oct 2005 15:57:43 +0100 |
User-agent: |
Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI) |
At Wed, 19 Oct 2005 15:37:17 +0200,
Marcus Brinkmann wrote:
>
> At Wed, 19 Oct 2005 14:21:23 +0200,
> Bas Wijnen <address@hidden> wrote:
> > I note that the capability server as a library approach isn't being
> > discussed
> > at the moment. Is there something wrong with it?
>
> Yes. First of all, it fundamentally requires that the individual
> clients and copy operations are disclosed to the server. This may be
> a violation of your security policy.
>
> It can require too much trust when receiving a copy of a capability:
> The receiver must trust the server (by making a blocking RPC to it)
> even for just accepting the copy. This may be a problem in your
> system architecture design. (I am not sure it is a problem in our
> hurd-on-l4 design. It depends on if a server actually makes a call on
> an auth, container, etc capability, or if those are only used as
> authentication tokens).
I think this is the killer argument for the cap server as library
design: in order for a client, A, to pass a capability to a second
client B, B must make a blocking call to the server implementing the
object named by the capability. This is not a problem if B will
invoke the capability eventually anyways as is the general case,
e.g. when using a file object. However, capabilities are not always
used like this: sometimes they are only passed as arguments.
Imagine that a task (A) uses the system auth server (AUTH), that a
second task (B) uses a proxy auth server (PROX) which in turn
interfaces with AUTH and that A wants to authenticate itself to B.
According to the current protocols (i.e. as inherited from the Hurd on
Mach), A invokes auth_user_authenticate on a capability naming AUTH.
AUTH returns a capability to A which it needs to pass to B. According
to the protocol, B would then invoke auth_server_authenticate on a
capability naming its auth server passing the capability as an
argument (as well as the permitted users). The problem is that in
order for B to accept the capability from A, it must make a blocking
call to AUTH, however, B knows nothing directly about AUTH: it only
knows about it via PROX. Since we know the context, B could ask its
auth server, i.e. PROX, if AUTH is trusted, before accepting the
capability. As you can see, the protocol gets increasingly complex
and performance is problematic.
Thanks,
Neal
- Re: cap exchange race with map/unmap, (continued)
- Re: cap exchange race with map/unmap, Neal H. Walfield, 2005/10/19
- Re: cap exchange race with map/unmap, Marcus Brinkmann, 2005/10/18
- Re: cap exchange race with map/unmap, Jonathan S. Shapiro, 2005/10/18
- Re: cap exchange race with map/unmap, Ludovic Courtès, 2005/10/19
- Re: cap exchange race with map/unmap, Bas Wijnen, 2005/10/19
- Re: cap exchange race with map/unmap, Jonathan S. Shapiro, 2005/10/19
- Re: cap exchange race with map/unmap, Bas Wijnen, 2005/10/19
- Re: cap exchange race with map/unmap, Marcus Brinkmann, 2005/10/19
- Re: cap exchange race with map/unmap, Marcus Brinkmann, 2005/10/19
- Re: cap exchange race with map/unmap, Jonathan S. Shapiro, 2005/10/19
- Re: cap exchange race with map/unmap,
Neal H. Walfield <=
- Re: cap exchange race with map/unmap, Marcus Brinkmann, 2005/10/19
- Re: cap exchange race with map/unmap, Neal H. Walfield, 2005/10/19
- Re: cap exchange race with map/unmap, Marcus Brinkmann, 2005/10/19
- Re: cap exchange race with map/unmap, Jonathan S. Shapiro, 2005/10/19
- Re: cap exchange race with map/unmap, Marcus Brinkmann, 2005/10/19
- Re: cap exchange race with map/unmap, Jonathan S. Shapiro, 2005/10/19
- Re: cap exchange race with map/unmap, Neal H. Walfield, 2005/10/19
- Re: cap exchange race with map/unmap, Jonathan S. Shapiro, 2005/10/19
- Why COPY != SIMULATED COPY, Jonathan S. Shapiro, 2005/10/19
- Re: Why COPY != SIMULATED COPY, Jonathan S. Shapiro, 2005/10/19