l4-hurd

Re: Reliability of RPC services


From: Jonathan S. Shapiro
Subject: Re: Reliability of RPC services
Date: Sat, 29 Apr 2006 21:28:47 -0400

On Sat, 2006-04-22 at 20:05 +0200, Marcus Brinkmann wrote:
> At Sat, 22 Apr 2006 13:57:18 -0400,
> "Jonathan S. Shapiro" <address@hidden> wrote:
> > If the server is malicious, the presence of a "notify on drop" bit (or
> > even a "notify on container destroy" bit) is insufficient to achieve the
> > robustness that you are looking for.
> 
> Why do you think so?  As far as I know, I have not yet made my case
> for why I think that it may be sufficient.

The problem is that a malicious server may indefinitely hold a reply
capability without invocation. It will not drop the capability, and it
will not die.

>   There seem to be,
> admittedly narrow, but still useful (for us), design patterns for
> which this mechanism is sufficient to successfully argue about
> invariants of the system.

The pattern you argue for is sufficient to catch *some* forms of error.
It is not a sufficient defense against malice.

My observation: any solution that deals with the broader cases of malice
will subsume the narrower cases of error-catching.

shap