l4-hurd

Re: Part 2: System Structure


From: Jonathan S. Shapiro
Subject: Re: Part 2: System Structure
Date: Tue, 23 May 2006 16:32:01 -0400

On Tue, 2006-05-23 at 22:15 +0200, Pierre THIERRY wrote:
> Scribit Bas Wijnen dies 23/05/2006 hora 20:53:
> > This capability also allows checking that these banks are opaque.
> 
> In all your scenarios, you seem to omit something: without the
> constructor mechanism, no process can verify anything accurately about
> any other process, except if all of the parents of it are to be trusted.

Yes, in two senses:

1. Parents must not be able to tamper with the constructor, therefore it
must not be writable even if executing on parent storage.

2. The constructor authentication mechanism relies on the existence of
an exclusively held and unrevealed capability (the brand). This
capability must not even be *read* by parents.

I think Marcus has stated that he has an alternative way to do this. I
do not understand how his method works.

> That is, except for a process spawned by the TCB, no capability can be
> trusted not to be faked or sniffed. And AFAIK, there is no means for a
> process to check that it has been spawned by the TCB.
> 
> But when a process is spawned by a constructor and given some
> capabilities to the TCB that the requestor cannot spy on or alter, it is
> given the ability to check properties of its environment accurately.

Yes. The constructor can be substituted, but only if the metaconstructor
and the prime space bank and the installer are also substituted.


shap
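As an added illustration of the two conditions listed in the message above (not code from this thread or from EROS/Coyotos; Brand, Process, Constructor and identify are names chosen for this example), a small Python model in which capabilities are object references:

```python
# Capabilities are modelled as Python object references: a holder can only use
# references it was handed and cannot manufacture one to an object it never
# received.  Python cannot stop a read of a "private" attribute; the third
# scenario reads one on purpose to show what breaks if the brand is readable.

class Brand:
    """Exclusively held, unrevealed capability; only identity ('is') matters."""
    __slots__ = ()

class Process:
    """A constructor's yield: carries its creator's brand, never returns it."""
    def __init__(self, brand, image):
        self._brand = brand
        self.image = image

def identify(proc, brand):
    """Kernel-mediated check: was proc created under brand?  Yes/no only."""
    return proc._brand is brand

class Constructor:
    """Builds processes from a fixed image; its brand never leaves it."""
    def __init__(self, image):
        self._brand = Brand()
        self._image = image
    def create(self):
        return Process(self._brand, self._image)
    def verify(self, proc):
        return identify(proc, self._brand)

TRUSTED = Constructor(image="bank-server-v1")  # constructor installed by the TCB

def yield_of_trusted_constructor():
    """Normal case: a yield of the trusted constructor authenticates."""
    return TRUSTED.verify(TRUSTED.create())

def yield_of_substituted_constructor():
    """Point 1: a parent's substitute constructor has its own brand, so its
    yields fail authentication even with the same image."""
    impostor = Constructor(image="bank-server-v1")
    return TRUSTED.verify(impostor.create())

def yield_with_leaked_brand():
    """Point 2: if a parent can read the brand it can attach it to any process
    and the check is defeated; returns True to show that failure."""
    leaked = TRUSTED.create()._brand  # the read a capability kernel must forbid
    return TRUSTED.verify(Process(leaked, image="tampered"))
```

The third scenario is why the message insists the brand must not even be readable: identity-only checking is sound only while the brand reference stays exclusively held.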
