Re: Part 2: System Structure


From: Pierre THIERRY
Subject: Re: Part 2: System Structure
Date: Wed, 24 May 2006 11:55:40 +0200
User-agent: Mutt/1.5.11+cvs20060403

Bas Wijnen wrote on 24/05/2006 at 09:12:
> > In all your scenarios, you seem to omit something: without the
> > constructor mechanism, no process can verify anything accurately
> > about any other process, except if all of the parents of it are to
> > be trusted.
> This is not quite correct.  If a process gives me a capability, I can
> check things about it, no matter what the parents of the process are.

But this is not what I'm talking about. I'm talking about the process
itself checking that a capability it holds is really what it seems to
be. That's theoretically impossible to check in a trustworthy way if the
parent of that process has read/write access to the storage of the
process, because that parent could tamper with anything.

> For opaqueness, the chain of parents space bank-wise (of the process
> implementing the capability, not of the one providing it) must be
> trusted.

But how could a process check what they are? That it is indeed under a
chain of trusted space banks?

Remember: you have to find a way that is tamperproof from the parent.

> Luckily this chain of parents is usually short.

Whatever the length, it has to be checked anyway. And I'm not sure
there's anything to back up this assumption. The chain could be
arbitrarily long in some cases.

> In my model, all space banks are either used for creating sub-space
> banks, or for actual data (and code).  The former type are all owned
> by user sessions (and the session manager), the latter by programs.

That's not true anymore in the case of virtualization.

> > That is, except for a process spawned by the TCB, no capability can
> > be trusted not to be faked or sniffed.
> 
> No no, this is not how it works.  It doesn't matter at all who spawned
> the process. It only matters who owns the space bank. In my model,
> almost all space banks are owned by the TCB.

Are you saying you're not referring to the model described by Marcus? If
not, could you please describe very accurately your model, so that we
can see how you want it to work?

> > And AFAIK, there is no means for a process to check that it has been
> > spawned by the TCB.
> There is.  You can ask the TCB (with a capability that you received
> through independent means, probably your own parent).

If it is from your parent, you cannot trust it.

> > Am I wrong on anything here?
> You seemed to be forgetting that without a constructor, we can still
> have an "identify" operation.

I don't see how your proposal enables a process to check anything
accurately and in a tamperproof way about its environment. In your
model, it is mandatory for a process to trust all of its parents.

In the ping or competition case, that's not possible.

Quickly,
Nowhere man
-- 
address@hidden
OpenPGP 0xD9D50D8A
