l4-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Where should port rights go?

From: Farid Hajji
Subject: Re: Where should port rights go?
Date: Sun, 26 Nov 2000 04:58:33 +0100 
> > > Many ways to implement port rights come to mind. Here are some ideas:
> > <snip>
> > 
> > 9. port-rights entirely managed by concerned parties:
> > 
> >    * every communicating party is uniquely identified by its
> >      sender-id/receiver-id. This information is provided by
> >      the kernel/libmom and is considered trusted.
> >
> > [...]
> >
> >    - slight chance of forgeability by clients that poll every random-id
> >      from a server (guessing id's).
> 
> If you check (and trust) the sender ID of a message, how can an
> untrusted client (whos sender ID doesn't match any trusted ones) to
> find a way in?  Is it possible (in L4) to forge the sender ID in a
> message?
Consider the following scenario:

   1. client C1 requests a port-right from server S
   2. server S generates a random-id r, saves it in
      an internal [multi]map (<C1,r>) and sends this random-id
      to C1.
   3. C1 transmits this port-right to C2
      (e.g.: perhaps C2 is going to become a child of C1?)
   4. C2 sends <C2,r> to S.

      Now you get two alternatives:

   5. S rejects r, because <C2,r> is not in S's map, only <C1,r>
  5'. S accepts r, because <*,r> is in S's map.

+ 5  would be secure and no forgeablility can occur, because Sender-ID
     C1/C2/Unknown would be passed by L4 to S and that is trusted.
- 5  inflexible, because port-rights sent to a client cannot be delegated
     to other clients (but see below)

+ 5' is flexible, because port-rights can be delegated to other clients,
     without involving the originator S of the port-right.
- 5' any other untrusted party, CU could poll S by sending <CU,x> messages
     to S. As soon as <CU,r> is received by S, the port-right would be
     wrongly acknowledged.

5 is of course the only secure (distrbuted) mechanism for managing
port-rights without risks of forgeability. To enable C1 to delegate
a port-right to C2, C1 should send a notification to the originator
of the port-right (S):

  6. C1 wants to _move_ 'r' to C2:
       * C1 sends to S a notification: <C1,move,C2,r>
       * If S allowed the move, it would remove <C1,r> from its map
         and insert <C2,r> instead (effectively transferring the right
         to C2).
  7. C1 wants to _copy_ 'r' to C2:
       * C1 sends to S a notification: <C1,copy,C2,r>
       * If S allowed the move, it would insert <C2,r> in addition to
         <C1,r> to its map.

This mechanism is possible, if S trusts C1 to transfer port-rights
correctly. I see no forgeability issue here.

Using this distributed mechanism would relieve us from the IPC bottleneck
of a central port-rights server, but we need to:
  a. define a protocol for sending,receiving,moving,copying ... port-rights.
  b. consider notification mechanism about recycled sender-id(s):

About b.:
  * Because L4 tasks are only limited in number, they have to be recycled.
    This could affect the L4 sender-id(s), right? A new task could use
    an old sender-id that is still registered in a map of some originator
    of a port-right. [Question: What about version-ids? Are they part of
    sender-id in L4? If yes, are they guaranteed to remain unique?]

  * old port-rights needs to be revoked, if a sender-id is recycled.
    This must be done through some notification message to the originator
    of a port-right. Two problems here:

      x Who would notify the port-right maintainers? Probably 'proc' server
        on exit() of a Hurd process.
        -> This requires that the port-rights maintainers register with
           proc, when they give out a port-right to a client (for the
           first time only). (*)

      x Many port-rights originators would need to be notified separately.
        'proc' could use the information gathered in (*) to notify each
        one of them.
        -> 'proc' could become the IPC bottleneck on process exit.

Implementing this scheme could be done in a library that would need to
be linked against every Hurd binary. This library would dedicate a thread
to handle the port-rights protocol and associated port-rights map of every
client, as well as registering with 'proc' (or whoever). A binary not
linking this library could simply not participate in the port-rights
passing scheme unless it does this stuff manually.

Regards,

-Farid.

-- 
Farid Hajji -- Unix Systems and Network Admin | Phone: +49-2131-67-555
Broicherdorfstr. 83, D-41564 Kaarst, Germany  | address@hidden
- - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - -
Murphy's Law fails only when you try to demonstrate it, and thus succeeds.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]