Re: ipc security

l4-hurd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipc security

From:	Bas Wijnen
Subject:	Re: ipc security
Date:	Thu, 14 Oct 2004 16:13:10 +0200
User-agent:	Mozilla Thunderbird 0.8 (X11/20040926)

Volkmar Uhlig wrote:

-----Original Message-----
From: Bas Wijnen
Sent: Friday, October 08, 2004 7:41 PM

>>

My problem is on page 63 of the reference manual, where Xferpagefaults are described. It is specifically stated thateither side can be starved by a malicious pager from theother side. The solution to this is not to use string items.You seem to think that specifying a 0 timeout will alsosolve the problem (by aborting at the firstpagefault.) I don't see anything about 0 timeouts in themanual, but the presented solution (don't use strings)suggests to me that it doesn't help.
Xfer timeouts are checked when a pagefault occurs, assuming that the
copy operation is relatively short running and thus more fine-grain
timing only incurs overhead.  The pagefault IPC is sent with a timeout
which reflects the remaining Xfer time.  If the malicious pager doesn't
respond in time the IPC gets aborted.  (The current implementation of
Pistachio may slightly vary, though.)  Overall, string IPC can be bound
and is specifically there to have a trusted memory transfer.

That sounds useful (although I agree with Marcus that a local/remotedistinction seems more logical than send/receive.) However, I don'tunderstand the paragraph in the reference manual at all anymore. I'llquote it:


<quote>

Xfer pagefaults happen while the message is being transferred and bothsender and receiver are involved. Therefore, xfer pagefaults arecritical from a security perspective: If such a pagefault occurs in thereceiver's space, the sender may be starved by a malicious pager. Anxfer pagefault in the sender's space and a malicious sender pager maystarve the receiver. As such, xfer pagefaults are controlled by theminimum of sender's and receiver's xfer timeouts.

However, xfer pagefaults can only happen when transferring strings.Send messages without strings or receive buffers without receive stringbuffers are guaranteed not to raise xfer pagefaults.

</quote>

So, I now think that the "starving" part can only happen when usinginfinite xfer timeouts, is that correct?

Assuming I have now understood how it works, some more thoughts on theHurd servers:

Even if xfer timeouts could be set for local and remote, that stilldoesn't really solve the problem. As the server will never use a remotetimeout other than 0, the client must always have the memory to receivethe string in available. This means it somehow has to make sure itcannot be swapped out. Touching it just before the IPC does notguarantee that it isn't swapped out before the string is transferred(especially if pagefaults may happen in the server's space, because itmay need to swap some pages in, which of course means others are swappedout.)

So either every server which allows string transfers must always allow"could you repeat that?"-requests, or there must be a way to tellphysmem certain pages should not be swapped out. While having such anoption may be useful, extensively using it doesn't sound like a goodidea to me (if only because we may want to make it a restricted request.)

I think the best solution is still to use a container from a containermanager. I'll explain again how that would work, because I have thefeeling I wasn't clear the previous time.

A container manager is started for every user, and in general, tasks ofthat user will trust it (those which don't can start their own containermanager if they want.) More importantly, the container manager trustsall tasks of the user (perhaps it wants to use a capability for this, sothe user can throw it away before running untrusted tasks.) This makesstring transfers with infinite xfer timeouts possible. When a taskwants to transfer a string, it asks its container manager to make acontainer with the server if it doesn't have one yet, and tells theserver to put the item in the container. This is of course slow for afirst time, but for all further transfers of strings from/to that serverby that user, the container will simply be reused. This means thatduring normal operation, it's only a simple IPC (with just a few MR's,to specify the task ID of the container) and a memcpy. After that, thecontainer manager can do a string IPC to the task (or before, if thestring has to be sent to the server.)

So the idea of a container manager is to remove the costs of setting upa container, while still having the benefits of it. At this moment Ithink this would be the best way to transfer strings.

If you still don't think so, please let me know why not, and what wouldbe better.


Thanks,
Bas

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

RE: ipc security, Volkmar Uhlig, 2004/10/08
- Re: ipc security, Bas Wijnen <=
  - Re: ipc security, Marcus Brinkmann, 2004/10/19
    - Re: ipc security, Ludovic Courtès, 2004/10/20
    - Re: ipc security, Ludovic Courtès, 2004/10/20
    - Re: ipc security, Johan Rydberg, 2004/10/20
    - Re: ipc security, Marcus Brinkmann, 2004/10/21
    - Re: ipc security, Bas Wijnen, 2004/10/21
    - Re: ipc security, Marcus Brinkmann, 2004/10/21
    - Re: ipc security, Bas Wijnen, 2004/10/22
    - Re: ipc security, Marcus Brinkmann, 2004/10/22
    - Re: ipc security, Bas Wijnen, 2004/10/22

Prev by Date: Re [3]:
Next by Date: Ayo mudik Lebaran Bersama TRC
Previous by thread: RE: ipc security
Next by thread: Re: ipc security
Index(es):
- Date
- Thread