l4-hurd

RE: Vulnerabilities in Synchronous IPC Designs


From: Volkmar Uhlig
Subject: RE: Vulnerabilities in Synchronous IPC Designs
Date: Mon, 2 Jun 2003 20:41:26 +0200

> -----Original Message-----
> From: Marcus Brinkmann [mailto:address@hidden]
> Sent: Monday, June 02, 2003 7:21 PM
> 
> The above strategy is roughly equivalent to the truncation 
> option in EROS.
> If more advanced strategies are required, we might not be 
> totally out of luck.  Although the TBO model does not 
> directly transfer to the Hurd, there are other possibilities 
> like having the trusted physical memory server allocate
> memory on the client's behalf for the server's use.  Maybe 
> Neal's container model can have a wired down option and 
> be extended to cover this case.  Such options have yet to be 
> explored.

As mentioned before by Espen, Jonathan refers to the old V2 API. X2/V4
supports message aborts and restarts for strings. So one possible way to
avoid the DoS is the following:

- Set receive transfer timeout to zero -- means that the first pagefault
will abort the IPC
- Clients have to touch (i.e. read) their message memory before sending
to make sure/likely it is paged in
- On pagefault the IPC is aborted immediately. Client and server get the
total amount of transferred bytes stored in the Error TCR
- Now it is up to a to-be-defined protocol to either restart the message
or continue at the point of the pagefault

Alternatively, you can have one dedicated thread per client which
performs a closed IPC receive and further sandbox malicious clients.

- Volkmar
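The four steps above, simulated as an added example. This is not code from the post, from L4 or from the Hurd: the kernel's string transfer, the client's page residency and the Error TCR are modelled with plain C structures (a toy 16-byte page, a `resident` flag per page, an `xfer_result_t` carrying the byte count), and the restart protocol in `transfer_with_restart` is one hypothetical way to fill in the "to-be-defined protocol" the post leaves open. The point it shows is the one that matters for the denial of service: with the receive transfer timeout at zero, a page fault in the client's message memory returns control to the server with a byte count instead of parking the server thread until the client's pager answers, and a bounded retry count keeps a client that never pages its memory in from consuming server time indefinitely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 16   /* constructed toy page size, not L4's real page size */
#define MAX_PAGES 8

/* Client message memory: bytes plus a per-page "resident" flag. Copying from
 * a non-resident page stands in for the page fault a pager would service. */
typedef struct {
    uint8_t bytes[PAGE_SIZE * MAX_PAGES];
    size_t  len;
    int     resident[MAX_PAGES];
} msg_buf_t;

enum { XFER_OK = 0, XFER_ABORTED = 1 };

/* Outcome of one string-transfer attempt: status plus bytes actually copied,
 * standing in for the count the post says both sides read from the Error TCR. */
typedef struct {
    int    status;
    size_t transferred;
} xfer_result_t;

/* Build a constructed message of `len` bytes; page `missing_page` (or -1 for
 * none) is left non-resident to provoke the first-touch page fault. */
void make_message(msg_buf_t *m, size_t len, int missing_page)
{
    memset(m, 0, sizeof *m);
    m->len = len;
    for (size_t i = 0; i < len; i++) m->bytes[i] = (uint8_t)('a' + i % 26);
    for (int p = 0; p < MAX_PAGES; p++) m->resident[p] = (p != missing_page);
}

/* Server-side receive with receive transfer timeout zero: copy from `offset`
 * and abort at the first non-resident page instead of blocking the server
 * thread until the client's pager answers. */
xfer_result_t receive_string(const msg_buf_t *src, size_t offset,
                             uint8_t *dst, size_t dst_cap)
{
    xfer_result_t r = { XFER_OK, 0 };
    for (size_t i = offset; i < src->len && r.transferred < dst_cap; i++) {
        if (!src->resident[i / PAGE_SIZE]) {
            r.status = XFER_ABORTED;   /* r.transferred = bytes copied so far */
            return r;
        }
        dst[r.transferred++] = src->bytes[i];
    }
    return r;
}

/* Client-side precaution from the post: touch every page of the message
 * before sending so it is (likely) resident. Simulated by setting the flag. */
void touch_pages(msg_buf_t *m)
{
    for (size_t i = 0; i < m->len; i += PAGE_SIZE) m->resident[i / PAGE_SIZE] = 1;
}

/* Hypothetical restart protocol: after an abort the client pages in the
 * faulting page and resends from the reported offset, so the server never
 * waits on the client's pager. `max_rounds` bounds how often a client may
 * retry; `*aborts` reports how many aborts occurred. Returns bytes delivered. */
size_t transfer_with_restart(msg_buf_t *m, uint8_t *dst, size_t dst_cap,
                             int max_rounds, int *aborts)
{
    size_t offset = 0;
    *aborts = 0;
    for (int round = 0; round < max_rounds && offset < m->len; round++) {
        xfer_result_t r = receive_string(m, offset, dst + offset, dst_cap - offset);
        offset += r.transferred;
        if (r.status == XFER_OK) break;
        (*aborts)++;
        m->resident[offset / PAGE_SIZE] = 1;   /* client services its own fault */
    }
    return offset;
}

int main(void)
{
    msg_buf_t m;
    uint8_t out[PAGE_SIZE * MAX_PAGES];
    int aborts;

    make_message(&m, 40, 1);   /* 40-byte message, page 1 not paged in */
    xfer_result_t first = receive_string(&m, 0, out, sizeof out);
    printf("first attempt: status=%d transferred=%zu\n", first.status, first.transferred);

    size_t total = transfer_with_restart(&m, out, sizeof out, 4, &aborts);
    printf("after restart protocol: %zu bytes delivered, %d abort(s)\n", total, aborts);
    return 0;
}
```

The retry bound is the part worth keeping in mind when designing the real protocol: without it, a client that unmaps a page after every restart still gets unbounded server attention, just in small slices rather than one blocked thread, which is the sandboxing concern behind the one-receiver-thread-per-client alternative mentioned above.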
