l4-hurd

Re: Constructor v. Trivial Confinement


From: Jonathan S. Shapiro
Subject: Re: Constructor v. Trivial Confinement
Date: Mon, 01 May 2006 13:57:20 -0400

Marcus:

This mechanism that you are describing is extremely important, and I am
not able to understand it clearly from your description below. Could you
please expand?

From your description, it sounds as if S is a universal identification
service. This worries me greatly.

I think my confusion is in your last two sentences. You wrote:

> It can invoke an operation on S to check if T is a capability
> implemented by S.  This identifies the server implementing T as
> the server Z.

If T is a capability implemented by S, how can the server implementing T
be Z? Can you clarify this? Is the identity server separate from the
server that implements the object? If so, this seems unnecessary and
also prone to denial of resource attacks.


In any case, it *sounds* like the operation that this implements is the
following:

    Answer true (false) if capability A denotes an object X, and
    capability B denotes an object Y, such that Y is a server and
    X is (is not) an object implemented by Y.

If this is the effect then I definitely agree that it is an identify
operation, but it is a very different operation than the one that I
described. No reliable identity server is required to implement it; all
that is required is for a server to be able to recognize its own
objects.

shap


On Mon, 2006-05-01 at 19:10 +0200, Marcus Brinkmann wrote:
> Hi,
> 
> thanks for the summary.  I only have one point to add right now.
> 
> At Mon, 01 May 2006 12:42:10 -0400,
> "Jonathan S. Shapiro" <address@hidden> wrote:
> > The trivial confinement mechanism does not provide the identification
> > function at all.
> 
> It does not provide the identification function as you describe it.
> However, it does allow for a different method of identification that
> has been sufficient in the Hurd so far (and which is used in the Hurd
> on Mach).
> 
> This method works, technically, exactly like the identification of the
> constructor.  The same branding feature can be used.  However, instead
> of identifying the constructor, i.e. the template of a program, it
> identifies a single instance of a program.
> 
> For this, a program B receives, by parenthood, a capability S to a
> service that it can rely on.  If it then receives any random
> capability T from any peer process, it can invoke an operation on S to
> check if T is a capability implemented by S.  This identifies the
> server implementing T as the server Z.
> 
> This method has quite different properties than what you are looking
> for, but it does provide a means of identification, for what it's worth.
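The identify operation the two messages above circle around, as an added illustration that is not code from this thread, from the Hurd, or from L4: a program B holds a trusted capability S (obtained by parenthood) to server Z, receives an arbitrary capability T from a peer, and asks Z whether T denotes one of Z's own objects. The point of the model is that Z answers from its own bookkeeping only; no universal identification service exists anywhere. The `Capability`, `Server`, `identify`, and `demo` names are this example's own, and the kernel's guarantee that capabilities cannot be forged is simulated with a per-server HMAC brand, which is an assumption of the model, not how a real capability kernel provides that property.

```python
"""
Server-local capability identification: a server answers whether a
capability denotes one of its *own* objects, without any universal
identity service. Illustrative code only, not Hurd or L4 code.

Assumption: unforgeability of capabilities is simulated with a
per-server HMAC brand. A real system gets that property from the
kernel, not from a MAC; the brand stands in for that guarantee.
"""
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    server_id: int   # which server the holder claims implements the object
    handle: int      # opaque handle, meaningful only inside the issuing server
    brand: bytes     # unforgeable tag (simulated; see module docstring)


class Server:
    """A server that implements objects and can recognise them again later."""
    _next_id = 0

    def __init__(self, name: str) -> None:
        self.name = name
        self.server_id = Server._next_id
        Server._next_id += 1
        self._key = os.urandom(32)              # server-private branding secret
        self._objects: dict[int, object] = {}   # handle -> implemented object

    def _brand(self, handle: int) -> bytes:
        return hmac.new(self._key, handle.to_bytes(8, "big"), "sha256").digest()

    def create(self, obj: object) -> Capability:
        """Implement a new object and hand out a capability to it."""
        handle = len(self._objects)
        self._objects[handle] = obj
        return Capability(self.server_id, handle, self._brand(handle))

    def identify(self, cap: Capability) -> bool:
        """The operation from the thread: is `cap` an object implemented by me?

        Only this server's own state is consulted; a capability issued by
        another server, or one carrying a wrong brand, is simply "not mine".
        """
        if cap.server_id != self.server_id or cap.handle not in self._objects:
            return False
        return hmac.compare_digest(cap.brand, self._brand(cap.handle))


def identify_via(s: Server, t: Capability) -> bool:
    """Program B's view: B trusts S (received by parenthood) and asks S
    whether T, received from an arbitrary peer, is implemented by S."""
    return s.identify(t)


def demo() -> dict[str, bool]:
    """Constructed scenario: genuine, foreign and forged capabilities."""
    z = Server("Z")          # the trusted service B was handed at startup
    w = Server("W")          # some unrelated server a peer may be talking to
    genuine = z.create({"kind": "file"})
    foreign = w.create({"kind": "file"})
    # A peer presenting the right ids but a capability Z never issued:
    forged = Capability(genuine.server_id, genuine.handle, b"\x00" * 32)
    return {
        "genuine": identify_via(z, genuine),   # True
        "foreign": identify_via(z, foreign),   # False
        "forged": identify_via(z, forged),     # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'implemented by Z' if ok else 'not an object of Z'}")
```

The check answers Shapiro's restatement ("X is an object implemented by Y") for the single server Y = Z that B already trusts; it says nothing about who implements a capability Z does not recognise, which is exactly the property that distinguishes this from a universal identification service.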
