l4-hurd
Re: Restricted storage


From: Jonathan S. Shapiro
Subject: Re: Restricted storage
Date: Tue, 30 May 2006 11:21:19 -0400

On Tue, 2006-05-30 at 16:37 +0200, Pierre THIERRY wrote:
> Jonathan S. Shapiro wrote on 30/05/2006 at 10:04:
> > Read permission on capabilities implies transitive write permission.
> 
> OK. Would it be possible then to have two sets of permissions:
> read/write, read-only and nothing for data pages, and read and nothing
> for capability pages?

I do not believe so. I believe that the minimum practical set is the one
used in EROS and Coyotos:

   subsets of {R, W, X} for data, where W implies R, giving:
       R X RW RX RWX

   subsets of {R, W, Wk} for capabilities, where W implies R. In
       practice, it also appears that Wk implies {!W, !R}, so this
       gives:

       R RW Wk

The Wk right is "merely" an optimization, but it is pragmatically a very
important optimization.

> > Also, it requires dynamic monitoring that is generally agreed to be
> > too expensive in practice. A comparable technique has sometimes been
> > used to handle dynamic security level tainting in MLS systems.
> 
> For the sake of my curiosity, would the removable proxy idea I sketched
> before be possible in Coyotos? Would it still be too expensive that way?

Can you provide the URL of a concise description? I'm up against a
deadline, and I don't have time to search for it, but I will be happy to
look at it quickly.

I *can* say that KeyKOS used proxies for many purposes in many
situations, but in general it is very difficult to proxy memory objects,
because the latency costs of doing this are very high. The problem is
similar to watchpoints in a debugger: if you can handle the proxy with
copy on write and page permissions, you can do okay. If you actually
have to monitor every word, it's going to be slow.

One of the major improvements in SVR4 /proc was when Roger Faulkner and
I added watchpoint support. We were careful to specify it in a way that
could be implemented with page protections, and it was the first time
that an arbitrary number of watchpoints could be efficiently supported
by a debugger (in that case, the debugger was the SGI VIEW product).


shap
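
To make the two permission lists above concrete, the following is a small model (added here; it is not code from the message, from EROS or from Coyotos) of what the holder of one capability can reach by fetching capabilities out of capability pages, which is why read on capabilities implies transitive write. The page names (root, inner, secret, config) are constructed, and the Wk behaviour is an assumption stated in the attenuate() comment rather than something the message spells out.

```python
from collections import deque
from dataclasses import dataclass

# Legal right sets as listed in the message. W implies R, so bare "W" is absent.
DATA_RIGHTS = {"R", "X", "RW", "RX", "RWX"}
CAP_RIGHTS = {"R", "RW", "Wk"}          # Wk (weak) excludes both R and W

@dataclass(frozen=True)
class Cap:
    page: str     # target page name
    rights: str   # one of DATA_RIGHTS or CAP_RIGHTS, depending on page kind

# Constructed sample address space: two capability pages, two data pages.
CAP_PAGES = {"root": [Cap("inner", "R"), Cap("config", "RX")],
             "inner": [Cap("secret", "RW"), Cap("root", "R")]}   # cycle on purpose
DATA_PAGES = {"secret", "config"}

def validate(cap: Cap) -> Cap:
    """Reject right sets that the lattice does not allow for this page kind."""
    if cap.page not in CAP_PAGES and cap.page not in DATA_PAGES:
        raise KeyError(cap.page)
    legal = CAP_RIGHTS if cap.page in CAP_PAGES else DATA_RIGHTS
    if cap.rights not in legal:
        raise ValueError(f"{cap.rights!r} is not a legal right set for {cap.page}")
    return cap

def attenuate(fetched: Cap, via: Cap) -> Cap:
    """Assumed Wk semantics: a capability fetched through a weak capability
    comes back without W, and stays weak if it names a capability page."""
    if via.rights != "Wk":
        return fetched
    if fetched.page in CAP_PAGES:
        return Cap(fetched.page, "Wk")
    return Cap(fetched.page, fetched.rights.replace("W", ""))

def reachable(start: Cap) -> frozenset:
    """Every capability obtainable by repeatedly fetching from capability
    pages, starting at `start`. Fetching needs R (or Wk) on the cap page."""
    seen, todo = set(), deque([validate(start)])
    while todo:
        cap = todo.popleft()
        if cap in seen:
            continue                       # handles the root <-> inner cycle
        seen.add(cap)
        if cap.page in CAP_PAGES and ("R" in cap.rights or cap.rights == "Wk"):
            for stored in CAP_PAGES[cap.page]:
                todo.append(attenuate(validate(stored), cap))
    return frozenset(seen)

def writable_data(start: Cap) -> set:
    """Data pages the holder of `start` can end up writing."""
    return {c.page for c in reachable(start)
            if c.page in DATA_PAGES and "W" in c.rights}
```

A plain R capability to the root page reaches a writable "secret", while a Wk capability to the same page reaches only read access to it, without any monitoring of individual fetches.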
