Re: A Question to throw at you guys

[Pierre THIERRY]

Scribit Tom Bachmann dies 13/11/2006 hora 22:08:
> > I don't say drivers must be in kernel space. I only state they
> > should be part of the TCB, to some extent
> Yep, this is also my pov (well, it'd be great to have drivers that are
> not part of the tcb, but I cannot imagine a feasible way of achieving
> this).

Well, as I had understood the previous discussion about user-provided
drivers, I thought it could be possible to use untrusted drivers if they
are not given capabilities to "unsafe" hardware or upper driver.

That is, if we have a trusted and safe USB bus driver, a user could plug
in an USB gadget and provide a driver for it, which would only be given
a capability to the USB bus driver. The data received and sent to the
gadget would be formatted and/or filtered, so that only this gadget
could communicate with the provided driver.

I think it should just work as a TCP/IP stack with firewalling does: a
program can listen to a port, but not an already taken or priviledged
port. With capabilities, it could only listen to a free port it has a
capability for. And once it listens, it could not receive datagrams sent
to another port, nor send datagrams as if they were coming from another
port. And the program could not send datagram to arbitrary remote ports
or adresses if the firewall doesn't let it do so.

Without unsafeties as the memory access of DMA chips, some hardware
could be dealt this way, and the size of the TCB lowered, couldn't they?

Previously,
Nowhere man
-- 
address@hidden
OpenPGP 0xD9D50D8A

signature.asc
Description: Digital signature