IPC/Capabilities Overview

Benno benjl at cse.unsw.edu.au
Fri Jan 2 08:51:59 CET 2004

On Wed Dec 31, 2003 at 19:31:01 -0500, Jonathan S. Shapiro wrote:
>You aren't measuring the right times because you fail to consider
>application-level costs that are imposed by deficiencies in the kernel
>layer interface. The end to end time is the important time, and this
>must include mandated application-level costs.

Mungi, a password capability based system is able to provide its
PDX mechanism at a very reasonable overhead, (I think around 70
extra cycles -- this is on IA64) on top of raw IPC costs. (Oh and
those extra cycles are marshalling costs, not security check costs.)

I believe it is definately possible to design a secure system[*] using
the current L4 primitives, with neglible overhead.



[*] I guess this depend of course on the definition of secure. At least
in this case it means that a service can't be DoS-ed and must have a valid
capability to access the service. I'm not sure we currently protect against
covert channels.

More information about the l4-hackers mailing list