IPC/Capabilities Overview

Andrew Baumann andrewb at cse.unsw.edu.au
Sun Jan 4 02:43:22 CET 2004

On Fri, 2 Jan 2004 06:51 pm, Benno wrote:
> Mungi, a password capability based system is able to provide its
> PDX mechanism at a very reasonable overhead, (I think around 70
> extra cycles -- this is on IA64) on top of raw IPC costs. (Oh and
> those extra cycles are marshalling costs, not security check costs.)
> I believe it is definately possible to design a secure system[*] using
> the current L4 primitives, with neglible overhead.
> [*] I guess this depend of course on the definition of secure. At least
> in this case it means that a service can't be DoS-ed and must have a valid
> capability to access the service. I'm not sure we currently protect against
> covert channels.

Just to clarify this for the non-Mungi people on the list: at the moment it's 
a somewhat loose definition of secure. We do the security checks on the 
initial call (which is much more expensive), and then repeated calls to the 
same service use a cached L4 client thread, so that 70 cycles isn't a true 
measure of the overhead.

And no, since L4 doesn't currently restrict IPC to arbitrary threads, we can't 
protect against covert channels etc.


More information about the l4-hackers mailing list