IPC Timeouts
Jonathan S. Shapiro
shap at eros-os.org
Wed Feb 23 20:15:41 CET 2005
On Wed, 2005-02-23 at 19:49 +0100, Ronald Aigner wrote:
> It was brought to my attention that pagefault timeouts _are_ important
> so as to enforce a trust relation with your communication partner.
Unfortunately, this is true. Even more unfortunately, there is
absolutely no way to set a robust timeout for this case. In consequence,
the need for this timeout must be seen as a fundamental architectural
deficiency.
To resolve this problem even in part, the architecture must distinguish
between (a) addresses that are logically undefined, and (b) addresses
that are currently unmapped because of being paged out. The former case
is *always* an error in the logic of the recipient. The latter case is a
situation where either the sender trusts the paging agent completely or
no safe foundation for *any* communication of data can exist in the
architecture.
For some of the details, you might want to review "Vulnerabilities in
Synchronous IPC Designs" from IEEE Security and Privacy a few years ago:
http://www.eros-os.org/papers/IPC-Assurance.ps
shap
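The distinction argued for above (a logically undefined receiver address versus one that is merely paged out) can be shown in a toy kernel-side copy routine. The following is an added example and is not code from the original post, from L4 or from EROS; every name in it (ipc_copy_to_receiver, demo_pager, the page-state enum and the 16-byte "pages") is hypothetical. The point it illustrates is that the kernel decides what to do from page-table state, not from elapsed time: an undefined page aborts the IPC as the recipient's error, while a paged-out page is handed to a paging agent that the design has to trust, so no timeout is involved.

```c
/* Added example, not from the original post: a toy kernel-side IPC copy
 * that treats a faulting receiver page according to page-table state rather
 * than elapsed time. All names and sizes here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 16          /* tiny pages so the example stays small */
#define NPAGES    8

enum page_state { PG_UNDEFINED = 0, PG_PRESENT, PG_PAGED_OUT };

struct page {
    enum page_state state;
    uint8_t frame[PAGE_SIZE]; /* backing frame, meaningful only if PG_PRESENT */
};

/* A receiver address space: one page table plus the pager it trusts. */
struct aspace {
    struct page pt[NPAGES];
    bool (*pager)(struct aspace *as, size_t pno); /* brings a page in */
    unsigned pager_calls;
};

enum ipc_result { IPC_OK, IPC_ERR_RECEIVER_FAULT, IPC_ERR_PAGER_FAILED };

/* Simulated trusted pager: "reads the page back from disk" by zero-filling
 * it and marking it present. Its latency is irrelevant to the kernel,
 * which simply waits for it; trusting it is the precondition. */
static bool demo_pager(struct aspace *as, size_t pno)
{
    as->pager_calls++;
    memset(as->pt[pno].frame, 0, PAGE_SIZE);
    as->pt[pno].state = PG_PRESENT;
    return true;
}

/* Copy 'len' bytes from 'src' into receiver address 'dst'.
 * Case (a), an undefined page: the recipient's logic error, so the IPC is
 * aborted and *copied reports how many bytes landed before the fault.
 * Case (b), a paged-out page: not an error; the trusted pager is invoked,
 * with no timeout, and the copy resumes. */
static enum ipc_result ipc_copy_to_receiver(struct aspace *as, uintptr_t dst,
                                            const uint8_t *src, size_t len,
                                            size_t *copied)
{
    *copied = 0;
    while (*copied < len) {
        uintptr_t addr = dst + *copied;
        size_t pno = addr / PAGE_SIZE, off = addr % PAGE_SIZE;
        if (pno >= NPAGES)
            return IPC_ERR_RECEIVER_FAULT;   /* outside the address space */
        struct page *pg = &as->pt[pno];

        switch (pg->state) {
        case PG_UNDEFINED:
            return IPC_ERR_RECEIVER_FAULT;   /* case (a): recipient's bug */
        case PG_PAGED_OUT:
            if (!as->pager(as, pno))         /* case (b): ask the pager */
                return IPC_ERR_PAGER_FAILED;
            break;
        case PG_PRESENT:
            break;
        }
        size_t n = PAGE_SIZE - off;
        if (n > len - *copied)
            n = len - *copied;
        memcpy(pg->frame + off, src + *copied, n);
        *copied += n;
    }
    return IPC_OK;
}

/* Build a receiver from a layout string, one char per page:
 * 'P' present, 'O' paged out, anything else undefined. */
static void aspace_init(struct aspace *as, const char *layout)
{
    memset(as, 0, sizeof *as);               /* all pages PG_UNDEFINED */
    as->pager = demo_pager;
    for (size_t i = 0; i < NPAGES && layout[i]; i++)
        as->pt[i].state = layout[i] == 'P' ? PG_PRESENT
                        : layout[i] == 'O' ? PG_PAGED_OUT : PG_UNDEFINED;
}

int main(void)
{
    /* Constructed sample message, 39 bytes plus padding. */
    static const uint8_t msg[48] = "0123456789abcdefghijklmnopqrstuvwxyz-=+";
    struct aspace as;
    size_t n;

    aspace_init(&as, "PPOP");                /* page 2 is paged out */
    enum ipc_result r = ipc_copy_to_receiver(&as, 8, msg, 48, &n);
    printf("paged-out receiver: result=%d copied=%zu pager_calls=%u\n",
           r, n, as.pager_calls);

    aspace_init(&as, "PUP");                 /* page 1 was never mapped */
    r = ipc_copy_to_receiver(&as, 8, msg, 16, &n);
    printf("undefined receiver: result=%d copied=%zu pager_calls=%u\n",
           r, n, as.pager_calls);
    return 0;
}
```

Note that nothing in ipc_copy_to_receiver measures time: the only way the copy can block indefinitely is inside the pager call, which is exactly the component the post says the sender must trust completely if any data transfer is to be safe.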