Rights Amplification

Bernhard Kauer kauer at os.inf.tu-dresden.de
Mon Jun 13 18:50:49 CEST 2005


we had here a long discussion about a "real capability" or "user capability"
system on top of L4.sec and found that we had some proplems with the initial

> The assumption has been that capabilities will be built on top of end points.
> So, I think we agree: there is no fundamental equivalence between end points 
> and capabilities and the question at hand is: how do we represent capabilities? 

Using an endpoint for every "user capability" is quite inefficient. This
one-to-one mapping prevents to use the advantages of L4.sec and lead to
additional kernel operations like cmp()...

> > The server could somehow identify the sender of a message.
> Are you suggesting that we use the task id of the sender as the key?

No. L4.sec has no global task id's anymore. Instead identification can be
done through a mechanism which is called "badge" or "sender ID".
It is similar to what you call "secure payload" with the small, but nice
exception that it could be set by everyone, but only once [1].
The "sender ID" or the "badge" of the sender is transfered to the receiver
as part of an IPC.

The "badge" has therefore the following properties:

    1. the creator of the endpoint or a server which is trusted by the creator
       could freely set the badge
    2. the badge is a local name; a server could refer to the same endpoint
       with different badges
    3. the kernel protects the integrity of the badge

>>> (Note that if you do not use communication end points as object
>>> identifiers via a 1:1 relationship, determining to which object a
>>> message should go is an open question whose answer depends on how
>>> objects identifiers are represented in the first place.)

A "user capability" could be something like (badge, object nr).

If a server receives such a capability it verifies whether this badge could use
this object or it could ask a trusted policy server (which distributes the badges
for his _single_ endpoint), whether this operation is allowed or not.

The scenarios we look at could be solved either with badges or need, like
the reference counter example, cooperation between already cooperating clients.


[1] In fact it is a bitstring which could be extended while mapping
an endpoint to another space.

More information about the l4-hackers mailing list