L4.sec status ping

Wei Shen cquark at gmail.com
Tue Aug 7 16:56:08 CEST 2007


Thanks for your reply.

On 8/7/07, Bjoern Doebel <doebel at os.inf.tu-dresden.de> wrote:
> > What does "security monitor style IPC permissions" mean? Can it be found in
> > current Fiasco release?
> Yes, it can be found in Fiasco. Tasks can be started in "monitored" mode
> which means that they only possess rights to communicate with themselves,
> their creators and the NIL thread. Every other IPC will raise a capability
> fault which is sent to a user-defined capability fault handler. The handler
> may then act upon this fault by mapping an IPC right to the faulting task,
> if it possesses this right itself. Whenever this right has been mapped, no
> more capability faults will occur until the right is revoked at a later
> point in time.

Interesting, especially as I think IPC control is an obvious weakness of
current L4 kernels. Is there any new L4 API specification release that includes
this feature?

Where do IPC capabilities originally come from? Maybe there is a privileged
task (roottask?) that has all capabilities? How about the performance of this
mechanism - searching for the communication peer in the cap list on every IPC?

Is this model only used in IPC control or also to control other kernel
resources, like memory pages, interrupts, task numbers ... Is task / thread
creation controlled now in Fiasco?

Why can I find news about changes to Fiasco?


Wei Shen
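A small model of the monitored-mode capability scheme described in the quoted reply, added here as an illustration; it is not Fiasco code and not part of this thread, and the task names, the NIL constant and the map/revoke calls are assumptions of the model:

```python
# Added illustrative model (not Fiasco's code) of the monitored-task IPC
# scheme described in the quoted reply: fresh rights = {self, creator, NIL};
# any other IPC raises a capability fault; the fault handler may map a right
# only if it holds that right itself; a mapped right lasts until revoked.
NIL = "nil"   # assumed name for the NIL thread in this model

class CapFault(Exception):
    """IPC to a destination the sender holds no right for."""

class Kernel:
    def __init__(self):
        self.rights = {}    # task -> set of peers it may send IPC to
        self.handler = {}   # task -> its user-defined capability fault handler
        self.faults = []    # (sender, destination) pairs that faulted

    def create_monitored_task(self, name, creator, handler):
        self.rights[name] = {name, creator, NIL}
        self.handler[name] = handler

    def ipc(self, src, dst):
        if dst in self.rights.get(src, set()):
            return True
        self.faults.append((src, dst))
        raise CapFault(f"{src} -> {dst}")

    def map_right(self, grantor, task, dst):
        # delegation is bounded: the handler cannot hand out what it lacks
        if dst not in self.rights.get(grantor, set()):
            raise PermissionError(f"{grantor} holds no right to {dst}")
        self.rights[task].add(dst)

    def revoke_right(self, task, dst):
        self.rights[task].discard(dst)

def send(k, src, dst):
    """IPC with the fault handler in the loop; returns (delivered, faulted)."""
    try:
        return k.ipc(src, dst), False
    except CapFault:
        k.map_right(k.handler[src], src, dst)   # may raise PermissionError
        return k.ipc(src, dst), True

def run_scenario():
    k = Kernel()
    k.rights["root"] = {"root", "server", NIL}  # assumed privileged creator
    k.create_monitored_task("client", creator="root", handler="root")
    trace = [send(k, "client", "root"), send(k, "client", NIL),
             send(k, "client", "server"), send(k, "client", "server")]
    k.revoke_right("client", "server")
    trace.append(send(k, "client", "server"))   # faults again, handler re-maps
    return k, trace
```

The trace shows the first IPC to the server faulting once and then succeeding without further faults until the right is revoked; a right the handler does not hold itself (here, to a task named "other") cannot be mapped at all.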