On Wed, 2005-02-23 at 19:49 +0100, Ronald Aigner wrote:
> It was brought to my attention that pagefault timeouts _are_ important to enforce a trust relation with your communication partner.
Unfortunately, this is true. Even more unfortunately, there is absolutely no way to set a robust timeout for this case. In consequence, the need for this timeout must be seen as a fundamental architectural deficiency.
To resolve this problem even in part, the architecture must distinguish between (a) addresses that are logically undefined, and (b) addresses that are currently unmapped because of being paged out. The former case is *always* an error in the logic of the recipient. The latter case is a situation where either the sender trusts the paging agent completely or no safe foundation for *any* communication of data can exist in the architecture.
For some of the details, you might want to review "Vulnerabilities in Synchronous IPC Designs" from IEEE Security and Privacy a few years ago:
http://www.eros-os.org/papers/IPC-Assurance.ps
shap
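The following is an added toy model of the distinction argued for above; it is not code from this thread, from L4, or from EROS, and its names (`PageState`, `AddressSpace`, `Pager`, `deliver_classified`, `deliver_with_timeout`) are assumptions chosen for illustration. It contrasts a kernel IPC path that classifies each destination page as present, paged out, or undefined before copying, against a naive path that treats every non-resident page as "a fault" and gives up after a time budget. The naive path ends in the same abort whether the recipient's buffer was never defined or its pager is merely slow, which is why no budget value is robust; the classifying path rejects the undefined case as the recipient's error and otherwise simply trusts the pager.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto

PAGE_SIZE = 4096


class PageState(Enum):
    PRESENT = auto()     # resident: the kernel can copy into it right now
    PAGED_OUT = auto()   # defined, but its contents currently live in backing store
    UNDEFINED = auto()   # no mapping at all: a bug in the recipient's logic


class RecipientLogicError(Exception):
    """Case (a): the recipient handed the kernel an address it never defined."""


class TimeoutAborted(Exception):
    """Raised by the naive path once its page-fault budget is exhausted."""


@dataclass
class AddressSpace:
    # Constructed sample state: page number -> state; absent pages are UNDEFINED.
    pages: dict[int, PageState]


@dataclass
class Pager:
    """Toy paging agent. Servicing one fault costs `cost_per_page` simulated ticks."""
    space: AddressSpace
    cost_per_page: int = 1
    ticks_spent: int = 0

    def page_in(self, page_no: int) -> bool:
        """Return True if the page was defined and is now resident."""
        self.ticks_spent += self.cost_per_page
        if self.space.pages.get(page_no) is PageState.PAGED_OUT:
            self.space.pages[page_no] = PageState.PRESENT
            return True
        return False  # nothing to fetch: the mapping was never defined


def _dest_pages(dest_addr: int, length: int) -> range:
    first = dest_addr // PAGE_SIZE
    last = (dest_addr + length - 1) // PAGE_SIZE
    return range(first, last + 1)


def deliver_classified(payload: bytes, dest: AddressSpace, dest_addr: int,
                       pager: Pager) -> tuple[int, int]:
    """Classify every destination page before copying.

    UNDEFINED is rejected outright as the recipient's error; PAGED_OUT is
    handed to the pager, which the sender trusts to complete. No timeout is
    involved because no timeout could tell the two cases apart.
    Returns (bytes_copied, pages_faulted_in).
    """
    faults = 0
    for page_no in _dest_pages(dest_addr, len(payload)):
        state = dest.pages.get(page_no, PageState.UNDEFINED)
        if state is PageState.UNDEFINED:
            raise RecipientLogicError(f"page {page_no:#x} is not defined in the recipient")
        if state is PageState.PAGED_OUT:
            pager.page_in(page_no)
            faults += 1
    return len(payload), faults


def deliver_with_timeout(payload: bytes, dest: AddressSpace, dest_addr: int,
                         pager: Pager, budget_ticks: int) -> int:
    """Naive path: any non-resident page is 'a fault', serviced until a budget runs out.

    A slow-but-honest pager and a never-defined address both surface as the
    same TimeoutAborted, so the sender learns nothing about which one it hit.
    Returns bytes_copied on success.
    """
    for page_no in _dest_pages(dest_addr, len(payload)):
        while dest.pages.get(page_no, PageState.UNDEFINED) is not PageState.PRESENT:
            if pager.ticks_spent + pager.cost_per_page > budget_ticks:
                raise TimeoutAborted(f"page {page_no:#x} not resident within {budget_ticks} ticks")
            pager.page_in(page_no)
    return len(payload)


if __name__ == "__main__":
    # Constructed: a two-page buffer at 0x10000; page 0x10 resident, 0x11 paged out.
    space = AddressSpace({0x10: PageState.PRESENT, 0x11: PageState.PAGED_OUT})
    print(deliver_classified(b"x" * 8192, space, 0x10000, Pager(space, cost_per_page=3)))
    space = AddressSpace({0x10: PageState.PRESENT, 0x11: PageState.PAGED_OUT})
    try:
        deliver_with_timeout(b"x" * 8192, space, 0x10000, Pager(space, cost_per_page=3), 2)
    except TimeoutAborted as e:
        print("naive path aborted a legitimate transfer:", e)
```

Run it directly to see the classifying path complete the transfer that the timeout path aborts; with a buffer whose second page is absent from `pages`, the classifying path raises `RecipientLogicError` before touching the pager while the naive path again reports only `TimeoutAborted`.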