Hi,
On 12/10/2014 03:23 PM, teclis High Elf wrote:
> These researchers from TU Berlin claim to be able to undermine memory
> isolation in Fiasco OC through the use of covert channels. I'd be very interested to hear the opinion of the Fiasco experts.
The Fiasco OC interface (and probably most L4 versions) has not been designed for freedom from covert channels, nor has L4Re. In my thesis in 2011, I already identified several timing channels in the mapping-tree interface, and in fact Michael Peter should know this work:
http://os.inf.tu-dresden.de/papers_ps/voelp_phd.pdf
> (Could a system built on Fiasco be hardened against such an attack
Nevertheless, it should be possible to construct compartments in such a way that they do not allocate from the same quotas or share resources by mapping from within the compartments. The setup would be to partition the system directly on top of Sigma0 and to bootstrap one L4Re instance per compartment, not allowing for shared channels over which objects could be mapped. Fiasco OC offers the means to establish such channels and to confine the compartments, but it has no support (and never claimed to have) for covert-channel-free cross-compartment mappings. Anyway, why would you want that for high-security applications? If you plan to go for such a system, please have a look at the work around EROS by Jonathan Shapiro.
> be adding access control for UDP ports)??
I don't see how access control for UDP ports helps? Currently, we don't have funding for high-security work, but please feel free to discuss your requirements and ideas on this list or more privately.
Best regards
Marcus Völp