On Fri, 2 Jan 2004 06:51 pm, Benno wrote:
Mungi, a password capability based system is able to provide its PDX mechanism at a very reasonable overhead, (I think around 70 extra cycles -- this is on IA64) on top of raw IPC costs. (Oh and those extra cycles are marshalling costs, not security check costs.)
I believe it is definitely possible to design a secure system[*] using the current L4 primitives, with negligible overhead.
[*] I guess this depends of course on the definition of secure. At least in this case it means that a service can't be DoS-ed and must have a valid capability to access the service. I'm not sure we currently protect against covert channels.
Just to clarify this for the non-Mungi people on the list: at the moment it's a somewhat loose definition of secure. We do the security checks on the initial call (which is much more expensive), and then repeated calls to the same service use a cached L4 client thread, so that 70 cycles isn't a true measure of the overhead.
And no, since L4 doesn't currently restrict IPC to arbitrary threads, we can't protect against covert channels etc.
Andrew
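As an added illustration of the "check once, then use a cached client thread" scheme Andrew describes above (this is not code from the list thread, from Mungi or from L4; the capability layout, the service registry, the cache policy and all object ids and secrets are constructed for the example):

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Toy password capability: an object id plus a secret the holder must
   present. Assumed layout, not Mungi's real one. */
typedef struct { uint64_t obj; uint64_t passwd; } pwcap_t;

/* Service registry: object ids the service exports and the secret it
   issued for each. Constructed sample data. */
#define NSERVICES 2
static const pwcap_t services[NSERVICES] = {
    { 0x1001, 0x5eed1234deadbeefULL },
    { 0x1002, 0x0badf00dcafef00dULL },
};

/* Cache of (client thread, object) pairs already validated. This stands
   in for the cached L4 client thread: it is only sound because the
   kernel supplies the sender's thread id and a client cannot forge it. */
#define NCACHE 16
typedef struct { uint64_t client; uint64_t obj; bool valid; } cache_entry_t;
static cache_entry_t cache[NCACHE];

/* Counters so a caller can see which path each request took. */
static unsigned full_checks, cache_hits;

/* Constant-time 64-bit equality: no early exit, so a wrong password
   does not leak how many leading bits matched. */
static bool ct_eq64(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (d & 1) == 0;
}

/* The expensive path: look the object up and compare the password. */
static bool full_check(uint64_t obj, uint64_t passwd) {
    bool ok = false;
    full_checks++;
    for (int i = 0; i < NSERVICES; i++)
        if (services[i].obj == obj)
            ok |= ct_eq64(services[i].passwd, passwd);
    return ok;
}

static bool cache_lookup(uint64_t client, uint64_t obj) {
    for (int i = 0; i < NCACHE; i++)
        if (cache[i].valid && cache[i].client == client && cache[i].obj == obj)
            return true;
    return false;
}

static void cache_insert(uint64_t client, uint64_t obj) {
    for (int i = 0; i < NCACHE; i++)
        if (!cache[i].valid) {
            cache[i] = (cache_entry_t){ client, obj, true };
            return;
        }
    cache[0] = (cache_entry_t){ client, obj, true };  /* toy eviction: slot 0 */
}

/* Entry point a client thread calls. Only the first call from a given
   client for a given object pays for the password check; a rejected
   call is never cached. */
bool call_service(uint64_t client, uint64_t obj, uint64_t passwd) {
    if (cache_lookup(client, obj)) { cache_hits++; return true; }
    if (!full_check(obj, passwd)) return false;
    cache_insert(client, obj);
    return true;
}

void reset_state(void) { memset(cache, 0, sizeof cache); full_checks = cache_hits = 0; }
unsigned get_full_checks(void) { return full_checks; }
unsigned get_cache_hits(void)  { return cache_hits; }

int main(void) {
    printf("first call:  %d\n", call_service(7, 0x1001, 0x5eed1234deadbeefULL)); /* full check */
    printf("second call: %d\n", call_service(7, 0x1001, 0x5eed1234deadbeefULL)); /* cache hit */
    printf("wrong pw:    %d\n", call_service(8, 0x1001, 0x5eed1234deadbee0ULL)); /* rejected */
    printf("full=%u cached=%u\n", get_full_checks(), get_cache_hits());
    return 0;
}
```

The cache hit path does not look at the password at all, which is exactly why the per-call cycle count understates the cost of the security check: the check was paid on the first call. It also shows what the scheme leans on: the cache is keyed by the kernel-reported sender thread, so its soundness depends on L4 delivering that id unforgeably, and it says nothing about who is allowed to send IPC in the first place, which is the separate problem raised above.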