Rights Amplification
Bernhard Kauer
kauer at os.inf.tu-dresden.de
Sat Jun 11 12:15:03 CEST 2005
> > > Within this framework, the only directly supported operations on such
> > > capabilities are map, grant, unmap and IPC. The map operation can be
> > > used to delegate the capability, grant can be used to move the
> > > capability and unmap to revoke it. The IPC operation allows clients
> > > to send messages to an object, for example, to invoke operations on
> > > the object.
> >
> > I think here is a difference to our view on capabilities: The IPC operation
> > allows sending a message through an endpoint to a server. The server could
> > somehow identify the sender of a message.
>
> The question here is really if the L4 IPC "capabilities", i.e.
> communication endpoints, can be used to implement "capabilities" of a
> capability system. The answer of course differs, depending on which
> requirements you choose for the capability system. We are looking
> here specifically at a requirement for a certain form of rights
> amplification, or synergy in general.
Oh, now I understand what you want to do: Implementing a "real capability"
system on top of L4 with the ability to amplify rights.
> You seem to say that this should not even be attempted.
I believed that you can build a system without kernel support for rights
amplification.
> I think that there is an excellent chance that the upcoming security
> features can be used to build a fast and secure object/capability
> system. Solving the problem of multiple object references in messages
> is essential for that. However, I am even more sure that without any
> kernel support, implementing a competitive and secure capability
> system on top of L4 is nigh impossible.
Ok, you need kernel support for that. The remaining open question is:
What is the right operation for that?
The map_lookup() has the disadvantage that it is time bound by the depth
of the mapping tree. And it only works within the mapping hierarchy. This
is a problem for example with external object caches or different proxies
which try to map_lookup() siblings of the mapping tree.
So why not use a more general and faster operation like cmp()?
bool cmp(Address first, Address second)
Are there any arguments against this stronger operation?
Thanks,
Bernhard
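To make the difference between the two proposed primitives concrete, the following is a small Python model of a mapping tree, added here as an illustration; it is not code from the thread or from any L4 kernel. The tree layout, the `obj` identity field, the step counter, and the exact semantics of `cmp()` (two addresses name the same kernel object) are assumptions, since the post only gives the signature `bool cmp(Address first, Address second)`. It shows the two points raised above: `map_lookup()` costs one step per level of the mapping tree, and it cannot recognise a capability that arrived through a sibling branch (an external cache or proxy), whereas an identity comparison answers in constant time regardless of where in the tree the two mappings sit.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(eq=False)
class Mapping:
    """One node of the mapping tree: a capability (address) held by a task.

    `obj` is the identity of the kernel object the mapping refers to; every
    mapping derived from this one refers to the same object (assumption).
    """
    task: str
    address: int
    obj: str
    parent: Optional["Mapping"] = None
    children: List["Mapping"] = field(default_factory=list)

    def map_to(self, task: str, address: int) -> "Mapping":
        """Delegate this capability to `task` (the L4 'map' operation)."""
        child = Mapping(task, address, self.obj, parent=self)
        self.children.append(child)
        return child


def map_lookup(server: Mapping, client: Mapping) -> Tuple[bool, int]:
    """Hierarchical check: was `client` derived from `server`'s mapping?

    Walks the parent chain from `client` upwards, so the cost is bounded by
    the depth of the mapping tree. Returns (found, steps_taken).
    """
    steps = 0
    node: Optional[Mapping] = client
    while node is not None:
        if node is server:
            return True, steps
        node = node.parent
        steps += 1
    return False, steps


def cmp(first: Mapping, second: Mapping) -> bool:
    """Constant-time identity check: do both mappings name the same object?

    Modelled as the proposed `bool cmp(Address first, Address second)`;
    its real semantics are an assumption of this example.
    """
    return first.obj == second.obj


def build_scenario() -> dict:
    """Constructed scenario: server S owns object O and delegates it along
    two branches, a proxy P (which forwards to client X) and a cache C."""
    s_cap = Mapping("S", 0x1000, "object-O")          # root mapping, owned by S
    p_cap = s_cap.map_to("P", 0x2000)                 # S -> proxy P
    c_cap = s_cap.map_to("C", 0x3000)                 # S -> external cache C (sibling of P)
    x_cap = p_cap.map_to("X", 0x4000)                 # P -> client X
    other = Mapping("S", 0x1100, "object-Q")          # unrelated object, owned by S
    return {"s": s_cap, "p": p_cap, "c": c_cap, "x": x_cap, "other": other}


def demo() -> dict:
    """Client X presents its capability to S and to the sibling cache C."""
    caps = build_scenario()
    s_found, s_steps = map_lookup(caps["s"], caps["x"])   # S is an ancestor: found after 2 steps
    c_found, c_steps = map_lookup(caps["c"], caps["x"])   # C is a sibling branch: never found
    return {
        "server_lookup": (s_found, s_steps),
        "cache_lookup": (c_found, c_steps),
        "cache_cmp": cmp(caps["c"], caps["x"]),            # same object -> True, no tree walk
        "unrelated_cmp": cmp(caps["other"], caps["x"]),    # different object -> False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The walk in `map_lookup()` is what ties its cost to tree depth: a client three proxies away costs three steps, and the cache on the sibling branch exhausts the chain without ever reaching its own mapping. Which of the two primitives the kernel should offer then comes down to whether a server is allowed to learn that two addresses denote the same object outside its own mapping subtree, which is exactly the question the post leaves open.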