Granting, Revoking, and Collusion
Tagged: security, collusion, isolation

#1846
The wiki page at http://millcomputing.com/wiki/Protection#Granting_and_Revoking says:

"Granting and revoking rights are hardware operations. They can be explicitly done to a specific turf or thread with grant and revoke, which puts a new region entry into the PLB or removes it, respectively."

It does not specify how (if at all) it is determined that I have the right to communicate with that specific turf or thread; in fact, if both of the fields can be wildcarded then I can grant to all of them. If that is the case, is it possible to truly isolate two processes and prevent collusion?

Many existing capability operating systems on the x86 such as L4.sec provide guarantees regarding this, so it would be nice if that would carry over to The Mill, especially for its use by cloud providers where isolation is becoming more and more important.

It is not possible to unilaterally grant a global right; that would permit runaway grants as a DOS attack. Instead the grant is made locally (as a transient grant as part of a portal call), with an attached right that lets the grantee persist the grant for itself.
This (and much more about granting) will be in one of our next two talks; not sure which one at this point.

That makes sense, thanks for your reply.
I’m looking forward to hearing more on that subject – for example, as a service implementer, if I am given a grant and a pointer, I’d need to be able to check that the pointer is within the range of that grant rather than into my own data, or that of services I’ll need to use.
I can’t think of any other obvious questions about this by looking at the security literature I have handy, so I’ll look forward to the next installment (and to The Mill, of course).
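The pointer-within-grant check asked about above, written out as an added C example; it is not code from the Mill forum or from Mill Computing and does not use the Mill's real grant/revoke instructions or PLB entry layout. It assumes a hypothetical `grant_t` (base, length, rights mask) standing in for a transient grant received across a portal call, a `grant_covers` predicate, and a toy `service_ingest` routine that refuses any caller pointer outside the grant, including one into the service's own private memory, which is the confused-deputy case the post describes. All buffers and values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a transient grant handed to a service across a
 * portal call: a byte range [base, base + len) plus a rights mask.
 * This structure is assumed for illustration only; it is not the
 * Mill's PLB region entry format. */
enum { RIGHT_READ = 1u << 0, RIGHT_WRITE = 1u << 1 };

typedef struct {
    uintptr_t base;
    size_t    len;
    unsigned  rights;
} grant_t;

/* True iff [ptr, ptr + size) lies entirely inside the grant and the
 * grant carries every right in `needed`. Every comparison is expressed
 * as an unsigned subtraction that cannot wrap, so an oversized `size`
 * or a pointer near the top of the address space cannot overflow its
 * way past the check. */
bool grant_covers(const grant_t *g, const void *p, size_t size, unsigned needed)
{
    uintptr_t ptr = (uintptr_t)p;

    if ((g->rights & needed) != needed)
        return false;                    /* a required right is missing */
    if (g->len > UINTPTR_MAX - g->base)
        return false;                    /* malformed grant: range wraps */
    if (ptr < g->base)
        return false;                    /* object starts before the grant */
    if (ptr - g->base > g->len)
        return false;                    /* object starts past the grant's end */
    if (size > g->len - (ptr - g->base))
        return false;                    /* object runs off the end of the grant */
    return true;
}

/* Toy service with private state (constructed sample data). It copies
 * the caller's bytes into its own buffer only after confirming the
 * caller's pointer lies inside the grant the caller supplied. A pointer
 * into `service_private` would be dereferenceable from here, yet must
 * be refused: accepting it would let the caller read or clobber the
 * service's data through the service's own rights. */
static unsigned char service_private[64] = "service secret";

/* Returns the number of bytes accepted, or -1 if the request is refused. */
int service_ingest(const grant_t *caller_grant, const void *src, size_t n)
{
    if (n > sizeof service_private)
        return -1;                       /* would overrun our own buffer */
    if (!grant_covers(caller_grant, src, n, RIGHT_READ))
        return -1;                       /* not within what the caller granted */
    memcpy(service_private, src, n);
    return (int)n;
}

int main(void)
{
    unsigned char client_buf[32] = "hello from client";   /* constructed */
    grant_t g = { (uintptr_t)client_buf, sizeof client_buf, RIGHT_READ };

    printf("inside grant:       %d\n", service_ingest(&g, client_buf, 18));
    printf("runs off the end:   %d\n", service_ingest(&g, client_buf + 20, 16));
    printf("service's own data: %d\n", service_ingest(&g, service_private, 8));
    return 0;
}
```

The point of the third call is that dereferenceability is the wrong test: the service can read `service_private` perfectly well, but the caller never held a grant for it, so the service must not act on that pointer on the caller's behalf. Checking against the grant's range and rights, rather than against what the service itself can touch, is what keeps a grant from being turned into access to the grantee's other data.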