Tagged: security collusion isolation
- williammlleslieParticipantJune 17, 2015 at 12:37 amPost count: 2
The wiki page at
Granting and revoking rights are hardware operations. They can be
explicitly done to a specific turf or thread with grant and revoke,
which puts a new region entry into the PLB or removes it,
It does not specify how (if it all) it is determined that I have the
right to communicate with that specific turf or thread, in fact, if
both of the fields can be wildcarded then I can grant to all of them.
If that is the case, is it possible to truly isolate two processes and
Many existing capability operating systems on the x86 such as L4.sec
provide guarantees regarding this, so it would be nice if that would
carry over to The Mill, especially for its use by cloud providers
where isolation is becoming more and more important.
- Ivan GodardKeymasterJune 17, 2015 at 1:01 amPost count: 689
It is not possible to unilaterally grant a global right; that would permit runaway grants as a DOS attack. Instead the grant is made locally (as a transient grant as part of a portal call), with an attached right that lets the grantee persist the grant for itself.
This (and much more about granting) will be in one of our next two talks; not sure which one at this point.
- williammlleslieParticipantJune 18, 2015 at 4:08 amPost count: 2
That makes sense, thanks for your reply.
I’m looking forward to hearing more on that subject – for example, as a service implementer, if I am given a grant and a pointer, I’d need to be able to check that the pointer is within the range of that grant rather than into my own data, or that of services I’ll need to use.
I can’t think of any other obvious questions about this by looking at the security literature I have handy, so I’ll look forward to the next installment (and to The Mill, of course).
You must be logged in to reply to this topic.