Mill Computing, Inc. Forums The Mill Architecture Granting, Revoking, and Collusion

  • williammlleslie
    Post count: 2
    #1846

    The wiki page at says:

    Granting and revoking rights are hardware operations. They can be
    explicitly done to a specific turf or thread with grant and revoke,
    which puts a new region entry into the PLB or removes it,

    It does not specify how (if at all) it is determined that I have the
    right to communicate with that specific turf or thread; in fact, if
    both of the fields can be wildcarded then I can grant to all of them.
    If that is the case, is it possible to truly isolate two processes and
    prevent collusion?

    Many existing capability operating systems on the x86 such as L4.sec
    provide guarantees regarding this, so it would be nice if that would
    carry over to The Mill, especially for its use by cloud providers
    where isolation is becoming more and more important.

  • Ivan Godard
    Post count: 689

    It is not possible to unilaterally grant a global right; that would permit runaway grants as a DOS attack. Instead the grant is made locally (as a transient grant as part of a portal call), with an attached right that lets the grantee persist the grant for itself.

    This (and much more about granting) will be in one of our next two talks; not sure which one at this point.

    • williammlleslie
      Post count: 2

      That makes sense, thanks for your reply.

      I’m looking forward to hearing more on that subject – for example, as a service implementer, if I am given a grant and a pointer, I’d need to be able to check that the pointer is within the range of that grant rather than into my own data, or that of services I’ll need to use.

      I can’t think of any other obvious questions about this by looking at the security literature I have handy, so I’ll look forward to the next installment (and to The Mill, of course).
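The two points made in this thread (no unilateral global grant; a grant made transiently as part of a portal call, kept by the grantee only if a persist right was attached) and the callee-side check raised in the follow-up (is the pointer I was handed inside the grant, or into my own data?) can be modelled in a few dozen lines. The following is an added illustration, not code from Mill Computing and not the Mill's actual mechanism: it assumes a region entry is (turf, address range, rights), that a wildcard turf is refused at grant time, that a grantor can only pass on rights it already holds, and that transient grants vanish when the portal call returns. The memory contents, turf names and the `PERSIST` flag are constructed for the example.

```python
"""Toy model of scoped grant/revoke with a protection lookaside buffer (PLB).

Constructed illustration, not Mill Computing's code. Assumptions: a region
entry is (turf, range, rights); grant() refuses a wildcard turf; a grant made
in a portal call is transient unless the grantor attached PERSIST; a grantor
may only grant memory it already holds the rights to.
"""
from dataclasses import dataclass

READ, WRITE, PERSIST = 1, 2, 4
WILDCARD = None                      # stands in for "any turf"; refused by grant()

MEM = bytearray(0x4000)              # constructed flat memory
MEM[0x1000:0x1004] = b"\x01\x02\x03\x04"   # caller's data
MEM[0x2000:0x2004] = b"\x10\x20\x30\x40"   # service's private data


@dataclass(frozen=True)
class Region:
    turf: object
    lo: int
    hi: int                          # exclusive upper bound
    rights: int

    def covers(self, addr, length, rights):
        """True if [addr, addr+length) lies inside this region with all `rights`."""
        return (self.lo <= addr and addr + length <= self.hi
                and self.rights & rights == rights)


class PLB:
    def __init__(self):
        self.persistent = set()
        self.transient = []          # (call depth, Region); dropped on return
        self.depth = 0

    def grant(self, region, transient=False):
        if region.turf is WILDCARD:  # the thread's point: no grant to "everyone"
            raise PermissionError("refusing wildcard grant")
        if transient:
            self.transient.append((self.depth, region))
        else:
            self.persistent.add(region)

    def revoke(self, region):
        self.persistent.discard(region)
        self.transient = [(d, r) for d, r in self.transient if r != region]

    def entries(self, turf):
        return ([r for r in self.persistent if r.turf == turf]
                + [r for _, r in self.transient if r.turf == turf])

    def check(self, turf, addr, length, rights):
        """Hardware-style access check: does `turf` hold `rights` over the range?"""
        return any(r.covers(addr, length, rights) for r in self.entries(turf))

    def persist(self, region):
        """Grantee keeps a transient grant only if the grantor attached PERSIST."""
        if not region.rights & PERSIST:
            raise PermissionError("grant is transient only")
        self.revoke(region)
        self.persistent.add(region)

    def portal_call(self, caller, callee, lo, hi, rights, fn, *args):
        """Run fn in `callee` with a transient grant of [lo, hi); caller may only
        hand on rights it holds itself (PERSIST is a flag it chooses to add)."""
        if not self.check(caller, lo, hi - lo, rights & ~PERSIST):
            raise PermissionError("caller does not hold what it tries to grant")
        self.depth += 1
        grant = Region(callee, lo, hi, rights)
        self.grant(grant, transient=True)
        try:
            return fn(self, grant, *args)
        finally:                     # everything granted at this depth disappears
            self.transient = [(d, r) for d, r in self.transient if d < self.depth]
            self.depth -= 1


def service_sum(plb, grant, ptr, length):
    """Callee side: only touch memory inside the grant handed in, never the
    service's own data, even though the PLB would let the service read that."""
    if not grant.covers(ptr, length, READ):
        return None
    return sum(MEM[ptr:ptr + length])


def demo():
    plb = PLB()
    plb.grant(Region("caller", 0x1000, 0x2000, READ | WRITE))
    plb.grant(Region("service", 0x2000, 0x3000, READ | WRITE))
    out = {}
    out["in_grant"] = plb.portal_call("caller", "service", 0x1000, 0x1010, READ, service_sum, 0x1000, 4)
    out["own_data"] = plb.portal_call("caller", "service", 0x1000, 0x1010, READ, service_sum, 0x2000, 4)
    out["after_return"] = plb.check("service", 0x1000, 4, READ)
    try:
        plb.grant(Region(WILDCARD, 0, 0x4000, READ)); out["wildcard"] = "allowed"
    except PermissionError:
        out["wildcard"] = "refused"
    try:
        plb.portal_call("caller", "service", 0x2000, 0x2010, READ, service_sum, 0x2000, 4)
        out["escalate"] = "allowed"
    except PermissionError:
        out["escalate"] = "refused"

    def keep(plb, grant):
        plb.persist(grant)
        return True
    out["persist_ok"] = plb.portal_call("caller", "service", 0x1000, 0x1010, READ | PERSIST, keep)
    out["persisted"] = plb.check("service", 0x1000, 4, READ)
    try:
        plb.portal_call("caller", "service", 0x1010, 0x1020, READ, keep); out["persist_no_right"] = "allowed"
    except PermissionError:
        out["persist_no_right"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The interesting case is `own_data`: the hardware check alone would pass, since the service legitimately holds rights over 0x2000, so the callee's own comparison against the grant it received is what stops a caller from pointing it at the service's private data.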
