At Mon, 10 Oct 2005 09:11:37 -0400, Jonathan S. Shapiro wrote:

> It is often true that subprograms trust their instantiator, but it is
> not always true. In EROS and Coyotos this assumption is not necessary.
> We have a number of programs that wield capabilities that their users do
> not (and must not ever) possess. The ability to use and guard these
> capabilities against a hostile creator is one of the foundations of our
> security.
>
> These "suspicious subsystems" do *not* trust capabilities provided by
> their creator. They verify them. In particular, almost *all* of our
> programs test their space bank to learn whether it was a valid space
> bank.
Are these program instances those started via a meta-constructor? If not,
how do they get these other capabilities that the instantiator didn't
possess?

What if the instantiator deallocates the space bank in the middle of a
critical operation (thus rendering the object in a partially updated
state)?

Thanks,
Neal

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
