[cap-talk] kernel object knowledge
Bill Frantz
frantz at pwpconsult.com
Wed May 30 01:57:22 EDT 2007
david.hopwood at industrial-designers.co.uk (David Hopwood) on Tuesday, May 29, 2007 wrote:
>The driver that may need to be globally trusted is the port driver
>(USB, parallel, etc.) Given an IOMMU or use of language-based
>security, even that may not be necessary: the least privilege
>for a port driver only allows it to interfere with use of that
>type of port.
Take the USB port as an example. While the driver for the port needs to
be trusted by any code that depends on a device on that USB bus, it may
be possible to have separate drivers for each device on the bus, all of
which communicate through the port driver. The port driver is
responsible for ensuring that these device drivers speak only to their
assigned device, while the device drivers deal with the peculiarities of
the individual devices. If the device drivers access the port driver
with separate capabilities for each device, they can be protected from
each other.
KeyKOS had a similar facility for the IBM/370 channel. The kernel ran
the channels, and assured that an individual device could only be
accessed by domains that had a capability for that device.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
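As an added illustration of the arrangement Bill describes (this is not code from the thread, from KeyKOS or from any real USB stack), here is a toy port driver that mints a capability per device and routes every transfer only to the device its capability designates; the class names, addresses and simulated bus are all constructed for the example.

```python
"""Toy model: a port driver mediates all bus traffic and hands each
device driver a capability naming exactly one device (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True, eq=False)
class DeviceCapability:
    """Token compared by identity, so only the port driver can mint one."""
    address: int  # the single bus address the holder may talk to


class PortDriver:
    """Owns the (simulated) bus and is the only component touching devices."""

    def __init__(self, addresses):
        self._devices = {a: [] for a in addresses}  # address -> packets received
        self._issued = set()                          # capabilities we minted

    def grant(self, address):
        """Mint a capability for one device; it conveys no other authority."""
        if address not in self._devices:
            raise KeyError(f"no device at address {address}")
        cap = DeviceCapability(address)
        self._issued.add(cap)
        return cap

    def transfer(self, cap, payload):
        """Deliver a packet to the device the capability names.

        The destination is taken from the capability, never from the caller,
        so one device driver cannot reach another driver's device."""
        if cap not in self._issued:
            raise PermissionError("capability was not issued by this port driver")
        self._devices[cap.address].append(payload)
        return cap.address

    def received(self, address):
        return list(self._devices[address])


class DeviceDriver:
    """Handles one device's quirks; holds nothing but its capability."""

    def __init__(self, port, cap):
        self._port, self._cap = port, cap

    def send(self, payload):
        return self._port.transfer(self._cap, payload)


def demo():
    port = PortDriver(addresses=[1, 2])
    camera = DeviceDriver(port, port.grant(1))   # camera driver: device 1 only
    camera.send(b"frame-request")
    try:                                          # a forged token for device 2
        port.transfer(DeviceCapability(2), b"sneak")
        forged_accepted = True
    except PermissionError:
        forged_accepted = False
    return port.received(1), port.received(2), forged_accepted
```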