[cap-talk] [CapROS-devel] Rescind vs. sever

Bill Frantz frantz at pwpconsult.com
Wed Nov 21 19:16:39 EST 2007


david.hopwood at industrial-designers.co.uk (David Hopwood) on Wednesday, November 21, 2007 wrote:

>I'm also dubious as to whether we want 'Sever' to work on all objects,
>rather than only objects that agree to it. Performing a 'Sever' on
>an object that is relying on receiving callbacks would result in
>an object that is broken in ways that might easily be overlooked in
>a security review.

It should be noted that the "sever" operation in KeyKOS is only defined
for two objects, nodes and pages.  While these objects are the fabric
from which all other objects are constructed, it does not follow that
the "sever" operation is available on them.  To sever a domain, one
would need either a "sever" operation on a domain key or the domain
creator key, which do not exist; or a way to get node keys to the nodes
that make up that domain, which also does not exist.

Note that at a higher level, a domain could create a "sever" operation
on itself.  It "severs" any components for which the operation is
semantically required (depending on exactly what "sever" means in this
case), makes a new domain and populates it with all the necessary keys,
including the resume key to the caller of "sever", and starts it running
to destroy the old domain and return to the caller.

Similarly, a segment keeper can provide a "sever" operation, using the
sever operation on nodes, and perhaps pages, as a tool.  Since it can
build segments that depend on a single slot in a node to define the
whole segment, it can use Node__Swap to atomically remove access from
users of the old segment.

The "sever" operation provides a way to make an atomic snapshot of a
page or node, with the assurances that the snapshot represents a single
instance of time, and that the snapshot will not change without use of
the new page or node key.  Cloning a page or node followed by deleting
the old version does not provide these assurances.

Since the "sever" operation can be built for higher-level objects
without having a page or node level "sever", there doesn't seem to be
much downside to removing it.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032
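As an added illustration of the distinction Bill draws above (this is a constructed model, not KeyKOS code and not part of the original message): a toy capability table in which "sever" retires every holder's key in one step, next to a copy-then-delete in which a second holder's write lands in the gap between the two steps and never reaches the copy. The names `Kernel`, `new_node`, `read`, `swap`, `sever` and `clone_then_delete` are hypothetical; the 16-slot node follows KeyKOS.

```python
SLOTS = 16  # a KeyKOS node has 16 key slots

class Kernel:
    """Toy capability table: key (int) -> node; a key not in the table is dead."""
    def __init__(self):
        self._table, self._next = {}, 0

    def new_node(self, slots=None):
        key, self._next = self._next, self._next + 1
        self._table[key] = [None] * SLOTS if slots is None else slots
        return key

    def read(self, key, slot):
        return self._table[key][slot]  # KeyError on a dead key

    def swap(self, key, slot, value):
        """Node__Swap-style slot replacement; returns the previous value."""
        node = self._table[key]  # KeyError on a dead key
        node[slot], value = value, node[slot]
        return value

    def sever(self, key):
        """One step: the old key dies for every holder; the contents as of
        this instant are reachable only through the new key handed back."""
        return self.new_node(self._table.pop(key))

    def clone_then_delete(self, key, interleaved):
        """The alternative the post rejects: copy, then delete. interleaved()
        models another holder acting in between, while the old key is live."""
        copy = list(self._table[key])
        interleaved()
        del self._table[key]
        return self.new_node(copy)

def demo():
    k = Kernel()
    shared = k.new_node()  # one key, held by both A and B
    k.swap(shared, 0, "v1")
    fresh = k.sever(shared)  # A severs
    try:
        k.swap(shared, 0, "v2")  # B's stale key: refused outright
        dead = False
    except KeyError:
        dead = True
    shared = k.new_node()
    k.swap(shared, 0, "v1")
    accepted = []  # with clone-then-delete, B's write is accepted but lost
    copied = k.clone_then_delete(
        shared, lambda: accepted.append(k.swap(shared, 0, "v2")))
    return dead, k.read(fresh, 0), accepted, k.read(copied, 0)
```

`demo()` returns whether B's post-sever write was refused, the severed snapshot's slot 0, the old value B's mid-copy write got back (its sign of success), and the copied snapshot's slot 0, which still shows the pre-write value.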
