[cap-talk] Resource exhaustion - a language level issue?
devbox at selnet.org
Tue Oct 9 20:43:08 EDT 2007
On 09/10/2007, at 16.51, Jed Donnelley wrote:
>On 10/9/2007 11:39 AM, Sandro Magi wrote:
>> Jed Donnelley wrote:
>>>> I'm not sure. A system vulnerable to denial of service (DoS) attacks
>>>> violates isolation guarantees;
>>> Why do you believe so? A system that has been impacted by a
>>> denial of service attack is not available (by definition),
>>> so the isolation is perfect - isn't it?
>> I'm talking about isolation between two entities on the *same* system,
>> not different systems. If subsystem A is perfectly isolated from
>> subsystem B (no capability path between them except via the kernel),
>> then an attack in B should have no visible effect in A. With a DoS,
>> is not the case.
>Hmmm. I took "isolation" to mean none other than authorized
>communication. When I consider such communication I include
>only direct data channels and do not include typical "covert
>channels" such as wall banging. I understand the definitions
>of others may be different.
I think those are two levels of isolation: Overt channel isolation, and
Covert channel isolation.
>Doesn't the violation that you refer to above regarding
>the visible effect of a DoS attack fall into the
>covert channel category?
If you have an FTP service that is overloaded, isn't it an overt channel ?
>>> "Operating systems account for memory consumption and
>>> allow for termination at the level of individual processes.
>>> As a result, if one process consumes too much memory, it
>>> can be terminated without damaging the rest of the system.
>>> This same capability can be useful within a single application
>>> that encompasses subtasks."
Hmm. The consumption of too much memory isn't necessarily an attack, it
could be an inefficiency of the process. If the program is inefficient, it
is sure that we want the inefficiency to be corrected, but, there is a
question here: can we afford to terminate the process, causing a delay
(the delay that is needed to restart the process) ?
I think in most cases it is acceptable, but not always.
More information about the cap-talk