[cap-talk] object-capability languages (or asynchronous message passing in general) and flooding by messages
Matej Kosik
kosik at fiit.stuba.sk
Sat Aug 23 02:05:00 CDT 2008
Hello everyone,
Previously, in connection with the Backwater experiment
http://altair.sk/mediawiki/index.php/Backwater
I noticed and recorded an obvious problem with this particular method of
building robust systems. Any untrusted subsystem could cause denial of
service simply by consuming the whole available free memory. It will
not be able to cause harm beyond the whole system stopping in a
controlled way, but that is still somewhat unacceptable. I mean, there
are situations when I would like to prevent that kind of attack from the
side of untrusted modules. It is especially desirable to prevent that
kind of attack in (a foolish?) attempt to use an object-capability
language to build a robust kernel. But I think if ambitions are raised,
then the same problem should be considered also if we try to build robust
user-space systems. An example of a complicated system that could
benefit from the object-capability model is any instant messenger. There
are usually lots of more or less important plugins, and it is undesirable
to give each (however marginal) plugin the authority to halt the whole
instant messenger. The attack vector is really trivial.
I tried to propose minimal, but (for all the cases I can at the moment
foresee) sufficient, additional concepts/mechanisms that could be added
to the Pict programming language to enable me to prevent that kind of
attack. The unfinished workshop article draft is here:
http://altair.sk/mediawiki/upload/4/48/Memics2008.pdf
(there is quite some time until the deadline, so I will try to improve it)
I do not know whether the described mechanisms are comprehensible to
others but the paper at least states the problem (which should be
comprehensible). I would like to ask how others solve it in other
systems. I assume that systems whose subsystems cooperate via
asynchronous message passing are inherently vulnerable to related problems.
How is the same problem solved in other object-capability languages or
(from a different barrel) in Coyotos?
Best regards,
--
mk
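The flooding problem the post describes, and the kind of per-sender accounting that the proposed mechanisms aim at, can be made concrete with a small simulation. The following is an added example, not code from the post, from Backwater, or from Pict: an asynchronous mailbox with no limit beside one that charges every queued byte to the sending module's own quota, so an untrusted plugin can exhaust only its allotment while a trusted module's message still gets through. All class names, sender ids, and quota sizes are assumptions chosen for illustration.

```python
from collections import deque


class UnboundedMailbox:
    """Naive asynchronous mailbox: every send is queued and nothing bounds
    the total. This is the weak design the post warns about: a sender that
    never waits for the receiver can grow the queue until memory runs out."""

    def __init__(self):
        self.queue = deque()
        self.bytes_used = 0

    def send(self, sender, payload):
        self.queue.append((sender, payload))
        self.bytes_used += len(payload)
        return True

    def receive(self):
        if not self.queue:
            return None
        sender, payload = self.queue.popleft()
        self.bytes_used -= len(payload)
        return sender, payload


class QuotaMailbox:
    """Mailbox that charges every queued byte to the sender's own quota
    (hypothetical mechanism, not Pict's). A sender whose quota is exhausted
    has further sends refused, so a flooding module can fill only its own
    allotment, never the whole heap. Credit is refunded when the receiver
    consumes a message, so the quota bounds queued bytes per sender, not
    lifetime traffic."""

    def __init__(self, quotas):
        self.queue = deque()
        self.remaining = dict(quotas)   # sender -> bytes it may still have queued
        self.bytes_used = 0
        self.refused = {}               # sender -> number of refused sends

    def send(self, sender, payload):
        cost = len(payload)
        if cost > self.remaining.get(sender, 0):
            self.refused[sender] = self.refused.get(sender, 0) + 1
            return False
        self.remaining[sender] -= cost
        self.queue.append((sender, payload))
        self.bytes_used += cost
        return True

    def receive(self):
        if not self.queue:
            return None
        sender, payload = self.queue.popleft()
        self.remaining[sender] += len(payload)   # refund on consumption
        self.bytes_used -= len(payload)
        return sender, payload


def flood(mailbox, flooder="plugin", other="core", n=10_000, size=1024):
    """Constructed scenario: an untrusted plugin fires n messages of `size`
    bytes without ever waiting for the receiver; afterwards a trusted module
    sends one small message. Returns (flood messages accepted, whether the
    trusted send got through, bytes currently queued)."""
    accepted = sum(1 for _ in range(n) if mailbox.send(flooder, b"x" * size))
    other_ok = mailbox.send(other, b"ping")
    return accepted, other_ok, mailbox.bytes_used


if __name__ == "__main__":
    # Unbounded: all 10,000 KiB messages are queued; only the heap limit stops it.
    print(flood(UnboundedMailbox()))
    # Quota: the plugin is cut off after 64 KiB, the core's message still arrives.
    print(flood(QuotaMailbox({"plugin": 64 * 1024, "core": 4096})))
```

The quota mailbox refuses rather than blocks an over-budget sender; in a real system the receiver's policy (refuse, block the sender, or drop oldest) is a design choice, but in every variant the point is that the cost of queued messages is attributed to the module that sent them, which is what lets the rest of the system keep running.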