[cap-talk] object-capability languages (or asynchronous message passing in general) and flooding by messages

Sandro Magi naasking at higherlogics.com
Sat Aug 23 10:32:46 CDT 2008


See the thread "Memory Accounting without Partitions" for one paper that 
describes a solution implemented for PLT Scheme:

http://www.eros-os.org/pipermail/cap-talk/2007-June/007940.html

Sandro

Matej Kosik wrote:
> Hello everyone,
> 
> Previously in a connection with the Backwater experiment
> 
> http://altair.sk/mediawiki/index.php/Backwater
> 
> I noticed and recorded an obvious problem with this particular method of
> building robust systems. Any untrusted subsystem could cause denial of
> service simply by consuming up the whole available free memory. It will
> not be able to cause harm beyond that the whole system stops in a
> controlled way but that is still somewhat unacceptable. I mean, there
> are situations when I would like to prevent that kind of attack from the
> side of untrusted modules. It is especially desirable to prevent that
> kind of attack in (a foolish?) attempt to use an object-capability
> language to build a robust kernel. But I think if ambitions are raised
> then the same problem should be considered also if we try to build robust
> user-space systems. An example of a complicated system that could
> benefit from the object-capability model is for example any
> instant-messenger. There are usually a lot of more or less important
> plugins and it is undesirable to give each (however marginal) plugin the
> authority to halt the whole instant-messenger. The attack vector is
> really trivial.
> 
> 
> I tried to propose minimal, but for all the cases I can at the moment
> foresee, sufficient additional concepts/mechanisms that could be added
> to the Pict programming language to enable me to prevent that kind of
> attack. The unfinished workshop article draft is here:
> 
> http://altair.sk/mediawiki/upload/4/48/Memics2008.pdf
> (there is quite some time until deadline so I will try to improve it)
> 
> I do not know whether the described mechanisms are comprehensible to
> others but the paper at least states the problem (which should be
> comprehensible). I would like to ask how others solve it in other
> systems. I assume that systems whose subsystems cooperate via
> asynchronous message passing are inherently vulnerable to related problems.
> 
> How is the same problem solved in other object-capability languages or
> (from a different barrel) in Coyotos?
> 
> Best regards,
_______________________________________________
cap-talk mailing list
cap-talk at mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk
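The problem raised in the quoted message is that an untrusted subsystem can flood a shared heap with queued messages until the whole process halts. The following is an added illustration (not code from Pict, Backwater, PLT Scheme or the linked paper) of the per-subsystem accounting idea: every queued message stays charged to the sender that created it until the receiver consumes it, so a flooding plugin exhausts only its own quota while the rest of the system keeps working. The names `Accountant`, `Mailbox` and `flood` are hypothetical.

```python
from collections import deque


class QuotaExceeded(Exception):
    """Raised when a sender's accounted memory would exceed its quota."""


class Accountant:
    """Charges message bytes to the sending subsystem, not to a shared pool."""

    def __init__(self):
        self.quota = {}  # subsystem name -> allowed bytes (constructed limits)
        self.used = {}   # subsystem name -> bytes currently charged

    def register(self, name, quota_bytes):
        self.quota[name] = quota_bytes
        self.used[name] = 0

    def charge(self, name, nbytes):
        if self.used[name] + nbytes > self.quota[name]:
            raise QuotaExceeded(name)
        self.used[name] += nbytes

    def release(self, name, nbytes):
        self.used[name] -= nbytes


class Mailbox:
    """Asynchronous inbox: a message is charged to its sender while it is queued."""

    def __init__(self, accountant):
        self.queue = deque()
        self.acct = accountant

    def send(self, sender, payload):
        self.acct.charge(sender, len(payload))  # rejected before anything is queued
        self.queue.append((sender, payload))

    def receive(self):
        sender, payload = self.queue.popleft()
        self.acct.release(sender, len(payload))  # consuming frees the sender's budget
        return sender, payload


def flood(mailbox, sender, msg_size, count):
    """Simulate a misbehaving plugin; return how many messages were accepted."""
    accepted = 0
    for _ in range(count):
        try:
            mailbox.send(sender, b"x" * msg_size)
        except QuotaExceeded:
            break  # only this sender is stopped, the mailbox itself stays usable
        accepted += 1
    return accepted


def demo():
    """Flood from a 256-byte plugin quota: 4 messages of 64 bytes fit, the 5th is refused."""
    acct = Accountant()
    acct.register("core", 4096)
    acct.register("plugin", 256)
    box = Mailbox(acct)
    accepted = flood(box, "plugin", 64, 1000)
    box.send("core", b"still works")          # other subsystems are unaffected
    box.receive()                             # draining one message refunds its sender
    accepted_after_drain = flood(box, "plugin", 64, 1000)
    return accepted, accepted_after_drain, acct.used["core"]
```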
