[cap-talk] Domain change (IPC?) overhead
Jed Donnelley
capability at webstart.com
Tue Mar 25 12:31:50 EDT 2008
At 06:30 AM 3/25/2008, Jonathan S. Shapiro wrote:
>On Mon, 2008-03-24 at 15:00 -0700, Jed Donnelley wrote:
>
> > ...My concern about language systems <enforcing domain separation>
> > is not so much that they might be malicious, but rather
> > that there can be subtle issues in the domain protection mechanisms
> > (e.g. stack manipulation issues, etc.) that the language system
> > may miss that can be exploited by code intending to exploit such
> > flaws, code that is itself malicious.
>
>How is that any different from what happens in domain crossings anywhere
>else?
An interesting question to focus on for a bit, I think.
In an IPC system, when a call happens (much like any system call in
any traditional user/kernel system), the system hardware has the
initial burden of separating the user domain from the system domain.
This is mostly why this is often so expensive. Typically all relevant
registers are switched out, as is the virtual memory space.
Once the kernel code starts to run it has all the relevant state
there laid out in front of it. "All" it need do is 'only' copy
information from domain to domain based on the requests from the
respective domains.
For example, in the NLTSS system there was only one system call:
http://en.wikipedia.org/wiki/NLTSS
As implemented on the Cray computers, domain separation was
particularly simple as these were base and bounds systems
with no virtual memory. The one system call allowed a process
to make requests to send or receive data (any number simultaneously
as "buffer tables"). Domain separation in the NLTSS system
was achieved by 'simply' ensuring that data only flowed between
domains (processes) when a send from one process matched up with
a receive from another.
Similarly in traditional descriptor based capability systems
the IPC mechanism can be rather simple (e.g. just the "invoke"
system call) and focus on managing data and capabilities
communicated between domains (processes). There may be somewhat
more complexity with some number of different system supported
capabilities, but still it seems to me that the job of the IPC
mechanism consists largely of carrying out domain crossing
transfers as requested from both sides of a domain boundary
while doing no harm.
For me the case of language systems seems quite different.
This may be because I'm largely ignorant of how domain separation
is actually handled in language systems. Since I am ignorant of
the details of how such separation is supported, perhaps it would
be better if somebody with more knowledge in that area could describe
how such separation is supported - perhaps comparing and contrasting
it to how such separation is supported in an IPC system?
>I think you are tacitly assuming that domain calls will be normal
>procedure calls.
If I understand what you are suggesting, I think not. For example,
I certainly understand that when a method is called (invoked)
the language needs to ensure that only the code of such a call can
access the private data that should be available within the method.
Also, only explicitly passed data/object references should be made
available from the calling "domain". The call/invoke mechanism for
the language system must also ensure that mutual suspicion can
be supported. In this case it must do so without the hardware
support of an "exchange"/state change mechanism as is typically
supported by hardware. However, I guess that somewhere within
the code supporting method invocation there is indeed something
like a "procedure call" with at least parameter passing in any
case. I don't really know what else is involved and how the
language system goes about its job of enforcing domain separation
adequate for mutual suspicion.
I hope there is a description of comparable simplicity to
my description for the IPC mechanism above. To me it seems
that the simplest mechanisms are the most likely to be able
to be implemented safely and correctly.
>No sensible design would do this. IDC (inter-domain
>call) replaces IPC. What is eliminated is the address space crossing
>issue.
I can understand how at the hardware level the "address space
crossing" is eliminated, but there is still a separation that
needs to be enforced. I would be interested to hear more about
how that is done - sufficient for me to have confidence in the
separation for security purposes.
Regarding the exchange between Jonathan and MarkM about the above,
I think an explanation of how language systems support domain
separation would go a long way toward clarifying any differences.
--Jed http://www.webstart.com/jed-signature.html
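To make the NLTSS-style mechanism described in the message concrete, here is an added toy model (not NLTSS code, and not from the cap-talk thread): each process owns a base-and-bounds region and a buffer table of send/receive requests, and the kernel's single system call only copies bytes between regions when a send matches a receive on the same channel, after checking that each request stays inside the requester's own bounds. Channel names, the `Request` fields and the 16-byte regions are constructed for the example.

```python
# Toy model of a single-syscall, base-and-bounds IPC kernel in the style
# described for NLTSS. The kernel never runs user code; it only moves
# bytes between domains when both sides have asked for the transfer.
from dataclasses import dataclass, field


@dataclass
class Request:
    kind: str        # "send" or "receive"
    channel: str     # rendezvous name both sides must agree on (constructed)
    offset: int      # start of the buffer inside the process's own region
    length: int
    done: bool = False


@dataclass
class Process:
    name: str
    memory: bytearray                          # the only memory it can name
    table: list = field(default_factory=list)  # its buffer table


class Kernel:
    def __init__(self):
        self.procs = {}

    def register(self, proc):
        self.procs[proc.name] = proc

    def syscall(self, proc_name, requests):
        """The one system call: file requests, then try to match them."""
        proc = self.procs[proc_name]
        for r in requests:
            # Bounds check: a request may only name the caller's own region.
            if r.offset < 0 or r.length < 0 or r.offset + r.length > len(proc.memory):
                raise ValueError(f"{proc_name}: buffer outside bounds")
            proc.table.append(r)
        self._rendezvous()

    def _rendezvous(self):
        """Copy data only where a pending send matches a pending receive."""
        pending = [(p, r) for p in self.procs.values() for r in p.table if not r.done]
        for sp, s in pending:
            if s.kind != "send":
                continue
            for rp, r in pending:
                if rp is sp or r.kind != "receive" or r.done or r.channel != s.channel:
                    continue
                n = min(s.length, r.length)  # never exceed either side's buffer
                rp.memory[r.offset:r.offset + n] = sp.memory[s.offset:s.offset + n]
                s.done = r.done = True
                break
```

A receive filed before its matching send simply stays pending in the buffer table; nothing is copied until the other side asks.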