[cap-talk] Domain change (IPC?) overhead
Mark Miller
erights at gmail.com
Tue Mar 25 12:53:08 EDT 2008
On Tue, Mar 25, 2008 at 8:53 AM, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> Hmm. I didn't intend to preclude the possibility of domain boundaries
> that might exist at multiple granularities. A single domain boundary
> need not provide all forms of isolation. For example, it may be
> acceptable for one domain boundary crossing to share a space accounting
> realm, but not for another. Similarly, it may be acceptable for two
> protection domains to share a GC domain with each other while a third
> does not.
>
> The domain scale that I am discussing is the one that conceptually
> replaces processes. At that boundary crossing, sharing and storage
> isolation become important issues. None of the systems that you identify
> above address this issue. IIRC, E chose not to address storage isolation
> explicitly.
Good, we're in agreement, with just our traditional difference in
emphasis. Actual E implementations, of course, run some number of vats
in an OS process. The OS often provides some space accounting, though
E provides no abstraction layer for making this accounting visible in
a platform-independent manner. Perhaps we should.
More to the point, in the E model, vats are explicit units of
preemptive deallocation and therefore of separate failure. An object
wielding an intra-vat near reference need not worry about the
reference spontaneously severing. An object wielding an inter-vat
remote should be prepared for this possibility.
Space accounting is needed for availability, and therefore E can only
help defend availability between mutually suspicious vats.
Normal object-granularity object-capability security is perfectly able
to defend integrity between mutually suspicious objects, as all the
above languages do. This is why I draw attention to the difference
between defensive consistency and defensive correctness.
Confidentiality is hard and cuts both ways. Resource accounting helps
silence outward covert leakage, but only imperfectly, and only at
large granularity. Determinism can perfectly deafen inward covert
leakage, but is feasible only at fine granularities.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
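The distinction MarkM draws above, between a near reference that cannot sever and an inter-vat reference that can, is easy to see in a toy simulation. The block below is an added example, not code from the e-mail or from any E implementation: it models a vat as the unit of preemptive deallocation and separate failure, hands out near and far references to objects in it, and shows an object that stays defensively consistent (its own invariant holds) when the vat behind its far reference is killed, while no longer being defensively correct (it can no longer produce the full total it exists to compute). The names Vat, FarRef, Counter and Tally are assumed for illustration only.

```python
# Added example (not from the e-mail or from any E implementation): a toy
# simulation of E-style vats. Names such as Vat, FarRef and Tally are assumed
# for illustration only.


class VatTerminated(Exception):
    """Raised when a far reference to a terminated vat is used."""


class Vat:
    """A vat: the unit of preemptive deallocation and of separate failure."""

    def __init__(self, name):
        self.name = name
        self.alive = True
        self._objects = {}

    def host(self, name, obj):
        """Place an object in this vat; same-vat callers get a near reference."""
        self._objects[name] = obj
        return obj

    def far_ref(self, name):
        """Hand out a far (inter-vat) reference to a hosted object."""
        return FarRef(self, name)

    def terminate(self):
        """Kill the vat: every far reference into it becomes broken."""
        self.alive = False
        self._objects.clear()


class FarRef:
    """Inter-vat reference: may sever whenever the target vat goes away."""

    def __init__(self, vat, name):
        self._vat = vat
        self._name = name

    def send(self, method, *args):
        if not self._vat.alive:
            raise VatTerminated(f"vat {self._vat.name!r} has been terminated")
        return getattr(self._vat._objects[self._name], method)(*args)


class Counter:
    def __init__(self):
        self.count = 0

    def incr(self):
        self.count += 1
        return self.count


class Tally:
    """Combines a near counter with a far one.

    Defensively consistent: its invariant (ticks == local count) holds no
    matter what happens to the remote vat. Not defensively correct: once the
    remote vat dies it cannot produce the complete total it was built for.
    """

    def __init__(self, local_counter, remote_counter):
        self.local = local_counter    # near reference: cannot sever
        self.remote = remote_counter  # far reference: may sever at any time
        self.ticks = 0
        self.severed = False

    def tick(self):
        self.ticks += 1
        local_total = self.local.incr()
        try:
            remote_total = self.remote.send("incr")
        except VatTerminated:
            # The partner vat is gone; record it and keep our own state sound.
            self.severed = True
            remote_total = None
        return local_total, remote_total

    def consistent(self):
        return self.ticks == self.local.count


def run_scenario():
    """Two ticks with both vats alive, then vat B is killed, then one more tick."""
    vat_a, vat_b = Vat("A"), Vat("B")
    c_a = vat_a.host("counter", Counter())
    vat_b.host("counter", Counter())
    tally = vat_a.host("tally", Tally(c_a, vat_b.far_ref("counter")))
    before = [tally.tick() for _ in range(2)]
    vat_b.terminate()  # preemptive deallocation of everything in vat B
    after = tally.tick()
    return before, after, tally


if __name__ == "__main__":
    before, after, tally = run_scenario()
    print(before, after, tally.severed, tally.consistent())
```

Note what the simulation does not model: space accounting. Killing vat B here is a free operation, whereas in a real system the reason to kill a vat is that it has exhausted some resource, which is exactly the availability concern the message says E only defends between vats, not between objects within one.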