[e-lang] POLA Considerations in Control Flow (was: ControllingExtent)

Jonathan S. Shapiro shap at eros-os.org
Wed Dec 29 12:08:25 EST 2004

I am not sure if this response is germane to the discussion at hand. I
haven't had time to follow this thread, so I'm responding entirely on
the basis of the subject line.

In 2003, I wrote a paper for IEEE Security and Privacy entitled
"Vulnerabilities in Synchronous IPC Designs." An online copy of the
paper can be found on the EROS papers page a


One of the considerations of this paper is problems that arise when
control flow crosses a trust boundary. It is usual in many system
designs for the "caller" to be blocked waiting for a reply, but this
doesn't work well if the called service cannot be trusted to respond.
When exception handling gets into the picture, matters quickly become
complicated in subtly interacting ways (the paper focuses on page
faults, but similar issues can occur with other kinds of exceptions).

I'm not entirely clear if there are parallel issues in language-based
systems, but I think that it might be good for somebody to look at the
paper and think about it if the discussion at hand might relate to theft
of control flow across a trust boundary.

Jonathan S. Shapiro <shap at eros-os.org>

More information about the e-lang mailing list