Push/Pull

Jonathan Shapiro shap@viper.cis.upenn.edu
Thu, 8 Dec 94 13:11:11 -0500


   OK, I see.  However, note that in the presence of external pagers,
   there is really no need for a "segment" or "composed memory object"
   to be a basic system abstraction at all - it can be implemented as
   an arbitrary layer between the "real" memory object and the kernel/VMM.
   The semantics of this intermediate "composition" layer can be whatever
   you want.

I don't think you can get access rights correct if you go at it that
way.  The kernel needs to be able to determine what the access rights
should be.  Suppose it does this by asking the composed object's
manager.

Imagine that you are a hostile user.  I hand you an RO segment.  You
compose it into a segment which you assert to the OS has RW access
rights.  Basically, the OS must know enough to ask MY segment manager
rather than the composed segment manager.

I believe that in trying to solve this you will conclude that an
explicit representation of the composition must be known to the
kernel. Any such composed segment representation constitutes an
important system abstraction.

The alternative is to re-invent the page key, at which point you can
trust the composed manager again, but at the cost of implementing a
lower-level memory abstraction.  Note also that (ding ding ding!) you
just introduced sub-segment protections.

Composition implies sub-segment protections.


Jonathan
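
The hostile-composition scenario from the message above, as an added example that is not part of the original message or of any system it discusses. It is a small C model comparing a kernel that trusts the composed segment's manager with one that holds an explicit record of the composition. The `struct segment` layout, the rights bits and both function names are assumptions made for illustration.

```c
#include <stddef.h>

enum { R_READ = 1, R_WRITE = 2 };   /* access-right bits (constructed) */

/* Hypothetical kernel-visible record of a segment. A leaf has nparts == 0;
 * a composed segment lists the sub-segments mapped into it. */
struct segment {
    unsigned asserted;              /* rights this segment's manager claims */
    size_t nparts;
    struct part {
        size_t offset, length;      /* range within the composed segment */
        const struct segment *sub;  /* segment supplying that range */
        unsigned granted;           /* rights the composer was handed for sub */
    } parts[2];
};

/* Policy 1: ask only the manager of the outermost (composed) segment. */
unsigned rights_trusting_composer(const struct segment *s, size_t addr)
{
    (void)addr;
    return s->asserted;
}

/* Policy 2: the kernel knows the composition, walks to the leaf, and
 * intersects rights at every level, so composing can only attenuate. */
unsigned rights_from_composition(const struct segment *s, size_t addr)
{
    unsigned rights = s->asserted;
    while (s->nparts != 0) {
        const struct part *hit = NULL;
        for (size_t i = 0; i < s->nparts; i++)
            if (addr >= s->parts[i].offset &&
                addr - s->parts[i].offset < s->parts[i].length)
                hit = &s->parts[i];
        if (hit == NULL)
            return 0;               /* unmapped hole: no access */
        rights &= hit->granted & hit->sub->asserted;
        addr -= hit->offset;
        s = hit->sub;
    }
    return rights;
}

/* Constructed scenario: an RO segment handed to a user who composes it with
 * their own RW segment and asserts RW for the whole. */
const struct segment ro_seg   = { .asserted = R_READ };
const struct segment user_seg = { .asserted = R_READ | R_WRITE };
const struct segment composed = { R_READ | R_WRITE, 2,
    { { 0, 4096, &ro_seg, R_READ }, { 4096, 4096, &user_seg, R_READ | R_WRITE } } };
```

Under the second policy the single composed segment resolves to read-only in its first 4096 bytes and read-write in the next 4096, which is the sub-segment protection the message says composition implies.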