Push/Pull

Jonathan Shapiro shap@viper.cis.upenn.edu
Fri, 9 Dec 94 13:52:27 -0500


   This is a non-problem.  To continue your example, I (the hostile user)
   map the composed segment into my address space with RW access, and
   the kernel happily obliges on the assumption that I'm telling the
   truth about the permissions.  If I actually write to that memory,
   the kernel will allow that.  But eventually the kernel will have to
   flush the page back to the external pager: first it sends the page
   to the (untrusted) segment manager, and then the segment manager
   forwards the page on to the _real_ backing store manager, which fails
   the page-out request because it knows that I only have RO permission.
   So the page-out fails and I'm probably hosed - basically, by lying to
   the kernel I can only hurt myself.

You're not thinking perniciously enough.  The untrusted manager is doing
a denial of service attack, and simply refuses to remove the page,
thereby tying up a run-time resource (the page frame) indefinitely...


Jonathan