Push/Pull
Bryan Ford
baford@schirf.cs.utah.edu
Fri, 09 Dec 94 12:24:12 MST
> This is a non-problem. To continue your example, I (the hostile user)
> map the composed segment into my address space with RW access, and
> the kernel happily obliges on the assumption that I'm telling the
> truth about the permissions. If I actually try to write to that memory,
> the kernel will allow that. But eventually the kernel will have to
> flush the page back to the external pager: first it sends the page
> to the (untrusted) segment manager, and then the segment manager
> forwards the page on to the _real_ backing store manager, which fails
> the page-out request because it knows that I only have RO permission.
> So the page-out fails and I'm probably hosed - basically, by lying to
> the kernel I can only hurt myself.
>
> You're not thinking perniciously enough. The untrusted manager is doing
> a denial of service attack, and simply refuses to remove the page,
> thereby tying up a run-time resource (the page frame) indefinitely...
That is a totally different problem - you have to deal with the
potential problem of pagers refusing to page things out _anyway_,
if you want to have any kind of external pager interface.
Assuming you _do_ have an external pager interface, and have dealt
with the page-out security problem, then there's no reason I can see
that memory object composition has to be a fundamental abstraction
provided by the kernel.
Jonathan, I hate to say this, but this discussion is starting to get
really frustrating to me. It seems more and more like we're running
in circles without any meaningful communication happening. From my
point of view, it seems like it's taking innumerable messages just
to get the most basic ideas across. It's probably partly due to
bad explaining on my part, as well as our different OS backgrounds.
However, if we're going to get anywhere, we really have to find
some better way of communicating. Any ideas?
Bryan