[EROS-Arch] Questioning need for Call Count

Joerg Bornschein joerg@zilium.de
Fri, 10 Nov 2000 18:13:27 +0100


On Fri, Nov 10, 2000 at 10:31:00AM -0500, Jonathan S. Shapiro wrote:

> I believe you may be confusing a security feature for a bug catching
> feature. I believe that the consumption of the resume capability on use is
> not a security feature. Certainly there is nothing in our access model to

To me it seems it is a security feature:

A program calling a capability can never be sure it is the
called service which returns. It may be any service which
had been called in the past. As you said: serial numbers catch
bugs, but won't stop malicious services.

Example:

A domain (L) providing some kind of login service holds two start capabilities:
 1. to a domain (W) printing a welcome message.
 2. to a domain (V) validating a login and just answering ALLOWED / NOT_ALLOWED
      (Bad design -- really bad design... I know)

L first calls W.
Later L questions V whether a certain login should be allowed or not.
How could L be sure it's V replying "ALLOWED"? It could be W sending replies
with different serial numbers.

Placing the serial number check in the stubs seems fine, but making these
serial numbers forgeable by the called service seems to make things much
more complicated.

Just 2e-9 cents from a newbie in your wonderful capability land.

  Joerg
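As an added illustration of the scenario in this mail (not part of the original message, and not EROS code), here is a small Python model with hypothetical names: scheme (a) is a stub-checked serial number on a shared reply port, scheme (b) a kernel-minted resume key that is bound to the callee and consumed on first use. `run` returns what L believes V answered for a bad login under each scheme.

```python
# Hypothetical model, not EROS code. L calls W (welcome) then V (validator).
# W is malicious: it keeps the reply handle it was given and injects replies later.
import itertools

class SerialStub:
    """Scheme (a): L's stub tags a call with a serial and accepts the first
    reply on its port carrying it. Any past callee can still write there."""
    def __init__(self):
        self.serial, self.port = itertools.count(100), []
    def call(self, service, request):
        expected = next(self.serial)
        service(request, expected, lambda _who, tok, msg: self.port.append((tok, msg)))
        hits = [msg for tok, msg in self.port if tok == expected]
        return hits[0] if hits else None

class ResumeKernel:
    """Scheme (b): a resume key is minted per call, bound to the callee and
    consumed on first use; a guessed, stale or reused key is refused."""
    def __init__(self):
        self.live, self.ids = {}, itertools.count(1)
    def call(self, service, request):
        key, inbox = next(self.ids), []
        self.live[key] = (service, inbox)
        service(request, key, self.resume)
        return inbox[0] if inbox else None
    def resume(self, holder, key, msg):
        entry = self.live.get(key)
        if entry is None or entry[0] is not holder:   # not a key this holder owns
            return False
        del self.live[key]                            # consumed on use
        entry[1].append(msg)
        return True

class MaliciousW:
    def __call__(self, request, token, reply):
        self.saved = (token, reply)                   # keep the reply handle
        reply(self, token, "Welcome!")
    def forge(self, n):                               # guess the next n tokens
        tok, reply = self.saved
        return [reply(self, tok + i, "ALLOWED") for i in range(1, n + 1)]

class Validator:
    def __call__(self, request, token, reply):
        reply(self, token, "ALLOWED" if request == ("alice", "pw") else "NOT_ALLOWED")

def run(scheme):
    w = MaliciousW()
    scheme.call(w, "hello")
    w.forge(5)                    # injected before L even asks V
    return scheme.call(Validator(), ("mallory", "wrong-pw"))
```

With serial numbers L accepts W's injected "ALLOWED" for the bad login; with consumed resume keys W's forgeries are refused and L sees V's "NOT_ALLOWED".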