[EROS-Arch] Proposed new facility: reducing resume capabilities
Bill Frantz
frantz@pwpconsult.com
Fri, 21 Sep 2001 11:44:25 -0700
At 7:17 AM -0700 9/21/01, Jonathan S. Shapiro wrote:
> The proposal is that there should be some mechanism -- probably a new
> kernel capability -- by which to convert a resume capability into a fault
> capability to the same process. This mechanism would allow a service to
> induce an invoker to retry an invocation. This is usually innocuous, but
> combines with POST events in an interesting and useful way.
>
> Relevant Detail: In the EROS invocation protocol, the invoker PC is not
> advanced until the subsequent *inbound* invocation. When a CALL is
> performed, the PC is not advanced until the generated resume key is
> invoked. When a RETURN is performed, the PC is not advanced until some
> start key is invoked. By enabling a service to return to a fault key
> instead of the intended RETURN key, the server can induce the invoker to
> retry the invocation.
>
> Security Implications: The original caller has already sent the
> information that would be retransmitted, so there are no negative
> security implications. The effect from the server side can be simulated
> by performing a RETURN operation on the same server start key originally
> invoked by the original caller, passing the arguments supplied by the
> original caller. There is a slight exposure if a caller-side debugger
> has tweaked things. I don't see a problem with this, but perhaps someone
> else may?
Any of the keys invoked or passed in the jump could become null keys which
means that the second try would not be the same as the first. Any user of
this mechanism would be well advised to make no changes in state as a
result of the first try. This is classic "dry run" programming.
In addition, the debugger/domain key holder could:

- Change the invoked key, resulting in the information going to a different
  domain.
- Change the keys/data passed in the jump.
Since the PC has not advanced, the domain key holder sees the view that the
jump has not yet occurred, and should be suitably warned.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | The principal effect of| Periwinkle -- Consulting
(408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave.
frantz@pwpconsult.com | fair use. | Los Gatos, CA 95032, USA
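The retry semantics under discussion, and the "dry run" discipline Bill recommends, can be made concrete with a small simulation. The following is an added illustration written for this archive page; it is not EROS code and not code from either author. It models only what the thread states: a CALL leaves the invoker's PC on the CALL instruction until the resume key is invoked, a server can instead send the invoker back to the fault key so the CALL is re-executed, and the key registers passed on the second try may differ from the first (here a key is rescinded to a null key between tries). The class names, the `ledger` state, the `"arg"` register name and the single-retry policy are all assumptions made for the example. A server that changes state before asking for a retry records a request whose key no longer exists; the dry-run server commits only on the try that actually completes.

```python
from dataclasses import dataclass, field
from typing import Optional

NULL_KEY = None   # stands in for an EROS null key (e.g. after a rescind); assumption


@dataclass
class Invoker:
    """Caller state. pc points at the CALL instruction until a resume key is invoked."""
    pc: int = 0
    key_regs: dict = field(default_factory=dict)   # key registers passed in the jump
    data: tuple = ()                               # data words passed in the jump


@dataclass
class Reply:
    kind: str                   # "resume": invoke the resume key; "fault": return to fault key
    value: Optional[int] = None


class CommitFirstServer:
    """Changes state on every try, including the one it then turns into a retry."""
    def __init__(self):
        self.ledger = []

    def handle(self, key, data, attempt):
        self.ledger.append((key, data))          # side effect before the retry decision
        if attempt == 0:
            return Reply("fault")                # induce the invoker to re-run the CALL
        return Reply("resume", len(self.ledger))


class DryRunServer:
    """'Dry run' discipline: a try that ends in a retry request leaves no state behind."""
    def __init__(self):
        self.ledger = []

    def handle(self, key, data, attempt):
        if attempt == 0:
            return Reply("fault")                # only inspect the request; commit nothing
        self.ledger.append((key, data))          # commit on the try that actually completes
        return Reply("resume", len(self.ledger))


def rescind_target(inv: Invoker) -> None:
    """Between tries the key held in the register is rescinded: it is now a null key."""
    inv.key_regs["arg"] = NULL_KEY


def run_call(inv, server, between_tries=lambda inv: None, max_tries=4):
    """Execute the CALL at inv.pc until the server invokes the resume key.

    Returns (value, tries). The PC advances only on the resume path; a fault
    reply leaves it on the CALL, so the same instruction is executed again
    with whatever the key registers hold by then.
    """
    start_pc = inv.pc
    for attempt in range(max_tries):
        assert inv.pc == start_pc                # still sitting on the CALL
        reply = server.handle(inv.key_regs.get("arg"), inv.data, attempt)
        if reply.kind == "resume":
            inv.pc += 1                          # the inbound invocation advances the PC
            return reply.value, attempt + 1
        between_tries(inv)                       # the world may change before the re-execution
    raise RuntimeError("server kept returning to the fault key")


def demo(server_cls):
    """Run one CALL against the given server; constructed sample state."""
    inv = Invoker(pc=10, key_regs={"arg": "key#7"}, data=(42,))
    srv = server_cls()
    _value, tries = run_call(inv, srv, between_tries=rescind_target)
    return inv.pc, tries, srv.ledger


if __name__ == "__main__":
    for cls in (CommitFirstServer, DryRunServer):
        print(cls.__name__, demo(cls))
```

Both servers see the PC advance exactly once after two tries. The difference is in the ledger: `CommitFirstServer` holds an entry for `"key#7"` that was delivered on a try the server itself discarded, and a second entry with the null key; `DryRunServer` holds a single entry reflecting what the completed try actually carried.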