[EROS-Arch] Proposed new facility: reducing resume capabilities
Jonathan S. Shapiro
shap@eros-os.org
Fri, 21 Sep 2001 16:08:32 -0400
I don't see that it's a replay attack if the server has *asked* you to
replay, and the scenario doesn't happen unless somebody with a resume key
asks you to replay.
The one rather odd case might go like this:
A calls B. B forwards request (with resume key) to C. C requests replay, as
a result of which A re-calls B.
I'm not sure if this is important or not. Offhand I think it's not, but it's
certainly odd behavior.
Oh. Yuck. This is already possible without the reduction mechanism. Here's
how:
Keeper of A "stuns" A by requesting a fault key. Using register interface,
places a known fault code in A so as to regain control later. Makes call to
B using A's keys, pretending to be A, passing fault key in resume key
position.
When B or C later invokes the resume key slot (which is a fault key), A will
be set running and will immediately fault back into the keeper, who can replay
the whole thing at will.
So the only real distinction here is that the server can *request* the
replay. There is no newly-introduced exposure that the server will receive
unsolicited replays.
Jonathan
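The two scenarios above (a server that *requests* a replay through a reduced resume key, versus a keeper that substitutes A's fault key for the resume key and replays on its own) can be compared in a toy model. The following is an added illustration, not EROS code and not from the thread; it assumes a deliberately simplified picture of the kernel: a resume key names its caller and invoking it resumes that caller with a value, a fault key names a process and invoking it runs the process only long enough to fault into its keeper, and the keeper's use of the register interface is left out. The sentinel value REPLAY_REQUESTED, the class names and the payload strings are all constructed for the example.

```python
"""Toy model of call/return with resume keys and fault keys (constructed, not EROS code)."""

REPLAY_REQUESTED = "replay-requested"   # constructed sentinel: "please re-send this call"


class ResumeKey:
    """Names the caller; invoking it resumes that caller with a value."""
    def __init__(self, target):
        self.target = target


class FaultKey:
    """Names a process; invoking it runs the process, which faults to its keeper."""
    def __init__(self, target):
        self.target = target


class Kernel:
    """Records every call so the two scenarios can be compared from B's and C's view."""
    def __init__(self):
        self.trace = []   # (caller name, callee name, payload)

    def call(self, caller, callee, payload, resume_slot):
        self.trace.append((caller.name, callee.name, payload))
        return callee.handle(self, payload, resume_slot)

    def invoke_resume_slot(self, key, value):
        if isinstance(key, ResumeKey):
            return key.target.resume(self, value)
        if isinstance(key, FaultKey):
            # the "stunned" process runs, faults at once, and its keeper gets control
            return key.target.keeper.on_fault(self, value)
        raise TypeError("unexpected key in resume slot")


class Client:  # A
    def __init__(self, name, server):
        self.name, self.server, self.keeper, self.last = name, server, None, None

    def request(self, kernel, payload):
        self.last = payload
        return kernel.call(self, self.server, payload, ResumeKey(self))

    def resume(self, kernel, value):
        if value == REPLAY_REQUESTED:      # the server asked, so A re-calls B
            return self.request(kernel, self.last)
        return value


class Forwarder:  # B
    def __init__(self, name, backend):
        self.name, self.backend = name, backend

    def handle(self, kernel, payload, resume_slot):
        # hand the caller's resume slot through to C unchanged
        return kernel.call(self, self.backend, payload, resume_slot)


class Backend:  # C
    def __init__(self, name, request_replay_once):
        self.name, self.request_replay_once, self.seen = name, request_replay_once, []

    def handle(self, kernel, payload, resume_slot):
        self.seen.append(payload)
        if self.request_replay_once and len(self.seen) == 1:
            return kernel.invoke_resume_slot(resume_slot, REPLAY_REQUESTED)
        return kernel.invoke_resume_slot(resume_slot, "done:" + payload)


class Keeper:  # keeper of A
    def __init__(self, name, ward):
        self.name, self.ward, self.faults, self.last = name, ward, [], None
        ward.keeper = self

    def call_as_ward(self, kernel, server, payload):
        # call B pretending to be A, with A's fault key in the resume-key position
        self.last = payload
        return kernel.call(self.ward, server, payload, FaultKey(self.ward))

    def on_fault(self, kernel, value):
        self.faults.append(value)
        if len(self.faults) == 1:          # replay once, without C asking for it
            return self.call_as_ward(kernel, self.ward.server, self.last)
        return value


def build(request_replay):
    kernel = Kernel()
    c = Backend("C", request_replay)
    b = Forwarder("B", c)
    a = Client("A", b)
    return kernel, a, b, c


def server_requested_replay():
    """Scenario 1: C invokes the resume key asking for a replay; A re-calls B."""
    kernel, a, _, _ = build(True)
    result = a.request(kernel, "req-1")
    return kernel.trace, result


def keeper_driven_replay():
    """Scenario 2: keeper calls B as A with A's fault key in the resume slot."""
    kernel, a, b, _ = build(False)
    keeper = Keeper("K", a)
    result = keeper.call_as_ward(kernel, b, "req-1")
    return kernel.trace, result, len(keeper.faults)


if __name__ == "__main__":
    t1, r1 = server_requested_replay()
    t2, r2, faults = keeper_driven_replay()
    print("call sequence identical as seen by B and C:", t1 == t2)
```

Running it shows that B and C observe exactly the same sequence of calls in both cases; the only difference is who triggered the second call (C through the reduced resume key, or A's keeper after catching the fault), which is the point the message makes.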