At 02:30 PM 7/15/99 -0400, shapj@us.ibm.com wrote:
>The design question is whether reclaimed storage reverts to the prime bank
>or to the bank from which it was allocated. If it reverts to the prime bank,
>the logic is "you lose it and the system as a whole gets it back." If it
>reverts to the bank that allocated it, the logic is "the owning bank gets the
>space back when the last capability to it goes away."
>
>Either is feasible, but there is a covert channel issue: the release of the
>last capability now becomes observable by other parties, including the
>allocator.
It doesn't matter which bank gets the storage. The covert channel comes from being able to detect the change (either by query or by attempting to allocate). The only way I know to plug the covert channel is to give each security partition its own pool of storage. The sum of these pools can not over-allocate the real storage available to the system. That way, storage signals can only be read from within the security partition where they are generated.
VM/370 accomplished this goal by allocating each user a separate "minidisk", which was backed by a fixed set of cylinders on a real disk. (VM/370 had a bunch of other problems, but it was probably the most tractable system from a security point of view in the early 1970s.)
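A toy model of the channel described in the reply above, added here as an illustration and not taken from the EROS, KeyKOS or VM/370 code. Two security partitions, a sender and a receiver, draw storage from either one shared pool or from fixed per-partition pools carved out of a real store. The sender modulates how much it holds; the receiver tries to detect that either by querying free space or by attempting an allocation. The `Pool` class, the unit sizes and the quota numbers are all assumptions made for the example. It also shows the caveat in the reply: if the per-partition quotas over-allocate the real storage, the partitioning is cosmetic and the channel comes back.

```python
"""Storage-exhaustion covert channel: shared pool vs. per-partition pools.

Constructed example; the Pool abstraction, sizes and quotas are assumptions
chosen for illustration, not a model of any real allocator.
"""


class Pool:
    """Fixed-size storage pool in abstract units (pages, cylinders, ...).

    A pool may be carved out of a `backing` pool (the real storage), in which
    case every allocation must also fit in the backing store. With no backing,
    the pool *is* the real storage.
    """

    def __init__(self, capacity, backing=None):
        self.capacity = capacity
        self.used = 0
        self.backing = backing

    def free_space(self):
        """How much this pool can still hand out right now."""
        room = self.capacity - self.used
        if self.backing is not None:
            room = min(room, self.backing.free_space())
        return room

    def alloc(self, n):
        """Allocate n units; False (not an exception) on exhaustion."""
        if n > self.free_space():
            return False
        if self.backing is not None:
            assert self.backing.alloc(n)  # fits, because free_space() checked it
        self.used += n
        return True

    def free(self, n):
        assert n <= self.used
        self.used -= n
        if self.backing is not None:
            self.backing.free(n)


def receive_bit(pool, probe, method):
    """Receiver reads one bit from the storage signal, with no direct channel.

    "query": look at free space.  "alloc": try to allocate `probe` units and
    treat failure as a 1 (releasing the probe again on success).
    """
    if method == "query":
        return 1 if pool.free_space() < probe else 0
    if method == "alloc":
        if pool.alloc(probe):
            pool.free(probe)
            return 0
        return 1
    raise ValueError(method)


def run_channel(bits, sender_pool, receiver_pool, hold, probe=1, method="alloc"):
    """Sender encodes each bit as 'holding `hold` units' (1) or 'holding nothing' (0)."""
    received = []
    for bit in bits:
        if bit:
            assert sender_pool.alloc(hold), "sender cannot get its signalling block"
        received.append(receive_bit(receiver_pool, probe, method))
        if bit:
            sender_pool.free(hold)  # return to the idle state for the next symbol
    return received


def transmit_shared(bits, capacity=8, method="alloc"):
    """Both partitions allocate from one pool: every bit comes through."""
    pool = Pool(capacity)
    return run_channel(bits, pool, pool, hold=capacity, method=method)


def transmit_partitioned(bits, capacity=8, sender_quota=4, receiver_quota=4, method="alloc"):
    """Each partition has its own pool backed by the real store.

    With sender_quota + receiver_quota <= capacity the receiver's pool is
    unaffected by the sender and the channel carries nothing.  With the quotas
    over-allocating the real store, the sender can still exhaust the backing
    and the receiver sees the signal again.
    """
    real = Pool(capacity)
    sender = Pool(sender_quota, backing=real)
    receiver = Pool(receiver_quota, backing=real)
    return run_channel(bits, sender, receiver, hold=sender_quota, method=method)


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 1, 0, 0]
    print("shared pool, alloc probe :", transmit_shared(msg))
    print("shared pool, query probe :", transmit_shared(msg, method="query"))
    print("partitioned, no overcommit:", transmit_partitioned(msg))
    print("partitioned, overcommitted:", transmit_partitioned(msg, sender_quota=8))
```

The over-committed case is the one to keep in mind when reading the reply: giving each partition its own quota is not enough on its own; the quotas must be backed by disjoint real storage, which is exactly what a VM/370 minidisk on a fixed set of cylinders gave you.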