... even if there are multiple personalities, there are still typically some set of globally trusted services that the entire system depends on for correctness, but don't necessarily run with the supervisor mode bit on.
In KeyKOS, an example would be something like a space bank, which multiple personalities depend on.
One example would be a user-level disk device driver that is used
to page kernel data: it's perfectly OK to put it outside of the
kernel, as long as you recognize that it's still globally trusted.
I understand what you are saying, and there is merit to it.
For the kernel to entrust privileged state to a user-mode device
driver that is part of the TCB is fine. I wasn't arguing against
that. In the example you give, the kernel can still make progress on
other tasks while the pageout is in progress.
The question is whether it is "safe" for the kernel to *block* on such
a process. In my opinion this is unsound.
This is not an argument against user-mode device drivers. It is only an argument against blocking the kernel on one. Device driver interfaces tend to want to be asynchronous in any case, so the issue doesn't much arise if one is careful.
I'm not making the case well. Perhaps Norm will be able to state it better.
Kernel data [in L3] is not different from user data other than being globally trusted and inaccessible by user-level code. I had thought that this was the way KeyKOS handled persistence of nodes as well, but now I'm not sure.
>From the standpoint of persistence you were right. The difference is Status: O
only that KeyKOS nodes are smaller than pages, primarily because most of the kernel implemented objects are much smaller than a page. Also, the virtual address space would have to support far more than 2^32 bytes to hold any sizable system.
In a ... system that allows virtual memory to be backed by untrusted entities, such as Mach or NewSys, the server can't just take any page and use it, even if it's a "real" page.
You are absolutely correct, and I had not thought this through.
>Consider a pernicious client process that has created a meter with no
>keeper and allocate 5 ticks of runtime to that meter. The client
>calls a shared service which runs on the client's meter. The quanta
>runs out midway through the service, and the client perniciously
>refuses to refill the meter. Denial of service.
...to the client itself. Big deal. As long as the server is correctly written under the "migrating-resource" model, a malicious client won't impede the functioning of the server for other clients.
I think you're mistaken. The server can no longer service anyone, because it is halted in the middle of processing the client's request, and is therefore not waiting for requests. In mach, I suppose this only ties up a single server thread, but threads are not free! Note that the dead thread doesn't have enough run time authority to clean up any temporary locks, and that no other thread in the server can easily tell the difference between a low priority client and a dead client.
I'll reread your migrating threads paper, though.
One obvious objection is that the client is occupying resources in the server - a stack, an activation (domain in KeyKOS terms), and possibly other allocated memory. But this isn't a problem if the server is fully playing in the new model, and all of those resources were "provided by" or "charged to" the client properly.
I'm very interested to see a secure model that supports this. The KeyKOS group tried to come up with one, and was unable to.
Jonathan