I've now had time to read Norm's note. It seems problematic.
To reprise briefly, Mark Miller proposes the following method for transmitting over a covert channel:
The confined program, wishing to transmit, first allocates an array rather larger than real memory. The program then examines the bits that it wishes to transmit and for each bit does if(bit) {touch each page in the array} else {compute for several seconds}. Standard coding tricks ensure sufficiently short strings of 0's and 1's. The covert observer notes the paging and computing availability and applies standard noisy channel error correction.
Norm's proposed solution, limiting the space bank, has no impact on this attack. The attack is feasible not because space restrictions are violated, but because a large store is being used to virtualize a small store. The paging activity is the source of the communication, not the allocation of storage. There is an analogous attack that operates through storage allocation, and Norm's solution does solve that one.
To limit MarkM's proposed channel, we need to understand how paging activity is to be observed.
Let's first assume that the outside party has no access to a kernel interface that exposes paging statistics for real pages. I'll come back to this point, but bear with me for now.
The receiver can detect paging activity by first establishing a working set, waiting for the sender to touch pages, and then probing its working set to determine if any of it has been reclaimed. In most operating systems (but not in KeyKOS or EROS), there is a kernel-imposed policy that makes it costly to steal pages from small processes, but this can be overcome through use of suitably large working sets. The receiver tests its working set presence by first examining a clock and then loading bytes from several pages. A coarse clock will suffice, as page reloads require several milliseconds. If a sufficient number of receiver pages have been paged out, the receiver may assume with some confidence that it has received a bit.
On systems imposing page coloring strategies, you can transmit efficiently as many bits as there are colors in one "round trip."
This all assumes, however, that activity on the part of the sending process is visible to the receiving process. Introduction of capacity reserves for CPU and real memory consumption is sufficient to mitigate this. In short, if the sender can only page against its own pages the receiver has no way to detect the paging activity. This works fine *provided* that the respective memory reserves are not oversubscribed.
Now let's go back to the kernel reporting interface and justify that assumption.
There are programs sufficiently trusted that they should be permitted to examine the "real" state of the machine. The ability to do this is necessary for certain activities such as performance tuning.
Most programs, however, execute in a constrained environment. This environment constitutes their world, and it is meaningless to grant them access to performance statistics outside this world.
Jonathan
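The channel and the mitigation described in the message above, as an added simulation that is not part of the original thread. Page replacement is modelled as a single LRU pool of frames; the `LRUMemory`, `Sender` and `Receiver` classes, the Manchester coding used as the "standard coding trick" that keeps runs of 0's and 1's short, the third "other" process that supplies background paging noise, and all sizes and the per-fault cost are assumptions chosen for illustration. Run with a shared pool the receiver decodes the message from how long re-touching its working set takes; run with per-process reserves (`partitioned=True`) the sender can only page against its own frames and the receiver's probes carry no information.

```python
"""Simulation of the paging covert channel discussed above.

Added example, not code from the original thread. Page replacement is
modelled as one LRU pool; the sender/receiver classes, the Manchester
coding used to keep runs short, and all sizes are assumptions chosen for
illustration.
"""
from collections import OrderedDict
import random

FAULT_MS = 5.0   # assumed cost of reloading one page; hits are taken as free


class LRUMemory:
    """A pool of physical page frames with least-recently-used replacement."""

    def __init__(self, frames):
        self.frames = frames
        self.resident = OrderedDict()   # (owner, page) -> None, oldest first

    def touch(self, owner, page):
        """Reference a page; return True if it faulted (was not resident)."""
        key = (owner, page)
        if key in self.resident:
            self.resident.move_to_end(key)
            return False
        if len(self.resident) >= self.frames:
            self.resident.popitem(last=False)   # evict the LRU page, whoever owns it
        self.resident[key] = None
        return True


class Sender:
    """Confined program: touches an array larger than the pool for a 1, computes for a 0."""

    def __init__(self, memory, array_pages):
        self.memory = memory
        self.array_pages = array_pages

    def slot(self, symbol):
        if symbol:
            for page in range(self.array_pages):
                self.memory.touch("sender", page)
        # symbol 0: pure computation, no page references at all


class Receiver:
    """Unprivileged observer: keeps a working set and times a pass over it."""

    def __init__(self, memory, working_set):
        self.memory = memory
        self.working_set = working_set

    def establish(self):
        for page in range(self.working_set):
            self.memory.touch("receiver", page)

    def probe(self):
        """Return the (simulated) milliseconds a pass over the working set took."""
        faults = sum(self.memory.touch("receiver", p) for p in range(self.working_set))
        return faults * FAULT_MS


def manchester_encode(bits):
    """Send 1 as (thrash, compute) and 0 as (compute, thrash): no run exceeds two slots."""
    symbols = []
    for bit in bits:
        symbols += [1, 0] if bit else [0, 1]
    return symbols


def manchester_decode(samples):
    """Compare the two halves of each bit; None when they are indistinguishable."""
    decoded = []
    for first, second in zip(samples[0::2], samples[1::2]):
        decoded.append(1 if first > second else 0 if first < second else None)
    return decoded


def run_channel(bits, partitioned, frames=64, working_set=32, noise_pages=8, seed=1):
    """Transmit `bits` through the paging channel; return what the receiver decodes.

    partitioned=False: sender, receiver and an unrelated third process share one
    pool (no reserves).  partitioned=True: each has its own reserve of `frames`
    frames, so the sender can only page against its own pages.
    """
    rng = random.Random(seed)
    if partitioned:
        pools = {who: LRUMemory(frames) for who in ("sender", "receiver", "other")}
    else:
        shared = LRUMemory(frames)
        pools = {who: shared for who in ("sender", "receiver", "other")}
    sender = Sender(pools["sender"], array_pages=2 * frames)
    receiver = Receiver(pools["receiver"], working_set)
    receiver.establish()
    samples = []
    for symbol in manchester_encode(bits):
        sender.slot(symbol)
        for _ in range(noise_pages):           # unrelated paging by a third process
            pools["other"].touch("other", rng.randrange(10_000))
        samples.append(receiver.probe())
    return manchester_decode(samples)


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    print("shared pool:   ", run_channel(message, partitioned=False))
    print("with reserves: ", run_channel(message, partitioned=True))
```

The receiver never reads a kernel paging statistic; it only observes its own elapsed time, which is why the message treats the statistics interface as a separate question. In the shared-pool run the background process evicts a few frames per slot but never the receiver's, because the receiver re-touches its working set every slot and so is always most recently used, which is what makes the Manchester comparison robust to that noise; in the partitioned run every probe returns the same time and `manchester_decode` reports `None` for every bit.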