[okl4-developer] OKL4 v2.1: about thread identifiers
Gernot Heiser
gernot at cse.unsw.edu.au
Tue Oct 21 13:13:21 EST 2008
>>>>> On Wed, 15 Oct 2008 18:45:41 +0200, "Frank Kaiser" <frank.kaiser at opensynergy.com> said:
FK> [...]
FK> For a safe system the client identification must not be dependent
FK> on something given by the client itself, because this can be
FK> erroneous or faked. Therefore client identification must be
FK> provided by the system. The most simple solution obviously is,
FK> that the client would be able to determine the sender's threadid
FK> from any IPC it receives, which the server then can use for any
FK> type of response.
Hi Frank,

You're right that, for security reasons, the server must not rely on
the client's claim about its identity. However, thread IDs are a
security hole too, which is why they have been removed from
OKL4. (They provide a covert channel.)

The way to securely maintain state on behalf of clients is to use
multiple server threads, and give each client a cap to a different
server thread. Each server thread then knows that it's always talking
to the same client and has no identification problems.

We will provide a more elegant solution sometime in the future.

Gernot
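The per-client server-thread scheme from the reply above, as an added Python model written for this page (it is not OKL4 code and not something posted on the list): the system mints one capability per client and binds it to a dedicated server thread, so the server learns who sent a message from which thread received it, never from a sender field in the message. The `Kernel`, `ServerThread`, `Message` and `naive_server` names, the token-based capability, and the sample clients "alice" and "bob" are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Message:
    # Everything in the message body is under the client's control, so this
    # field is untrusted and must never be used to decide who sent the message.
    claimed_sender: str
    payload: str


class ServerThread:
    """One server thread per client (the scheme from the reply above).

    The thread is bound to a single client when it is created, so every
    message it receives is, by construction, from that client. No field of
    the message is consulted to determine the sender."""

    def __init__(self, client_name: str):
        self.client_name = client_name
        self.received = []  # per-client state kept by this thread only

    def handle(self, msg: Message) -> str:
        self.received.append(msg.payload)
        return f"{self.client_name} sent {len(self.received)} message(s)"


class Kernel:
    """Stand-in for the system (a constructed model, not the OKL4 API): it
    mints unforgeable capabilities and routes IPC by capability only.
    Client code never holds a reference to a ServerThread directly."""

    def __init__(self):
        self._caps: dict[str, ServerThread] = {}

    def grant_server_thread(self, client_name: str) -> str:
        """Create a dedicated server thread for `client_name` and return the
        capability (an unguessable token here) that reaches it."""
        cap = secrets.token_hex(16)
        self._caps[cap] = ServerThread(client_name)
        return cap

    def ipc(self, cap: str, msg: Message) -> str:
        """Deliver `msg` to whichever server thread `cap` denotes."""
        thread = self._caps.get(cap)
        if thread is None:
            raise PermissionError("no such capability")
        return thread.handle(msg)


def naive_server(msg: Message) -> str:
    """The design the quoted text warns against: the server believes the
    sender identity carried inside the message itself."""
    return f"{msg.claimed_sender} sent a message"


def demo() -> dict:
    """Run both designs against a message whose sender field is forged."""
    kernel = Kernel()
    alice_cap = kernel.grant_server_thread("alice")
    bob_cap = kernel.grant_server_thread("bob")

    # Constructed input: bob writes "alice" into the sender field.
    forged = Message(claimed_sender="alice", payload="act on alice's behalf")

    return {
        "naive": naive_server(forged),                # fooled by the field
        "cap_based": kernel.ipc(bob_cap, forged),     # attributed to bob
        "alice_honest": kernel.ipc(alice_cap, Message("alice", "hello")),
        "alice_state": len(kernel._caps[alice_cap].received),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is where the identity decision is made: `Kernel.ipc` looks up the capability and hands the message to a thread that already knows its client, so the forged `claimed_sender` never influences attribution, and a caller without a valid capability cannot reach any server thread at all. State that must be kept per client lives in that client's thread (`received`), which is the "securely maintain state on behalf of clients" part of the reply.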