[okl4-developer] OKL4 v2.1: about thread identifiers
Geoffrey Lee
glee at ok-labs.com
Thu Sep 18 17:39:30 EST 2008
On Tue, Sep 16, 2008 at 06:05:42PM +0200, Frank Kaiser wrote:
> Hello, Josh
>
> The client using my SPI server should register to the server. When the client initiates a data exchange, then the server shall check that it is coming from the registered client. Furthermore the server shall return a notification after the data exchange is completed, so that the client need not block on the data exchange call. For both purposes the server needs the true thread id of the caller. Since the IPC syscall does not provide it anymore, and the reply cap is a one-shot feature, I had to add an additional parameter carrying the thread id to my IDL4 interface specification. However, this approach has the shortcoming that the client id is not maintained by the system, allowing any other client to interfere with the connection by using a wrong thread id (the one belonging to the true client). This not only creates an unwanted error possibility, but also a security hole, since the server cannot reliably recognize that it receives commands from the right client.
> This way I cannot see that the reply cap feature in its current stage is an enhancement with respect to system security.
Hi Frank - Just to add to Josh's reply, as you have noted, trusting the client
to send you a correct piece of identification information is a bad
idea; however, it should not be taken to imply that reply caps
do not help with system security or, even worse, compromise it.
Reply caps mean that you cannot communicate with other threads
in the system in an arbitrary fashion, which stops leakage of
information unless the thread has been specifically granted permission
to do so.
>
> Regards
> Frank
-gl
> > -----Original Message-----
> > From: developer-bounces at okl4.org [mailto:developer-bounces at okl4.org] On Behalf
> > Of Joshua Root
> > Sent: Friday, September 12, 2008 3:48 PM
> > To: Frank Kaiser
> > Cc: developer at okl4.org
> > Subject: Re: [okl4-developer] OKL4 v2.1: about thread identifiers
> >
> > Frank Kaiser wrote:
> > > According to the implementation in /vspi_serverloop.c/ the first
> > > parameter of this prototype is equal to the dereferenced second
> > > parameter of function *L4_ReplyWait()*, which shall be, according to
> > > section D-5.1.8/.9 of the OKL4 User Manual, a pointer to the sender’s
> > > thread id.
> >
> > It looks like that section of the manual is incorrect/outdated. What you
> > actually get is not a thread id that can be used however you like, but a
> > reply capability whose use is only valid under certain specific
> > circumstances.
> >
> > See A-4.4 and A-6 in the manual, and this wiki page:
> > <http://wiki.ok-labs.com/ReplyCaps>
> >
> > Cheers,
> > Josh
> >
> > _______________________________________________
> > Developer mailing list
> > Developer at okl4.org
> > https://lists.okl4.org/mailman/listinfo/developer
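
The situation Frank describes, as a toy model in C added here for illustration: it is not code from the thread or from OKL4, and every name in it (`ipc_call`, `server_accepts`, `reply`, the struct layouts, thread ids 3 and 7) is an assumption. It shows that a check on a client-supplied id accepts a request from a different thread, and that a one-shot reply cap cannot carry a later completion notification.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not the OKL4 API: all names below are hypothetical. */
typedef unsigned thread_id;

/* One-shot reply capability: the "kernel" records the real caller; the
 * server holds a handle that is consumed by the first reply. */
struct reply_cap { thread_id caller; bool valid; };

/* What the server receives: the cap plus the IDL parameter in which the
 * client states its own thread id. */
struct request { struct reply_cap cap; thread_id claimed_id; };

static thread_id registered_client;      /* id stored at registration */

/* "Kernel" side of a call: the true caller is stamped into the cap only. */
struct request ipc_call(thread_id true_caller, thread_id claimed_id)
{
    struct request r = { { true_caller, true }, claimed_id };
    return r;
}

/* Server check as described in the thread: it compares the parameter the
 * client supplied, since the true caller id is not given to the server. */
bool server_accepts(const struct request *r)
{
    return r->claimed_id == registered_client;
}

/* Reply through the cap: returns the thread that receives the reply,
 * or 0 if the cap has already been used. */
thread_id reply(struct reply_cap *cap)
{
    if (!cap->valid)
        return 0;
    cap->valid = false;
    return cap->caller;
}

int main(void)
{
    registered_client = 3;                        /* constructed ids */
    struct request genuine = ipc_call(3, 3);
    struct request forged = ipc_call(7, 3);       /* thread 7 claims id 3 */
    printf("genuine accepted: %d\n", server_accepts(&genuine));
    printf("forged accepted:  %d\n", server_accepts(&forged));
    printf("reply to forged request reaches thread %u\n", reply(&forged.cap));
    printf("second use of the same cap returns %u\n", reply(&forged.cap));
    return 0;
}
```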