On Tue, 2006-04-25 at 10:38 +0200, Michal Suchanek wrote: > On 4/25/06, Jonathan S. Shapiro <[EMAIL PROTECTED]> wrote: > > > > Yes, so now you have a situation where client A is notified of the > > server's mishandling of client B. This is a security error. Coyotos will > > not expose this fact. > > How is client A notified of mishandling of client B? It is only > notified when its own capability is dropped for whatever reason. Be it > server is killed, just drops it, forwards it to another server that > fails to handle it, or overwites it with a capability received from B. > But A cannot tell that.
You are mistaken. Assume that A and B are trying (improperly) to communicate by exploiting the drop notices. They *can* communicate this way. When reasoning about system architecture, it is rarely good to say "X doesn't know Y", because this assumption is often wrong. A more productive approach is to ask "how could X and Y exploit this to achieve something unexpected?" shap _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
