At Tue, 25 Apr 2006 06:52:05 -0400, "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
>
> On Tue, 2006-04-25 at 10:38 +0200, Michal Suchanek wrote:
> > On 4/25/06, Jonathan S. Shapiro <[EMAIL PROTECTED]> wrote:
> > >
> > > Yes, so now you have a situation where client A is notified of the
> > > server's mishandling of client B. This is a security error. Coyotos will
> > > not expose this fact.
> >
> > How is client A notified of mishandling of client B? It is only
> > notified when its own capability is dropped for whatever reason. Be it
> > server is killed, just drops it, forwards it to another server that
> > fails to handle it, or overwrites it with a capability received from B.
> > But A cannot tell that.
>
> You are mistaken. Assume that A and B are trying (improperly) to
> communicate by exploiting the drop notices. They *can* communicate this
> way.
>
> When reasoning about system architecture, it is rarely good to say "X
> doesn't know Y", because this assumption is often wrong. A more
> productive approach is to ask "how could X and Y exploit this to achieve
> something unexpected?"
This discussion has gone astray, probably because parties have different
models in mind (I am not sure).

In the move-only-and-send-exactly-once model, there is no communication
possible between A and B if S properly handles the reply capabilities.
If S does _not_ properly handle the reply capabilities, all bets are off
anyway. That would just be an exploit of a bug in S, not of the system
architecture.

Thanks,
Marcus

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
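The exchange above turns on whether drop notices can carry information from B to A. The following is an added example, not code from this thread, from Coyotos or from the Hurd: a small Python model of move-only, use-once reply capabilities under a hypothetical drop-notice rule (only the capability's owner is told that its capability was dropped, and it learns nothing else). It runs the same two-client scenario against a server S that handles reply capabilities properly and against one that mishandles them, and shows that a B-to-A channel exists only in the second case, i.e. when S is buggy, which is what the message above argues. The server classes, the `Kernel` bookkeeping and the bit encoding are constructed for the demonstration.

```python
"""Toy model of reply capabilities with drop notices.

Added example; not code from the l4-hurd thread, from Coyotos or from the
Hurd. Hypothetical, simplified semantics: a reply capability is move-only
and may be used at most once; if it is destroyed unused, the kernel sends a
drop notice to the client that created it and to nobody else. Clients A and
B each send S one request carrying a fresh reply capability.
"""
from dataclasses import dataclass


@dataclass
class ReplyCap:
    owner: str          # client that receives the reply or the drop notice
    used: bool = False  # use-once: at most one outcome per capability


class Kernel:
    """Delivers replies and drop notices; records what each client observes."""

    def __init__(self):
        self.observed = {}  # client name -> list of events visible to it

    def _observe(self, client, event):
        self.observed.setdefault(client, []).append(event)

    def reply(self, cap, message):
        if cap.used:
            raise ValueError("reply capability already consumed")
        cap.used = True
        self._observe(cap.owner, ("reply", message))

    def drop(self, cap):
        # Dropping an unused capability notifies only its owner. The notice
        # carries no information about any other client's capability.
        if not cap.used:
            cap.used = True
            self._observe(cap.owner, ("dropped",))


class ProperServer:
    """S uses each reply capability exactly once, when the request arrives.

    A's outcome is fixed before B's request is even seen, so nothing B does
    can change what A observes."""

    def __init__(self, kernel):
        self.kernel = kernel

    def request(self, client, cap, payload):
        self.kernel.reply(cap, f"ok:{client}")


class LeakyServer:
    """S with a bug: it holds A's reply capability and decides whether to
    reply on it or drop it based on B's payload. That bug is the channel."""

    def __init__(self, kernel):
        self.kernel = kernel
        self.pending_a = None

    def request(self, client, cap, payload):
        if client == "A":
            self.pending_a = cap          # defer A; this is where S goes wrong
            return
        if self.pending_a is not None:
            if payload == 1:
                self.kernel.drop(self.pending_a)           # A sees "dropped"
            else:
                self.kernel.reply(self.pending_a, "ok:A")  # A sees "reply"
            self.pending_a = None
        self.kernel.reply(cap, f"ok:{client}")


def run_rounds(server_cls, b_bits):
    """One request from A, then one from B, per round; B's carries one bit.

    Returns the bits A can decode from its own observations: 1 if its reply
    capability was dropped, 0 if it was replied to. A is only ever told
    about its own capability."""
    decoded = []
    for bit in b_bits:
        kernel = Kernel()
        server = server_cls(kernel)
        server.request("A", ReplyCap("A"), None)
        server.request("B", ReplyCap("B"), bit)
        a_events = kernel.observed.get("A", [])
        assert len(a_events) == 1, "exactly one outcome per capability"
        decoded.append(1 if a_events[0] == ("dropped",) else 0)
    return decoded


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1]
    print("leaky S, A decodes :", run_rounds(LeakyServer, bits))   # == bits
    print("proper S, A decodes:", run_rounds(ProperServer, bits))  # all zeros
```

With `ProperServer` the decoded sequence is all zeros regardless of B's input, so A learns nothing; with `LeakyServer` A recovers B's bits exactly. The kernel's drop notice is the same in both runs; what differs is whether S ties the fate of A's capability to B's request.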
