On Sat, 2006-04-22 at 20:05 +0200, Marcus Brinkmann wrote:
> At Sat, 22 Apr 2006 13:57:18 -0400,
> "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> > If the server is malicious, the presence of a "notify on drop" bit (or
> > even a "notify on container destroy" bit) is insufficient to achieve the
> > robustness that you are looking for.
>
> Why do you think so? As far as I know, I have not yet made my case
> for why I think that it may be sufficient.

The problem is that a malicious server may indefinitely hold a reply
capability without invocation. It will not drop the capability, and it
will not die.

> There seem to be,
> admittedly narrow, but still useful (for us), design patterns for
> which this mechanism is sufficient to successfully argue about
> invariants of the system.

The pattern you argue for is sufficient to catch *some* forms of error.
It is not a sufficient defense against malice.

My observation: any solution that deals with the broader cases of malice
will subsume the narrower cases of error-catching.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
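A toy model of the three server behaviours this exchange contrasts (an added illustration, not code from the thread or from the Hurd/L4 projects; the class names, the "reply"/"crash"/"hold" labels and the observe_seconds bound are assumptions of this model). It shows that a drop notification fires when the server replies or dies, but never fires while a server simply keeps the reply capability in its cspace.

```python
import threading


class ReplyCap:
    """Reply capability: on_drop fires when the last reference is
    released, whether by an explicit drop or by the holder dying."""

    def __init__(self, on_drop):
        self._on_drop = on_drop
        self.live = True

    def release(self):
        if self.live:
            self.live = False
            self._on_drop()


class Server:
    """Modelled server process holding capabilities in its cspace."""

    def __init__(self, behaviour):
        self.behaviour = behaviour  # "reply", "crash" or "hold" (constructed labels)
        self.cspace = []

    def handle(self, reply_cap):
        self.cspace.append(reply_cap)
        if self.behaviour == "reply":
            reply_cap.release()  # invoke the reply, then drop the capability
        elif self.behaviour == "crash":
            self.die()  # kernel reclaims every capability the dead server held
        # "hold": the cap stays in cspace, never invoked and never dropped

    def die(self):
        for cap in self.cspace:
            cap.release()
        self.cspace.clear()


def call(server, observe_seconds=0.05):
    """Client sends a request with a fresh reply cap and relies solely on
    the drop notification. observe_seconds only bounds how long this
    harness watches; it is not part of the mechanism being modelled."""
    notified = threading.Event()
    server.handle(ReplyCap(notified.set))
    return "notified" if notified.wait(observe_seconds) else "no notification"
```

With a "hold" server the client sees no event at all, which is the case the notify-on-drop bit cannot cover.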
