[seL4] Capability unwrapping

Tim Newsham tim.newsham at gmail.com
Fri Feb 13 04:20:25 EST 2015


On Thu, Feb 12, 2015 at 2:27 AM, Norman Feske
<norman.feske at genode-labs.com> wrote:
> Under the hood, when passing a Genode capability as argument to an RPC
> call, all three seL4 endpoint capabilities will be transferred. When
> such a Genode capability is handed back to the component, the third
> received seL4 capability can be used to re-identify the context
> associated with the Genode capability because its badge was imprinted
> locally by the component.

Doesn't the fact that these three capabilities are not bound together
in any way lead to problems?  What if a malicious server juggled a
few capabilities, replacing the third capability in a response with
a different third capability from an earlier request, for example?

> Norman

-- 
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com


