[seL4] Capability unwrapping

Norman Feske norman.feske at genode-labs.com
Fri Feb 13 22:46:27 EST 2015

Hi Tim,

> Doesn't the fact that these three capabilities are not bound together
> in any way lead to problems?  What if a malicious server juggled a
> few capabilities, replacing the third capability in a response with
> a different third capability from an earlier request, for example?

that is indeed an important question. But I am confident that this is
not a problem. Please consider that the two supplemental capabilities
are merely used by the receiver as a key to look up an existing Genode
capability (triple of seL4 caps) at the receiver. The receiver will
never use the endpoint capability (the first one of the triple) that
came from the sender, but will keep using the looked-up (known-good)
Genode capability.

In the worst case, the sender could replace the supplemental caps of a
Genode capability A by the ones of another Genode capability B, and pass
the forged version of capability A to the receiver. The lookup at the
receiver would indeed wrongly find B. But what would be the benefit for
the sender? It could have specified B instead of the forged version of A
in the first place.


Dr.-Ing. Norman Feske
Genode Labs

http://www.genode-labs.com · http://genode.org

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
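To make the argument in Norman's reply concrete, here is an added model of the receiver-side lookup he describes. It is illustration code written for this page, not Genode or seL4 code: capabilities are plain integer identifiers standing in for seL4 CPtrs, the registry is a std::map, and the two Genode capabilities A and B are constructed sample data. What it shows is that the two supplemental caps serve only as a lookup key, that the endpoint cap supplied by the sender is never used, and that the forgery from the mail (A's endpoint with B's supplemental caps) simply resolves to the receiver's own copy of B.

```cpp
// Added illustration (not Genode or seL4 code): a model of the receiver-side
// "unwrapping" of a Genode capability, which is a triple of seL4 caps
// (endpoint, sup1, sup2). The receiver keys its table on the two supplemental
// caps and keeps using the endpoint it already holds for that entry.
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>

// Abstract capability identities. In the real system these would be seL4
// CPtrs in the receiver's CSpace; plain integers stand in for them here.
using CapId = std::uint32_t;

struct GenodeCap {
    CapId endpoint;  // seL4 endpoint cap, the one actually used for IPC
    CapId sup1;      // first supplemental cap
    CapId sup2;      // second supplemental cap
};

// Registry of Genode capabilities the receiver already knows and trusts.
class CapRegistry {
    using Key = std::pair<CapId, CapId>;
    std::map<Key, GenodeCap> _known;

public:
    void add(GenodeCap const &cap) { _known[{cap.sup1, cap.sup2}] = cap; }

    // Unwrap an incoming triple. Only the two supplemental caps are used,
    // and only as a lookup key; the endpoint cap the sender supplied is
    // never read. A miss (nullptr) means the receiver does not know this
    // capability and uses nothing from the message.
    GenodeCap const *unwrap(GenodeCap const &incoming) const {
        auto it = _known.find({incoming.sup1, incoming.sup2});
        if (it == _known.end())
            return nullptr;
        return &it->second;
    }
};

// Constructed sample data: the receiver already holds Genode caps A and B.
static GenodeCap const CAP_A{0x10, 0x11, 0x12};
static GenodeCap const CAP_B{0x20, 0x21, 0x22};

static CapRegistry make_registry() {
    CapRegistry r;
    r.add(CAP_A);
    r.add(CAP_B);
    return r;
}

// The endpoint the receiver would actually use for an incoming triple,
// or 0 when the lookup fails and the triple is rejected.
CapId endpoint_used(GenodeCap const &incoming) {
    CapRegistry registry = make_registry();
    GenodeCap const *cap = registry.unwrap(incoming);
    return cap ? cap->endpoint : 0;
}

// The forgery from the mail: A's endpoint combined with B's supplemental caps.
GenodeCap forged_a_with_b_supplements() {
    return GenodeCap{CAP_A.endpoint, CAP_B.sup1, CAP_B.sup2};
}

// A triple whose supplemental caps the receiver has never seen, carrying an
// attacker-chosen endpoint. (0xbad is just a constructed marker value.)
GenodeCap unknown_triple() {
    return GenodeCap{0xbad, 0x31, 0x32};
}

int main() {
    std::printf("honest A -> endpoint %#x\n", endpoint_used(CAP_A));
    std::printf("forged A -> endpoint %#x (B's, sender's endpoint ignored)\n",
                endpoint_used(forged_a_with_b_supplements()));
    std::printf("honest B -> endpoint %#x\n", endpoint_used(CAP_B));
    std::printf("unknown  -> endpoint %#x (rejected)\n",
                endpoint_used(unknown_triple()));
    return 0;
}
```

Two things the model makes visible. First, the forged triple and an honest delegation of B produce the same result at the receiver, which is exactly the "it could have specified B in the first place" point: the sender gains nothing it did not already have. Second, a triple whose supplemental caps are not in the table yields no capability at all, so an attacker-supplied endpoint is never reached by the receiver. The model assumes, as seL4 enforces, that a sender can only pass capabilities it actually holds, so it cannot conjure a lookup key for a capability it was never given.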
