genode manual
Prashanth Mundkur
pmundkur.l4 at ...9...
Tue Apr 28 07:35:28 CEST 2015
On 22:36 Mon 27 Apr, Norman Feske wrote:
> > This leads to the following question: can the server refuse to close a
> > session?
>
> yes, a server may ignore the session-close request. Servers that are
> used by clients of different security levels (e.g., the nitpicker GUI
> server that serves both untrusted clients and security-critical clients
> at the same time) must be designed and implemented with special care.
> Besides the correct response to session-close requests, another
> consideration is the adherence to the security policy as configured by
> the parent. The mere fact that a server is a child of its parent does
> not imply that the parent won't need to trust it in some respects.
>
> In cases where is not viable to trust the server (e.g., because the
> server is based on ported software that is too complex for thorough
> evaluation), certain security properties such as the effectiveness of
> closing sessions could be enforced by a small (and thereby trustworthy)
> intermediate server that sits in-between the real server and the client.
> This intermediate server would then effectively wrap the server's
> session interface.
Thanks for the detailed clarification!
--prashanth
More information about the users
mailing list