genode manual

Prashanth Mundkur pmundkur.l4 at ...9...
Tue Apr 28 07:35:28 CEST 2015


On 22:36 Mon 27 Apr, Norman Feske wrote:

> > This leads to the following question: can the server refuse to close a
> > session?
>
> yes, a server may ignore the session-close request. Servers that are
> used by clients of different security levels (e.g., the nitpicker GUI
> server that serves both untrusted clients and security-critical clients
> at the same time) must be designed and implemented with special care.
> Besides the correct response to session-close requests, another
> consideration is the adherence to the security policy as configured by
> the parent. The mere fact that a server is a child of its parent does
> not imply that the parent won't need to trust it in some respects.
>
> In cases where it is not viable to trust the server (e.g., because the
> server is based on ported software that is too complex for thorough
> evaluation), certain security properties such as the effectiveness of
> closing sessions could be enforced by a small (and thereby trustworthy)
> intermediate server that sits in-between the real server and the client.
> This intermediate server would then effectively wrap the server's
> session interface.

Thanks for the detailed clarification!

--prashanth
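
The intermediate-server idea from the quoted reply, as an added example that is not part of the original thread and does not use Genode's API: a simplified C++ model in which the client only ever holds an id issued by a small wrapper, so closing takes effect even when the wrapped server ignores the request. The names `Session`, `Untrusted_session` and `Wrapper` are hypothetical, and the integer ids stand in for session capabilities.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>

// Hypothetical session interface for this model (not Genode's API).
struct Session {
    virtual ~Session() = default;
    virtual std::string request(const std::string &msg) = 0;
    virtual void close() = 0;
};

// Models a server too complex to evaluate: it ignores close requests.
struct Untrusted_session : Session {
    std::string request(const std::string &msg) override { return "echo:" + msg; }
    void close() override { /* request ignored, session keeps working */ }
};

// Small intermediate server. Clients never see the backend session,
// only an id that is valid while the wrapper keeps the mapping.
class Wrapper {
    std::map<unsigned, std::unique_ptr<Session>> _sessions;
    unsigned _next_id = 1;
public:
    unsigned open(std::unique_ptr<Session> backend) {
        unsigned id = _next_id++;
        _sessions.emplace(id, std::move(backend));
        return id;
    }
    // Returns false for an unknown or closed id; the backend is not contacted.
    bool request(unsigned id, const std::string &msg, std::string &reply) {
        auto it = _sessions.find(id);
        if (it == _sessions.end()) return false;
        reply = it->second->request(msg);
        return true;
    }
    // Close is enforced by the wrapper: the backend is asked to close, but
    // the client's access ends here whether or not the backend complies.
    bool close(unsigned id) {
        auto it = _sessions.find(id);
        if (it == _sessions.end()) return false;
        it->second->close();
        _sessions.erase(it);
        return true;
    }
};

int main() {
    Wrapper w; std::string r;
    unsigned id = w.open(std::unique_ptr<Session>(new Untrusted_session()));
    w.close(id);
    return w.request(id, "after close", r) ? 1 : 0; // exits 0: access revoked
}
```

The wrapper guarantees only that the client loses access; whether the wrapped server releases the resources behind the session still depends on that server.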