Capability integrity and application's identity

Norman Feske norman.feske at ...1...
Wed Jan 20 15:11:52 CET 2016

Hello Mark,

welcome to the mailing list!

> Is there any mechanism to ensure the integrity of a capability?

The integrity of capabilities is protected if the underlying kernel
supports this. This is the case for base-hw, base-nova, base-foc, and
base-sel4 (a few corner cases notwithstanding). On base-linux and the
traditional L4 kernels, capabilities remain unprotected. Here a
capability is represented by a plain number, which can naturally be forged.

On kernels with capability support, each capability is represented by a
distinct kernel object. Even though the user land can create those
objects, it has no means to manipulate those kernel objects directly. A
kernel object can be manipulated only via the kernel interface (e.g., by
telling the kernel to delegate a capability to another protection
domain). The kernel ensures that all its operations preserve the
integrity of the capabilities.

> I read in the book about the identity but it is still not clear to me.
> Could I use this identity to authenticate the connection between two
> applications in my platform or even in a remote one instead of the port or
> IP address?

No. As Genode capabilities are protected by the underlying kernel (at
best), the protection is limited to the bounds of the machine the kernel
is running on.


Dr.-Ing. Norman Feske
Genode Labs ·

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
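
The difference between a plain-number capability and a kernel-protected one, as an added toy model in C++. It is not part of the original message and is not Genode or kernel code; the `Kernel` struct, its methods and the scenario are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

// Toy model only: not Genode or kernel code, all names are hypothetical.
struct Kernel {
    std::vector<const char *> objects;                      // kernel objects
    std::map<int, std::map<unsigned, std::size_t>> cspace;  // per-PD: selector -> object

    unsigned install(int pd, std::size_t obj) {
        unsigned sel = static_cast<unsigned>(cspace[pd].size()) + 1;
        cspace[pd][sel] = obj;
        return sel;
    }
    // The creating protection domain (PD) receives a selector for the new object.
    unsigned create(int pd, const char *name) {
        objects.push_back(name);
        return install(pd, objects.size() - 1);
    }
    // Delegation is a kernel operation: it copies an entry the source PD
    // really holds into the destination PD. Returns 0 on failure.
    unsigned delegate(int src, unsigned sel, int dst) {
        auto it = cspace[src].find(sel);
        return it == cspace[src].end() ? 0 : install(dst, it->second);
    }
    // Protected model: a selector is only meaningful in the caller's own table.
    const char *invoke(int pd, unsigned sel) {
        auto it = cspace[pd].find(sel);
        return it == cspace[pd].end() ? nullptr : objects[it->second];
    }
    // Unprotected model: the capability is a plain global number.
    const char *invoke_plain(std::size_t id) {
        return id < objects.size() ? objects[id] : nullptr;
    }
};

// Constructed scenario: PD 1 owns a service, PD 2 was never given access.
bool guess_plain()     { Kernel k; k.create(1, "service"); return k.invoke_plain(0) != nullptr; }
bool guess_protected() { Kernel k; unsigned s = k.create(1, "service"); return k.invoke(2, s) != nullptr; }
bool after_delegate()  { Kernel k; unsigned s = k.create(1, "service");
                         unsigned d = k.delegate(1, s, 2); return d && k.invoke(2, d) != nullptr; }
bool bogus_delegate()  { Kernel k; k.create(1, "service"); return k.delegate(3, 1, 2) != 0; }

int main() {
    std::printf("plain guess: %d, protected guess: %d, delegated: %d, bogus delegate: %d\n",
                guess_plain(), guess_protected(), after_delegate(), bogus_delegate());
}
```

In the protected model the number a domain holds is only an index into its own kernel-managed table, so copying the number elsewhere conveys nothing; the table lives inside one kernel, which is why the protection ends at the machine boundary.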
