> Or somebody closes your socket. There are several ways in which this can happen, most of them undesirable.

Please tell me how a third party can close an anonymous socket connection between two processes (because if there really is a way to do that, it's a huge problem in a bunch of existing programs).

> You can, for instance, pass your socket to another process and it can (maliciously) close it

That won't have any effect; if you pass a socket to another process, it's a separate file descriptor in the other process. It can't close your file descriptor, and it can't close the socket since there remains an open descriptor.

> So you can't really pass your own sockets around, you need some protocol to obtain a new socket

Right; this is discussed in the blog post.

> Will this new socket be closed automatically if your parent closes the socket?

No. It's an independent connection. There's no way AFAIK to have two connections to the same socket where closing one will automatically close the other, even if you did want to do that, without kernel-level changes.

> The guarantee you have in an object capability system is that you can only communicate with a node if you have obtained its address (the capability to communicate) beforehand

This is also guaranteed by the file descriptor = handle model. If you don't have a file descriptor representing a channel to some particular service, you can't magically create one, not by guessing addresses or any other means.

> and this causes a lot of pain in the design of distributed algorithms

Hmm, usually distributed algorithms are used for distributed nodes - to which Bus1 doesn't apply; it's for local communication only (or did I miss something important)?
> More importantly, this is an error which can happen purely on the client side. You don't need to compromise the node itself, you just need to compromise some peer between the client you wish to attack and the node. This is a larger attack surface and potentially allows you to force a reconnect and other bad things.
I don't understand what you mean by this. There aren't any peers between the client and the node. The node (socket) is owned by some process and the client has a connection to that socket.
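As an added illustration of the point about passed descriptors (not code from the original thread or from Bus1), this C program hands a connected UNIX-domain socket to a child process over SCM_RIGHTS, lets the child close its copy, and then checks that the parent's own end still carries data. Function and variable names are my own.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Move one descriptor across a UNIX-domain socket with SCM_RIGHTS.
 * sending=1: send *fd over chan; sending=0: receive into *fd. */
static int pass_fd(int chan, int *fd, int sending) {
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (sending) {
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), fd, sizeof(int));
        return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(fd, CMSG_DATA(c), sizeof(int));
    return 0;
}

/* The parent passes conn[0] to a child; the child closes its copy and exits.
 * Returns 1 if the parent's connection still carries data, 0 if not, -1 on error. */
int passed_fd_close_is_independent(void) {
    int conn[2], chan[2], status, fd, ok;
    char out = 'x', in = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: the "malicious" peer */
        if (pass_fd(chan[1], &fd, 0) == 0) close(fd);
        _exit(0);
    }
    if (pass_fd(chan[0], &conn[0], 1) < 0) return -1;
    waitpid(pid, &status, 0);             /* the child's copy is now closed */
    ok = write(conn[0], &out, 1) == 1 && read(conn[1], &in, 1) == 1 && in == 'x';
    close(conn[0]); close(conn[1]); close(chan[0]); close(chan[1]);
    return ok;
}
```

The child's close() only drops its own reference; the socket stays open as long as the parent holds a descriptor to it.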