by Veserv
607 days ago
Revocation that demands a full memory sweep is problematic in high security use cases, but potentially workable. Which is my point about questions; there exists a potential solution but it remains to be seen how effective it would be in the circumstances. Personally, I think they should probably implement a two-level capability. The kernel presents a top-level capability during allocation requests which userspace can then derive from at will. Kernel revocation of the top-level capability would revoke any derived capability. The derivation relation can almost certainly be stored in the tag resulting in no additional space requirements per-capability. At worst you could add some additional hardware machinery to support efficiently managing and resolving the derivation relation. But again, potential solutions with some questions around usability.
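The two-level scheme sketched in the comment above, as an added toy model that is not the commenter's code and not any real capability ISA: the tag records which kernel-issued top-level allocation a capability derives from, so revoking that allocation invalidates every derived copy with one table update instead of a memory sweep. The `Kernel`, `Capability` and `derive` names are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    base: int
    length: int
    tag: int  # id of the top-level allocation this capability derives from


class Kernel:
    """Issues top-level capabilities and revokes them by allocation id."""

    def __init__(self):
        self._next_id = 1
        self._live = set()   # allocation ids whose capabilities are still valid
        self._memory = {}    # constructed backing store: address -> value

    def allocate(self, base, length):
        cap = Capability(base, length, self._next_id)
        self._live.add(cap.tag)
        self._next_id += 1
        return cap

    def revoke(self, cap):
        # One table update: every capability derived from cap now fails the
        # validity check, without scanning user memory for outstanding copies.
        self._live.discard(cap.tag)

    def is_valid(self, cap):
        return cap.tag in self._live

    def _check(self, cap, offset):
        if not self.is_valid(cap):
            raise PermissionError("capability revoked")
        if not 0 <= offset < cap.length:
            raise IndexError("access outside capability bounds")

    def load(self, cap, offset):
        self._check(cap, offset)
        return self._memory.get(cap.base + offset, 0)

    def store(self, cap, offset, value):
        self._check(cap, offset)
        self._memory[cap.base + offset] = value


def derive(cap, offset, length):
    """Userspace narrows a capability; the derivation link (tag) is inherited."""
    if offset < 0 or length < 0 or offset + length > cap.length:
        raise ValueError("derived capability must lie within its parent")
    return Capability(cap.base + offset, length, cap.tag)
```

Revoking the top-level capability leaves capabilities derived from other allocations untouched, since only the revoked tag is removed from the kernel's table.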