On Thu, Feb 12, 2015 at 2:27 AM, Norman Feske <norman.feske@genode-labs.com> wrote:
Under the hood, when passing a Genode capability as argument to an RPC call, all three seL4 endpoint capabilities will be transferred. When such a Genode capability is handed back to the component, the third received seL4 capability can be used to re-identify the context associated with the Genode capability because its badge was imprinted locally by the component.
Doesn't the fact that these three capabilities are not bound together in any way lead to problems? What if a malicious server juggled a few capabilities, replacing the third capability in a response with a different third capability from an earlier request, for example?
Norman
-- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com