On Thu, Dec 1, 2016 at 1:29 PM, Mark Reus <markreusva@gmail.com> wrote:

The user level resource managers can access both the kernel memory and other memory as well because they have capabilities to both. What exactly in the above quote causes the isolation of user level memory with kernel memory. I am of the notion that the kernel allocated objects are still accessible and can be modified to point to some other memory? Am I misunderstanding something?

The user level resource managers have access to the capabilities of kernel objects, but not their memory. As soon as you retype an untyped block of memory into, say, endpoint objects, you can't poke around in it. You'll get a memory protection fault.

To be precise: you can’t poke at it before the retype either. The only memory you can access is what is mapped into your address space, and only frame objects can be mapped into an address space.

If you think about it in object oriented terms, it's like you don't even get an API to screw this up. :-)

Caps are essentially opaque object references. All you can do is invoke type-specific methods (which map to system calls). A frame object you can’t directly touch either, but you can invoke a map method on it which creates a virtual-address mapping, after which you can touch the storage addressed by the VA.