Hi Tim,
> Doesn't the fact that these three capabilities are not bound together in any way lead to problems? What if a malicious server juggled a few capabilities, replacing the third capability in a response with a different third capability from an earlier request, for example?
That is indeed an important question. But I am confident that this is not a problem.

Please consider that the two supplemental capabilities are merely used by the receiver as a key to look up an existing Genode capability (triple of seL4 caps) at the receiver. The receiver will never use the endpoint capability (the first one of the triple) that came from the sender, but will keep using the looked-up (known-good) Genode capability.

In the worst case, the sender could replace the supplemental caps of a Genode capability A by the ones of another Genode capability B, and pass the forged version of capability A to the receiver. The lookup at the receiver would indeed wrongly find B. But what would be the benefit for the sender? It could have specified B instead of the forged version of A in the first place.

Cheers
Norman

--
Dr.-Ing. Norman Feske
Genode Labs

http://www.genode-labs.com · http://genode.org

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
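The lookup argument from the reply above, modelled as an added Python example (not Genode's or seL4's code): the receiver keys its table by the two supplemental caps only, never uses the sender-supplied endpoint cap, and a sender that juggles triples can only make the receiver select capabilities it already holds. The cap identifiers, the `Receiver` table and the `forge` helper are illustrative assumptions.

```python
# Model of receiver-side capability lookup (illustrative, not Genode code).
# A Genode capability on seL4 is a triple of seL4 caps: an endpoint cap plus
# two supplemental caps; the receiver uses only the supplemental pair as a key.
from typing import Dict, NamedTuple, Optional, Set, Tuple


class GenodeCap(NamedTuple):
    endpoint: str  # endpoint cap (assumed id); ignored by the receiver's lookup
    supp1: str     # first supplemental cap, lookup key only
    supp2: str     # second supplemental cap, lookup key only


class Receiver:
    """Holds known-good Genode caps, keyed by their supplemental caps."""

    def __init__(self) -> None:
        self._known: Dict[Tuple[str, str], GenodeCap] = {}

    def register(self, cap: GenodeCap) -> None:
        # Capability learned through an earlier, legitimate delegation.
        self._known[(cap.supp1, cap.supp2)] = cap

    def resolve(self, received: GenodeCap) -> Optional[GenodeCap]:
        # Only the supplemental caps are consulted; received.endpoint is never used,
        # so a tampered endpoint cannot reach the receiver's authority.
        return self._known.get((received.supp1, received.supp2))


def forge(a: GenodeCap, b: GenodeCap) -> GenodeCap:
    """The juggled triple from the question: A's endpoint with B's supplemental caps."""
    return GenodeCap(a.endpoint, b.supp1, b.supp2)


def resolvable_by_forgery(rx: Receiver, held: Set[GenodeCap]) -> Set[GenodeCap]:
    """All known-good caps a sender can select by juggling the caps it holds."""
    out: Set[GenodeCap] = set()
    for a in held:
        for b in held:
            r = rx.resolve(forge(a, b))
            if r is not None:
                out.add(r)
    return out


def resolvable_honestly(rx: Receiver, held: Set[GenodeCap]) -> Set[GenodeCap]:
    """All known-good caps the same sender selects by passing its caps unmodified."""
    out: Set[GenodeCap] = set()
    for c in held:
        r = rx.resolve(c)
        if r is not None:
            out.add(r)
    return out
```

Forgery and honest delegation yield the same set, which is the reply's point: juggling supplemental caps selects nothing the sender could not have named directly.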