Background:
Amoeba's server-side model of protection was applied to protecting
capabilities for communications links. Consider a system using a
similar model to protect capabilities for pages. The relevant system services
are:
- p = newpage()
- The newpage function returns a capability for a page with all access
rights turned on.
- r = restrict(p,m)
- The restrict function returns a restricted capability r for page p,
where the rights to r are the same as those for p, except in cases where
the corresponding bit of m is zero.
- s = map(p,a)
- Maps page p into the virtual address space of the caller at address a.
The rights associated with capability p will be enforced with each memory
reference to the mapped page. If successful, returns s=0. This fails if
the capability p is invalid, in which case it returns -1, or if a page is
already mapped to address a, in which case it returns -2.
- unmap(a)
- Any connection between virtual address a in the caller's address space
and any page is broken, allowing a to be mapped to other pages.
- invalidate(p)
- All capabilities for the page referenced by p are declared to be invalid.
This is only legal if the invalidate right is present in the capability p.
This service allows the kernel to reuse some physical page, creating new
capabilities for it in response to later calls to newpage.
Part A:
Suggest a reasonable representation for the capabilities used by this service,
and explain how the kernel verifies that a capability is valid and has
not been tampered with.
Part B:
Is this system vulnerable to memory leaks? Explain!