From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,bc1361a952ec75ca
X-Google-Attributes: gid103376,public
X-Google-ArrivalTime: 2001-09-09 00:46:47 PST
Path: 
 archiver1.google.com!newsfeed.google.com!newsfeed.stanford.edu!paloalto-snf1.gtei.net!chcgil2-snh1.gtei.net!chcgil2-snf1.gtei.net!news.gtei.net!news.binc.net!kilgallen
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Newsgroups: comp.lang.ada
Subject: Re: Progress on AdaOS
Date: 9 Sep 2001 02:46:45 -0500
Organization: LJK Software
Message-ID: <pR+ROou9eMey@eisner.encompasserve.org>
References: <mailman.999540904.22317.comp.lang.ada@ada.eu.org>
 <3b95d429.592218@news.cis.dfn.de> <3B9654AE.CD4382ED@san.rr.com>
 <3b9768b6.1671036@news.cis.dfn.de> <3B97A5C7.3ED71528@san.rr.com>
 <3b9876e0.334859@news.cis.dfn.de> <3B98EEA2.179DD2A1@san.rr.com>
 <3b99f79e.751695@news.cis.dfn.de> <3B9ACEB6.7F06DF1D@san.rr.com>
NNTP-Posting-Host: eisner.encompasserve.org
X-Trace: grandcanyon.binc.net 1000021607 32437 192.135.80.34 (9 Sep 2001
 07:46:47 GMT)
X-Complaints-To: abuse@binc.net
NNTP-Posting-Date: Sun, 9 Sep 2001 07:46:47 +0000 (UTC)
Xref: archiver1.google.com comp.lang.ada:12940
Date: 2001-09-09T02:46:45-05:00
List-Id: <comp.lang.ada>

In article <3B9ACEB6.7F06DF1D@san.rr.com>, Darren New <dnew@san.rr.com> writes:

>> I very like the idea, someone mentioned in a parallel thread, that the
>> access rights can be made dependant on the page the PC points to.

I thought the goal of the exercise was to run on existing hardware.

> If you're trapping to the kernel to change memory protection in order to
> do your call, I'm not sure what the efficiency benefits are between
> doing that in one "process" or in two, especially if the two processes
> can share memory to pass parameters and such.


Ignore efficiency and think about security.

Using inner mode guarantees that the caller cannot modify the parameters
after they have been vetted by the privileged code and before they
have been copied for use by the privileged code.  And regardless of
who is sharing what memory, the privileged code must have a private
copy before execution returns to the unprivileged caller.