On 8/19/2006 at 12:49 AM Alexey Toptygin wrote:
This is computationally expensive and complicated. Every time you have to
cross a privilege boundary you have to switch context, validate any data
going across and verify permissions. You also need an exact specification
of the interface for every such interface - if the system doesn't know
what your DLL is allowed to do, how can it stop it from doing what it
shouldn't? This is why this sort of pain is usually reserved for the
user-kernel interface.

I don't think so. There is a subset of all DLLs that can be classified as
"trusted"--they know to check arguments and the operation is well-defined.
One might classify these as "friendly" DLLs and omit any sort of checking.
For all others, the calling program can specify a tighter degree of control
at the expense of more overhead.

You're still relying on the application ("the calling program")
to do this properly. It's yet another place for bugs to creep in.
OTOH, if you can treat the features/facilities provided by
that DLL as a *service* and can encapsulate that service
within a protection domain, then the service can be robust
(at the added expense of yet another protection domain
to cross)
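An added illustration of the "service inside its own protection domain" approach discussed above (a constructed example, not code from anyone in this thread): the hypothetical plugin runs in a child process, and every call must pass the interface specification and argument validation before it crosses. INTERFACE, ServiceBoundary and the two plugin operations are assumptions made for the demo.

```python
import multiprocessing as mp

# The "exact specification of the interface": op name -> validator for the argument list.
INTERFACE = {
    "upper": lambda args: len(args) == 1 and isinstance(args[0], str),
    "add":   lambda args: len(args) == 2 and all(type(a) is int for a in args),
}

def _untrusted_plugin(conn):
    """Hypothetical plugin body in its own process: faults come back as messages."""
    impl = {"upper": lambda s: s.upper(), "add": lambda a, b: a + b}
    while (msg := conn.recv()) is not None:   # None = shutdown request
        op, args = msg
        try:
            conn.send(("ok", impl[op](*args)))
        except Exception as exc:              # contained inside the plugin's domain
            conn.send(("err", repr(exc)))

class ServiceBoundary:
    """Caller side of the crossing: permission check, validate, marshal, wait."""
    def __init__(self):
        ctx = mp.get_context("fork")          # child needs no re-import of this file
        self._conn, child = ctx.Pipe()
        self._proc = ctx.Process(target=_untrusted_plugin, args=(child,), daemon=True)
        self._proc.start()
    def call(self, op, *args):
        if op not in INTERFACE:               # is this operation allowed at all?
            raise PermissionError(f"operation not in interface: {op!r}")
        if not INTERFACE[op](list(args)):     # data validated before it crosses
            raise ValueError(f"arguments rejected for {op!r}: {args!r}")
        self._conn.send((op, list(args)))     # the context switch happens here
        status, payload = self._conn.recv()
        if status != "ok":
            raise RuntimeError(f"plugin fault contained: {payload}")
        return payload
    def close(self):
        self._conn.send(None)
        self._proc.join(timeout=5)

def demo():
    # Two legitimate crossings, then two calls stopped at the boundary.
    svc = ServiceBoundary()
    try:
        results = [svc.call("upper", "dll"), svc.call("add", 2, 3)]
        rejected = []
        for op, args in (("delete_all", ()), ("add", ("2", 3))):
            try:
                svc.call(op, *args)
            except (PermissionError, ValueError) as exc:
                rejected.append(type(exc).__name__)
        return results, rejected
    finally:
        svc.close()
```

Every crossing pays for a process switch plus the checks in `call`, which is the overhead the thread weighs against simply trusting an in-process DLL.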