next up previous
Next: Scheduling Up: Loading application-specific code Previous: Code and available operations


Running foreign code in the heart of the MCA introduces risks that range from the risk that the code steals or manipulates sensitive information, to the risk that a DLA uses up too much resource capacity. The former could be handled by careful shielding between the code and the rest of the Sandman while the latter can be dealt with by using an operating system such as Nemesis [#!Leslie:96a!#]. Another issue concerns the question of access restriction, i.e. which applications do we allow what sort of access to the MCA's functionality. The current implementation uses a capability-based access control scheme. In this document we will not address security issues any further.

Herbert Bos