Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!sri-spam!ames!oliveb!sun!gorodish!guy
From: guy@gorodish.UUCP
Newsgroups: comp.arch
Subject: Re: subroutine frequency
Message-ID: <12510@sun.uucp>
Date: Sun, 1-Feb-87 05:41:01 EST
Article-I.D.: sun.12510
Posted: Sun Feb 1 05:41:01 1987
Date-Received: Sun, 1-Feb-87 16:49:45 EST
References: <1881@homxc.UUCP> <898@moscom.UUCP> <476@mntgfx.MENTOR.COM> <1859@cwruecmp.UUCP>
Sender: news@sun.uucp
Reply-To: guy@sun.UUCP (Guy Harris)
Organization: Sun Microsystems, Mountain View
Lines: 21
Keywords: register stack frame variable

> I am just curious. Isn't it a security hole to use the method c)
> above? If the caller is a system routine and the callee is my program
> and I am supposed to save and restore registers that I intend to use,
> I can have some fun by not saving the registers in the first place and
> in addition destroying them.

In general, calls that leave one protection domain and enter another domain that lacks certain privileges that the original domain had are insecure unless some care is taken. The callee can have some fun simply by returning to a location other than the one it was supposed to return to. You have to prevent this from happening. If the caller passes some datum to the callee by reference, the callee must not be able to modify anything other than that datum.

Cross-domain calls of this sort would have to be treated differently, whether by the instruction-set processor, the compiler, the run-time support code, or some combination thereof - unless the overhead of treating such calls differently is minimal, and the system can afford to make all calls "secure" against the callee doing something unpleasant to protected objects in the caller's domain or to the caller itself.
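The three trust points the reply names (callee-saved registers, the return address, and the by-reference argument) as a constructed Python model of a call gate, added here and not part of the original post or any real machine; the register names, addresses, and the misbehaving callee are assumptions.

```python
# Toy model (constructed, not any real machine) of a call from a privileged domain
# into a less-privileged callee: registers, return address, by-reference argument.
CALLEE_SAVED = ("r4", "r5", "r6")   # assumed register names; only the convention matters

class DomainViolation(Exception):
    """Raised by the call gate when the callee breaks the calling contract."""

class Memory:
    """Caller-domain memory; when confined_to is set, only that cell may be stored."""
    def __init__(self, cells, confined_to=None):
        self.cells, self.confined_to = cells, confined_to

    def store(self, addr, value):
        if self.confined_to is not None and addr != self.confined_to:
            raise DomainViolation(f"store outside passed datum: {addr:#x}")
        self.cells[addr] = value

def trusting_call(regs, cells, callee, arg_addr, ret_addr):
    """Method c): hand the callee everything and believe whatever it does."""
    return callee(regs, Memory(cells), arg_addr, ret_addr)   # wherever it 'returns'

def gated_call(regs, cells, callee, arg_addr, ret_addr):
    """Cross-domain call treated differently: save, confine, verify the return."""
    saved = {r: regs[r] for r in CALLEE_SAVED}   # caller saves; trusts nobody
    try:
        jumped_to = callee(regs, Memory(cells, confined_to=arg_addr), arg_addr, ret_addr)
    finally:
        regs.update(saved)                        # restored whatever the callee did
    if jumped_to != ret_addr:
        raise DomainViolation(f"returned to {jumped_to:#x}, expected {ret_addr:#x}")
    return jumped_to

def misbehaving_callee(regs, mem, arg_addr, ret_addr):
    """Constructed callee doing the 'fun' things the quoted poster describes."""
    regs["r4"] = 0xDEAD              # clobbers a callee-saved register
    mem.store(arg_addr, 42)          # legitimate: the datum it was given
    mem.store(0x100, 0xBAD)          # illegitimate: a protected cell of the caller
    return 0x9999                    # and does not return to ret_addr

def run_demo(callee=misbehaving_callee):
    """Run one callee under both conventions; return what each left behind."""
    out = {}
    for name, call in (("trusting", trusting_call), ("gated", gated_call)):
        regs, cells = {"r4": 1, "r5": 2, "r6": 3}, {0x100: 0, 0x200: 0}
        try:
            result = call(regs, cells, callee, 0x200, 0x4000)
        except DomainViolation as e:
            result = str(e)
        out[name] = (regs, cells, result)
    return out
```

Under `trusting_call` the clobbered register, the stray store, and the bogus return address all survive into the caller's domain; under `gated_call` the registers come back intact, the stray store is refused, and a wrong return address is caught before control is handed back.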