[cap-talk] Confinement Confusion (was: Communicating conspirators)
David Wagner
daw at cs.berkeley.edu
Tue Jul 18 00:52:54 EDT 2006
Toby Murray writes:

>Thus, it looks to me that *-property and confinement are inherently
>tangled in the minds of many in the community. If anyone out there could
>give some history on this I'd certainly be interested to hear it.

Confinement is the goal. The *-property is one approach to try to
meet that goal. To put it another way, the *-property is a means to
an end; that end is confinement.

>1. We have Lampson confinement, which I believe can be achieved in an
>(object)-capability system by using the Factory pattern (of Norm Hardy).

I suspect you know that I think achieving bit-confinement (what you're
calling Lampson confinement) is pretty well hopeless at present -- at
least, outward bit confinement seems to be out of reach, for applications
with any non-trivial amount of authority. I won't drag you through that
debate yet another time.

>Of course that most recent Halevi, Karger, et al. paper also models
>confinement using "probabilistic non-interference". Given the huge
>number of different variations on non-interference, I feel this only
>further confuses things.

Hmm. I'm not sure I understand this criticism. Probabilistic
non-interference seems to be a reasonable formalism for analyzing covert
channels and bit-confinement. Are you saying that use of that formalism
is likely to spread confusion among readers who aren't familiar with
probabilistic non-interference? That seems plausible, but that's an
inherent problem with any formalism that isn't universally known.