[cap-talk] Confinement Confusion (was: Communicating conspirators)
Mark S. Miller
markm at cs.jhu.edu
Tue Jul 18 02:25:58 EDT 2006
David Wagner wrote:
> Confinement is the goal. The *-property is one approach to try to
> meet that goal. To put it another way, the *-property is a means to
> an end; that end is confinement.
I don't think this is right. Earlier I wrote
> Confinement is necessary but not sufficient for the *-properties. For example,
> a hypothetical caps-as-data system without covert channels, in which full
> isolation could be provided, would be able to do confinement but still not the
> *-properties.
Even if it's not practically achievable to prevent covert channels, it is not
logically inconsistent to imagine a system in which they have been prevented.
In such a system, I believe the above would hold. This shows that the
*-properties go beyond confinement -- they are a tougher challenge.
Btw, I do not mean to imply that the *-properties have much practical utility.
I doubt they do, and I sympathize with other expressions of such skepticism on
cap-talk. However, I think they are a wonderful challenge problem for
developing a taxonomy of what's logically possible within different
frameworks. Once a crisp difference has been so illuminated, we may find other
unnoticed implications of this difference, and some of these may have
practical implications.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
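To make the distinction in the message above concrete, here is a small Python model (added as an editorial illustration; it is not code from the cap-talk thread or from any of its participants). It assumes the "caps-as-data" reading of the argument: a subject's authority is exactly the set of capabilities it holds, with no dynamic security label tracked per subject. Confinement is modelled as "every capability the subject holds points inside its own compartment"; the *-property (no write-down) is modelled as "a subject that can read an object at one classification must not be able to write an object at a lower one". The compartment, object and subject names are constructed for the example. The subject `CONFINED` satisfies confinement yet violates the *-property, which is the "necessary but not sufficient" relationship the message asserts.

```python
"""Toy model contrasting confinement with the Bell-LaPadula *-property.

Constructed example; compartment, object and subject names are made up.
Assumption: authority is purely the set of held capabilities (caps-as-data),
so there is no per-subject 'current level' that a reference monitor could
consult. Confinement then constrains *where* a subject may reach, while the
*-property constrains *which direction* information may flow between levels.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Classification lattice used by the *-property check (higher number = more sensitive).
LEVELS: Dict[str, int] = {"unclassified": 0, "secret": 1}


@dataclass(frozen=True)
class Cap:
    """A capability: the right to perform `rights` on object `obj`."""
    obj: str
    rights: FrozenSet[str]  # subset of {"read", "write"}


@dataclass(frozen=True)
class Obj:
    """An object carries both a classification and a compartment (isolation domain)."""
    name: str
    level: str
    compartment: str


@dataclass(frozen=True)
class Subject:
    """A subject lives in a compartment and holds a list of capabilities."""
    name: str
    compartment: str
    caps: List[Cap]


def is_confined(subject: Subject, objects: Dict[str, Obj]) -> bool:
    """Confinement: every capability the subject holds stays inside its compartment.

    With full isolation and no covert channels, a subject that passes this check
    cannot move data to anything outside the compartment.
    """
    return all(objects[c.obj].compartment == subject.compartment for c in subject.caps)


def violates_star_property(subject: Subject, objects: Dict[str, Obj]) -> bool:
    """*-property (no write-down) as seen from the capability set alone.

    If the subject can read an object at level H and can also write an object
    at a level below H, nothing in a caps-as-data system stops it from copying
    the higher-level contents down, even when it is fully confined.
    """
    readable = [objects[c.obj] for c in subject.caps if "read" in c.rights]
    writable = [objects[c.obj] for c in subject.caps if "write" in c.rights]
    return any(LEVELS[w.level] < LEVELS[r.level] for r in readable for w in writable)


# Constructed world: a sandbox compartment containing a secret document and an
# unclassified scratch file, plus an unclassified object outside the sandbox.
OBJECTS: Dict[str, Obj] = {
    "secret_doc": Obj("secret_doc", "secret", "sandbox"),
    "scratch": Obj("scratch", "unclassified", "sandbox"),
    "public_net": Obj("public_net", "unclassified", "outside"),
}

# Confined subject: only reaches objects inside its own compartment, yet holds
# read-on-secret together with write-on-unclassified.
CONFINED = Subject("confined", "sandbox", [
    Cap("secret_doc", frozenset({"read"})),
    Cap("scratch", frozenset({"write"})),
])

# Leaky subject: holds a capability that reaches outside its compartment.
LEAKY = Subject("leaky", "sandbox", [
    Cap("secret_doc", frozenset({"read"})),
    Cap("public_net", frozenset({"write"})),
])

# Subject that reads and writes only at one level: confined and *-property-clean.
CLEAN = Subject("clean", "sandbox", [
    Cap("secret_doc", frozenset({"read", "write"})),
])


def report(subject: Subject, objects: Dict[str, Obj]) -> Dict[str, bool]:
    """Summarise both properties for one subject."""
    return {
        "confined": is_confined(subject, objects),
        "star_property_ok": not violates_star_property(subject, objects),
    }


if __name__ == "__main__":
    for s in (CONFINED, LEAKY, CLEAN):
        print(s.name, report(s, OBJECTS))
```

Running it shows `confined` reported as confined but failing the *-property check, `leaky` failing confinement, and `clean` passing both. The model deliberately omits any per-subject label: that omission is the point, since it is exactly what a capability system would have to add, on top of isolation, to enforce the *-property rather than merely confinement.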