Need for sensory capabilities
shapj@us.ibm.com
Mon, 21 Dec 1998 08:40:34 -0500
In the course of the various proof work, we looked at whether sensory
capabilities are required to have confinement. The answer, in short, is
"no". That is: it is possible to build confined subsystems without any
sort of sensory capability.
HOWEVER
In the absence of sensory capabilities, it is NOT possible to decide
endogenously whether a given subsystem is confined. That is: I have an
image of a program X that I intend to run, and I wish to know if any
capability reachable from this image now or in the future conveys write
authority. Sensory capabilities trivialize this test. In their absence,
the test requires global knowledge of the capability access graph. Note
that the global analysis, even if permitted, is not straightforward, as it
must take into account trusted objects that have access to everything (e.g.
space bank).
Pragmatically, then, sense keys are required.
There may, however, be other possible solutions that achieve the same
effect.
Jonathan
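The confinement test described in the post, as an added toy model that is not EROS code or the author's own: a constructed capability graph and a reachability walk over it, with a switch that models whether read-only capabilities are sensory. The holder names, and the rule that a non-sensory read-only capability hands back full-strength capabilities stored in its target, are assumptions of the model.

```python
from collections import deque

# Constructed capability graph (hypothetical names, not EROS objects). Each
# holder maps to the capabilities stored in it as (target, kind), where "rw"
# conveys write authority and "ro" is a read-only capability. Whether "ro"
# behaves as a *sensory* capability is a parameter of the test below.
GRAPH = {
    "X":       [("log", "ro"), ("lib", "rw")],
    "lib":     [("config", "ro"), ("scratch", "rw")],
    "log":     [("disk", "rw")],
    "config":  [("bank", "rw")],   # e.g. a trusted object that reaches everything
    "scratch": [], "disk": [], "bank": [],
}

def write_reachable(graph, root, sensory=True):
    """Objects to which `root` can obtain write authority, now or later.

    With sensory=True, a read-only capability is a sense key: everything
    fetched through it is weakened to sense, so it can never yield write
    authority and the walk prunes there (the test is local to the image).
    With sensory=False (modelling assumption), a read-only capability still
    hands back the full-strength capabilities stored in its target, so the
    walk must follow every capability and the answer depends on the whole
    access graph, including trusted objects that reach everything."""
    writable, visited, queue = set(), {root}, deque([root])
    while queue:
        holder = queue.popleft()
        for target, kind in graph.get(holder, []):
            if kind == "rw":
                writable.add(target)
            elif sensory:
                continue              # sense key: subtree cannot convey write
            if target not in visited:
                visited.add(target)
                queue.append(target)
    return writable

def is_confined(graph, root, authorized=frozenset(), sensory=True):
    """Confinement: every reachable write capability must be one the
    holder was explicitly authorized to have (the permitted 'holes')."""
    return write_reachable(graph, root, sensory) <= set(authorized)

if __name__ == "__main__":
    print(sorted(write_reachable(GRAPH, "X")))                 # ['lib', 'scratch']
    print(sorted(write_reachable(GRAPH, "X", sensory=False)))  # ['bank', 'disk', 'lib', 'scratch']
    print(is_confined(GRAPH, "X", {"lib", "scratch"}))         # True
    print(is_confined(GRAPH, "X", {"lib", "scratch"}, sensory=False))  # False
```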