Capability Security Without Confinement (was: Thoughts on droplets)

shapj@us.ibm.com
Mon, 1 Nov 1999 20:57:39 -0500


> ...here are some further examples of programs or protocols that
> need security but don't need confinement

All of these applications need encapsulation.  None of them need
sandboxing.  Encapsulation is the other, often forgotten, guarantee
provided by confinement.

E, for example, is careful to ensure that if a particular VAT is
compromised, only the content owned by that VAT is compromised. In the
presence of viruses, and in the absence of operating systems that can be
relied on to securely encapsulate the VAT (i.e. protect it from outside
inspection), I submit that we must assume that ALL VATs are compromised.

Offhand, I do not see how a VAT offers no marginal benefit where viruses
are concerned over a web browser running SSL (assuming the SSL installation
has been done correctly -- I'm aware that's a problem).  Does it?

Even if it doesn't, VATs remain useful.  They move us to a position where
in practice most machines are not compromised and in the limit all we are
left needing to finish the picture is a secure OS and bootstrap mechanism.

Jonathan S. Shapiro, Ph.D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595