A note on rationale
Tue, 2 Nov 1999 09:45:12 -0800 (PST)
On Tue, 2 Nov 1999 email@example.com wrote:
> Assume that the user is not competent to judge the safety of the tools they
> use, and that indeed some of those tools are in some way compromised. This
> is the necessary presumption if we are to run commercial off-the-shelf
> software. How can we grant those tools the capabilities they need to have
> in order to operate without having the capabilities leak, and without
> demanding that the users exercise a greater degree of paranoia than their
> degree of knowledge can sustain?
I'm confused. I thought that confinement was devised specifically
to address this problem. You give the untrusted, possibly-compromised
application just the few capabilities it needs to do the job you want,
and run it inside a confined, protected box so those capabilities
cannot get out and so that the application cannot manipulate those
capabilities under the instruction of an external commander.