A note on rationale
Ka-Ping Yee
ping@lfw.org
Tue, 2 Nov 1999 09:45:12 -0800 (PST)
On Tue, 2 Nov 1999 shapj@us.ibm.com wrote:
>
> Assume that the user is not competent to judge the safety of the tools they
> use, and that indeed some of those tools are in some way compromised. This
> is the necessary presumption if we are to run commercial off-the-shelf
> software. How can we grant those tools the capabilities they need to have
> in order to operate without having the capabilities leak, and without
> demanding that the users exercise a greater degree of paranoia than their
> degree of knowledge can sustain?
I'm confused. I thought that confinement was devised specifically
to address this problem. You give the untrusted, possibly-compromised
application just the few capabilities it needs to do the job you want,
and run it inside a confined, protected box so those capabilities
cannot get out and so that the application cannot manipulate those
capabilities under the instruction of an external commander.
Uh... right?
-- ?!ng