A note on rationale

Ka-Ping Yee ping@lfw.org
Tue, 2 Nov 1999 09:45:12 -0800 (PST)


On Tue, 2 Nov 1999 shapj@us.ibm.com wrote:
> 
> Assume that the user is not competent to judge the safety of the tools they
> use, and that indeed some of those tools are in some way compromised.  This
> is the necessary presumption if we are to run commercial off-the-shelf
> software. How can we grant those tools the capabilities they need to have
> in order to operate without having the capabilities leak, and without
> demanding that the users exercise a greater degree of paranoia than their
> degree of knowledge can sustain?

I'm confused.  I thought that confinement was devised specifically
to address this problem.  You give the untrusted, possibly-compromised
application just the few capabilities it needs to do the job you want,
and run it inside a confined, protected box so those capabilities
cannot get out and so that the application cannot manipulate those
capabilities under the instruction of an external commander.

Uh... right?



-- ?!ng