> ...here are some further examples of programs or protocols that
> need security but don't need confinement
All of these applications need encapsulation. None of them need sandboxing. Encapsulation is the other, often forgotten, guarantee provided by confinement.
E, for example, is careful to ensure that if a particular VAT is compromised, only the content owned by that VAT is compromised. In the presence of viruses, and in the absence of operating systems that can be relied on to securely encapsulate the VAT (i.e. protect it from outside inspection), I submit that we must assume that ALL VATs are compromised.
Offhand, I do not see how a VAT offers no marginal benefit where viruses are concerned over a web browser running SSL (assuming the SSL installation has been done correctly -- I'm aware that's a problem). Does it?
Even if it doesn't, VATs remain useful. They move us to a position where in practice most machines are not compromised and in the limit all we are left needing to finish the picture is a secure OS and bootstrap mechanism.
Jonathan S. Shapiro, Ph.D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595