Re: A note on rationale
Ka-Ping Yee (ping@lfw.org)
Tue, 2 Nov 1999 09:45:12 -0800 (PST)

On Tue, 2 Nov 1999 shapj@us.ibm.com wrote:
>
> Assume that the user is not competent to judge the safety of the tools they
> use, and that indeed some of those tools are in some way compromised. This
> is the necessary presumption if we are to run commercial off-the-shelf
> software. How can we grant those tools the capabilities they need to have
> in order to operate without having the capabilities leak, and without
> demanding that the users exercise a greater degree of paranoia than their
> degree of knowledge can sustain?

I'm confused. I thought that confinement was devised specifically to address this problem. You give the untrusted, possibly-compromised application just the few capabilities it needs to do the job you want, and run it inside a confined, protected box so those capabilities cannot get out and so that the application cannot manipulate those capabilities under the instruction of an external commander.

Uh... right?
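An added illustration of the pattern Ping describes, written for this page and not code from the original thread, from EROS or from E: the user holds the full-authority object, hands the untrusted application only an attenuated (read-only) facet, and routes it through a revocable caretaker so that a capability the application stashes away or hands to an outside party can be cut off. All class and function names here (Document, ReadOnlyFacet, Caretaker, untrusted_app, run_scenario) and the sample text are assumptions made for the example.

```python
"""Object-capability confinement sketch: attenuation plus revocation.

Added example, not EROS/E code. A 'user' holds a Document with full
authority and gives an untrusted app only a read-only, revocable facet.
"""


class RevokedError(PermissionError):
    """Raised when a capability has been revoked by its caretaker."""


class Document:
    """Full-authority object: can read and write (constructed sample)."""

    def __init__(self, text: str) -> None:
        self._text = text

    def read(self) -> str:
        return self._text

    def write(self, text: str) -> None:
        self._text = text


class ReadOnlyFacet:
    """Attenuation: exposes read() only; there is no path back to write()."""

    def __init__(self, target: Document) -> None:
        self._target = target

    def read(self) -> str:
        return self._target.read()


class Caretaker:
    """Revocable forwarder: whoever keeps the caretaker can cut the app off."""

    def __init__(self, target: object) -> None:
        self._target = target

    def revoke(self) -> None:
        self._target = None

    def __getattr__(self, name: str):
        # Only reached for names not defined on the caretaker itself,
        # so every method call on the facet passes through this check.
        if self._target is None:
            raise RevokedError("capability revoked")
        return getattr(self._target, name)


def untrusted_app(doc_cap: Caretaker, stash: list) -> dict:
    """Simulated off-the-shelf app: does its job and also misbehaves.

    It reads (the job it was given), tries to write (authority it was
    never given) and keeps the capability around for later use, as a
    compromised app acting for an external commander would.
    """
    result = {"read": doc_cap.read()}
    try:
        doc_cap.write("tampered")          # no write() on the facet
        result["write"] = "allowed"
    except (AttributeError, RevokedError):
        result["write"] = "denied"
    stash.append(doc_cap)                  # attempt to retain the capability
    return result


def run_scenario() -> dict:
    """Run the confinement scenario and report what the app could do."""
    doc = Document("quarterly numbers")    # constructed sample content
    cap = Caretaker(ReadOnlyFacet(doc))    # least privilege, revocable
    stash: list = []
    first = untrusted_app(cap, stash)
    cap.revoke()                           # user withdraws the grant
    try:
        stash[0].read()                    # the retained copy is now dead
        later = "leaked"
    except RevokedError:
        later = "revoked"
    return {
        "read": first["read"],
        "write": first["write"],
        "after_revoke": later,
        "doc_intact": doc.read() == "quarterly numbers",
    }


if __name__ == "__main__":
    print(run_scenario())
```

The example shows the two halves of the pattern, attenuation and revocation, but not the box itself: in plain Python the app can still reach ambient authority (open(), import os) and can reflect through cap._target to recover the Document, which is exactly why confinement needs a platform that withholds ambient authority and hides object internals rather than a library pattern alone.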