"A Note on the Confinement Problem"
Butler Lampson, CACM 16(10):613-615, 1973

Context: written about 1-2 years into developing the Alto, which had no virtual memory (VM) and a single-user, "single-process" OS that ran programs written in a typeless language (BCPL).

The confinement problem: a program (the customer) invokes another, untrustworthy program (the service) which runs in the caller's space; how can we prevent the invoked program from leaking the caller's data to the service's owner?

Possible ways to leak:
1. keep data in memory for later retrieval,
2. write it to a file readable by the service's owner,
3. send a message to another process via IPC,
4. encode it in something the owner legitimately receives (e.g., the copy of the service bill),
5. use file locks to signal bits,
6. modulate load that is observable from outside (e.g., the ratio of computing to I/O),
etc.

How to confine:
1. No persistent memory for programs: a confined program may not keep state from one call to the next.
2. Transitivity: assuming a trusted supervisor, any call made by a confined program must be made to another confined program.

Three categories of channels:
1. storage channels --> straightforward to close (e.g., copy-on-write),
2. legitimate channels (e.g., the bill, IPC), and
3. covert channels (e.g., load, file locks)
--> 2 and 3 are handled by masking: the caller of a confined program must be able to determine all of the confinee's inputs into legitimate and covert channels, and the supervisor must enforce that the confinee's inputs conform to its caller's specification (this enforcement may come at high cost).

Discussion points:
a. What exactly did Lampson envision when he wrote about masking?
b. Which (if any) of these problems are eliminated by VM? For example, the memory restriction goes away, but shared memory still cannot be allowed.
c. What is the relevance of these lessons to today's software, such as JVMs?

Related tidbit: VMware is teaming up with the NSA to enable the government to safely use COTS software for sensitive/classified work.
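The file-lock channel listed under "Possible ways to leak", and the masking remedy from the channel discussion, as an added illustration in Python (this is my code, not Lampson's and not part of the original notes). The confined program ("confinee") sends one bit per time slot by holding or not holding an exclusive flock on a scratch file; its owner's process probes the same file with a non-blocking lock, and the lock state alone carries the secret. Time slots are simulated by a sequential loop instead of a shared wall clock, and the function names, file names and the "supervisor gives the confinee a private lock file" mask are assumptions made for the demo.

```python
import fcntl
import os
import tempfile


def to_bits(data: bytes) -> list:
    """MSB-first bit list for a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    """Inverse of to_bits; a trailing partial byte is ignored."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def run_lock_channel(secret: bytes, confinee_path: str, owner_path: str) -> bytes:
    """One time slot per bit (the loop stands in for a wall-clock slot both sides
    agree on).  The confinee holds an exclusive flock on confinee_path during a
    slot to send a 1 and leaves it free for a 0.  The owner's process probes
    owner_path with a non-blocking lock: EWOULDBLOCK means 1, success means 0.
    Nothing but the lock state is shared between the two sides."""
    received = []
    # Two separate open() calls give two open file descriptions, so flock()
    # treats them as independent lockers even inside one process (Unix only).
    with open(confinee_path, "w") as confinee, open(owner_path, "w") as owner:
        for bit in to_bits(secret):
            if bit:  # confinee: occupy the lock for this slot
                fcntl.flock(confinee, fcntl.LOCK_EX | fcntl.LOCK_NB)
            try:  # owner: probe without blocking
                fcntl.flock(owner, fcntl.LOCK_EX | fcntl.LOCK_NB)
            except BlockingIOError:
                received.append(1)  # lock was held -> confinee sent 1
            else:
                received.append(0)  # lock was free -> confinee sent 0
                fcntl.flock(owner, fcntl.LOCK_UN)
            if bit:  # end of slot: confinee releases
                fcntl.flock(confinee, fcntl.LOCK_UN)
    return from_bits(received)


def demo(secret: bytes = b"secret") -> tuple:
    """Returns (bytes leaked over a shared lock file, bytes the owner sees once
    the supervisor masks the channel by redirecting the confinee's lock
    operations to a private file the owner cannot observe)."""
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "scratch.lock")         # assumed shared resource
        private = os.path.join(d, "confinee-only.lock")  # assumed supervisor mask
        leaked = run_lock_channel(secret, shared, shared)
        masked = run_lock_channel(secret, private, shared)
        return leaked, masked


if __name__ == "__main__":
    leaked, masked = demo()
    print("unmasked:", leaked)  # b'secret'
    print("masked:  ", masked)  # b'\x00\x00\x00\x00\x00\x00'
```

The unmasked run recovers the secret bit for bit even though the confinee never writes a byte the owner can read; the masked run shows Lampson's remedy in its cheapest form, the supervisor fixing the confinee's input into the channel (here: none at all) so the owner's probes are independent of the secret. A real channel would add slot timing and error correction, and a real mask for load-based channels is far more expensive than a private lock file, which is the "high cost" the notes refer to.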