How Much Confinement Do We Want?

NOTE: I am absolutely sure this is incredibly incomplete and/or wrong. This is not up to date!

Introduction

There has been a lot of traffic on the l4-hurd list lately. A good part of it relates to the question this entry is about: how much confinement do we want? The idea of not implementing full confinement was (accidentally?) raised by marcus, who had planned to raise it at some point, but not yet.

Terminology

In this section I try to sketch some terminology that came up during the discussion.

Creator

The creator is the party that creates the confined (constructor) object. [2]

Instantiator

The instantiator is the party that uses the confined (constructor) object. [2]

Encapsulation

Encapsulation means that information (including authority) cannot be extracted from a program without its consent. This is a restriction on "read in" behavior. [3]

Confinement

Confinement means that a program cannot communicate outward through unauthorized channels. This is a restriction on "write out" behavior. [3]

non-trivial confinement

Marcus: ``[non-trivial confinement] is the confined constructor design pattern.'' [1]

We speak about non-trivial confinement when creator != instantiator. [2]

trivial confinement

Marcus: ``[trivial confinement] is what the Hurd will do'' [1]

We speak about trivial confinement when creator == instantiator. [2]

principle of user freedom/autonomy

The principle of user freedom and autonomy means the right to use, inspect, alter and copy all resources attributed to or owned by the user. [4]
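To make the four relationships above concrete (creator vs. instantiator, encapsulation as a "read in" restriction, confinement as a "write out" restriction, and trivial vs. non-trivial confinement), here is a toy capability model. This is an added illustration for this page, not Hurd or L4 code; the class and function names, and the decision to model an "unauthorized channel" as a writable capability that the instantiator did not itself hand over, are assumptions made for the example.

```python
"""Toy capability model of the confinement terminology.

Added illustration, not Hurd/L4 code.  Assumptions made for the example:
a "capability" is a named handle with a writable flag, and an "unauthorized
channel" is a writable capability the instantiator did not supply itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """Opaque handle to some object; a writable one is a potential 'write out' channel."""
    name: str
    writable: bool


@dataclass(frozen=True)
class Process:
    creator: str              # who supplied the program (via the constructor)
    instantiator: str         # who asked the constructor to start it
    program: str              # the code; only its creator may inspect or alter it
    creator_caps: tuple       # capabilities the creator built into the constructor
    instantiator_caps: tuple  # capabilities the instantiator handed over

    @property
    def caps(self):
        """Everything the running process holds, from both parties."""
        return self.creator_caps + self.instantiator_caps


@dataclass(frozen=True)
class Constructor:
    creator: str
    program: str
    creator_caps: tuple = ()

    def instantiate(self, instantiator, instantiator_caps=()):
        """Start a process.  The instantiator gets a running program but never
        sees `program` or `creator_caps`; those travel with the constructor."""
        return Process(self.creator, instantiator, self.program,
                       tuple(self.creator_caps), tuple(instantiator_caps))


def is_trivial(p):
    """Trivial confinement: creator == instantiator.  Otherwise non-trivial."""
    return p.creator == p.instantiator


def is_encapsulated_from(p, user):
    """Encapsulation ('read in'): nobody but the creator can extract the program
    or its built-in authority.  Under trivial confinement the instantiator IS
    the creator, so nothing is hidden from it."""
    return user != p.creator


def unauthorized_channels(p):
    """Confinement ('write out'): list the channels the instantiator did not authorize.

    Whatever the instantiator supplied is authorized by construction, and so is
    everything the creator supplied if creator == instantiator.  What is left is
    any writable capability the creator baked in behind the instantiator's back."""
    if is_trivial(p):
        return []
    return [c for c in p.creator_caps if c.writable]


def is_confined(p):
    """A process is confined when it holds no unauthorized outward channel."""
    return not unauthorized_channels(p)


def instantiator_can_inspect(p):
    """User freedom: can the party running the program inspect/alter it?
    True exactly in the trivial case, which is the tension the page discusses."""
    return not is_encapsulated_from(p, p.instantiator)


if __name__ == "__main__":
    # Constructed scenario: alice ships a constructor with a hidden writable log.
    ctor = Constructor("alice", "alice-program",
                       (Capability("alice-log", writable=True),
                        Capability("libc", writable=False)))
    p = ctor.instantiate("bob", (Capability("bob-file", writable=True),))
    print("non-trivial:", not is_trivial(p),
          "| encapsulated from bob:", is_encapsulated_from(p, "bob"),
          "| leaks via:", [c.name for c in unauthorized_channels(p)])
```

Running the demo shows the non-trivial case the "Cons" lists hint at: bob runs alice's program, cannot inspect it (encapsulation holds against bob), and the process is not confined because `alice-log` is a writable channel bob never authorized. Replace the creator's writable capability with a read-only one and `is_confined` becomes true while bob still cannot inspect the program; make bob both creator and instantiator and the process is trivially confined and fully inspectable by him.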

freedom of digital information

TBD

The Positions

Here I try to sketch the different positions.

Use and Implement Only Trivial Confinement by Default

Pros

  • Follows the principle of user freedom
  • add more here

Cons

  • Use cases for non-trivial confinement may exist that we cannot yet think of.
  • add more here

Implement Full Confinement and Utilize It

Pros

  • There are many years of experience with confinement.
  • add more here

Cons

  • It does not follow the principle of user freedom.
  • add more here

Preliminary Summary Statements

A Try to Push the Discussion into a Constructive Direction

Marcus started a challenge [5] to find a use case for non-trivial confinement that is interesting for the Hurd and cannot be implemented otherwise. The exact challenge definition can be found in the mail.


-- TomBachmann - 01 May 2006