l4-hurd

Re: Challenge: Find potential use cases for non-trivial confinement


From: Marcus Brinkmann
Subject: Re: Challenge: Find potential use cases for non-trivial confinement
Date: Mon, 01 May 2006 05:43:59 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Sun, 30 Apr 2006 23:13:49 -0400,
"Jonathan S. Shapiro" <address@hidden> wrote:
> 1. I create a new constructor, so I am the creator. I put stuff into the
> constructor. I instantiate programs. So far this is all just "trivial
> confinement" as you call it.

In my current system design, there is no constructor.  There is also
no meta-constructor, and the space bank will happily let you inspect
and alter the content of any memory that is taken from your reserve
(well, the last point may or may not be true, but for the purposes of
analysis, we can assume it to be true).

> 2. In general, if I hold the ability to invoke an arbitrary process P,
> and I also hold the ability to communicate with you, then I can send you
> a capability that allows you to invoke process P. 
> 
> 3. The constructor is merely a process, so I can hand you a capability
> to the constructor.
> 
> 4. You can now invoke the constructor, which is non-trivial confinement.

You can run your own meta-constructor, constructor and space bank, and
have users negotiate on them and use them for their own purpose.

If this is sufficient for you, then you have just disproved your claim
that the system can not be retrofitted to support this.

However, we discussed this before (in real life) and you were clear
about it that this was not sufficient for you.  Maybe we misunderstood
each other.

> I do not see how to prevent this without disabling IPC altogether. What
> am I missing here?

I have never made any attempt to prevent it.  Are you still chasing
the "banning" stuff?

Thanks,
Marcus




