This note explores the problem of confining a program during its execution to prevent it from transmitting information to any other program except its caller. The author, Butler W. Lampson, from Xerox Palo Alto Research Center, discusses various methods and examples to illustrate the boundaries of the problem and proposes necessary conditions for a solution. Key points include:
1. **Introduction**: The focus is on preventing unauthorized access or modification of data and ensuring smooth control transfers and error handling. The main concern is data leakage, which can occur through various means such as memory usage, file operations, interprocess communication, and system performance.
2. **The Problem**: The goal is to confine an arbitrary program so that it cannot leak data. The note identifies several potential paths for data leakage, including memory usage, file operations, interprocess communication, and system performance.
3. **Confinement Rules**:
- **Total Isolation**: A confined program should not make any calls to other programs.
- **Transitivity**: If a confined program calls an unconfined program, the called program must also be confined.
- **Masking**: A confined program must allow its caller to determine all inputs into legitimate and covert channels.
- **Enforcement**: The supervisor must ensure that a confined program's input to covert channels conforms to the caller's specifications.
4. **Summary**: The note proposes a classification of methods for blocking data leakage and suggests simple principles that can be implemented to enforce these rules. The author acknowledges the contributions of A.G. Fraser of Bell Laboratories to examples 5 and 6.
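A toy model of the four rules above, added here as an illustration and not taken from Lampson's note. The `Supervisor`, `Spec` and `Program` classes, the accounting that charges CPU time in proportion to output length, and the `leaky_body` program are all constructed for this example; the point it shows is that once the caller's specification fixes every observable, the result the caller's environment sees no longer depends on the confined program's input.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

@dataclass
class Spec:
    """Caller's specification of the covert-channel inputs (Masking rule)."""
    cpu_quantum: int    # CPU time the caller allows to be charged per call
    output_length: int  # fixed length of any result handed back to the caller

@dataclass
class Program:
    name: str
    body: Callable[[bytes], bytes]
    confined: bool = False

class Supervisor:
    """Mediates every call; the caller's spec, not the callee, decides what is observable."""
    def __init__(self) -> None:
        self.programs: Dict[str, Program] = {}
        self.cpu_charged: Dict[str, int] = {}  # the single "performance" observable modelled here

    def register(self, prog: Program) -> None:
        self.programs[prog.name] = prog

    def call(self, caller: Program, callee_name: str, data: bytes, spec: Spec) -> bytes:
        callee = self.programs[callee_name]
        if caller.confined:
            callee.confined = True            # Transitivity: a confined caller confines its callee
        raw = callee.body(data)
        cpu_used = len(raw)                   # constructed cost model: work proportional to output
        if not callee.confined:
            self.cpu_charged[callee.name] = cpu_used   # unconfined: the real values are visible
            return raw
        # Enforcement: each observable takes the value fixed by the caller's spec. A real
        # supervisor would pre-empt the program at the quantum; here only the accounting is modelled.
        self.cpu_charged[callee.name] = spec.cpu_quantum
        return raw[:spec.output_length].ljust(spec.output_length, b"\0")

def leaky_body(secret: bytes) -> bytes:
    """Constructed program that tries to encode its input in output size and CPU cost."""
    return b"x" * (10 if secret == b"A" else 20)

def observe(secret: bytes, confined: bool) -> Tuple[int, int]:
    """What the caller's environment can see after one call: (output length, CPU charged)."""
    sup = Supervisor()
    caller = Program("caller", lambda d: d, confined=confined)
    sup.register(Program("service", leaky_body))
    out = sup.call(caller, "service", secret, Spec(cpu_quantum=32, output_length=16))
    return (len(out), sup.cpu_charged["service"])

if __name__ == "__main__":
    print("unconfined:", observe(b"A", False), observe(b"B", False))  # differ: the bit leaks
    print("confined:  ", observe(b"A", True), observe(b"B", True))    # identical: channel masked
```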
The note concludes with a discussion of the feasibility of implementing these principles and the potential costs involved.