One way to limit the effect of an untrusted program is confinement: controlling what processes have access to the untrusted program and what access the program has to other processes and data. Explain how confinement would apply to the earlier example of the program that computes the sum of the integers 1 to 10.

What will be an ideal response?

---

Assuming the only activity of the program is computing the sum from1 to 10, confinement would achieve two things. First, the confining program would act as a filter between the callers and the untrusted program. A calling program would call the confining process, requesting to call the summation program. The calling program would have no direct access to the summation program. Second, the confining program would check the result of the summation program. In this simple situation, the confining process could check that the answer was exactly 55 (the sum from 1 to 10). In a more realistic situation, the confining process could check the computation for reasonableness: considering the magnitude of the input values, values of other system variables, the name or owner of the calling program, and so on, is the result reasonable? Are the requests for access to auxiliary system resources by the untrusted program reasonable?

Confining programs such as described here do exist. They are generally called wrappers because they wrap the untrusted code in a trustworthy filter.