Restricting Code

Code written in a turing complete language and run on a proper execution platform can do anything. What are the core restrictions code should or could have? First, code should follow the users intentions, i.e. do what the user wants. Next, code should do what the programmer wants - but his can be the same as the user, an error or even a malicous attempt. And last, the code is restricted by the services and resources it can access. In many systems the last point is equal to the rights the user has (via Access Control Lists) and allows the code to access everything the user has access too.

Capability systems try to restrict the code by giving it only access to those resources which are absolutely needed to fulfill the users intentions. This does not prevent accidents but restricts malicious programs as much as possible.Unfortunately it requires different programming styles and runtime platforms as we will see.

But even with ACLs in place one can do better than just let malicious code access all the users objects. The solution is to put the code together with special rules and objects into a box which it cannot leave. The last fact designates this approach - the sandbox - as one kind of mandatory access control: the code cannot bypass the rules, no matter how powerful the users rights are.