ABSTRACT
The confinement problem, as identified by Lampson, is the problem of assuring that a borrowed program does not steal for its author information that it processes for a borrower. An approach to proving that an operating system enforces confinement, by preventing borrowed programs from writing information in storage in violation of a formally stated security policy, is presented. The confinement problem presented by the possibility that a borrowed program will modulate its resource usage to transmit information to its author is also considered. This problem manifests itself through covert channels associated with the perception of time by the program and its author; a scheme for closing such channels is suggested. The practical implications of the scheme are discussed.
CITED BY 17
Peter G. Neumann, Richard J. Feiertag, Karl N. Levitt, Lawrence Robinson. Software development and proofs of multi-level security. Proceedings of the 2nd International Conference on Software Engineering, pp. 421-428, October 13-15, 1976, San Francisco, California, United States.