Mallet and Bob are not supposed to be able to communicate. However,
both Bob and Mallet wish Mallet to have the power. The Confinement
Problem is ensuring that Bob and Mallet are indeed separated despite
their joint efforts to communicate.
Alice is safe if Alice knows Bob is in a sealed box. Software confinement
requires primitives for constructing a virtual sealed box. Confinement
is not all or nothing. Capability systems at least distinguish these four
types of leakage across the box's boundary. Whether this breakdown is natural
for confinement in non-capability systems remains to be seen. Password
capability systems can't separate the leakage of authority from the leakage
of info. Other capability systems can.
