An apartment is an area within a computer system where untrusted tenant code can run. Some agency already present in the system, the apartment creator, must first have created the apartment and imported the tenant's code into it as data. Here I talk about how apartments might solve some problems with personal computers. Here I consider some ramifications of these ideas for software architecture.
The machine operator may choose to create an apartment because of:
An orthogonal issue is the safety and privacy of the tenant. The tenant code, or what it does, may be proprietary. Some agent outside the machine, such as the owner of the tenant code, may want the apartment veiled or defended. This requires the attention of the apartment creator, which the tenant must then trust. Some degree of defense of the apartment is already required to serve the interests of the apartment creator itself. Defending the tenant will in turn require some degree of tamper resistance whenever the tenant does not entirely trust the machine operator. Apple provides the bundle as a weak form of protection against the user. We postpone further consideration of tenant interests for now.
The pressing issue for the apartment design is which capabilities the tenant code should have access to. Several requirements must be juggled here:
The creator of these apartments is in a strategic position to grant these initial capabilities so as to provide a kind of security for the system that conventional systems do not offer. The apartment creator can build apartments with the following kinds of attributes, subject to the combined restrictions imposed by the system operator and by the tenant.
It seems wise to give a tenant no access to local facilities that it does not need. Besides limiting what a misbehaving tenant can do, this lets the operator delete a local facility in more situations, because it is then evident that no critical application relies on it.
Within your apartment you can establish sub-apartments suited to applications of your choice. The logic of the sub-apartment protects you from some of the application's misbehavior, while the larger private apartment protects the employer's agents even from your blunders in empowering the applications you chose.
Alternatively you might buy the hardware with a security kernel that lets you create apartments for work purposes yourself. If you are a consultant you might create an apartment for each client that wants its own secure presence in your computer. This would help you keep the proprietary information of different clients separate. These apartments would be like those designed for DRM, except that they might include the ability to establish sub-apartments for software vendors.
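The nesting described in the last two paragraphs has one invariant that makes it safe: a sub-apartment can only attenuate, never amplify, the capabilities of the apartment that created it, so the creator's grant bounds everything below it. The toy model that follows is an added illustration and not code from the essay; the class and function names (Apartment, create_sub, invoke, removable_facilities) and the sample facility table are assumptions made here. It also shows the point of the earlier paragraph on unneeded facilities: with every apartment's capabilities recorded explicitly, the operator can compute which local facilities no tenant depends on and may therefore be deleted.

```python
"""Apartments as attenuating capability sets (added illustration, not the essay's code).

Names here are assumptions: the essay defines no API. Facilities are named local
services; each apartment holds a frozen set of capabilities naming the facilities
its tenant may reach. Creating a sub-apartment can only hand down a subset.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Iterator, List, Optional

# Constructed sample: local facilities the machine operator might later want to delete.
# The lambdas stand in for the real services.
FACILITIES: Dict[str, Callable[[str], str]] = {
    "net": lambda arg: f"sent {arg}",
    "printer": lambda arg: f"printed {arg}",
    "camera": lambda arg: f"captured {arg}",
    "clipboard": lambda arg: f"pasted {arg}",
}


class CapabilityError(PermissionError):
    """Raised when code reaches for authority its apartment does not hold."""


@dataclass
class Apartment:
    name: str
    caps: FrozenSet[str]
    parent: Optional["Apartment"] = None
    children: List["Apartment"] = field(default_factory=list)

    def create_sub(self, name: str, caps: Iterable[str]) -> "Apartment":
        """Create a sub-apartment holding only capabilities this apartment holds.

        Attenuation only: nesting can narrow authority but never widen it, so the
        creator's original grant bounds the whole tree beneath it.
        """
        requested = frozenset(caps)
        excess = requested - self.caps
        if excess:
            raise CapabilityError(f"{self.name} cannot grant {sorted(excess)}")
        child = Apartment(name, requested, parent=self)
        self.children.append(child)
        return child

    def invoke(self, facility: str, arg: str) -> str:
        """Tenant code uses a facility; it is unreachable unless the apartment holds it."""
        if facility not in self.caps:
            raise CapabilityError(f"{self.name} holds no capability for {facility!r}")
        return FACILITIES[facility](arg)

    def walk(self) -> Iterator["Apartment"]:
        yield self
        for child in self.children:
            yield from child.walk()


def removable_facilities(creator: Apartment) -> List[str]:
    """Facilities that no tenant apartment below the creator holds a capability for.

    These can be deleted from the machine without breaking any tenant, which is
    exactly why tenants should be granted only what they need.
    """
    tenants = [a for a in creator.walk() if a is not creator]
    in_use = set().union(*(a.caps for a in tenants))
    return sorted(set(FACILITIES) - in_use)


def demo() -> Dict[str, object]:
    """Operator creates a work apartment; its user nests an application inside it."""
    machine = Apartment("machine", frozenset(FACILITIES))      # the apartment creator
    work = machine.create_sub("employer", {"net", "printer"})  # employer's apartment
    editor = work.create_sub("editor-app", {"printer"})        # app chosen by the user

    printed = work.invoke("printer", "report")                  # allowed: employer holds it

    try:                                                        # the app cannot reach the net,
        editor.invoke("net", "report")                          # however the user blundered
        sub_blocked = False
    except CapabilityError:
        sub_blocked = True

    try:                                                        # nor can the user grant the
        work.create_sub("greedy-app", {"camera"})               # camera: attenuation only
        amplified = True
    except CapabilityError:
        amplified = False

    return {
        "printed": printed,
        "sub_blocked": sub_blocked,
        "amplified": amplified,
        "removable": removable_facilities(machine),            # nobody needs camera/clipboard
    }


if __name__ == "__main__":
    print(demo())
```

A real apartment creator would hand out unforgeable references rather than strings, but the structure is the same: the consultant's per-client apartments of the last paragraph are simply sibling sub-apartments of the security kernel's root, each of which may in turn create vendor sub-apartments holding subsets of its own capabilities.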