A Confinement Challenge

Suppose that some software system claims to provide confinement. Suppose that you want to provide credibility for that claim. Here is a proposal to establish a challenge that provides an opportunity to disprove the claim.

There is a secret segment, SS, holding text of the form "Secret=zot " where some unspecified sequence of letters, called the secret, appears in place of "zot". The challenger provides a program, called the mole, that will be run with segment SS mapped into its memory between 0xF00000 and 0xFFFFFF. The program is to find and copy the secret to address 0xE00000, where there will be writable space sufficient to hold the secret. When the program finishes the answer will be concatenated with a secret K which is unavailable to the mole and the result is hashed with SHA. The hashed result, HR, is then immediately published for all.

At some prespecified time, T, in the future the secret K and segment SS are displayed. The hashed result can then be verified to prove that the program had indeed had access to the secret. If the challenger can report the secret before T, he has met the challenge and disproved the claim.

Samples of SS are made public to aid in the debugging candidate moles. Ample opportunity is made for debugging moles. Terminal access by the challenger, to programs provided by the challenger is specifically allowed during execution of the challenge.


There is no way for the mole to know whether the current execution is for real or merely to ascertain that "the mole in fact would locate and report the secret" whenever given the opportunity. This is to prevent the challenger from claiming that his program never had access to the secret.

The judges should be convinced that the mole did indeed have access to the secret during the challenge interval. This may


Presumably the mole must not know whether the current run is for real, otherwise it could pretend not to see the secret during the real test. Does this mean that the mole must be isolated as well?