Many pages on this site mention confinement. I will try to organize pointers to them here.
Butler Lampson named and described the Confinement Problem in [Butler Lampson, “A Note on the Confinement Problem,” Communications of the ACM, V 16, N 10, October, 1973]. In brief, it outlined the task of confining an untrusted program so as to make the program incapable of transferring information that it possessed to conspiring unconfined programs running on the same machine. He listed many such possible transfers that operating systems of the day failed to prevent. Current conventional operating systems do no better; indeed they provide even more unchecked flows.
Lampson mentioned, but did not discuss, the further problem of protecting the proprietary information of the confined program from its caller. Such proprietary protection is normally provided in Keykos by data abstraction and this protection is also available and natural to objects from factories. Here is a brief introduction without jargon.
Confinement can serve privacy or information commerce among other uses.
Read also about practical confinement, and distributed confinement. Factories run as an application, not a part of the security kernel! Debugging confined programs is a novel problem.
Selective demand by a presumably confined program, on computer resources can be detected by unconfined conspirators. Unless controlled by capabilities this can lead to covert channels. US Patent 5,574,912 (1996) describes a scheme for eliminating or greatly diminishing this channel. It would complement factory logic nicely. My own fragments of ideas on the same subject. Sometimes programs want “true random signals”. This is hazardous. Here is the story of an actual covert operation. Inadvertent signaling.
There are designs for the confined programs to send billing information thru a very narrow and audited channel.
Deterministic hardware makes confinement easier. transitively immutable?
See Markm & Ping's auditing approach to confinement.
Matt Hamblen and Sharon Gaudin seem to think that you can confine employees.