Definition
Application isolation separates execution environments:
\text{App}_1 \not\leftrightarrow \text{App}_2 \text{ (no direct χ-mode access)}
In SCU terms: Isolation creates χ-mode boundaries between applications—preventing one application's information states from affecting another's.
Why Isolation?
Without isolation:
\text{Compromise}_{App1} \rightarrow \text{Compromise}_{App2}
With isolation, damage is contained.
Isolation Techniques
| Technique | χ-Mode Separation |
|---|---|
| Processes | Separate χ-mode address spaces |
| Containers | Isolated χ-mode namespaces |
| Virtual machines | Complete χ-mode separation |
| Privilege separation | Limited χ-mode access per component |
Isolation Spectrum
| Strongest | Weakest | ||
|---|---|---|---|
| Separate hardware | VMs | Containers | Processes |
More isolation = more χ-mode separation = more overhead.
Benefits
| Benefit | χ-Mode Effect |
|---|---|
| Blast radius | Compromise limited to one χ-mode domain |
| Multi-tenancy | Different users' χ-modes separated |
| Reliability | Failure isolated to one domain |
| Security reasoning | Clear χ-mode boundaries |
Container Isolation
\text{Container} = \text{Isolated namespaces} + \text{Shared kernel}
Containers share kernel χ-modes but isolate application χ-modes.
VM Isolation
\text{VM} = \text{Separate kernel} + \text{Virtualized hardware}
VMs provide stronger χ-mode separation at higher cost.
Trade-offs
| Cost | Reason |
|---|---|
| Performance | χ-mode mediation overhead |
| Communication | Crossing χ-mode boundaries |
| Resources | Duplicated χ-mode states |
| Complexity | Managing χ-mode boundaries |
The Key Insight
Isolation creates χ-mode boundaries.
Security through separation:
- Each application has isolated χ-mode domain
- Boundaries prevent cross-contamination
- Compromise doesn't spread
- Multi-tenancy becomes possible
When we isolate applications, we're creating χ-mode boundaries that prevent one application's information state changes from affecting others—containing failures and compromises.