Any program can create an environment in which to run another program, controlling every aspect of its operation. Trivially, but inefficiently, this can be done by binary emulation. More usefully, most current processors provide sufficient support for confined programs to be executed natively.
Current operating systems do not expose this hardware support in any useful way, making the creation of confined execution environments difficult or impossible. Given the growing desire to run code from untrusted sources (ActiveX controls, web browser plugins, etc.), and the increasing amount of code in current systems (do you trust every program installed as part of your operating system?), this is unfortunate.
This talk introduces Mimesis, an operating system with a kernel designed to support confined execution environments efficiently. The rest of the system is implemented in various confined user-level environments.