•Separating code from data
•File-system structure changes
…\sys, \resource, \private\
…Executables will be placed in and only run from \sys\bin
•Processes are confined to their own part of the file-system
•Access rules based on directory path
…Single user, no access control list required
…No extra storage needed
•Support for removable media file systems
…Tamper evidence for binaries
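
The path-based rules above, sketched as an added example (not code from the original slides or from Symbian itself). It is a simplified model: the `Tcb` and `AllFiles` capabilities and the per-process `\private\<secure ID>` directory are assumptions drawn from the Symbian platform security model rather than from this page, and `Caller`, `allowed` and `mayExecute` are hypothetical names.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Simplified model (assumption, not Symbian source): the decision uses only
// the path, the caller's secure ID and two capabilities. No per-file ACL.
struct Caller { uint32_t sid; bool tcb; bool allFiles; };
enum class Op { Read, Write };

// Lower-case, unify separators, drop the drive letter: rules apply per path,
// so they hold on removable drives too.
static std::string normalise(std::string p) {
    std::transform(p.begin(), p.end(), p.begin(), [](unsigned char c) -> char {
        return c == '/' ? '\\' : static_cast<char>(std::tolower(c));
    });
    if (p.size() >= 2 && p[1] == ':') p.erase(0, 2);
    return p;
}

// True if p is dir itself or lies below it (component-wise, not a raw prefix).
static bool under(const std::string& p, const std::string& dir) {
    return p.compare(0, dir.size(), dir) == 0 &&
           (p.size() == dir.size() || p[dir.size()] == '\\');
}

static bool hasTraversal(const std::string& p) {
    return p.find("\\..") != std::string::npos;  // conservative: refuse ".."
}

bool allowed(const Caller& c, Op op, const std::string& rawPath) {
    const std::string p = normalise(rawPath);
    if (hasTraversal(p)) return false;
    if (under(p, "\\sys")) return op == Op::Read ? c.allFiles : c.tcb;
    if (under(p, "\\resource")) return op == Op::Read || c.tcb;
    if (under(p, "\\private")) {
        char own[16];
        std::snprintf(own, sizeof own, "\\%08x", static_cast<unsigned>(c.sid));
        return under(p.substr(8), own) || c.allFiles;
    }
    return true;  // public areas are not caged
}

// Executables only run from \sys\bin.
bool mayExecute(const std::string& rawPath) {
    const std::string p = normalise(rawPath);
    return !hasTraversal(p) && under(p, "\\sys\\bin") && p.size() > 8;
}
```

The component-wise comparison in `under` is what stops a process with secure ID `1000abcd` from reaching `\private\1000abcdef\`, which a plain string-prefix test would allow.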