[[!meta copyright="Copyright © 2007, 2008 Free Software Foundation, Inc."]] [[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable id="license" text="Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled [[GNU Free Documentation License|/fdl]]."]]"""]] Interference can be destructive or non-destructive. When a [[principal]] invokes an object (thereby requesting a service) and the implementation carries out the principal's intent, the interference was non-destructive in the sense that the interference was desired. In invoking the object, the principal may make itself vulnerable to destructive interference. When a user runs Solitaire on Windows, the Solitaire program is instantiated and given all of the user's authority. The program may delete all of the users files after publishing credit card and other sensitive information on the Internet. This type of interference is undesirable, however, generally practically unavoidable due to the way programs work on Windows (and [[Unix]], for that matter). The problem is that the callee has induced negative consequence for caller due to actions of the former. To not have to depend on another program (and thereby not have to add it to its [[tcb]]), it is necessary that the caller only make itself vulnerable to destructive inference in ways that can be detected and from which it can recover. Mark Miller examines the idea of destructive interference in his PhD thesis [Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control](http://www.erights.org/talks/thesis/).