Chapter 12. Security

In traditional operating systems such as Windows or Unix, the security model is user-oriented. A process executes under a security identity, usually that of the user who launched it, and the operating system grants access to resources or permission to perform an operation based on that identity alone, not on what the code is or where it came from. Typically, either the user is omnipotent (an administrator or root account), or the user is restricted and can perform only a narrow set of operations. The user-oriented security model has a number of shortcomings. For one thing, even powerful users make mistakes, such as installing harmful applications from dubious sources or opening an email attachment that carries a virus; because the malicious code then runs with the user's full privileges, the operating system has no basis on which to deny it anything. In general, all users are vulnerable to such attacks, and only through experience do they learn how to avoid them. Even if no foul play is involved, users are often asked to make runtime decisions about the nature of components, such as whether or not to trust content coming from a particular source, decisions they are poorly equipped to make. Furthermore, restricted users often don't get to work in an environment tailored to their needs and preferences, and the overall quality of their sessions suffers. Newer kinds of threats such as worms, luring attacks, and Trojan horses target exactly these weaknesses: malicious code installed under a restricted account can simply wait for an administrator to log on before striking, long after the initial breach.

In today’s component-oriented environment, there is a need for a component-oriented security model. A component-oriented operating ...
