Squeak viruses (was Re: [VIRUS WARNING] Re: Check this)
Raab, Andreas
Andreas.Raab at disney.com
Thu Mar 2 19:34:48 UTC 2000
Lex,
> There is another approach, which allows running inside a single
> full-featured VM. Use object references as capabilities, and only
> provide *safe* object handles to the code that is being
> loaded. Notice that for Squeak code to do something bad, it must
> first get an object and send a message to it.
> For example, it's impossible to delete a file if you can't get
> an instance of FileDirectory.
This is not true with the current system. You can trivially write a method
like
MyObject>>iWillShowYouWhatICanDo: aFileName
	<primitive: 156>
	^ nil
And invoking this with
myObject := MyObject new.
myObject iWillShowYouWhatICanDo: 'C:\autoexec.bat'.
would be fatal. A fully fledged capabilities approach has to extend to the
image level as well to work the way you'd expect it to (e.g., preventing
these primitives in any insecure code). The I/O approach is a lot simpler in
this respect.
Andreas
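The gate Andreas describes (refusing primitive declarations in code that did not come from a trusted source) can be illustrated with a small source-level check. The following is an added example written for this archive page, not code from the original mail or from Squeak itself. It assumes that untrusted code arrives as Smalltalk method source text (for example from a file-in) and that the loader can run a check before compiling each method; the sample methods are constructed here, the first one being the method from the mail above. Which primitive numbers, if any, belong on the allow list is a policy choice left empty by default.

```python
import re

# Matches both pragma forms: <primitive: 156> and
# <primitive: 'primitiveFoo' module: 'FooPlugin'>.
PRAGMA_RE = re.compile(
    r"<\s*primitive:\s*(?:(\d+)|'([^']*)')(?:\s*module:\s*'([^']*)')?[^>]*>"
)


def strip_literals(source: str) -> str:
    """Return source with string literals ('...', '' escapes a quote),
    comments ("...") and $c character literals blanked out by spaces.
    Lengths are preserved so positions line up with the original text."""
    out = []
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        if ch == '"':                       # comment: runs to the next "
            j = source.find('"', i + 1)
            end = n if j == -1 else j + 1
        elif ch == "'":                     # string: '' inside is an escaped quote
            j = i + 1
            while j < n:
                if source[j] == "'":
                    if j + 1 < n and source[j + 1] == "'":
                        j += 2
                        continue
                    break
                j += 1
            end = min(j + 1, n)
        elif ch == '$' and i + 1 < n:       # character literal such as $' or $"
            end = i + 2
        else:
            out.append(ch)
            i += 1
            continue
        out.append(' ' * (end - i))
        i = end
    return ''.join(out)


def find_primitive_pragmas(source: str):
    """List (number, name, module) for every real <primitive: ...> pragma in
    the method source; pragma-looking text inside strings or comments is
    ignored because its '<' has been blanked in the stripped copy."""
    stripped = strip_literals(source)
    found = []
    for m in PRAGMA_RE.finditer(source):
        if stripped[m.start()] != '<':
            continue
        number = int(m.group(1)) if m.group(1) else None
        found.append((number, m.group(2), m.group(3)))
    return found


def check_untrusted_method(source: str, allowed_numbers=frozenset()):
    """Loader-side gate: reject any untrusted method that declares a
    primitive unless its number is on an explicit allow list. Named
    (plugin) primitives are never accepted from untrusted code."""
    for number, name, module in find_primitive_pragmas(source):
        if number is None:
            return False, f"named primitive {name!r} (module {module!r}) not permitted"
        if number not in allowed_numbers:
            return False, f"primitive {number} not on allow list"
    return True, "no disallowed primitives"


# Constructed samples. The first is the method from the mail above.
ANDREAS_METHOD = """iWillShowYouWhatICanDo: aFileName
\t<primitive: 156>
\t^ nil"""

BENIGN_METHOD = """describe
\t"a comment mentioning <primitive: 156> must not count"
\t^ 'nor does the string <primitive: 1> here' size"""

NAMED_PRIMITIVE_METHOD = """doSomething
\t<primitive: 'primitiveFoo' module: 'FooPlugin'>
\t^ self primitiveFailed"""

if __name__ == "__main__":
    for src in (ANDREAS_METHOD, BENIGN_METHOD, NAMED_PRIMITIVE_METHOD):
        print(src.splitlines()[0], "->", check_untrusted_method(src))
```

Running the module prints the verdict for each sample: the method from the mail is refused because of primitive 156, the method that only mentions a pragma inside a comment and a string is accepted, and the named plugin primitive is refused. The caveat is the one Andreas makes: a check applied only to source text that happens to pass through this loader protects nothing if methods can reach the image another way (a pre-compiled method filed in as binary, or code built reflectively inside the image), so the same rule has to be enforced where every method is created, in the compiler or the image's method installation path.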