Where traditional security architectures can answer general questions of the form ``can subject X use object Y,'' they fail when considering problems where one subject may be acting on behalf of another, or may be acting on its own behalf. These systems generally have neither the mechanisms to capture the full security context of a request nor the policies expressive enough to be able to resolve whether these requests should be allowed or denied. Issues such as these arise in mobile code systems, requiring new security mechanisms to address their security.

While a number of traditional security architectures, including capability systems and process-structured systems, can be adapted to the secure execution of mobile code, this dissertation describes an architecture that addresses these issues and does it using an efficient implementation that requires no special hardware or language runtime support. Security-passing style has a well defined semantics describing how it works and allowing for proofs of its soundness. These semantics also allow us to produce an implementation that has extremely low overhead (in principal, just over one instruction per method invocation) based on static analysis of the program to be run and dynamic caching to make common-cases execute faster.