Next: Acknowledgments Up: Extensible Security Architectures for Previous: Remote Calls

Conclusion

  Software-based protection systems are coming into common use, driven by their inherent advantages in both performance and portability. Software fault isolation, proof-carrying code, or language-based mechanisms can be used to guarantee memory safety. Secure system services cannot be built without these mechanisms, but memory safety alone is not sufficient: such services may require additional system support to work properly.

We have described three designs that support interposition of security checks between untrusted code and important system resources. Each design has been implemented in Java, and both extended stack introspection and name space management have been integrated into commercial Web browsers.

All three designs have their strengths and weaknesses. For example, capability systems are implemented very naturally in Java. However, they are suitable only for applications whose programs do not expect to use the standard Java APIs, because capabilities require a stylistic departure in API design.
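The stylistic departure mentioned above, shown as an added illustration in Java (this is not code from the paper): instead of opening a file by a global name, as the standard `java.io` API allows, untrusted code is handed an unforgeable object reference and can read only through it. The class names `ReadCapability`, `FileReadCapability` and `UntrustedCode` are assumptions made for this example.

```java
// Added illustration, not the paper's code: a capability-style file-read API.
// The untrusted code never sees java.io.File, so it cannot name other files;
// the holder of the capability can also attenuate or revoke it.
import java.io.*;

interface ReadCapability {                 // the capability: an object reference
    String readLine() throws IOException;
}

final class FileReadCapability implements ReadCapability {
    private BufferedReader in;             // null once revoked
    FileReadCapability(File f) throws IOException {
        in = new BufferedReader(new FileReader(f));
    }
    public String readLine() throws IOException {
        if (in == null) throw new SecurityException("capability revoked");
        return in.readLine();
    }
    void revoke() throws IOException {     // revocation: the reference becomes useless
        if (in != null) { in.close(); in = null; }
    }
}

// Untrusted code written in capability style: it can only use what it was handed.
final class UntrustedCode {
    static int countLines(ReadCapability cap) throws IOException {
        int n = 0;
        while (cap.readLine() != null) n++;
        return n;
    }
}

public class CapabilityDemo {
    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("demo", ".txt");   // constructed sample input
        try (PrintWriter w = new PrintWriter(tmp)) { w.println("a"); w.println("b"); }
        FileReadCapability cap = new FileReadCapability(tmp);
        System.out.println("lines: " + UntrustedCode.countLines(cap));
        cap.revoke();
        try {
            UntrustedCode.countLines(cap);
        } catch (SecurityException e) {
            System.out.println("after revoke: " + e.getMessage());
        }
        tmp.delete();
    }
}
```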

Name space management offers good compatibility with existing Java applets, but Java's libraries and newer Java mechanisms such as the reflection API may limit its use.

Extended stack introspection also offers good compatibility with existing Java applets and has reasonable security properties, but its complexity is troubling and it relies on several artifacts of Sun's Java Virtual Machine implementation.

We believe the best solution is to combine elements of these techniques. Name space management allows transparent interposition of security layers between system and applet code with no run-time performance penalty. Stack introspection can allow legacy system code to run with less than full privileges without being rewritten in a capability style. Capabilities, in turn, provide a well-understood extension to remote procedure calls. Understanding how to create such a hybrid system is a main area for future research.


Dan Wallach
7/26/1997