I want to debug a new version of the space bank code.
I write a small program that behaves like a real range key.
It probably uses an official space bank.
I install the new space bank code and instantiate it with this new fake range key.
I create a new user context whose space bank is this new space bank code.
The Hard Space Bank Scenario
The Keykos space bank is complex, unfortunately, and complex things tend to need to become even more complex by adding new features.
If we add code to the space bank we must not expand the TCB of those who have agreed only to the logic of the old bank.
They may never need to be vulnerable to the new code.
As Keykos runs today programs acquire access to banks indirectly thru the bank provided in the directory of the person who installs the program.
If the installer has access to a new-bank object, incorporating the new code, then he can install the program equipping it with the new-bank.
All other facilities available to the new program that are in a position to vet banks are relativized to the new-bank and accept it and its sub banks as authentic.
If the new program needs the services of older server objects on the machine then the new program will probably need an old bank to placate those fussy old server objects.
If the new logic of the new-bank is needed in conjunction with some of the old server objects, then it will be necessary to make new instances of those server objects with the new bank.
Those new-old-servers will accept new-banks as well as old banks.
This is a complex scenario but it seems clear that only those who have agreed to be vulnerable to the new bank code are indeed vulnerable.