I propose a technical definition of "defend" here.
How well can we defend an application in Keykos?
Capability discipline allows the following promising beginning.
Implement the application as a set of pages and nodes so that:
- Capabilities held within the set that designate things outside the set convey no signals into the set except through code in the set that is written to interpret those signals and to be wary of them.
- Capabilities held outside the set that designate things within the set, such as start keys, likewise deliver messages only to application code that is equally wary.
This pattern resembles an application running on a dedicated machine, and it gains the security familiar from that case: the only paths across the boundary are the ones the application's own code chooses to interpret.
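The two conditions above can be checked mechanically over a description of which keys sit in which nodes. The following is an added example, not code from the original page or from KeyKOS itself: a toy model in which pages hold data, nodes hold keys, a start key is the only key kind that delivers a message to code, and a `wary` flag marks a node whose domain code distrusts what arrives through its keys. The names `Obj`, `check_boundary`, `example_graph` and the sample objects (`app_root`, `client`, `shared_page`, and so on) are inventions of this example.

```python
from dataclasses import dataclass, field

# Key kinds, after KeyKOS: a page key maps raw memory, a node key exposes a
# node's key slots, a start key delivers a message to the domain whose root
# node it designates. Only a start key reaches code that can inspect a message.
PAGE_KEY, NODE_KEY, START_KEY = "page", "node", "start"


@dataclass
class Obj:
    """A page or a node. Only nodes hold keys; `wary` marks a node whose
    domain code is written to distrust whatever arrives through its keys."""
    name: str
    is_node: bool
    wary: bool = False
    # slot number -> (key kind, name of the designated object)
    keys: dict = field(default_factory=dict)


def check_boundary(objs, app):
    """Return the violations of the two boundary conditions for the
    application set `app` (a set of object names) in the key graph `objs`."""
    violations = []
    for o in objs.values():
        if o.keys and not o.is_node:
            raise ValueError(f"{o.name}: pages cannot hold keys")
        for slot, (kind, target) in o.keys.items():
            src_in, tgt_in = o.name in app, target in app
            if src_in and not tgt_in:
                # Condition 1: a key leading out of the set conveys signals
                # (memory contents, return messages); only wary code may hold it.
                if not o.wary:
                    violations.append(
                        f"{o.name}[{slot}]: {kind} key to {target} held by non-wary code")
            elif tgt_in and not src_in:
                # Condition 2: a key leading into the set must be a start key,
                # so the only way in is a message to code, and that code is wary.
                if kind != START_KEY:
                    violations.append(
                        f"{o.name}[{slot}]: {kind} key to {target} bypasses application code")
                elif not objs[target].wary:
                    violations.append(
                        f"{o.name}[{slot}]: start key to {target}, whose code is not wary")
    return violations


# Constructed sample application set (assumption of this example).
APP = {"app_root", "app_data", "app_entry"}


def example_graph(fixed):
    """Constructed sample graph: an application set plus a client outside it.
    With fixed=False two common mistakes are present; fixed=True repairs them."""
    objs = {
        # Inside the set.
        "app_entry": Obj("app_entry", is_node=True, wary=True,
                         keys={0: (PAGE_KEY, "app_data")}),
        "app_data": Obj("app_data", is_node=False),
        # app_root reads a page shared with the outside; its code must be wary.
        "app_root": Obj("app_root", is_node=True, wary=fixed,
                        keys={0: (PAGE_KEY, "app_data"),
                              1: (PAGE_KEY, "shared_page")}),
        # Outside the set.
        "shared_page": Obj("shared_page", is_node=False),
        "client": Obj("client", is_node=True,
                      keys={0: (START_KEY, "app_entry")}),
    }
    if not fixed:
        # Mistake: the client was handed a page key straight into app memory,
        # so it can alter application state without any code interpreting it.
        objs["client"].keys[1] = (PAGE_KEY, "app_data")
    return objs


if __name__ == "__main__":
    for v in check_boundary(example_graph(fixed=False), APP):
        print("violation:", v)
    print("fixed graph:", check_boundary(example_graph(fixed=True), APP) or "clean")
```

The leaky graph reports two violations, one for each condition; the repaired graph reports none. In a real KeyKOS system the same classification would be done over the actual key slots of the nodes that make up the application, and the "wary" property is a claim about the code, not something the kernel can check for you.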