There is a class of security problems wherein a program gets a request to do something that requires its authority. It is responsible for not misusing that authority and may thereby require logic to qualify the request.

Very often this qualification depends critically on who sent the message. Many operating systems depend extensively on message mechanisms that do not identify the sender and also are too permissive on who can send. The mechanism thus does not help with the above qualification. For instance in Windows signals from key strokes arrive at the relevant application by means that do not allow identification of the source. This is good and bad. It is good because alternatives to keyboards are thereby enabled where new software is added to adapt alternative hardware to the expectations of extant applications. It is bad in that rogue programs can cause the application to act on a stream of input characters as if the user had typed them.

Described as I have above, this sounds like an insoluble problem. It is almost never a problem in capability systems, however. Briefly this is because the rogue program will lack the capability to send the bogus message, or at lease the ability to send over a channel that appears to the application to be from the keyboard. In the capability scheme of things, the legitimate sender will have acquired the capability to send in a way analogous to how the sender acquires the process ID currently required to send. In short the process ID is replaced by a protected name of the recipient.

Some systems identify the sender to the recipient by some sort of opaque process id. The recipient, however, may not be in a position to know which potential senders should be trusted, at least by contemplating their process id.

A capability to send a message to a particular object may be passed around among programs with the capability to communicate with each other. This seems dangerous at first as it would seem to make reasoning about the real identity of the sender difficult. The key to reasoning about this is to note that a holder of such a capability to send, is responsible both for

In the case of a keyboard adaptor program the software that discovers the keyboard upon booting will be in charge of recognizing the substitution and replacing the conventional keyboard capability by one that is to the adaption software. The rest of the system is thus oblivious to the change.
Here are some instances of this problem:
The Window Shattering Exploit seems to be a significant example of this.

I see here another instance of a pattern. The bogus message is sent to