What can go Wrong?

We distinguish a few broad categories of software that run on our platform:
Benign: Most software is benign yet vulnerable, mainly to messages from outside the machine that it is purposed to understand.
Critical: code in someone's reliance set. Critical code sometimes must interact with the outside, but not usually.
Malware: code which is out to get you.
The great bulk of the code on your machine is benign and not out to get you. It was written by some set of programmers you know nothing of, and that should worry you. Even when benign, such code is often charged with reading files from other systems, which we must distrust as potentially "maliciously crafted". There is no fundamental reason why reading such files should make the local code vulnerable, but the contest between suspicious reader and clever malicious writer too often goes to the writer. When a sufficiently clever malicious file arrives and is read by some local benign application, the attacker's code may replace the benign code and acquire the authority of the benign code.

In OCAP systems it is natural to give the benign code much less authority than is possible in Unix. The great bulk of the benign code is thus not in the reliance set.
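As an added illustration (not code from the original page), here is the same "benign but vulnerable" reader written two ways in Python: once with Unix-style ambient authority, once handed a single directory capability and nothing else. The reader is a toy archive extractor; the archive format, the hostile entry name and the DirCap class are all constructed for this example. Python cannot actually take `open` away from the first reader, so the capability version shows the discipline, with openat(2) via `dir_fd` doing the confinement of writes (POSIX only).

```python
"""Added example, not code from the original page: a 'benign but vulnerable'
file reader written with ambient authority and with an explicit capability.

The reader is a toy archive extractor; the archive format, the hostile entry
name and the DirCap class are constructed for this example (POSIX only, since
it relies on openat via dir_fd)."""
import os
import shutil
import tempfile

# Constructed hostile input: the second entry's name tries to climb out of the
# extraction directory, the classic 'maliciously crafted file' for extractors.
MALICIOUS_ARCHIVE = [
    ("readme.txt", b"harmless\n"),
    ("../../outside/injected.sh", b"echo pwned\n"),
]


def extract_ambient(archive, dest):
    """Unix-style reader: it runs with the whole process's filesystem authority,
    so an entry name it did not expect turns it into a write-anywhere gadget."""
    written = []
    for name, payload in archive:
        path = os.path.join(dest, name)      # '..' in name is honoured as-is
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(payload)
        written.append(os.path.realpath(path))
    return written


class DirCap:
    """Capability to create regular files strictly inside one directory.
    The extractor is handed this object and nothing else; the object, not the
    extractor, decides what a name is allowed to mean."""

    def __init__(self, root):
        self._root = os.path.realpath(root)
        self._fd = os.open(self._root, os.O_RDONLY | os.O_DIRECTORY)

    def create(self, name, payload):
        target = os.path.realpath(os.path.join(self._root, name))
        if os.path.commonpath([self._root, target]) != self._root:
            raise PermissionError(f"entry {name!r} escapes {self._root}")
        os.makedirs(os.path.dirname(target), exist_ok=True)   # inside root
        rel = os.path.relpath(target, self._root)
        # openat(2) relative to the directory fd: a fresh file, no symlink following
        fd = os.open(rel, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o644, dir_fd=self._fd)
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
        return target

    def close(self):
        os.close(self._fd)


def extract_capability(archive, outdir):
    """OCAP-style reader: the worst a crafted name can do is get refused."""
    written, refused = [], []
    for name, payload in archive:
        try:
            written.append(outdir.create(name, payload))
        except PermissionError:
            refused.append(name)
    return written, refused


def escaped(dest, paths):
    """True if any written path lies outside dest."""
    root = os.path.realpath(dest)
    return any(os.path.commonpath([root, p]) != root for p in paths)


def demo():
    """Run both readers on the hostile archive in a scratch tree and report
    whether either let a write land outside its extraction directory."""
    base = tempfile.mkdtemp()
    try:
        amb = os.path.join(base, "ambient", "extract")
        cap = os.path.join(base, "capability", "extract")
        os.makedirs(amb)
        os.makedirs(cap)
        amb_paths = extract_ambient(MALICIOUS_ARCHIVE, amb)
        dircap = DirCap(cap)
        cap_paths, refused = extract_capability(MALICIOUS_ARCHIVE, dircap)
        dircap.close()
        return {
            "ambient_escaped": escaped(amb, amb_paths),
            "capability_escaped": escaped(cap, cap_paths),
            "capability_refused": refused,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the report. The point is not the path check itself but where it lives: the capability reader's only authority is the DirCap it was handed, so even if a crafted file subverted the reader completely, what it could reach is bounded by that one object. That is the sense in which benign code can be kept out of the reliance set.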

Critical code, which is in the reliance set of some important application, enforces both the general rules of the platform and the specialized rules for that application's security. It must generally be perfect.