Palladium promises an area within a Windows system where simple security properties can be relied upon for critical functions. Butler Lampson suggests that the software that is developed for such an area may become so complex as to vitiate all of the advantages of the new area—that the security will deteriorate to that of current systems.

This is a serious concern and indeed a credible plan for maintaining order in the new world is needed to warrant the great expense. I view Palladium (yes I know that there is a new name) as an alternate concurrent platform within the Windows system.

I will make the following bold claim, support for which is the subject of many of the pages at this site.

The Palladium hardware can support a software based capability platform within the Intel box, and upon which secure applications can run securely despite other buggy and malicious applications concurrently running on the same platform.
A subsidiary claim is that the design of such code is convenient if not entirely conventional.

Capabilities do not alleviate the necessary trade-offs between code simplicity and GUI elegance. Many megabytes of code seem necessary today for the elegant GUI. Bugs within such code will still impact security of applications that use such GUIs. Some current serious problems, such as viruses, can be virtually eliminated in the new platform. Applications will survive installation of new code on the platform even when that code is malicious. An application is vulnerable to only the middleware that it relies on, and its integrity is at risk to even less.

I am of the current opinion that stack inspection is deeply flawed and cannot support a number of useful security patterns, such as confinement.