Can we estimate the degree to which capability architectures resist worms? Early OSes for PCs ran all code in one address space and in privileged mode, so one flaw in code that interpreted data from the outside world was likely to let malicious exogenous code run with total authority. Unix and Linux were significantly better in that most code ran in user mode and in its own address space. Furthermore the Unix system calls by which code can have effects beyond its own address space were tempered by a model of many users that protected one user from another. One user, called root, was not so restricted and attended to system maintenance functions. Root's privilege over the files it can write is unlimited.

With the advent of Windows NT and OS X most code ran in user mode and in its own address space. Windows code, however, continues today to run with root (administrator) authority by default. (This is slowly changing as of 2006.) Malicious code in Windows may therefore still do its damage thru system calls. I do not know how practical it is for a user to run Windows without root access.

The OS X user, by contrast, runs without root access. I do not know the password for root access on my Mac. I do know an administrative password necessary to install applications and new operating systems. I think that programs running with my authority cannot exercise the administrative authority without that password. (2006: A recent challenge has disproved this. It is evidently a goal but perhaps not a high priority with Apple.) I think that an application called “Installer” that comes with the system has administrative authority which it refuses to use without the password. There is no control of spoofing, by which malware might present its own dialog and trick me into revealing the administrative password: when a window asks me for the password I have no way of knowing to whom I am revealing it. In any case software running without that password is able to steal and destroy my data even though it cannot destroy the system.

Capability architectures dramatically reduce the vulnerabilities to malware. A flaw which leads to executing exogenous code provides that code only with the vastly reduced authority of the program that was subverted. The bad code can only disrupt the legitimate function of the code with the flaw. E-mail code to process incoming mail may have a flaw allowing a worm to block and destroy subsequent mail, but the worm cannot propagate itself in outgoing messages, for the mail reader has no legitimate need to send messages out and will in fact lack that ability. Even without hostile code, capability discipline constrains honest but buggy code to damaging only its own narrow domain and those programs that explicitly rely on it.
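The e-mail case above, as an added illustration that is not code from this page. It models a mail reader with a code-execution flaw (the flawed parser simply executes the message body) under two regimes: ambient authority, where a send function is reachable by any code that runs, and capability discipline, where the reader is handed only an inbox capability and an outbox capability is never within its reach. The `Inbox`, `Outbox` and payload names are constructed for the example. Python is not an object-capability language, and clearing `__builtins__` is not a real sandbox; the restricted environment here stands in for the authority a capability OS would confine the reader to.

```python
"""Capability discipline versus ambient authority for a mail reader.

Added example, not from the original page. The 'flaw' is modelled by
exec()ing the message body; the restricted globals dict models what
authority the reader holds. This is an illustration, not a sandbox.
"""


class Inbox:
    """Capability the mail reader legitimately needs: read and delete mail."""

    def __init__(self, messages):
        self._messages = list(messages)

    def messages(self):
        return list(self._messages)

    def delete_all(self):
        self._messages.clear()


class Outbox:
    """Capability for sending mail. The reader has no legitimate need for it."""

    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


# Constructed worm payload: destroy the mailbox, then try to propagate.
WORM_PAYLOAD = (
    "inbox.delete_all()\n"
    "for addr in ['alice@example.test', 'bob@example.test']:\n"
    "    send(addr, 'worm copy')\n"
)


def process_mail_ambient(inbox, outbox, payload):
    """Ambient authority: 'send' is reachable by whatever code ends up running."""
    env = {"inbox": inbox, "send": outbox.send, "__builtins__": {}}
    exec(payload, env)
    return "payload ran with full authority"


def process_mail_capability(inbox, payload):
    """Capability discipline: the reader holds only the inbox capability.

    The worm can still wreck the inbox (that is the reader's own domain) but
    the name 'send' is simply absent, so propagation fails.
    """
    env = {"inbox": inbox, "__builtins__": {}}
    try:
        exec(payload, env)
    except NameError as err:
        return f"blocked: {err}"
    return "payload ran with full authority"


def run_demo():
    """Run the same worm under both regimes and report the damage done."""
    inbox_a, outbox_a = Inbox(["hello", "worm"]), Outbox()
    ambient_result = process_mail_ambient(inbox_a, outbox_a, WORM_PAYLOAD)

    inbox_c, outbox_c = Inbox(["hello", "worm"]), Outbox()
    # outbox_c exists in the system but is never passed to the reader.
    cap_result = process_mail_capability(inbox_c, WORM_PAYLOAD)

    return {
        "ambient_result": ambient_result,
        "ambient_sent": len(outbox_a.sent),          # worm propagated: 2
        "ambient_remaining": len(inbox_a.messages()),  # inbox destroyed: 0
        "cap_result": cap_result,
        "cap_sent": len(outbox_c.sent),              # no propagation: 0
        "cap_remaining": len(inbox_c.messages()),    # inbox still destroyed: 0
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that the capability version does not make the flaw harmless: the inbox is still emptied, exactly the "block and destroy subsequent mail" damage the text allows. What changes is the blast radius, since the worm's attempt to send fails for want of any reference to an outbox.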