Enforcing Modular Security through Language Design: A Study on Object and Reference Capabilities

We present an approach to language design aimed at enforcing modular security, where a security architect can define specific object capabilities that enforce custom security properties. Unlike traditional models that assume an uncompromised system (‘clean garden’), this model (‘dark forest’) assumes local machines are already compromised but anchored by a secure root. Security is maintained even in the presence of adversarial code execution within security-critical processes: a process may be rendered inert, or be subjected to crashes or infinite loops, but it is precluded from engaging in insecure interactions.
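The following is an added illustration of the object-capability discipline the abstract describes, not code from the paper or from its language. It uses plain JavaScript closures as a stand-in for a capability-safe host language, and assumes that host enforces encapsulation: a closure's captured state is reachable only through the functions it returns, and there is no ambient authority (no global file system or reflection) the module could fall back on. All names (`makeStore`, `readOnlyView`, `adversarialModule`, `runWithAttenuation`) and the store contents are constructed for the example. The adversarial module is handed only an attenuated (read-only) capability, attempts to escalate, and then crashes; the protected state stays intact throughout, which is the "dark forest" guarantee in miniature.

```javascript
// Added example (not from the paper): capability attenuation with closures.
// Assumption: the host language provides encapsulation and no ambient authority.

// Root capability: full read/write access to a constructed in-memory store.
function makeStore() {
  const data = new Map([["config", "debug=false"]]); // constructed sample state
  return Object.freeze({
    read: (key) => data.get(key),
    write: (key, value) => { data.set(key, value); },
  });
}

// Attenuation: derive a weaker capability that forwards only `read`.
// The returned object holds no reference to `write` and does not expose `store`,
// so a holder of the view cannot recover the root capability from it.
function readOnlyView(store) {
  return Object.freeze({ read: (key) => store.read(key) });
}

// A deliberately adversarial module: assume it is already compromised.
// It receives the attenuated capability plus a `report` capability for logging,
// tries to escalate, and then crashes.
function adversarialModule(cap, report) {
  // 1. Call a write method: absent on the view, so this is a TypeError, not a write.
  try {
    cap.write("config", "debug=true");
    report("write-succeeded");
  } catch (e) {
    report(e instanceof TypeError ? "write-denied" : "other-error");
  }
  // 2. Try to forge a write method onto the capability object: it is frozen,
  //    so the assignment is ignored (sloppy mode) or throws (strict mode).
  try { cap.write = () => {}; } catch (e) { /* strict mode: TypeError */ }
  report(typeof cap.write === "function" ? "forged" : "no-forge");
  // 3. Disruption is permitted by the model; insecure interaction is not.
  throw new Error("module crashed");
}

// The security-critical "process" that loads the untrusted module with only
// the attenuated capability and checks afterwards that protected state is unchanged.
function runWithAttenuation(store) {
  const view = readOnlyView(store);
  const log = [];
  let outcome;
  try {
    adversarialModule(view, (msg) => log.push(msg));
    outcome = "returned";
  } catch (e) {
    outcome = "crashed"; // the process may crash; the store is still intact
  }
  return { outcome, log, config: store.read("config") };
}
```

The defender's check is the last line of `runWithAttenuation`: after the compromised module has run, `store.read("config")` still returns the original value, and the log records only denied attempts. The same store, handed out as the root capability rather than the view, can be written freely, which is what makes the restriction a property of which reference a component holds rather than of any runtime permission check.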