"object-capability model"@cs .