Limit one's modules that he can import.. securing what he can do. For example, in DevWik we discussed how in a programming language and a system with modules.. one could limit the modules used in the import or uses clause. Security through limited modularity would allow the administrator to choose which modules to grant access to. This can be used for limiting access to drivers, libraries, source code modules, etc. ---- ''The question becomes how you systematically limit access, and how you prevent programmers from writing their own versions of these modules.'' The uses clause is strictly checked.. and users are not able to call any Windows API, Linux API, or BSD API calls themself (unless they API calls are audited first... and then those audited ones are placed into a special module using a "type"). This can be implemented through the language itself, or as part of a system such as DevWik which strictly parses the files and checks the uses clauses (import sections). If someone creates their own module, they only have strict limited access to whitelisted modules or moduels that contain links/aliases to API calls that are safe. Anything like a "system" call is bad. In freepascal for example, one would not be able to use the Windows.pas unit or the Unix.pas unit since those contain system functions. There are some functions that can be referenced from those units and put into other modules through a type alias.. if they are safe. For example some of the windows api functions aren't harmful.. but then again the windows api and unix api may not even be needed as part of something like DevWik.. so those units could be banned entirely. ''Well, you might manage to make it work. It's similar to how many other languages attempt security - banning certain calls and such. If there are no ways around it, and no gotchas, it may be implementable.'' Here is an example: '''unit''' safemodule '''uses''' Windows, Unix; '''interface''' ''// the entire windows api and unix api is NOT available. '' ''// only below functions that we whitelist with freepascals type/alias system'' '''type''' TSomeFunc = function(i: integer): integer; TOtherFunc = function(p: pchar): integer; '''var''' somefunc: TSomeFunc = windows.somesafefunction; otherfunc: TOtherFunc = unix.somesafefunction; '''implementation''' // Your other functions here that you create for people to use '''end'''. And then you create another unit (emphasising this is not like braindead standard pascal ;-) '''unit''' anothersafemodule; '''interface''' ''// this is available to them'' '''procedure''' foobar; '''implementation''' '''procedure''' foobar; '''begin''' '''end'''; // this is NOT available to them as it is private '''procedure''' unsafe; '''begin''' '''end'''; '''end'''.