Functional Components Privileged application Assumed to not intentionally attack the system, but may be greedy for resources Non-privileged application Desire to provide benefits of RDMAP/DDP without introducing additional security risk Not trusted, granted only a subset of the capabilities granted to a privileged application Resource Manager Controls allocation of “scarce” resources Implements policies to detect and prevent DoS attacks |