Next: Bell LaPadula Model Up: Protection Previous: Unix SETUID

Java Downloaded Code

A hierarchical mechanism is also provided by Java to reduce the rights of a process when it executes downloaded code. Access control for a process that allows code to be dynamically downloaded into it needs to distinguish between local and downloaded code and give restricted rights to the downloaded code, to ensure, for instance, that it does not destroy or leak the contents of local data. Thus some methods must be protected from downloaded code. Two approaches have been used to restrict the access of downloaded Java applets. One approach relies on the fact that separate class loader objects are used to load local and remote code and that the stack frame of each method points to the object that loaded it. As a result, when a protected method is called, the browser can provide restricted access if the stack contains a method that was called (directly or indirectly) by downloaded code.

The other approach relies on the fact that the loader can determine the name space of downloaded code. It creates restrictive proxy classes for the protected classes and makes sure that downloaded code sees the proxy classes instead of the protected classes. In both approaches the division between protected and non-protected methods is hardcoded. In the stack introspection approach, the hardcoding is done by ensuring that the method checkPrivilege() is called before the protected method is executed. In the name space approach, the hardcoding is done by defining proxy classes for the protected methods.

It seems that PC or Multics rings should be able to capture this form of hierarchical access. Let us try to capture it using PC rings. Local code can be considered to reside at a level that is more privileged than downloaded code. The gate descriptors for protected methods do not allow access from the non-privileged level, while those for non-protected methods do allow access from that level. When a process executes downloaded code, its ring number is reduced to the non-privileged level. (No ring number is actually kept with a process; instead the stack or name space is used to record the privilege level.)

However, this simulation does not really work. The reason is that in a ring-based system, access to an object is determined by the properties of the method directly accessing the object, not by the properties of the methods that called this method. For instance, in Java a method that reads a file can be called by a method that mails the file only if the latter was not directly or indirectly called by downloaded code. In PC or Multics, the privilege levels of the history of calls are not kept by the system: the current ring number of a process reflects the privilege level of the current method only. (The only exception is changing the effective ring number of an address to the maximum of the caller's ring number and the address's ring number.)
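To make the contrast concrete, here is an added simulation (not code from the notes) of the two checks on the file-read/mail scenario above. It tags each method with the loader that "loaded" it and walks the real Python call stack with `inspect`, standing in for the per-frame class-loader pointer; the method names `read_file`, `mail_file` and `applet` are assumed for the example.

```python
import inspect

LOCAL, DOWNLOADED = "local", "downloaded"
# code object -> loader that brought the method in (stands in for the loader pointer of a stack frame)
_loader_of = {}


def loaded_by(loader):
    """Decorator: record which loader (local or downloaded) loaded this method."""
    def tag(fn):
        _loader_of[fn.__code__] = loader
        return fn
    return tag


def check_privilege(policy):
    """Called by a protected method. 'stack' = Java stack introspection; 'ring' = PC/Multics gate."""
    # inspect.stack()[0] is this function, [1] the protected method, [2:] its callers outward.
    # Frames without a tag (the harness) are treated as local code.
    callers = [_loader_of.get(f.frame.f_code, LOCAL) for f in inspect.stack(0)[2:]]
    if policy == "stack":
        # Stack introspection: any downloaded frame anywhere in the call history denies access.
        denied = DOWNLOADED in callers
    else:
        # Ring gate: only the privilege of the method directly calling the protected one matters.
        denied = callers[0] == DOWNLOADED
    if denied:
        raise PermissionError(f"{policy}: protected method reached from downloaded code")


@loaded_by(LOCAL)
def read_file(policy):          # protected method: hardcoded check before the real work
    check_privilege(policy)
    return "secret contents"


@loaded_by(LOCAL)
def mail_file(policy):          # non-protected local method that uses the protected one
    return "mailed: " + read_file(policy)


@loaded_by(DOWNLOADED)
def applet(policy):             # downloaded code calling the non-protected local method
    return mail_file(policy)


def run(policy, entry):
    """Return the result of the call chain, or 'denied' if the check refuses it."""
    try:
        return entry(policy)
    except PermissionError:
        return "denied"
```

Under the ring policy the applet's indirect read through `mail_file` is granted, because `mail_file` is the method directly accessing the file; under stack introspection the downloaded frame below it denies the access.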






Prasun Dewan
Tue Apr 20 15:42:22 EDT 2004