1) Summarize the Mettler paper in a few sentences.

2) If we want to design code for security review, what are the most
important advantages of using Joe-E instead of privilege separation?
Advantages of privilege separation instead of Joe-E?

3) In Figure 1, suppose the Currency class was modify to add a method
that returns a list of all purses with a matching currency.  Would this
violate capability discipline?  Why or why not?