Has anyone in this thread seen E? I get the feeling that a capability
based security model could be retrofitted onto Ruby with some (a lot
of) work. Here's one possible way I can see of doing it:

All methods that allocate / initialize new objects would not return
the object. Instead they would return a "name", some kind of unique
symbol (generated à la gen_sym in Lisp). There would then be some kind
of object that kept track of the name -> object mappings. This leaves
you with 1 object to audit and secure instead of hundreds. You then
provide some mechanism for objects to have capabilities granted to
them. You would grant capabilities to objects, NOT "name"s. The name
would have a reference to this master mapping object. The master mapping
object would not have any way to change what object was pointed to by
what name. Any method called on a "name" would turn into

    master_object["name"].check_capabilities_and_send(meth_sym, *args)

The result objects of this call would be another "name" again. You'd
never get back the actual object you were working with, so even if you
hacked "name" to add evil methods it wouldn't matter since you can't
send any message directly to the referenced object. You can't even
get a reference to it. I leave implementing this as an exercise to
the reader ;)
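
A minimal Ruby sketch of the scheme described in the post above, added here as an example and not written by the poster. The class names Registry and Name, the per-name grant list, and the rule that a result inherits its receiver's grants are assumptions made for illustration.

```ruby
require 'securerandom'

# Hypothetical names: Registry is the post's "master mapping object",
# Name is the opaque handle callers get instead of the real object.
class Registry
  def initialize
    @objects = {}   # name symbol -> real object
    @grants  = {}   # name symbol -> method symbols the object may receive
  end

  # Store obj with its granted capabilities and hand back only a Name.
  # There is deliberately no method that rebinds an existing name.
  def register(obj, *allowed)
    sym = :"obj_#{SecureRandom.hex(8)}"   # gensym-style unique name
    @objects[sym] = obj
    @grants[sym]  = allowed.freeze
    Name.new(sym, self)
  end

  # Check the capability, deliver the message, wrap the result as a new Name.
  def check_capabilities_and_send(sym, meth, *args)
    allowed = @grants.fetch(sym)
    raise SecurityError, "#{meth} not granted on #{sym}" unless allowed.include?(meth)
    result = @objects.fetch(sym).public_send(meth, *args)
    register(result, *allowed)   # assumption: result inherits receiver's grants
  end
end

# BasicObject keeps the handle nearly method-free, so almost every call
# falls through to method_missing and is routed via the Registry.
class Name < BasicObject
  def initialize(sym, registry)
    @sym = sym
    @registry = registry
  end

  def method_missing(meth, *args)
    @registry.check_capabilities_and_send(@sym, meth, *args)
  end
end

if __FILE__ == $0
  reg  = Registry.new
  name = reg.register("secret", :upcase)
  puts Name === name.upcase          # the result is another Name
  begin
    name.reverse                     # :reverse was never granted
  rescue SecurityError => e
    puts e.message
  end
end
```

In stock Ruby, reflection such as instance_variable_get, instance_eval and ObjectSpace can still reach the Registry's table, so this models the message flow of the design and is not an enforced boundary on its own.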