Security analysis and extensions of a capability-based type manager