Basically it would consist of Recursive Virtual machines (virtual machines built on top of each other). Basically the nanokernel boots and starts the virtual machine monitor. The VMM boots the main userland and starts the network stack and the security system. The security system has two parts. One is the authenticator which handels authenticaion and assigns security policys. The authentication database is a transparent database. The enforcer enforces the security policys in the userland (which is a vm) and the other virtual machines. One virtual machine would be for posix compliance (either a BSD or Linux Kernel). This layer would be emulated by booting one of those kernels that is modified to mount its fs through the DBFS. Those virtual machines can talk to each other by using a shared address space.