Update Security.md with details on capabilities

[jfbastien]

POLL: WebAssembly instances must never be able to cause effects other than by wielding explicitly granted access (e.g. the importObject in a JS embedding).

SA	A	N	F	SF
0	0	6	9	7

Action item: Mark clarify what this poll is getting at, add to design repo’s “security.md” document, etc.

[erights]

Interesting discussion at
https://groups.google.com/d/msg/e-lang/3A6zYWF6u5E/_41J3xYCAQAJ
clarified the issue.

By "effects" above we mean input, output, mutating state outside the instance, or reading mutable state outside the instance. This is closely related to the criteria that should be used to distinguish user-mode instructions from other actions, as stated at

Formal Requirements for Virtualizable Third Generation Architectures
https://www.princeton.edu/~rblee/ELE572Papers/Fall04Readings/secureOS/popek_virtualizable.pdf

We do not currently include resource use or non-determinism, even though OSes can control these aspects of user-mode computation. Note that blockchain usage of wasm
(Dfinity, ewasm, EOS, Polkadot, Parity) do restrict resource use and non-determinism, so perhaps we would revisit; but that would be a separate proposal.