Reinventing the Privilege Drop: How Principled Preservation of Programmer Intent Would Prevent Security Bugs