Compound Abstraction
Just as subroutines can call subroutines, without confusion, Abstracted data structures can include abstracted data structures where two different abstractions are in play at once.
Somehow our abstraction metaphors lead one to think in terms of one boundary between custodial code and client code.
The Keykos kernel not only provides abstracted objects, such as nodes, but also provides the tools necessary for user mode code to create abstractions.
Here is an example of the confusion that I have seen arise:
We say that as we buy a page from the space bank the bank returns “the only key to the page”.
This is true only for an abstraction that hides bank working as well as kernel workings.
Abstraction levels are relative and are not simply ordered.
In the context of a single object, Keykos security properties protect the interests of one party with one abstraction, while protecting the interest of a different party with another abstraction.
Of these two abstractions neither is within the other.