Make everything into an object!
OK, what’s “everything”?
Well first look at all(!!) of the system calls.
If there is a call to read the real time, make it into an object, or a call to read a source that is used to make random numbers, make it into an object.
Remove the system call and invent a clock object access to which is via a capability.
Since performance is important here the code defining the object is in the kernel, but access to this kernel function is contingent on holding the capability to the kernel clock.
Some programs should run without the authority to read the clock.
This means that when one launches a program that needs one of these that one must remember to include access to those objects.
These two objects are sources of non-repeatability and it would be a great luxury to be able to deny the programs that you start the ability to be capricious.
There are some systems of hardware and software that can provide an environment for a program that ensures its repeatability.
Programs designed to be interactive can be put thru test and debug regimes where they become repeatable.
The privileged code of Keykos on the 370 interprets only the key invocation SVCs.
For the Motorola 88K we implemented a virtual compare and swap instruction.
For reasons that are obscure that may have been poor design.
It was quite slow for it cut across many internal kernel abstractions awkwardly.
The 370 also implemented about two privileged instructions purely for performance.
These were interpreted only if control bits in the domain root requested the privileged interpretation.
Here are some things that should be ownable in Keykos by capabilities, but are not yet.