KeyKOS Architecture


This publication provides a description of KeyKOS, a microkernel-based system, at a level sufficient to understand its basic architectural aspects. Thus, a designer of program systems could use the information here to guide alternative design efforts, but a programmer will find insufficient detail to produce code for the system.

Because of the formal aspects of the KeyKOS architecture, it is possible to reason about many characteristics of systems implemented within it in useful ways. The information presented in this publication is sufficient to allow one to begin such reasoning about KeyKOS and programming systems built using its principles.

Other Key Logic publications of a theoretical nature include KeyKOS Security: Formal Security Model , A KeyKOS Solution to the Confinement Problem , and Security in KeyKOS. They are available from Key Logic upon request.

This publication is presented primarily for those who are interested in reasoning about complex computer programming systems, and for those interested in the structures of such systems. It assumes that readers have a basic knowledge of computer architectures, and some awareness of both objects and capabilities.

Largely because of an attempt at conciseness, but also because of the compactness of KeyKOS and the mutual reliance of the abstractions from which it is developed, certain words and phrases appear, of necessity, earlier in this publication than the principle discussions explaining them. The information in this publication is ordered with the intent that a reader will need to assume as little as possible about as-yet-unexplained topics. Words or terms important to the architecture are printed in this format.

KeyKOS is currently implemented on the Motorola 88000, where it supports UNIX, and the IBM System/370 [2], where it supports UNIX, VM/CMS, and a high performance transaction processor. A description of the C language interface to the KeyKOS functions is provided in Key Logic’s publication KeyKOS C Programmer’s Reference (KL113).

A description of the IBM System/370 implementation of KeyKOS at a level sufficient to implement assembly-level programs is provided in Key Logic’s publication KeyKOS/370 Principles of Operation (KL002). Other Key Logic publications about KeyKOS and its facilities are available at various introductory and programming levels.

If you would like further information about Key Logic or its products, please contact us at (415) 941-8224.


This publication introduces the architecture of KeyKOS, a capability-based system written in software for implementation on a wide variety of hardware platforms. KeyKOS consists of a microkernel, which executes in privileged-mode, plus additional facilities necessary to support operating systems and applications. The KeyKOS functionality combined with the hardware can be thought of as a “machine” to which one can port operating systems or on which one can write applications. The operating systems which have been ported to KeyKOS include UNIX and, on the System/370, VM/CMS.

This paper attempts to tell enough so that certain arguments and conclusions about the KeyKOS properties can be formed. The description of the microkernel functions is essentially complete. Only the more important additional facilities are described.

KeyKOS was originally designed to solve the security, data sharing, pricing, reliability, and extensibility requirements of a commercial computer service in a network environment. By using the microkernel approach to preserve operating system compatibility, KeyKOS functions equally well on a range of hardware, from workstations to mainframes. Because it was developed in a commercial environment its performance consistently meets or exceeds that of the “native” operating systems while remaining semantically identical.

KeyKOS for the System/370 began supporting production applications on an IBM 4341 in January 1983. It has run on Amdahl 470V/8, IBM 3090/200 (in uni-processor System/370 mode), IBM 158, and NAS 8023 processors. KeyKOS also executes on the Omron LUNA/88K.

KeyKOS is in the tradition of message-based systems. Messages are the primary interaction between components of the system.

For brevity we use “key ” where most literature uses “capability”.

KeyKOS supports object-style programming. Indeed, nearly all of the code written so far for KeyKOS serves to define some particular type of object. Objects call upon the services of other objects by sending key-addressed messages to request a service, and accepting a key-addressed message in return. This is within the paradigm of “remote procedure calls,” and is also similar to the Smalltalk mechanism.

In object-style programming, objects are implemented by some combination of “ordinary programming” and use of more primitive objects. In KeyKOS the microkernel terminates this recursion by implementing several types of primitive objects. The code that defines such objects is in the microkernel.

A fundamental concept in KeyKOS is that a program “module” should obey the “principle of least privilege” [1]. To that end, the design of KeyKOS gives objects no intrinsic authority, and relies totally upon their keys to convey what authority they have. Using these facilities, the system is conveniently divided into small modules each structured to observe the principle of least privilege.