In 1966 Tymshare started offering time sharing services on the SDS 940. That computer was a careful copy by SDS (Scientific Data Systems) of the SDS 930 as modified by Mel Pirtle at Project Genie at Berkeley to add virtual memory. We started from the operating system built there by Butler Lampson, L. Peter Deutsch, Wayne Lichtenberger and several colleagues. Ann Hardy made extensive necessary modifications to the software, such as swapping to drum instead of to magnetic tape, but the architecture of the Berkeley system was maintained throughout the lifetime of the SDS 940 at Tymshare.
Butler Lampson wrote about the modifications that Berkeley had made to the SDS 930. The 940 had 64K 24-bit words and supported at most about 20 users via Teletype connections. We needed bigger machines and SDS (to whom we owed a great deal of money) urged us to use their Sigma 7. That machine had virtual memory, but SDS had not understood the special charms of the Berkeley timesharing software and provided software that patched timesharing on top of a traditional batch processing system. The combination seemed unsuitable to our business primarily because the Sigma 7 software/OS was significantly less secure than the 940 system.
In 1970 three of us, Bill Weiher, Dale Jordan and myself (Norm Hardy), began to meet regularly, Thursday afternoons, to discuss what a suitable software architecture would be. We were each aware of the history of the earlier capability systems. We had talked with Tymshare customers who saw networked computers, such as ours, as a platform for schemes, some of which are now blooming with the Internet. Some of these schemes required interactions between mutually suspicious software agents—representing different enterprises—at a frequency that was too great to put those agents on separate machines. Current timesharing software (ours and others') was good at separating users, but not at allowing controlled interactions. It seemed that capabilities solved each of the specific security problems that we had seen.
We also had many plans for cleverer operating system functionality such as native interfaces to networks (Tymnet was emerging) and copy on write functions. Extant OS architectures required that such function be integrated with the privileged code, but that privileged code was already top heavy. Multics had proven many other grand schemes that seemed critical to a good system.
We conceived that elements of the hardware, such as pages, units of processor time and I/O devices, could be named by capabilities and the details of their allocation removed from the privileged code. Dale Jordan wrote a paper that describes a fairly detailed architecture. It departs in many details from current Keykos but does convey the perspective that I present here.
I recall now (2017) that we were then committed to capabilities but not yet convinced that they were a universal solvent that “solved all interaction problems”. This was not evident to us. We sought solutions to forms of interaction not evidently available via caps. Alas it is still not evident. We, however, never came across such a problem capabilities could not solve. We gradually came to realize that if there were non-capability-like relationships, we would lose some styles of security arguments that pure capabilities allowed.
About that time the 940 had become profitable and we were free to pursue the Digital Equipment PDP-10 system that had a powerful classic timesharing system from the MIT school of design. It lacked many features of the 940 but did alleviate the severe size and speed constraints of the 940. It had a whole 256K of 36-bit words! Some of those machines are running still today (~2000) after a few technology translations. The kernel of that system was not limited by addressing constraints and we plugged in some of our favorite features despite the size of the privileged code.
I went off and spent more time on Tymnet, Bill Weiher went back to enhancing the PDP-10 kernel, with which he was already familiar, and Dale Jordan began to develop Magnum, a data base system for the PDP-10. The capability plans were put on hold.
In 1974(?) IBM announced 370’s with virtual memory. Those machines seemed to meet our technical requirements and also matched a perceived marketing advantage of providing IBM compatible service. IBM’s VM/370 operating system seemed to be a good place to start. IBM provided source to VM/370 and we were thus able to adapt the machine to Tymnet and make various other enhancements and bug fixes. We managed to get some of the bug fixes back to IBM but IBM was unaccustomed to that channel. Tymshare began to deploy 370-158’s, running VM/370.
VM/370 provided a deluxe platform for developers of privileged code, especially when an interesting machine still cost about a million dollars. It seemed strategic to revive the capability option.
Sometime in 1975 Bill Frantz and Charlie Landau joined me and we began to work full time on Keykos, with time out for various emergencies. It was still called “Gnosis” then.
About that time Tymshare acquired the NLS group from Stanford Research Institute. That is the much fabled Engelbart hypertext system. That system was quickly adapted to Tymnet. Doug Engelbart came with the deal. Our design group seemed to be typical of the sort of collaboration that Augment (new name for NLS) was designed for. We got access to Augment and quickly converted our design documentation to Augment. (It had been in a markup language from IBM called Script.) We were never sorry. The petrified form of the Augment work product is the definition of Keykos, but here is a dense technical description.
In 1984 McDonnell Douglas bought Tymshare. After about a year they decided that Keykos was not in their strategic direction. Key Logic was spun off and the software was purchased with financial support of investors.