I think that IBM planned that a customer would have one trusted employee who understood the legitimate requirements within the customer’s organization for access to the data of the various application programs that ran in the customer’s data center. That employee would also be expert in the various tools provided by the operating system to grant and limit this access. That employee was also responsible for the gross allocation of hardware resources. Assuming this, it is easy to see why such OSes, like MVS, were unsuitable for timesharing. A critical element of Keykos was to decentralize these tasks: if two app owners thought it appropriate to communicate, they did not need to inform a third person. If FS had anything new to contribute to this, it has not escaped into the wild as far as I know.
System 38, aka AS/400, aka Series i, aka IBM i, is known to customers as a black box which runs a fairly small set of applications written by a very small set of developers. Such systems have a reputation of being rock solid and of not requiring system wizards to attend to the machine, except on those rare occasions where they are indeed required. In such cases IBM supplies such wizards on demand. I have no idea what sorts of magic they wield. I have no idea what has become of the 16 byte pointers mentioned in passing in the memo—were they, or are they, protected, and if so by hardware or by safe intermediate languages?
I believe that IBM has never sold these systems on any basis of solving novel security problems, but only in support of reliability and availability.
Lynn Wheeler’s Nexus
A management theory view of IBM & FS
(Same author & subject: GRANDEUR ET DÉCLIN D'IBM)
(Thanks to “École de Paris du management” and the Web Archive)
Sowa’s recent notes