Keykos as City

People live in cities despite being more expensive. It isn’t merely Grosch’s ex-law that drives people to cities. Likewise many programs need to live in cities for the quick access it gives them to other programs. If we consider enterprises instead of individuals the analogy is even stronger. Still there remains considerable privacy within a city. One need not forgo secrets, nor private property to live in a city.

It seems that every administrator of an important application thinks that he must have root privilege. Too often he is right. It is often suggested that computer security can be achieved by separating applications from each other in different machines to protect them from each other. It seems, however, that much current system design is devoted to eliminating the ramifications of being on distinct computers. These efforts usually eliminate concomitant protections as well.

These are problems that stem from the coarse grained security design of Unix. They need not plague capability designs.


The Motorola 88K did a minimal gate jump in about machine 500 cycles. Perhaps a typical jump was about 1000. This was a signal across trust boundaries. I hesitate to estimate how many cycles such a signal requires when Internet Protocol is required. I suspect a few orders of magnitude more. Latency is a similar issue that even cheap cycles do not solve. Keykos jump latency in a modern system would be rather less than one µs.