“Middleware” has not achieved a single meaning yet. I use it here to refer to code that provides functions needed by many applications yet is not necessarily part of a security kernel. Middleware sits between application code and the OS, or at least the kernel. (Some definitions of the OS would include middleware. I adhere to the terminology that nothing in the application’s address space is part of the OS.) Tymshare’s 940 OS
Mach provides a protection domain for each of the several main OS functionalities, and also for some functions conventionally provided by shared libraries. Mach, as generally used, provides one protection domain for the file system, serving every user. If I discover an exploitable flaw in that code I can use it to destroy your files as well as my own. This is bad if I am a virus.
By contrast, Keykos uses a protection domain per client per function. If I discover a flaw in the file code, I can corrupt only my own files. I cannot corrupt your files (as I can in Mach), and I may not corrupt even my own access to the network (as I could when file and network code live together in one address space, as with shared libraries). If I am a virus I can corrupt only those few files, if any, to which the narrow task at hand requires access. In Keykos very little code in the entire system needs or has access to all of a single user’s files. Even less has access to all files.
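The difference in blast radius can be shown with a toy. The following is an added illustration, not Keykos or Mach code: one deliberately flawed in-memory file server is run two ways, once as a single instance holding everyone’s files (the shared file-system domain described above) and once as an instance per client holding only that client’s files (a domain per client per function). The bug, the class names and the users alice, bob and mallory are all hypothetical; the point is that the same exploit reaches only what the instance it runs in already holds.

```python
"""Same buggy file-service code, two ways of scoping its authority.

Added illustration (not Keykos or Mach code). FlawedFileServer has a
deliberate bug; what changes between the two scenarios is only how much
authority the instance the attacker can reach was given at creation.
"""


class FlawedFileServer:
    """In-memory file store keyed by (owner, name).

    Intended behaviour: write() should only touch files belonging to the
    caller. Deliberate bug (hypothetical): the server trusts the
    caller-supplied 'claimed_owner' instead of deriving the owner from the
    capability the caller actually holds, so a caller can name any owner
    whose files THIS INSTANCE holds.
    """

    def __init__(self, store):
        self.store = store  # dict mapping (owner, name) -> bytes

    def write(self, claimed_owner, name, data):
        # BUG (deliberate): no check that claimed_owner is the real caller.
        self.store[(claimed_owner, name)] = data

    def read(self, owner, name):
        return self.store.get((owner, name))


def shared_server_scenario():
    """One server instance holds every user's files (one protection domain
    for the whole file system). Returns what bob's file contains after
    mallory exploits the bug."""
    store = {  # constructed sample data
        ("alice", "notes"): b"alice data",
        ("bob", "ledger"): b"bob data",
        ("mallory", "scratch"): b"mallory data",
    }
    server = FlawedFileServer(store)
    # mallory legitimately holds access to the shared server; the bug lets
    # her name bob as owner, and the server holds bob's files, so it works.
    server.write("bob", "ledger", b"destroyed")
    return server.read("bob", "ledger")


def per_client_scenario():
    """One server instance per client, each created with only that
    client's files. Returns (bob's file as bob sees it, the bogus entry
    as it landed in mallory's own instance)."""
    # Each instance is handed only its own client's store at creation;
    # no instance holds a reference to another client's files.
    bob = FlawedFileServer({("bob", "ledger"): b"bob data"})
    mallory = FlawedFileServer({("mallory", "scratch"): b"mallory data"})
    # The identical exploit, run against the only instance mallory can
    # reach. The bogus (bob, ledger) key is created inside mallory's own
    # store; bob's instance is untouched.
    mallory.write("bob", "ledger", b"destroyed")
    return bob.read("bob", "ledger"), mallory.read("bob", "ledger")


if __name__ == "__main__":
    print("shared server, bob's ledger:", shared_server_scenario())
    print("per-client servers (bob's view, mallory's store):", per_client_scenario())
```

Nothing about the bug is fixed in the second scenario; the flaw is identical and still exploitable. What limits the damage is that the instance mallory can invoke was never given authority over anyone else’s files, which is the property the text attributes to a protection domain per client per function.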
Crossing protection domains is expensive, and Keykos encourages a design that crosses them often: user interface code, for example, runs in an address space separate from both the application code and the kernel. Keykos has therefore paid extra attention to minimizing the cost of a crossing while maintaining the separation of authorities necessary for true security benefits.
A tradeoff between cost and security