Earlier version
Links to geeky digressions are green.

“Middleware” has not achieved a single meaning yet. I use it here to refer to code that provides functions needed by many applications but not a necessarily part of a security kernel. Middleware is between application code and the OS, or at least the kernel. (Some definitions of the OS would include midddleware. I adhere to the terminology that nothing in the application’s address space is part of the OS.) Tymshare’s 940 OS

Mach provides a protection domain for each of the several main OS functionalities and also for some functions conventionally provided by shared libraries. Mach, as generally used, provides one protection domain for the file system. If I discover an exploitable flaw in that code I can use it to destroy your files. This is bad if I am a virus.

By contrast Keykos uses a protection domain per client per function. If I discover a flaw I can corrupt only my own files. I cannot corrupt your files (as in Mach) and I may not corrupt even my own access to network (as with shared libraries). If I am a virus I can corrupt only those few files, if any, to which the narrow task at hand requires access. In Keykos very little code in the entire system needs or has access to all of a single user’s files. Even less has access to all files.

Crossing protection domains is expensive. Keykos encourages a design where user interface code runs in another address space than either the application code or the kernel. Keykos has paid extra attention, however, to minimizing this cost while maintaining the separation of authorities necessary for true security benefits.

A tradeoff between cost and security

The Keykos domain models rather well the C++ instance. Keykos refers to the object as implemented by the code that the domain obeys, as contrasted to the C++ object which is embodied by the block of storage referenced by a C++ object reference. C++ provides no language safety and thus no insulation between objects of the same type or even of different types. Java provides much protection between instances of the same type (class) and provides good protection between objects of different classes. Java and .NET provide no protection from denial of service by programs that abuse space or time resources. Keykos provides such protection.

Keykos protection domain crossings are somewhat more expensive than method invocations in C++ or Java and so there will be fewer Keykos objects in a balanced system than in the same system implemented purely in language constructs. A language such as C++ or Java iv very suitable for defining user code for Keykos.

An interesting note on shared code in the Palm OS (version 5, I suspect).