The orange book gave no credit for virus resistance although some techniques, like capabilities, for meeting its requirements might be instrumental in thwarting such malware. The Mach kernel, and especially the software designed for it, uses one protection domain per software function. Different clients of that function are mutually vulnerable to each other. By contrast Keykos uses a protection domain per client per function.

Another comparison is with the shared library common in Unix, Windows and Mac OS. In such systems the protection domain is per user but not per function. The application code runs in the same domain and same address space as complex and obscure library code. Aside from vulnerabilities to bugs in library code, there is a great expense in debugging misunderstandings in the coding of call sites to such code. With Keykos abstraction between application code and the middleware is strong which helps find such bugs.

In Mach if I discover a flaw in the file system I can exploit it to modify your files. Not so in Keykos.