Several of us have been remarking on the influence of Butler Lampson’s papers on current understanding of capability discipline. I have decided to reread some of those after a number of years. Here are my comments on Protection (too) which appeared first in 1971 in the Proceedings of the 5th Princeton Conference on Information Sciences and Systems.

The purpose of this note is to try to adapt Butler’s model to Keykos in particular, for he seems to be principally concerned with OS design. There may be more than one map from the model to Keykos. We shall see.

I find Butler’s introductory definitions convenient for my purposes until he gets to message.

Messages are sent and received by processes and each process has a unique system imposed number. The message is addressed by such a number and the number of the originator is delivered securely to the recipient. It may be significant that this definition precludes capabilities in messages, or he may be deferring that issue. His model evolves thruout the paper.

He says of a process that it has different powers that depend on which context it finds itself in. This is presumably left over from Multics terminology where process identity was considered constant during calls and returns to inner rings. This is in his lead-up to the introduction of domain which he defines for the purposes of the paper. He introduces domain as an area of uniform authority and eventually explicitly conflates domains and processes. This conflicts with his introductory comment about processes having varying authority depending on context, but I will assume that idea is out now. Domain’s can increase their authority and can abdicate authority, and a given authority can decay, but a capability platform should not assume that it can decrease a domain’s authority; it can only rescind a specific capability which is an operation on a capability, not a domain.

I understand how he overcomes the more obvious disadvantages of broadcast ability. He assumes that programs can easily ignore messages with unrecognized IDs. That means that a server must be somehow introduced to each of its legitimate clients unless we are to to say that any server must serve all. So far his processes have private property and that is all that he seems to protect. He has not yet addressed the protection of processes proper and it is not clear that they are in a practical position to protect themselves. It also seems clear at this point that his model does not allow confinement since, for A to send to B, it seems to suffice that A wishes to send to B and B wishes to receive. But we shall see. Granovetter is not in sight, yet.

This is clearly an ambient authority platform.

I have finished the paper now and I shall have to think about it a bit. I may want to modify the above. I would describe the paper now as an attempt to find a neutral model (the access matrix) with which to examine several protection mechanisms. His references to capabilities seem positive here; pointing out how they solve some problems that the raw system seemed unable to solve. He does not mention confinement here, implicitly presuming perhaps, that any two willing processes can find a connection somehow.