Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!ukc!dcl-cs!aber-cs!odin!pcg
From: pcg@odin.cs.aber.ac.uk (Piercarlo Grandi)
Newsgroups: comp.arch
Subject: Re: Capabilities and Object Oriented Programming
Message-ID:
Date: 9 Apr 90 12:09:43 GMT
References: <:> <45425@ames.arc.nasa.gov> <1990Mar24.173903.6532@sics.se> <211J02bX98zF01@amdahl.uts.amdahl.com> <1990Apr5.125058.2928@sics.se>
Sender: pcg@aber-cs.UUCP
Organization: Coleg Prifysgol Cymru
Lines: 17
In-reply-to: terry@uts.amdahl.com's message of 5 Apr 90 18:00:57 GMT

In article terry@uts.amdahl.com (Lewis T. Flynn) writes:

> This is called the "principle of least privilege" in security circles.
> We followed it religiously when designing KeyKOS objects and it proved
> to be really useful for several reasons. [ ... ] Super user is a
> meaningless concept in such a system.

Just as a funny note, there was an IBM capability machine that was so
religious on this issue that it did not require user programs to trust
the operating system; you could create an object that the operating
system could not access nor did know about. If you lost your capability
to this object, space used by it could only be reclaimed by a CE loading
special microcode... :-).
--
Piercarlo "Peter" Grandi           | ARPA: pcg%cs.aber.ac.uk@nsfnet-relay.ac.uk
Dept of CS, UCW Aberystwyth        | UUCP: ...!mcvax!ukc!aber-cs!pcg
Penglais, Aberystwyth SY23 3BZ, UK | INET: pcg@cs.aber.ac.uk
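The property both posters describe (authority comes only from holding a capability, so there is no superuser, and an object whose last capability is dropped becomes unreachable to everyone) can be modelled in a few lines. The Python below is an added illustration written for this page; it is not code from the thread, from KeyKOS, or from the IBM machine mentioned. The `CapStore`, `Domain` and the 16-byte random token are constructed for the example, and `count_orphans` stands in for the out-of-band "CE loading special microcode" recovery path, which by design sits outside the capability model.

```python
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    """Unforgeable reference to one object: a random token only CapStore issues."""
    token: bytes


class CapStore:
    """Storage reachable only through capabilities (constructed for this example)."""

    def __init__(self) -> None:
        self._objects: dict[bytes, bytes] = {}

    def create(self, payload: bytes) -> Capability:
        cap = Capability(secrets.token_bytes(16))
        self._objects[cap.token] = payload
        return cap

    def read(self, cap: Capability) -> bytes:
        # A guessed or forged token finds nothing: there is no name space to browse.
        if cap.token not in self._objects:
            raise PermissionError("no object behind this capability")
        return self._objects[cap.token]

    def count_orphans(self, domains: list["Domain"]) -> int:
        """Audit run outside the capability model (the post's 'CE loading
        special microcode'): objects that no domain's C-list can reach."""
        held = {c.token for d in domains for c in d.clist}
        return sum(1 for token in self._objects if token not in held)


@dataclass
class Domain:
    """A protection domain: a name plus the capabilities (C-list) it holds.
    The 'os' domain below is deliberately given no special powers."""
    name: str
    clist: set = field(default_factory=set)

    def grant(self, cap: Capability, to: "Domain") -> None:
        # Delegation is the only way authority moves; you cannot give what you lack.
        if cap not in self.clist:
            raise PermissionError(f"{self.name} cannot delegate what it does not hold")
        to.clist.add(cap)

    def drop(self, cap: Capability) -> None:
        self.clist.discard(cap)

    def read(self, store: CapStore, cap: Capability) -> bytes:
        if cap not in self.clist:
            raise PermissionError(f"{self.name} holds no capability for this object")
        return store.read(cap)


def demo() -> dict:
    """Walk through the scenario from the post and return what was observed."""
    store = CapStore()
    kernel = Domain("os")        # no ambient authority: just another domain
    user = Domain("user")
    cap = store.create(b"secret")
    user.clist.add(cap)          # creator's domain receives the only capability

    result = {}
    try:                         # the OS cannot reach an object it was never given
        kernel.read(store, cap)
        result["os_reads_without_cap"] = True
    except PermissionError:
        result["os_reads_without_cap"] = False

    try:                         # nor can anyone fabricate a capability
        store.read(Capability(bytes(16)))
        result["forged_cap_works"] = True
    except PermissionError:
        result["forged_cap_works"] = False

    user.grant(cap, kernel)      # explicit delegation is the only way in
    result["os_reads_after_grant"] = kernel.read(store, cap)
    result["orphans_before_drop"] = store.count_orphans([kernel, user])

    kernel.drop(cap)
    user.drop(cap)               # last holder gone: the object is now unreachable
    result["orphans_after_drop"] = store.count_orphans([kernel, user])
    return result


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that "superuser" never appears as a concept: the `os` domain gets at the object only after `user` delegates, and once both holders drop the capability nothing inside the system can name the object again. Only `count_orphans`, which peeks directly into storage rather than going through a C-list, can even tell it is there, which is exactly why reclaiming such space needed a path below the normal protection model.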