[cap-talk] On the Spread of the Capability Approach

Bill Tulloh btulloh at gmail.com
Wed Aug 2 02:14:18 EDT 2006

Ever since reading a draft of the "Capability Myths Demolished" paper,
I became interested in how these ideas have evolved and have been
gathering information from time to time on the various systems and
people involved. My interest is more from the sociology of the spread
of ideas and technologies than just the evolution of system
architecture, but given the questions that Jed has been raising lately
on this list it seems like a good time to share some of what I've

My intent has been to try to pull this information together and write
it up for the erights website or something when time allowed, but
since I haven't found that time yet I'll give an outline here. I want
to be clear that this is preliminary and therefore incomplete and
likely to contain inaccuracies. I should also note that I have no
personal knowledge of these people and systems unlike some on the
list. I mostly have gathered this information from various published
sources I have found on the web or printed on dead trees.

Early capability systems and the year the project started (as best I can tell).

1966: Dennis & Van Horn paper - MIT
1967: PDP-1 Supervisor - MIT
1967: Magic Number Machine - University of Chicago
1968: CAL-TSS - Berkeley
1969: System 250 - Plessey Corporation
1970: CAP - Cambridge University
1971: Project SUE - University of Toronto
1971: Hydra - Carnegie Mellon
1972: RATS - Lawrence Livermore
1973: Actors - MIT
1973: PSOS - SRI
1975: StarOS - Carnegie Mellon
1975: GNOSIS/KeyKOS - Tymshare
1976: Monads - Monash University
1978: System/38 - IBM
1978: NLTSS - Lawrence Livermore
1980: SWARD - IBM
1980: PDP 11 operating system - University of Texas
1981: Amoeba - Free University Amsterdam
1982: iAPX 432 - Intel
1982: Password-Capability System - Monash University

If we date the origins of capabilities from the Dennis and Van Horn
work, ignoring related earlier work by Burroughs and Iliffe, then it
raises the interesting question that Jed has been asking, namely how
does this relate to the Multics design that was occurring at the same
place and roughly the same time. The mystery being why Multics emerged
as an ACL system and not a capability system. Unfortunately, I don't
have much to contribute to this question.

The first direct follow-on work to the DVH paper seems to be the PDP-1
Supervisor talked about in the Ackerman and Plummer paper, and the
design for the Chicago Magic Number machine at the University of
Chicago. There is not much published information on the Chicago system
that I know of except in the Levy book. Robert Fabry is the key
person. He had been at MIT where he may have had direct exposure to
these ideas, although the capability work was done at University of
Chicago while he was getting his PhD under Victor Yngve a
computational linguist and early machine translation proponent, who
had also been at MIT until 1965. This system was never built and the
only descriptions are in some working papers from the Institute for
Computer Research at the University of Chicago, which are often cited
but which I haven't found. The system did get written up by Maurice
Wilkes in his book on Time-Sharing Computer Systems published in 1968.

In fact if there was a "Mr. Capability" in these early days it would
seem to be Fabry. Wilkes met Yngve at a conference in 1967 which got
him interested in capabilities. He then went to visit with Fabry at
Chicago several times. Wilkes became enthusiastic and convinced
Plessey Corporation, where he was a consultant, to implement the Fabry
design in their new system. He also convinced Roger Needham to make
capabilities the new focus of their research at Cambridge leading to
the CAP project.

After getting his PhD, Fabry became a professor at Berkeley where he
became part of the active capability research that was occurring
there. It does not appear that he was directly involved in the CAL-TSS
system started by Lampson and continued by Sturgis but he had a lot of
indirect influence not least of which by serving as Dave Redell's
thesis supervisor, the thesis which presented the caretaker pattern
for revocation.

Another early system that Fabry influenced was the PSOS system
developed by Peter Neumann at SRI -- Fabry is thanked by Neumann for
his consultation on the early design of the system. Peter Neumann had
previously been involved in the Multics design at MIT.

I'm not sure how Lampson became interested in capabilities but he was
also an early adopter. He started the CAL-TSS project and was one of
the key designers. His involvement didn't last too long however
because he left to form the Berkeley Computer Corporation, later to
join Xerox PARC when BCC failed. I'm not sure if BCC's system was
capability-based or not. Howard Sturgis was the other key designer of
CAL TSS and wrote his dissertation on the experience. Others invovled
included Jim Gray, Dave Redell, Bruce Lindsay, Paul McJones, Vance
Vaughn, and Charles Simonyi. Paul McJones has an archive of most of
the CAL-TSS documentation and source code online.

Project SUE was a capability-based operating system project at the
University of Toronto, which involved James Horning and Dennis
Tsichritzis among others. I don't know too much about this project but
it seems to have kicked off in 1971.

The Hydra project at Carnegie Mellon was a very influential project
that started around the same time under the leadership of William
Wulf. Others involved included Anita Jones, Ellis Cohen, Roy Levin,
Bill Corwin and Fred Pollack. One could argue that this was the first
true object capability system. Their work influenced a number of
subsequent projects including KeyKOS, StarOS, IBM System/38, and the
Intel 432, not to mention the whole take-grant approach to modeling

Charlie and Jed can do a better job of explaining the RATS, DCCS, and
NLTSS work done at Lawrence Livermore than I can.

The Actors work of Hewitt is a bit of an outlier in that it is a
programming language and not an operating system, but it was
influenced by the capabilities work and recognized the granovetter
property. I'm not sure the direct source of influence but Henry Baker
was apparently part of Dennis' Computational Structure Group at MIT.

My apologies to the Australian's on the list because I haven't sorted
through the rich capabilities tradition that emerged from there. J.
Leslie Keedy's work on the Monads project begun in 1976 seems to have
been a major source. This continued in numerous projects in Australia
and elsewhere such as the Password-Capability system of Anderson, Pose
and Wallace, the Mungi system, Opal, and SpeedOS.

The Amoeba Distributed Operating System was another (albeit different)
password capability system that seems to have gotten started around
1981. Andrew Tannenbaum is the main player.

IBM may also have been an early adopter of capability design with
their FS (Future System) design that was supposed to replace the 360
system. This project began in 1971 and was cancelled in 1975 because
it was seen as too complex and the 360 had already become a standard
that could not be easily abandoned. Emerson Pugh in his book, Building
IBM, refers to the FS design as an object-oriented system and notes
that the System 38 incorporated many of its advanced features. The
Sward project occurred later and built on the System 38 design.

There are some other systems that came later than 1982 such as
Rashid's Mach kernel that are capability based but this seems like a
good place to stop.

If I were to give a high-level overview of the history of capabilities
it would go something like this:

1966: capability design first articulated, at roughly the same time
the ACL paradigm emerged in Multics. Numerous capability-based system
design projects were started; much progress made in working out the

1976: represents something of a high water mark for capabilities:
where capabilities were, if not necessarily the dominant design, at
least a widely proposed one. See for example the articles by Peter
Denning on "Fault Tolerant Computing" and by Theodore Linden on
"Operating System Structures to Support Security and Reliable
Software" that appeared in the same issue of Computing Surveys that

1986: represents something of a low water mark for capabilities. By
this time much of the work on capability had stopped or as in the case
of KeyKOS was struggling for survival. One can look at the articles
published in Operating Systems Review as one example where as late as
the October  1985 issue there were several articles on capabilities,
including one on KeyKOS. However after that issue, one is hard-pressed
to find such articles.

1996: one starts to see a renewed interest in capability ideas. In
addition to the work evolving from KeyKOS (EROS and E). There is
Jonathan Ree's thesis on W7, the work at Cornel on J-Kernel, and work
on capabilities at the University of Oveida in Spain. All of which
started to appear in the second half of the 1990s.

2006 -  perhaps this is the decade when real progress is finally made :-)

If I had to account for the decline in fortunes from 1976 to 1986, I
would attribute to it to three things: the success of Unix, the view
that capabilities couldn't solve the military requirements for
multi-level security, and the rise of the PC. The first two are both
direct legacies of the Multics path. Unix, of course, was a direct
descendant of Multics. What may be less well known is that it was
Robert Fabry who was responsible for bringing it to Berkeley leading
to BSD Unix. This marked an end of the capability research at
Berkeley. One suspects the adoption had more to do with the unique
open source licensing and flexibility that Unix offered rather than
Unix's security properties.

Multics also had a major influence on the DOD approach to security.
Roger Schell, an air force Major at the time, got his Ph.D. at MIT
working on the Multics project. He was influential in defining the
resource monitor/security kernel view of security that appeared in the
Ware report. His group at the Air Force was later instrumental in
implementing those ideas, all with a heavy Multics flavor. He led the
tiger team that successfully attacked Multics, directed the Bell and
La Padula work at Mitre, and supported the efforts to build a secure
kernel for Multics. Besides Schell there is Boebert who was head of
the Multics project at Honeywell. All of this fed into a Multics
influenced view of trusted systems enshrined in the Orange Book. This
thread remained sceptical/hostile to the capabilities approach.

Probably the most important factor however was the rise of the
personal computer around this time. PC's, like the early batch
processing systems, were too resource constrained and disconnected to
pose much of a security issue. Their rapid adoption also put the nail
in the coffin of the time-sharing industry, depriving us of KeyKOS. It
wasn't until the issues that KeyKOS was designed to solve started
reemerging in wake of the web explosion that people started becoming
interested in capability approaches again.

Well that is more than enough for now. Perhaps it would be worthwhile
to create a wiki or blog where I can post more of this information and
others can contribute.


More information about the cap-talk mailing list