A 1979 SRI paper lays out PSOS (Provably Secure Operating System), a hardware-capability-based OS architecture designed to make privilege escalation structurally impossible rather than merely policed at runtime.
Key Takeaways
PSOS anchors security in hardware-tagged (and therefore unforgeable) capabilities rather than software-maintained ACLs, targeting provable security guarantees at the OS level.
The SRI Hierarchical Development Methodology (HDM) was used to formally specify and verify the system design.
Architecture predates the modern object-capability (ocap) model but is considered a direct precursor to it.
A capability bundles a reference to an object with the rights held on it; in a capability system a process can act only on objects whose capabilities it was explicitly handed, whereas in an ambient-authority system any process can name any global resource and the OS decides per access whether that process's identity is permitted.
Hacker News Comment Review
Commenters note that 1979-era capability thinking treated ACLs and capabilities as interchangeable duals (two views of the same access matrix); PSOS is cited as the first paper to break from that framing toward true ocap.
Strong consensus that ambient-authority OSes (Linux, Windows) remain entrenched despite capability architectures being a better fit for networked, untrusted-code environments.
One commenter proposes rebuilding from scratch using AI agents with formal proof verification, treating PSOS as a design north star.
Notable Comments
@Veserv: frames ambient vs. capability systems as global variables vs. scoped function parameters – a sharp analogy for systems programmers.
@jdougan: argues PSOS is arguably the first paper to introduce the ocap framing, distinct from the ACL/capability duality taught in earlier OS texts.
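The distinction drawn in the takeaway on capability systems, and in @Veserv's global-variables-versus-parameters analogy, is easiest to see in code. The following is an added toy model, not code from the PSOS paper or the SRI project: the hardware tag that makes a PSOS capability unforgeable is simulated by a private kernel token, and all names (Capability, STORE, kernel_create, the two "compiler" deputies) are assumptions of the model. It runs the same attack, a caller trying to make a privileged service overwrite a file it has no rights to, against an ambient-authority deputy and a capability-passing one.

```python
"""Ambient authority vs. explicitly passed capabilities (added toy model,
not PSOS code). The PSOS hardware tag is simulated by a private token;
every name here is an assumption of this model."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    WRITE = auto()


# The global namespace: under ambient authority any code can name any object.
STORE: dict[str, str] = {}

# Stand-in for the hardware tag bit: only "kernel" code holds this token,
# so user code cannot build a Capability from a name it merely knows.
_TAG = object()


@dataclass(frozen=True)
class Capability:
    """An (object, rights) pair. Possessing it *is* the authority to use it."""
    name: str
    rights: Right
    _tag: object = field(repr=False, compare=False)

    def __post_init__(self) -> None:
        if self._tag is not _TAG:
            raise PermissionError(f"forged capability for {self.name!r}")

    def restrict(self, rights: Right) -> "Capability":
        """Attenuation: a holder may delegate a subset of its rights, never more."""
        return Capability(self.name, self.rights & rights, _TAG)


def kernel_create(name: str, data: str) -> Capability:
    """The kernel mints a full-rights capability when an object is created."""
    STORE[name] = data
    return Capability(name, Right.READ | Right.WRITE, _TAG)


def cap_read(cap: Capability) -> str:
    if Right.READ not in cap.rights:
        raise PermissionError(f"no READ right on {cap.name!r}")
    return STORE[cap.name]


def cap_write(cap: Capability, data: str) -> None:
    if Right.WRITE not in cap.rights:
        raise PermissionError(f"no WRITE right on {cap.name!r}")
    STORE[cap.name] = data


def ambient_compile(src_path: str, out_path: str) -> None:
    """Ambient-authority deputy: resolves pathnames with its *own* broad
    authority, like a privileged compiler that writes wherever it is told."""
    STORE[out_path] = "compiled:" + STORE[src_path]


def cap_compile(src: Capability, out: Capability) -> None:
    """Capability deputy: can only reach objects the caller could hand over."""
    cap_write(out, "compiled:" + cap_read(src))


def demo_ambient() -> str:
    """A caller with no rights to billing.log still gets it overwritten,
    because the deputy acts on a global name (the classic confused deputy)."""
    STORE.clear()
    STORE["prog.c"] = "int main(){}"          # constructed sample input
    STORE["billing.log"] = "charges: 42"      # owned by accounting, not the caller
    ambient_compile("prog.c", "billing.log")  # the caller just names the target
    return STORE["billing.log"]


def demo_capability() -> dict[str, object]:
    """Without a capability to billing.log the caller cannot even express the
    request; forging one or widening rights fails at the capability layer."""
    STORE.clear()
    _billing = kernel_create("billing.log", "charges: 42")  # held by accounting only
    prog = kernel_create("prog.c", "int main(){}")
    out = kernel_create("prog.o", "")
    src_ro = prog.restrict(Right.READ)        # delegate read-only to the compiler
    cap_compile(src_ro, out)                  # the legitimate use works
    try:                                      # forge a cap from a known name
        Capability("billing.log", Right.WRITE, object())
        forged = True
    except PermissionError:
        forged = False
    widened = src_ro.restrict(Right.READ | Right.WRITE).rights  # stays READ only
    try:                                      # misuse the read-only cap as output
        cap_compile(src_ro, src_ro)
        wrote_via_ro = True
    except PermissionError:
        wrote_via_ro = False
    return {"output": STORE["prog.o"], "billing": STORE["billing.log"],
            "forged": forged, "widened": widened, "wrote_via_ro": wrote_via_ro}


if __name__ == "__main__":
    print(demo_ambient())     # billing.log clobbered
    print(demo_capability())  # billing.log untouched
```

The point of the two deputies is that the capability version needs no access check of its own: the caller's inability to name billing.log is the policy, in the same way a function cannot touch a caller's local it was never passed. The real PSOS enforced the unforgeability with a hardware tag on every capability word; here the private `_TAG` token plays that role and is the one thing user code must never obtain.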