Norman Hardy — KeyKOS and the Persistent Capability Operating System
<!-- hierarchy:nav -->
Path: OIP › Thinker Reference › Thinkers › Norman Hardy — KeyKOS and the Persistent Capability Operating System
Shelf: Thinkers · Traversal: self-explaining · hierarchical · voxel-ready
Machine root: OIP tree · Registry
Norman Hardy — KeyKOS and the Persistent Capability Operating System
§SELF — thinker-norman-hardy
What this page is: A profile of the computer scientist who built the first commercially deployed capability-based operating system. What it explains: Norman Hardy's KeyKOS system and its core innovations in persistent object-capability architecture. Why read it: To understand how capability-based security works in practice and why it matters for modern system design.
What Norman Hardy Did
Norman Hardy (born 1933) is a computer scientist who led the development of KeyKOS at Key Logic in the 1980s. KeyKOS was the first capability-based operating system deployed commercially.
A capability (in operating systems) is an unforgeable reference that carries authority. It is a token proving that the holder has permission to access a specific object (a file, a process, a device, or any system resource). Capabilities are first-class objects: they can be passed between processes, stored in files, and sent across networks.
Why It Matters
Before KeyKOS, operating systems used access control lists (ACLs) — lists attached to resources specifying which users could access them. ACLs have a problem: they grant authority based on identity, not on need. A process running with root or administrator privileges can access everything, even when it only needs one file. This is the confused deputy problem: a program (the deputy) acts on behalf of a user and uses its own authority instead of authority delegated for a specific task. KeyKOS solved this by making capabilities the only access mechanism.
The Key Idea
KeyKOS is a persistent object-capability operating system. Every object in the system is accessed through a capability. There are four defining properties:
- Every object is persistent. The system's state is checkpointed to disk at regular intervals. You can turn off the machine and turn it back on, and everything resumes exactly where it was. Processes, files, and open connections are preserved.
- Capabilities are the only access mechanism. There are no passwords, no access control lists, and no root account. If you do not hold a capability for an object, you cannot access it. The capability itself is the proof of permission.
- The confused deputy problem is impossible. Authority is in the capability, not in the process. A process can only use the capabilities it holds. It cannot escalate its own authority.
- Factory pattern. Objects are created by factory objects — pre-configured templates that produce new objects with a specific set of capabilities. A factory object creates a new object and hands back a capability to it. The creator controls what the new object can do by deciding which capabilities the factory includes.
What He Got Right
- Proved that a capability-based operating system can be practical and commercially viable.
- Demonstrated that persistence at the OS level is achievable: checkpointing the entire system state to disk eliminates the distinction between memory and storage.
- Showed that removing the root account and ACLs does not make administration harder — it makes security violations harder.
- Invented the factory pattern for capability creation, which is still used in capability-secure systems today.
What He Got Wrong or Left Unfinished
- KeyKOS required specialized hardware (the IBM System/38), limiting adoption.
- Network-transparent capabilities were not fully solved: passing capabilities across machines requires cryptographic proof of unforgeability, which KeyKOS did not implement.
- The checkpointing system caused performance overhead that was acceptable in the 1980s but would not scale to modern workloads without optimization.
- No formal verification: KeyKOS was not mathematically proven correct, though it was extensively tested.
How It Connects to Other Ideas
EROS and CapROS. EROS (Extremely Reliable Operating System), developed by Jonathan Shapiro in the 1990s, was a direct successor to KeyKOS. EROS added formal verification — mathematical proofs that the system's security properties hold. CapROS continued this lineage.
Capability-based security in modern systems. The seL4 microkernel, Fuchsia's Zircon kernel, and the Object Invocation Protocol (OIP) all use capability-based access control derived from the KeyKOS model.
Factory pattern in OIP. OIP's directory rows function as object factories: each row describes an object and the capabilities needed to invoke it. The OIP capability token follows the KeyKOS model directly — it is unforgeable, scoped to specific objects, and delegable.
Persistence model. OIP's append-only ledger serves the same function as KeyKOS checkpoints: it is a persistent, tamper-evident record of system state.
Sources
- Hardy, Norman, et al. "KeyKOS: A Commercially Successful, Capability-Based, Persistent Operating System." Proceedings of the 12th ACM Symposium on Operating Systems Principles, 1989.
- Shapiro, Jonathan S., et al. "EROS: A Fast Capability System." Proceedings of the 17th ACM Symposium on Operating Systems Principles, 1999.
---
Up the tree
- OIP root — protocol root, zero-context entry
- Thinker Reference hub — full hierarchy map
- Thinkers shelf — siblings on this shelf
- Voxel graph article — how pages link as voxels
- Self-describing protocol
Related on this shelf
- Alan Kay — The Big Idea Is Messaging
- Alfred North Whitehead — Process and Reality
- J.L. Austin and John Searle — Speech Acts
- Barbara Liskov — Abstract Data Types and Distributed Consensus
- Bram Cohen — BitTorrent and Content-Addressed Protocol Design
- Butler Lampson — Protection and Access Control
- Carl Hewitt — The Actor Model
- Charles Sanders Peirce — Signs, Abduction, and Pragmatism
Machine surfaces
- Public page:
https://miscsubjects.com/a/thinker-norman-hardy - JSON article:
https://miscsubjects.com/api/articles/thinker-norman-hardy - OIP ask:
https://miscsubjects.com/api/dispatch?ask=Norman%20Hardy%20%E2%80%94%20KeyKOS%20and%20the%20Persistent%20Capability%20Operating%20System
Ask this article · 2 suggested prompts
Text the build (+14245134626) or WhatsApp — slug|question creates a question node. Paste evidence with ingest slug|q:NODE_ID|your paste.