## §SELF — miscsubjects portable reference

**Principle:** Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.

**This widget:** `article_bundle` — **LLM article bundle**
Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution.
- **article slug:** `thinker-butler-lampson`
- **contains:** body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest
- **how to use:** Reference block for Grok/GPT/Gemini. Section §SELF explains the system.
- **read:** https://miscsubjects.com/api/articles/thinker-butler-lampson/bundle?format=markdown

### Logical proof (verify each step)
1. Articles are voxel graphs of tiered claims, not prose blobs. → https://miscsubjects.com/api/articles/constitution
2. Claims link to hash-chained sources via source_ids. → https://miscsubjects.com/api/articles/thinker-butler-lampson/sources
3. Ask reads topology; ingest/claim append to ledger. → https://miscsubjects.com/api/protocol
4. Models queue growth: populate → collaborate → repair → reflex. → https://miscsubjects.com/api/protocol/grow
5. Graph proves its own shape (reflex) and $/claim (yield). → https://miscsubjects.com/graph.html?layer=reflex
6. Full feature index + _explain on every API response. → https://miscsubjects.com/api/articles/system-map

### Related features (explains other parts of the system)
- **topology** — Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER. · https://miscsubjects.com/api/articles/thinker-butler-lampson/topology
- **voxels** — Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance. · https://miscsubjects.com/api/articles/thinker-butler-lampson/voxels
- **ask** — Answer only from topology; creates question_node with gaps and ingest_hint. · https://miscsubjects.com/api/articles/thinker-butler-lampson/prompts
- **ingest** — Parse pasted evidence → source ledger + claims + evidence_ingest node.
- **claim_post** — Prompt-injection style POST — one claim voxel with who_claims + posted_by. · https://miscsubjects.com/api/articles/thinker-butler-lampson/voxels
- **llm_manifest** — Machine-readable read/write contract for external LLMs. · https://miscsubjects.com/api/articles/llm-manifest

### Full index
- JSON: https://miscsubjects.com/api/articles/system-map
- Markdown: https://miscsubjects.com/api/articles/system-map?format=markdown

*Not medical advice. Tier-honest. Cite claim/source ids.*

---

# miscsubjects article bundle

> Reference bundle for Grok, GPT, Gemini, or a human reader. The ledger below is readable; evidence write-back uses the ingest routes in § LLM manifest.

## Article
- **slug:** `thinker-butler-lampson`
- **title:** Butler Lampson — Protection and Access Control
- **url:** https://miscsubjects.com/a/thinker-butler-lampson
- **register:** standard
- **updated:** 2026-07-15T04:20:29.309Z
- **tags:** oip, kimi-import, self-explaining, voxel, thinkers, thinker-butler-lampson

## Body

<!-- hierarchy:nav -->
> **Path:** [OIP](https://miscsubjects.com/a/oip) › [Thinker Reference](https://miscsubjects.com/a/oip-thinker-reference) › [Thinkers](https://miscsubjects.com/a/oip-thinkers) › **Butler Lampson — Protection and Access Control**
>
> **Shelf:** Thinkers · **Traversal:** self-explaining · hierarchical · voxel-ready
> **Machine root:** [OIP tree](https://miscsubjects.com/api/dispatch?map=1&format=markdown) · [Registry](https://miscsubjects.com/api/dispatch?registry=1)

# Butler Lampson — Protection and Access Control

## §SELF — thinker-butler-lampson

**What this page is:** A summary of Butler Lampson's work on computer protection mechanisms and access control.
**What it explains:** How Lampson defined the conceptual framework that all modern operating systems use to control which programs can access which resources.
**Why read it:** To understand where protection domains, access control matrices, least privilege, and the confused deputy problem come from, and why every secure system still uses these ideas.

### What Butler Lampson Is

Butler Lampson (born 1943) is a computer scientist who worked at Xerox PARC and now works at Microsoft Research and MIT. In 1971 he co-authored the paper "Protection" with Howard Sturgis and the CALTSS team at Xerox PARC. This paper defined the vocabulary and structure that all later access control systems use.

### Why It Matters

Before Lampson's paper, operating systems protected resources in ad hoc ways. Each system used different mechanisms with no shared terminology. After Lampson's paper, every operating system — including Unix, Windows, macOS, Linux, and all capability-based systems — organized its protection around the same concepts: domains, access matrices, and least privilege. If you use a computer, the permissions system on that computer traces back to this paper.

### The Key Idea

A process (a running program) should operate inside a protection domain. A domain is a boundary that lists exactly which resources the process can touch and what it can do with each one. Domains can be nested inside one another. A domain can call another domain. The complete set of all domains, all resources, and all permissions forms an access control matrix: rows are subjects (processes), columns are objects (resources), and each cell contains permissions (read, write, execute, own). This matrix is a theoretical model — real systems implement parts of it, not the whole thing.

### What They Got Right

- **Protection domains.** Lampson defined a domain as a set of access rights. A process inside a domain can only do what the domain allows. This is the ancestor of every modern permission system.
- **Access control matrix.** The matrix model (subjects × objects × permissions) gave security researchers a shared language for describing who can do what. Every access control policy can be expressed as an instance of this matrix.
- **Principle of least privilege.** Lampson stated that a process should have the minimum permissions it needs to complete its task, and no more. This principle is now a requirement in every security standard.
- **The confused deputy problem.** Lampson identified a specific security failure mode: a program has authority to do something, and a caller asks it to do that thing, but the program does not check whether the caller is also authorized. The program acts as a "deputy" but gets "confused" about whose authority it is using. Mark Miller later solved this with capability-based security, where each request carries its own proof of authority.

### What They Got Wrong or Left Unfinished

- The access control matrix is a theoretical tool, not a practical implementation. A real system with millions of files and thousands of processes cannot store the full matrix. Real systems use access control lists (ACLs) or capabilities, which are compressed representations of parts of the matrix. Lampson described the ideal; he did not provide the compression algorithm.
- Lampson identified the confused deputy problem but did not solve it. The solution — capabilities that carry authority with each call — came later from other researchers.
- The paper did not address distributed systems. Lampson later wrote about distributed authentication in 1992, but the 1971 paper assumed a single machine.

### How It Connects to Other Ideas

- **OIP (Open Invocation Protocol).** OIP's risk ceilings are protection domains: a low-risk token cannot access a high-risk object. OIP's scope levels are entries in an access control matrix. The principle of least privilege is built into every OIP capability token.
- **Capability-based security.** Mark Miller's work on capabilities is the operational answer to the confused deputy problem that Lampson identified. Where Lampson named the disease, Miller provided the cure.
- **Operating systems.** Unix permissions, Windows ACLs, SELinux policies, and Android permission prompts are all partial implementations of the access control matrix Lampson described.

### Sources

- Lampson, B. W. and Sturgis, H. E. "Protection." *Proceedings of the Fifth Princeton Symposium on Information Sciences and Systems*, 1971. Republished in *Operating Systems Review*, 1974.
- Lampson, B. W. "Authentication in Distributed Systems: Theory and Practice." *ACM Transactions on Computer Systems*, 1992.

---

## Up the tree

- [OIP root](https://miscsubjects.com/a/oip) — protocol root, zero-context entry
- [Thinker Reference hub](https://miscsubjects.com/a/oip-thinker-reference) — full hierarchy map
- [Thinkers shelf](https://miscsubjects.com/a/oip-thinkers) — siblings on this shelf
- [Voxel graph article](https://miscsubjects.com/a/what-is-voxel-graph) — how pages link as voxels
- [Self-describing protocol](https://miscsubjects.com/a/what-is-self-describing-protocol)

## Related on this shelf

- [Alan Kay — The Big Idea Is Messaging](https://miscsubjects.com/a/thinker-alan-kay)
- [Alfred North Whitehead — Process and Reality](https://miscsubjects.com/a/thinker-alfred-north-whitehead)
- [J.L. Austin and John Searle — Speech Acts](https://miscsubjects.com/a/thinker-austin-searle)
- [Barbara Liskov — Abstract Data Types and Distributed Consensus](https://miscsubjects.com/a/thinker-barbara-liskov)
- [Bram Cohen — BitTorrent and Content-Addressed Protocol Design](https://miscsubjects.com/a/thinker-bram-cohen)
- [Carl Hewitt — The Actor Model](https://miscsubjects.com/a/thinker-carl-hewitt)
- [Charles Sanders Peirce — Signs, Abduction, and Pragmatism](https://miscsubjects.com/a/thinker-charles-peirce)
- [Doug Engelbart — Augmenting Human Intellect](https://miscsubjects.com/a/thinker-doug-engelbart)

## Machine surfaces

- Public page: `https://miscsubjects.com/a/thinker-butler-lampson`
- JSON article: `https://miscsubjects.com/api/articles/thinker-butler-lampson`
- OIP ask: `https://miscsubjects.com/api/dispatch?ask=Butler%20Lampson%20%E2%80%94%20Protection%20and%20Access%20Control`


## Claims (0)


## Voxel graph (0 atoms · 0 edges)
- full graph: https://miscsubjects.com/api/articles/thinker-butler-lampson/voxels

## Article constitution

- full: https://miscsubjects.com/api/articles/constitution

## Source ledger (0)
- chain valid: yes · head: `genesis`

## Provenance (1 model passes)
- chain valid: yes · head: `74f09107b4155535`

- write · kimi-agent-import · 2026-07-15T04:20 · hash `74f09107b415`

## Question graph
- questions: 0 · evidence ingests: 0

## LLM manifest — how to communicate with this ledger

- system map: https://miscsubjects.com/api/articles/system-map?format=markdown
- topology (ranked): https://miscsubjects.com/api/articles/thinker-butler-lampson/topology
- ingest: POST https://miscsubjects.com/api/protocol/ingest
- claim: POST https://miscsubjects.com/api/protocol/claim

### Quick actions for this article
- **Read live:** https://miscsubjects.com/api/articles/thinker-butler-lampson/topology
- **Ask (API):** POST https://miscsubjects.com/api/protocol/ask `{"slug":"thinker-butler-lampson","question":"..."}`
- **Ingest your findings:** POST https://miscsubjects.com/api/protocol/ingest or text `ingest thinker-butler-lampson|your evidence`
- **Post one claim:** POST https://miscsubjects.com/api/protocol/claim or text `claim thinker-butler-lampson|tier|assertion`
- **iMessage ask:** `thinker-butler-lampson|your question`
- **System map:** https://miscsubjects.com/api/articles/system-map?format=markdown


---

## §SELF — miscsubjects portable reference

**Principle:** Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.

**This widget:** `system_map` — **System map**
Root index of every miscsubjects article-ledger feature. Start here if you have zero context.
- **article slug:** `thinker-butler-lampson`
- **contains:** body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest
- **how to use:** Root index of every miscsubjects article-ledger feature. Start here if you have zero context.
- **read:** https://miscsubjects.com/api/articles/system-map

### Logical proof (verify each step)
1. Articles are voxel graphs of tiered claims, not prose blobs. → https://miscsubjects.com/api/articles/constitution
2. Claims link to hash-chained sources via source_ids. → https://miscsubjects.com/api/articles/thinker-butler-lampson/sources
3. Ask reads topology; ingest/claim append to ledger. → https://miscsubjects.com/api/protocol
4. Models queue growth: populate → collaborate → repair → reflex. → https://miscsubjects.com/api/protocol/grow
5. Graph proves its own shape (reflex) and $/claim (yield). → https://miscsubjects.com/graph.html?layer=reflex
6. Full feature index + _explain on every API response. → https://miscsubjects.com/api/articles/system-map

### Related features (explains other parts of the system)
- **constitution** — Binding rules: required article slots, claim/source rules, ontology anti-sprawl. · https://miscsubjects.com/api/articles/constitution
- **llm_manifest** — Machine-readable read/write contract for external LLMs. · https://miscsubjects.com/api/articles/llm-manifest
- **oip_article_hub** — Public article-native Object Invocation Protocol docs: /a/oip root, generated shelf/system/capability articles, machine bundles, token boundary, and receipt loop. · https://miscsubjects.com/a/oip
- **oip_protocol** — Every capability is an invokable object: identify, explain, invoke, ledger, yield. · https://miscsubjects.com/a/oip
- **bundle** — Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution. · https://miscsubjects.com/api/articles/thinker-butler-lampson/bundle?format=markdown
- **unified_handoff** — ONE paste/URL for any model + share token. Same self-explaining pattern as article bundle, but whole build. · https://miscsubjects.com/api/handoff?format=markdown

### Full index
- JSON: https://miscsubjects.com/api/articles/system-map
- Markdown: https://miscsubjects.com/api/articles/system-map?format=markdown

*Not medical advice. Tier-honest. Cite claim/source ids.*