On reliable and extendible operating systems

Butler Lampson


Citation: Proc. 2nd NATO Conf. on Techniques in Software Engineering, Rome, 1969. Reprinted in The Fourth Generation, Infotech State of the Art Report 1, 1971, pp 421-444.

Links: Abstract, Acrobat (InfoTech version), Word, Web page, Acrobat

Email: blampson@microsoft.com. This paper is at http://www.research.microsoft.com.



Bitter experience in the design of operating systems leads to the conclusion that radical changes must be made, both the way we think about functions of operating systems and in the way they are implemented. This paper describes an effort to create more flexible and more reliable operating systems built around a very powerful and general protection mechanism. The mechanism is introduced at a low level and is then used to construct the rest of the system, which thus derives the same advantages from its existence as do user programs. The entire design is based on two central ideas:

1.      An operating system should be constructed in layers, each one of which creates a different and hopefully more convenient environment in which the next higher layer can function.

2.      At the lower levels the operations provided should be as primitive as possible, because simple operations are more likely to work than complex ones and, if failures are to occur, it is very much preferable that they should hurt only one user rather than an entire community.