Pilot: An Operating System for a Personal Computer (1980) [pdf] (washington.edu)
61 points by jakeypakey on Oct 19, 2021 | hide | past | favorite | 21 comments



Pilot is cool because it's basically bare metal Mesa. Written in Mesa, runs only Mesa programs, and leverages features of the Mesa language for OS security (e.g. Mesa's capability system).

Other cool projects like this:

- Cedar was both a PL and an OS: https://www.ics.uci.edu/~andre/ics228s2006/swinehartzellwege...

- The Oberon OS and Oberon PL https://people.inf.ethz.ch/wirth/ProjectOberon1992.pdf

- A Scheme OS called MrEd: https://www2.ccs.neu.edu/racket/pubs/icfp99-ffkf.pdf

You might even throw the JVM and Smalltalk into this category.


Cedar's link is broken.

This is a good one, https://archive.org/details/bitsavers_xeroxparcteCedarProgra...


Thanks!


I'm having a hard time finding documents describing Mesa's capability system, although the term capability system has come up repeatedly in conversation, so I'm intrigued as to what this refers to exactly. Any documents that you can point us to? Thanks.


I'm an author of the Pilot paper (and also a participant in the much earlier capability-oriented CAL TSS for the Control Data 6400: https://www.mcjones.org/CalTSS/). Pilot was a long time ago, but as I recall its capabilities were just Mesa records with some "option" bits plus a unique identifier for the file. So a malicious program could easily fabricate one.
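To make the point above concrete, here is an added illustration (not Pilot or Mesa code, and the names are mine): a capability modelled as a plain record of option bits plus a file id, which any program can build and which a "defensive" check accepts, beside a hypothetical variant where the kernel seals the record with a MAC under a key user programs cannot read, so a fabricated record is rejected.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Pilot-style capability as described in the thread: a plain record with
# option bits plus the file's unique id. Nothing ties it to the kernel, so
# any program can construct one. (Illustrative reconstruction, not Pilot code.)
READ, WRITE, DELETE = 1, 2, 4

@dataclass(frozen=True)
class FileCapability:
    file_uid: int
    options: int          # bit set of READ / WRITE / DELETE

def forge_capability(file_uid: int) -> FileCapability:
    """A program needs no privilege at all to fabricate such a record."""
    return FileCapability(file_uid, READ | WRITE | DELETE)

def defensive_check(cap: FileCapability, file_uid: int, want: int) -> bool:
    """Defensive check: trusts the record's contents as given."""
    return cap.file_uid == file_uid and (cap.options & want) == want

# Hardened variant (hypothetical, not from the paper): the kernel appends a
# MAC computed with a key that user programs cannot read, so a record built
# outside the kernel fails verification.
_KERNEL_KEY = secrets.token_bytes(32)   # held only by the "kernel"

@dataclass(frozen=True)
class SealedCapability:
    file_uid: int
    options: int
    tag: bytes

def _mac(file_uid: int, options: int) -> bytes:
    msg = file_uid.to_bytes(8, "big") + options.to_bytes(1, "big")
    return hmac.new(_KERNEL_KEY, msg, hashlib.sha256).digest()

def kernel_issue(file_uid: int, options: int) -> SealedCapability:
    """Only the kernel, holding _KERNEL_KEY, can mint a valid record."""
    return SealedCapability(file_uid, options, _mac(file_uid, options))

def absolute_check(cap: SealedCapability, file_uid: int, want: int) -> bool:
    """Rejects any record whose tag was not produced with the kernel key."""
    if not hmac.compare_digest(cap.tag, _mac(cap.file_uid, cap.options)):
        return False
    return cap.file_uid == file_uid and (cap.options & want) == want

def forge_sealed(file_uid: int) -> SealedCapability:
    """A fabricated record with a made-up tag; fails absolute_check."""
    return SealedCapability(file_uid, READ | WRITE | DELETE, b"\x00" * 32)
```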



Thanks!


There's a quite nifty and recent demonstration of Cedar on YouTube.

https://www.youtube.com/watch?v=z_dt7NG38V4


IIRC, Oberon used to be available from the Mac App Store.


Note that Grant Avery, a fictional character in my book [1] about the Xerox Star, is a manager of Pilot for six months or so. He was very old-school and didn't last. There was a real person like that, but Grant's not modeled after him.

It's amusing that Grant asks the team "will third-party software be able to run on Pilot?" Dave Redell tells me that no one ever asked that, as far as he can recall.

Nearly all the authors are still around, except for Steve Purcell who was killed in a bike accident quite recently.

Also, my book avoids hindsight, but [1] has a section "So what should Xerox have done?"

[1] https://www.albertcory.io


I read this for a course I’m taking, and found it to be super interesting. Pilot seems to empower the user to take responsibility for the system in a way that is totally foreign to me. I’m in my 20s so it felt like it went against many of the fundamental rules of OS design, and blew me away.


Very elegant and very unimplementable at the time. They seem to avoid the undersized address ranges which time and again plague computing, e.g.:

- IBM mainframe OSs with below/above the line addressing.
- The 1MB 8086 & DOS limit and the hacks that followed (EMS, XMS, etc.) for more than a decade.
- The disk access size limitations in the same era.
- IPv4 address depletion.

The authors in 1980 seem to be aware the issue would be there, but I don't see how the thrashing could have been avoided even if 1980s developers/designers had read the paper when it was published.


"Pilot's protection mechanisms are defensive, rather than absolute [9], since in a single-user system, errors are a more serious problem than maliciousness"

Oh well... We were so wrong back then...


Well that was true for almost 20 years from the writing of TFA. Yes, there were things like boot-sector viruses, but they were not a huge issue.


I'm certainly guilty of being optimistic in terms of threat models back then.


Well it might not have been optimistic in terms of threat models as much as pessimistic in terms of how long the OS would be around...


With barrel CPUs and bounds-checked arrays I had the expectation we could have near perfect process isolation.

That didn’t work out the way I expected either.


This still holds true for many computers today.


Funnily enough, almost all end user computers are multi-user machines now. A user account for the user, but temporary access for all the JS under the sun, all the time.


Is there anything actually still interesting about Pilot? I mean completely aside from historical interest, "it had X before everyone else got it".


Wow, it even includes capabilities. Impressive.



