Pilot is cool because it's basically bare metal Mesa. Written in Mesa, runs only Mesa programs, and leverages features of the Mesa language for OS security (e.g. Mesa's capability system).
I'm having a hard time finding documents describing Mesa's capability system, although the term capability system has come up repeatedly in conversation, so I'm intrigued as to what this refers to exactly. Any documents that you can point us to? Thanks.
I'm an author of the Pilot paper (and also a participant in the much earlier capability-oriented CAL TSS for the Control Data 6400: https://www.mcjones.org/CalTSS/). Pilot was a long time ago, but as I recall its capabilities were just Mesa records with some "option" bits plus a unique identifier for the file. So a malicious program could easily fabricate one.
Note that Grant Avery, a fictional character in my book [1] about the Xerox Star, is a manager of Pilot for six months or so. He was very old-school and didn't last. There was a real person like that, but Grant's not modeled after him.
It's amusing that Grant asks the team "will third-party software be able to run on Pilot?" Dave Redell tells me that no one ever asked that, as far as he can recall.
Nearly all the authors are still around, except for Steve Purcell who was killed in a bike accident quite recently.
Also, my book avoids hindsight, but [1] has a section "So what should Xerox have done?"
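To make the forgeability point above concrete, here is an added sketch (not code from the Pilot paper, from Mesa, or from the commenter). It models a capability exactly as recalled: a plain record holding a file identifier plus option bits, which any program can construct. Beside it is one standard fix, a capability bound to a secret key the system holds (an HMAC tag), so a record minted or edited outside the system fails the integrity check. The file ids, option bits, and sample file contents are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

READ, WRITE = 1, 2  # option bits; constructed for this sketch


@dataclass(frozen=True)
class RecordCapability:
    """A capability that is nothing more than a record: a file id plus option bits."""
    file_id: int
    options: int


class ForgeableFileSystem:
    """Honours whatever the record says; any program can mint a record with the bits it wants."""

    def __init__(self, files):
        self.files = dict(files)

    def read(self, cap):
        if not cap.options & READ:
            raise PermissionError("capability lacks the read right")
        return self.files[cap.file_id]


class SealedFileSystem:
    """Same record, but bound to a key only the system knows; callers cannot compute the tag."""

    def __init__(self, files):
        self.files = dict(files)
        self._key = secrets.token_bytes(32)

    def _tag(self, file_id, options):
        msg = f"{file_id}:{options}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def grant(self, file_id, options):
        # Only the system can issue a capability, because only it holds the key.
        return (file_id, options, self._tag(file_id, options))

    def _authorise(self, cap, needed):
        file_id, options, tag = cap
        # Constant-time comparison: a forged or edited record will not carry a valid tag.
        if not hmac.compare_digest(tag, self._tag(file_id, options)):
            raise PermissionError("capability failed integrity check")
        if not options & needed:
            raise PermissionError("capability lacks the required right")
        return file_id

    def read(self, cap):
        return self.files[self._authorise(cap, READ)]


FILES = {42: b"quarterly budget"}  # constructed sample data


def forged_record_is_honoured():
    """The plain-record design: a never-granted record is accepted as if it were real."""
    fs = ForgeableFileSystem(FILES)
    forged = RecordCapability(file_id=42, options=READ | WRITE)
    return fs.read(forged) == b"quarterly budget"


def sealed_design_rejects_forgery():
    """The sealed design: a granted capability works, a fabricated or edited one does not."""
    fs = SealedFileSystem(FILES)
    legit = fs.grant(42, READ)
    legit_ok = fs.read(legit) == b"quarterly budget"

    # Fabricated from scratch, with a made-up tag.
    forged = (42, READ | WRITE, bytes(32))
    try:
        fs.read(forged)
        forged_rejected = False
    except PermissionError:
        forged_rejected = True

    # A genuine read-only capability with its option bits edited; the tag no longer matches.
    tampered = (legit[0], legit[1] | WRITE, legit[2])
    try:
        fs.read(tampered)
        tampered_rejected = False
    except PermissionError:
        tampered_rejected = True

    # A genuine capability without the needed right is also refused.
    write_only = fs.grant(42, WRITE)
    try:
        fs.read(write_only)
        rights_enforced = False
    except PermissionError:
        rights_enforced = True

    return legit_ok and forged_rejected and tampered_rejected and rights_enforced


if __name__ == "__main__":
    print("plain record honoured:", forged_record_is_honoured())
    print("sealed design holds:", sealed_design_rejects_forgery())
```

The sealed variant only defends against forgery; a holder can still copy and pass the tuple to anyone, and revocation needs extra bookkeeping (for example a per-file generation number folded into the tagged message). Keeping capabilities inside a system-owned table and handing programs only an index is the other common way to get unforgeability, and it makes revocation simpler.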
I read this for a course I’m taking, and found it to be super interesting. Pilot seems to empower the user to take responsibility for the system in a way that is totally foreign to me. I’m in my 20s so it felt like it went against many of the fundamental rules of OS design, and blew me away.
Very elegant and very unimplementable at the time. They seem to avoid the undersized address ranges which time and again plague computing.
e.g.
- IBM mainframe OSs with below/above the line addressing.
- The 1MB 8086 & DOS limit and the hacks that followed (EMS, XMS, etc.) for more than a decade. The disk access size limitations in the same era.
- IPv4 address depletion.
The authors in 1980 seem to be aware that the issue would be there, but I don't see how the thrashing could have been avoided even if 1980s developers/designers had read the paper when it was published.
"Pilot's protection mechanisms are defensive, rather than absolute [9], since in a single-user system, errors are a more serious problem than maliciousness"
Funnily enough, almost all end user computers are multi-user machines now. A user account for the user, but temporary access for all the JS under the sun, all the time.
Other cool projects like this:
- Cedar was both a PL and an OS: https://www.ics.uci.edu/~andre/ics228s2006/swinehartzellwege...
- The Oberon OS and Oberon PL https://people.inf.ethz.ch/wirth/ProjectOberon1992.pdf
- A Scheme OS called MrEd: https://www2.ccs.neu.edu/racket/pubs/icfp99-ffkf.pdf
You might even throw the JVM and Smalltalk into this category.