QuoteRef: robiL9_1975 ;;2 levels of abstract machines which only access one level away. Level either transparent to feature or hides feature

2 ;;Quote: define modules by assertions about state information and state changes; include exception conditions

QuoteRef: robiL9_1975 ;;2 exception conditions have no effect on module

QuoteRef: robiL9_1975 ;;3 global assertions - true at initial state and any sequence of operations afterwards

QuoteRef: robiL9_1975 ;;3 mapping function expression-- specify v function by v functions of lower machine

4 ;;Quote: users should have restricted access that is independent of other users

5 ;;Quote: a secure kernel still may prevent access due to poor scheduling, or communicate implementation via behavior under load

5 ;;Quote: each operating system level manages a particular type of abstract object

QuoteRef: robiL9_1975 ;;6 rights to object only if created by legitimately given rights

QuoteRef: robiL9_1975 ;;6 can create a capability, same or new id, with same or fewer operations

QuoteRef: robiL9_1975 ;;9 derived value access generated from underived values (no initialization) for access protection in operating system