abstract ;;Quote: for extensible systems, separate access control into an enforcement manager and policy manager; inspects extensions for protected types and operations; protection domain transfers and audits

37 ;;Quote: extensible systems run core system services and dynamically composed extensions in the same address space using low-latency, type-safe interfaces

43 ;;Quote: assign security IDs to threads, extensions, and other objects; operations require permission; access mode is a 64-bit vector of permissions and permission objects

55 ;;Quote: call-by-reference creates shared memory between caller and callee; if multi-threaded, information can transfer at any time

55+;;Quote: do not use shared memory or call-by-reference for extensible systems; use multiple return results and call-by-value/result

55 ;;Quote: SPIN uses Modula-3 to guarantee that an extension's interface is obeyed; compiler is part of trusted computing base

58 ;;Quote: protection domain transfers take 200 instructions compared to 50 for the event dispatcher; need to limit use, e.g., separate web server from NFS and file cache operations