671 ;;Quote: many operating systems will crash and require a complete restart; often due to incorrect coordination of concurrent activity; better now
|
677 ;;Quote: avoid timing-dependent behavior if all processes are data-driven by messages received from one sender and processed in order
|
677 ;;Quote: if resources are consumable, then deadlock avoidance is intractable; algorithms exist for reusable resources
|
677 ;;Quote: can avoid deadlocks by eliminating circular waits with ordered resources
|
677 ;;Quote: can avoid deadlocks with a hierarchical process organization; subordinates must reply and can't fill up queues
|
678 ;;Quote: can avoid deadlocks with a data-driven network; every message includes work to be done, a process must reduce the work remaining
|
679 ;;Quote: a monitor manages a resource with mutual exclusion; users simply execute allocate and release procedures
|
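Added worked example (not from the source being quoted): the ordered-resource rule from p. 677 enforced inside a monitor of the kind described on p. 679. Resource names, the rank order, the class and function names, and the request trace are all assumptions made for this illustration. Each resource gets a fixed rank; a process may only request a resource ranked strictly above everything it already holds, so a circular wait can never form. The monitor's condition variable supplies the mutual exclusion, and callers only ever call allocate and release.

```python
import threading
from typing import Dict, List, Optional, Sequence, Tuple


class OrderViolation(Exception):
    """A process asked for a resource ranked at or below one it already holds."""


class OrderedResourceMonitor:
    """Monitor (assumed name) that allocates reusable resources under mutual exclusion.

    Every resource has a fixed rank.  A process may request a resource only if its
    rank is strictly greater than that of every resource the process currently holds,
    so no out-of-order request, hence no circular wait, hence no deadlock, is possible.
    """

    def __init__(self, resource_order: Sequence[str]) -> None:
        self._rank = {name: i for i, name in enumerate(resource_order)}
        self._cond = threading.Condition()          # the monitor's mutual-exclusion lock
        self._owner: Dict[str, Optional[str]] = {name: None for name in resource_order}
        self._held: Dict[str, List[str]] = {}       # process -> held resources, ascending rank

    def allocate(self, process: str, resource: str, block: bool = True) -> bool:
        with self._cond:
            held = self._held.setdefault(process, [])
            if held and self._rank[resource] <= self._rank[held[-1]]:
                raise OrderViolation(f"{process} holds {held[-1]} and may not request {resource}")
            if not block and self._owner[resource] is not None:
                return False                        # caller chose not to wait
            while self._owner[resource] is not None:
                self._cond.wait()                   # wait inside the monitor until released
            self._owner[resource] = process
            held.append(resource)
            return True

    def release(self, process: str, resource: str) -> None:
        with self._cond:
            if self._owner.get(resource) != process:
                raise ValueError(f"{process} does not hold {resource}")
            self._owner[resource] = None
            self._held[process].remove(resource)
            self._cond.notify_all()


def replay(order: Sequence[str], requests: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Replay (process, 'get'|'put', resource) requests in one thread; report each outcome."""
    mon = OrderedResourceMonitor(order)
    outcomes: List[str] = []
    for process, op, resource in requests:
        if op == "get":
            try:
                outcomes.append("granted" if mon.allocate(process, resource, block=False) else "busy")
            except OrderViolation:
                outcomes.append("order violation")
        else:
            mon.release(process, resource)
            outcomes.append("released")
    return outcomes


# Constructed trace: the classic two-process hold-and-wait that would deadlock without ordering.
CIRCULAR_WAIT_ATTEMPT = [
    ("P1", "get", "disk"),
    ("P2", "get", "printer"),
    ("P1", "get", "printer"),   # busy: P1 would have to wait for P2
    ("P2", "get", "disk"),      # would close the cycle; the order rule rejects it instead
]


def run_workers(n_workers: int = 4, rounds: int = 50) -> bool:
    """Real threads all taking disk before printer; returns True if every worker finishes."""
    mon = OrderedResourceMonitor(["disk", "printer"])
    finished: List[str] = []

    def worker(name: str) -> None:
        for _ in range(rounds):
            mon.allocate(name, "disk")
            mon.allocate(name, "printer")
            mon.release(name, "printer")
            mon.release(name, "disk")
        finished.append(name)

    threads = [threading.Thread(target=worker, args=(f"P{i}",), daemon=True) for i in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join(timeout=30)
    return len(finished) == n_workers


if __name__ == "__main__":
    print(replay(["disk", "printer"], CIRCULAR_WAIT_ATTEMPT))
    print("all workers finished:", run_workers())
```

The single-threaded replay shows the rule doing its work: P2's request for the disk is refused outright rather than being queued behind P1, which is exactly the edge that would otherwise complete the wait cycle. The multi-threaded run shows that processes which respect the order always terminate.
|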
679 ;;Quote: a data-driven program is like a data-flow network with processing elements and data queues
|
680 ;;Quote: data-driven programs simplify correctness proofs, use data streams instead of elements, queuing-network analysis, and microcomputer networks
|
690 ;;Quote: Multics treats files as segments in virtual memory; avoids file copies and overlay management, needs 'attach' mechanism
|
690 ;;Quote: Multics automatically attaches files to a computation on first reference; need explicit 'attach' to emphasize its high cost
|
693 ;;Quote: the access matrix model concerns a set of uniquely named objects and an access domain for each process
|
694 ;;Quote: an entry in the access control matrix gives a list of permissions for processes in domain d to an object x; a bit vector access code
|
694 ;;Quote: permissions for changing the access control matrix are included in the matrix; e.g., add process to a domain and change permissions
|
695 ;;Quote: a process may pass a subset of its permissions to other domains if it has 'copy' permission
|
695 ;;Quote: a capability is the unique name of an object plus an associated access code; each domain has a list of capabilities
|
695 ;;Quote: principle of least privilege--capabilities allow a procedure to only have the privileges it needs; highly fault-tolerant
|
695 ;;Quote: can associate an access list with each object that gives access codes for each domain; widely used for file systems
|
695 ;;Quote: capabilities are more efficient for exercising permissions but access lists are better for managing permissions; should have a mix of methods
|
696 ;;Quote: capabilities are good for managing access-control information; only a few procedures have these capabilities
|
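Added worked example (not from the source being quoted): the access-matrix model of pp. 693-696 as a small Python class. The bit assignments (read, write, execute, copy, control), the domain and object names, and the helper names are assumptions for this illustration; the source only says the access code is a bit vector. Domains are treated as objects in their own right, so the permission to change a domain's row (here called CONTROL) lives in the matrix as p. 694 describes. The copy bit governs delegation (p. 695), and the same matrix is read out either by row, as a capability list, or by column, as an access list.

```python
from typing import Dict, List, Tuple

# Access-code bits (assumed encoding; the page only says the code is a bit vector).
READ, WRITE, EXECUTE, COPY, CONTROL = 1, 2, 4, 8, 16
BIT_NAMES = {READ: "read", WRITE: "write", EXECUTE: "execute", COPY: "copy", CONTROL: "control"}


def describe(code: int) -> str:
    """Render an access code as its permission names."""
    return ",".join(name for bit, name in BIT_NAMES.items() if code & bit) or "-"


class AccessMatrix:
    """Access matrix A[d, x]: the access code of domain d for object x.

    Domains are themselves objects, so the right to change a domain's row (CONTROL)
    is an ordinary matrix entry, checked like any other permission.
    """

    def __init__(self, admin: str) -> None:
        self._m: Dict[Tuple[str, str], int] = {}
        self._domains = {admin}
        self._m[(admin, admin)] = CONTROL          # bootstrap: admin controls its own row

    def code(self, domain: str, obj: str) -> int:
        return self._m.get((domain, obj), 0)

    def check(self, domain: str, obj: str, code: int) -> bool:
        """Does domain hold every bit of code for obj?"""
        return self.code(domain, obj) & code == code

    def add_domain(self, actor: str, domain: str) -> None:
        """Create a new (empty) domain; its creator gets CONTROL over the new row."""
        if domain in self._domains:
            raise ValueError(f"domain {domain} already exists")
        self._domains.add(domain)
        self._m[(actor, domain)] = CONTROL

    def grant(self, actor: str, domain: str, obj: str, code: int) -> None:
        """Change the matrix: only a domain with CONTROL over `domain` may add to its row."""
        if not self.check(actor, domain, CONTROL):
            raise PermissionError(f"{actor} may not change the row of {domain}")
        self._m[(domain, obj)] = self.code(domain, obj) | code

    def revoke(self, actor: str, domain: str, obj: str, code: int) -> None:
        if not self.check(actor, domain, CONTROL):
            raise PermissionError(f"{actor} may not change the row of {domain}")
        self._m[(domain, obj)] = self.code(domain, obj) & ~code

    def transfer(self, src: str, dst: str, obj: str, code: int) -> None:
        """src passes a subset of its own permissions on obj to dst; needs the COPY bit."""
        have = self.code(src, obj)
        if not have & COPY:
            raise PermissionError(f"{src} lacks copy permission on {obj}")
        if code & ~have:
            raise PermissionError(f"{src} cannot pass {describe(code & ~have)}, which it does not hold")
        self._m[(dst, obj)] = self.code(dst, obj) | code

    def capability_list(self, domain: str) -> Dict[str, int]:
        """Row view: (object, access code) pairs held by one domain."""
        return {obj: c for (d, obj), c in self._m.items() if d == domain and c}

    def access_list(self, obj: str) -> Dict[str, int]:
        """Column view: access code of every domain for one object."""
        return {d: c for (d, o), c in self._m.items() if o == obj and c}


def demo() -> Dict[str, object]:
    """Constructed scenario: an admin, an editor with copy rights, and a viewer."""
    m = AccessMatrix("admin")
    m.add_domain("admin", "editor")
    m.add_domain("admin", "viewer")
    m.grant("admin", "editor", "report.txt", READ | WRITE | COPY)
    m.transfer("editor", "viewer", "report.txt", READ)   # subset of editor's rights: allowed
    denied: List[str] = []
    attempts = [
        ("viewer re-shares without copy", lambda: m.transfer("viewer", "editor", "report.txt", READ)),
        ("editor passes execute it lacks", lambda: m.transfer("editor", "viewer", "report.txt", EXECUTE)),
        ("editor edits viewer's row", lambda: m.grant("editor", "viewer", "report.txt", WRITE)),
    ]
    for label, action in attempts:
        try:
            action()
        except PermissionError:
            denied.append(label)
    return {
        "viewer_can_read": m.check("viewer", "report.txt", READ),
        "viewer_can_write": m.check("viewer", "report.txt", WRITE),
        "denied": denied,
        "editor_caps": m.capability_list("editor"),
        "report_acl": m.access_list("report.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Exercising a permission (check) is one dictionary lookup on the row, which is the efficiency argument for capabilities; answering "who can touch report.txt" needs the column scan that access lists make cheap, which is the management argument for access lists on p. 695. Keeping one matrix and deriving both views is how the two representations stay consistent.
|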
698 ;;Quote: can circumvent a security system by out-of-channel signaling, e.g., by toggling use of a file
|
699 ;;Quote: a flow relation is a partial order on security classes; e.g., military security from highest to lowest
|
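Added worked example (not from the source being quoted): the flow relation of p. 699 as a partial order over security classes. The class names, the category labels, and the function names are assumptions for this illustration. A class is a (level, category set) pair, flow from A to B is permitted when A's level is at most B's and A's categories are a subset of B's, and the least upper bound (join) gives the class of anything computed from several sources. A brute-force check confirms that the relation is reflexive, antisymmetric, and transitive on a finite set of classes.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Iterable, Dict

# Assumed linear ordering of levels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class SecurityClass:
    level: str
    categories: FrozenSet[str] = frozenset()

    def __le__(self, other: "SecurityClass") -> bool:
        """Flow relation: information may flow from self to other."""
        return (LEVELS[self.level] <= LEVELS[other.level]
                and self.categories <= other.categories)


def can_flow(src: SecurityClass, dst: SecurityClass) -> bool:
    return src <= dst


def join(a: SecurityClass, b: SecurityClass) -> SecurityClass:
    """Least upper bound: the smallest class both a and b may flow to."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return SecurityClass(level, a.categories | b.categories)


def assignment_allowed(target: SecurityClass, sources: Iterable[SecurityClass]) -> bool:
    """target := f(sources) is legal iff every source flows to target, i.e. join(sources) <= target."""
    combined = None
    for s in sources:
        combined = s if combined is None else join(combined, s)
    return combined is None or combined <= target


def is_partial_order(classes: Iterable[SecurityClass]) -> bool:
    """Brute-force check of reflexivity, antisymmetry and transitivity on a finite set."""
    cs = list(classes)
    reflexive = all(a <= a for a in cs)
    antisymmetric = all(not (a <= b and b <= a) or a == b for a, b in product(cs, cs))
    transitive = all(not (a <= b and b <= c) or a <= c for a, b, c in product(cs, cs, cs))
    return reflexive and antisymmetric and transitive


def all_classes(categories: Iterable[str]) -> list:
    """Every level combined with every subset of the given categories."""
    cats = list(categories)
    subsets = [frozenset(c for c, keep in zip(cats, bits) if keep)
               for bits in product([False, True], repeat=len(cats))]
    return [SecurityClass(level, s) for level in LEVELS for s in subsets]


def demo() -> Dict[str, bool]:
    """Constructed classes; the category labels are illustrative only."""
    s_nuc = SecurityClass("secret", frozenset({"nuclear"}))
    ts = SecurityClass("top secret")
    ts_nuc = SecurityClass("top secret", frozenset({"nuclear"}))
    ts_all = SecurityClass("top secret", frozenset({"nuclear", "crypto"}))
    c_crypto = SecurityClass("confidential", frozenset({"crypto"}))
    return {
        "secret/nuclear -> top secret/nuclear": can_flow(s_nuc, ts_nuc),      # higher on both axes
        "secret/nuclear -> top secret": can_flow(s_nuc, ts),                  # higher level, missing category
        "top secret -> secret/nuclear": can_flow(ts, s_nuc),                  # lower level
        "join is secret/{nuclear,crypto}": join(s_nuc, c_crypto)
            == SecurityClass("secret", frozenset({"nuclear", "crypto"})),
        "assign from both into top secret/nuclear": assignment_allowed(ts_nuc, [s_nuc, c_crypto]),
        "assign from both into top secret/all": assignment_allowed(ts_all, [s_nuc, c_crypto]),
        "relation is a partial order": is_partial_order(all_classes(["nuclear", "crypto"])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second and third lines of the demo are the point of calling it a partial rather than a total order: "top secret" with no categories and "secret/nuclear" are incomparable, so information may flow in neither direction between them, even though one has the higher level.
|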
700 ;;Quote: can use statistical methods to violate security of access-control systems
|
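Added worked example (not from the source being quoted) for the statistical point on p. 700: a query interface that releases only aggregate sums, and only over sets of at least k records, still leaks an individual value to two legitimate queries whose difference isolates one record. The employee records, the threshold k, and the attribute combination that singles out one person are all constructed for this illustration; the attacker is assumed to know from outside the database that exactly one person in the department holds that title.

```python
from typing import Callable, List, Optional, Tuple

Record = Tuple[str, str, str, int]   # (name, department, title, salary in thousands)

# Constructed sample database; not real data.
RECORDS: List[Record] = [
    ("Ana", "research", "engineer", 90),
    ("Ben", "research", "engineer", 85),
    ("Cai", "research", "analyst", 70),
    ("Dana", "research", "director", 150),
    ("Eli", "research", "analyst", 72),
    ("Fay", "sales", "manager", 95),
    ("Gus", "sales", "rep", 60),
    ("Hal", "sales", "rep", 62),
]

MIN_QUERY_SET = 3   # assumed guard: refuse any query whose result set is smaller than this


class SuppressedError(Exception):
    """The query selected too few records and was refused."""


def sum_salary(where: Callable[[Record], bool]) -> int:
    """Statistical interface: aggregate sums only, and only over MIN_QUERY_SET or more records."""
    rows = [r for r in RECORDS if where(r)]
    if len(rows) < MIN_QUERY_SET:
        raise SuppressedError(f"{len(rows)} records selected; minimum is {MIN_QUERY_SET}")
    return sum(r[3] for r in rows)


def direct_probe(name: str) -> Optional[int]:
    """Asking for one named person is refused by the threshold, as intended."""
    try:
        return sum_salary(lambda r: r[0] == name)
    except SuppressedError:
        return None


def infer_by_differencing(department: str, title: str) -> int:
    """Recover the salary of the single person holding `title` in `department`.

    Both queries individually satisfy the threshold; their difference does not.
    """
    with_target = sum_salary(lambda r: r[1] == department)
    without_target = sum_salary(lambda r: r[1] == department and r[2] != title)
    return with_target - without_target


if __name__ == "__main__":
    print("direct probe for Dana:", direct_probe("Dana"))
    print("inferred salary of the research director:", infer_by_differencing("research", "director"))
```

The guard is doing exactly what it was written to do; the leak comes from the arithmetic relation between two answers, which is why the page treats statistical inference as a separate class of attack from access control.
|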
710 ;;Quote: a queuing network can predict device utilization and throughput to 5% error
|