PSOS. Now that was something I never expected to see again.

I'd worked on the previous system, KSOS, mentioned in the article. I wrote the file system and all of the drivers, while at an aerospace company. We'd used formal specifications in SPECIAL. Nobody could prove anything about SPECIAL yet, but I wrote a compiler-like syntax and type checker, so it was at least type valid. It was a good language for writing down invariants. I used it to describe file system consistency and recovery. Another group started work on PSOS, but never got past the design stage. I managed to avoid getting sucked into that, because it looked like a death march.

SRI, which was a think tank, just did abstract designs. It was extreme waterfall. One group wrote a spec, and a contractor implemented it. This did not work too well. They did have Boyer and Moore, and those two made real progress on proof systems. I used their prover for another project, and talked to them a lot. But they were not closely associated with PSOS. Specifications in SPECIAL, which is quantifier-oriented were not compatible with Boyer-Moore theory, which uses constructive mathematics and recursive functions.

The big problem in that era was that the hardware wasn't ready for secure operating systems. KSOS was for the 16-bit PDP-11 line, and it took a cram job to make it fit. The Modula I compiler wasn't very space-efficient. Optimizations had to come out to make it fit, and the result was too slow.

Microprocessors weren't quite ready yet. Neither Intel nor Motorola had a decent MMU. The suitable target machines were all minicomputers, which were on the way out. PSOS never got far enough to pick an implementation target.

Capability-based systems work, but they create a new problem - ticket management. You have lots of tickets which let some piece of software do something, and now you have to track and manage them. It's like physical key control. It's the same reason that Windows access control lists are little used. You also still have the delegation problem - A can't do X, but A can talk to B, which can do X. Most modern attacks involve that approach.

Most of the early secure OS work was funded by NSA. NSA had an internal division in those Cold War days - the important stuff was at Fort Meade, and the less-important stuff was some distance away at FANX, an annex out by Friendship (now BWI) Airport. FANX had personnel ("HR" today), training (including the cryptographic school), safe and lock testing and evaluation, networking, and computer security. Being exiled to FANX was bad for careers. This set back the computer security work.

There was also industry pushback. The operating system testing criteria were borrowed from the safe and lock people. Something submitted for testing got two tries. First try, the evaluators told the vendor what was wrong. Second try was pass/fail with no feedback. That's how locks for vaults were evaluated. Computer vendors (there was not much of a separate OS industry yet) hated this. They eventually got a testing system where "certified labs" did the testing, and a vendor could have as many tries as they were willing to pay for.

Some good secure OSs came out of that, and passed testing. But they were obscure, and for obscure hardware - Prime, Honeywell, etc. If you dig, you can find the approved products list from the 1980s.

What really killed all that was the growth of the computer industry. In the 1960s and 1970s, the government was the biggest purchaser of computers and electronics. As the industry grew, the government became a minor purchaser with a slow update cycle, and could not get design-level attention from major vendors. There was much grumbling about this from military people, especially the USAF, as they were sidelined during the 1980s.