This is excerpted from "Capability Based Computer Systems" QA 76.9 A73 L48.

3.3 The MIT PDP-1 Timesharing System

The first computer system to include Dennis and Van Horn's capability operations was a timeshared operating system constructed at MIT from Dennis' design. The system ran on a modified 12K-word Digital Equipment Corporation PDP-1 computer, the first minicomputer. The timesharing system supported five "typewriters" and used capabilities only to reference a few relatively high-level system resources, such as terminals, tapes, and drums. However, the operating system allowed users to extend this set of resources by creating new protected subsystems. It is the protected subsystem mechanism that is briefly examined here.

Each process running on the PDP-1 timesharing system has a C-list (also called the program reference list, after the Burroughs B5000), in which capabilities are held. The C-list is actually maintained in locations 0-77 of process address space. These locations are protected against program examination or modification and can only be manipulated by the operating system. Each capability is addressed by its index in the list.

Capabilities are created by special supervisor instructions. Each capability represents a resource object owned by the process. The supervisor supports a small number of resource types: I/O device, inferior process, file, directory, queue, and entry. When the process wishes to perform an operation on a resource object, it invokes the object's capability through an INVOKE instruction. The INVOKE instruction specifies: (1) the C-list index of the capability to be invoked and (2) an operation to perform on the object represented by the capability. The INVOKE is similar to the ENTER instruction in the Dennis and Van Horn design.

Dennis and Van Horn's supervisor allows a process to create protected procedures that execute in private spheres of protection to protect local data from access by their callers.
The PDP-1 system goes a step further. It allows creation of controlled subsystems that maintain different protected data objects on behalf of different processes, just as the operating system maintains files, for example, on behalf of different processes. To do this, the subsystem must be able to verify that a process is permitted access to an invoked object. A subsystem is accessed through entry capabilities in the same way that protected procedures are accessed in the Dennis and Van Horn supervisor. To identify different subsystem resource objects, however, the PDP-1 system allows a subsystem to create different versions of its entry capabilities. The entry capabilities for a given subsystem are equivalent except for a field that can be specified by the subsystem when the entry is created. In this way, the subsystem can maintain protected data structures on behalf of many processes.

When a process calls the subsystem to create a new resource, the subsystem returns an entry capability with a transmitted word uniquely identifying that resource. Subsequently, when the user invokes an operation on that resource through the entry capability, the subsystem interrogates the transmitted word to determine which data structures to access. The transmitted word field is 6 bits in size, allowing a subsystem to support only 64 different objects; however, the PDP-1 supports a small user community.

The system was in operation for student use until the mid-1970s. It was distinguished not only by its capability supervisor but also by its space war game that ran on the PDP-1 video display.

Following the MIT PDP-1 system, a major step in capability systems design took place at the University of Chicago. This work was significant because it used capabilities as a hardware protection mechanism.
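
The C-list, INVOKE, and entry-capability mechanism described in this section can be modeled in a few lines. The following Python sketch is an added illustration, not code from the book or from the PDP-1 system; the class names, the "add"/"read" operations, and the direct create() call (standing in for the call a process makes to the subsystem to create a resource) are assumptions.

```python
# Added toy model; class and operation names are hypothetical, not from the PDP-1 system.
from collections import namedtuple

CLIST_SLOTS = 0o100   # C-list lives in locations 0-77 (octal): 64 slots
WORD_LIMIT = 1 << 6   # transmitted word field is 6 bits: 64 values
Entry = namedtuple("Entry", "subsystem word")  # entry capability + transmitted word

class CapabilityError(Exception): pass

class Process:
    def __init__(self):
        self._clist = [None] * CLIST_SLOTS  # manipulated only by the supervisor

class Supervisor:
    def grant(self, proc, cap):
        """Place a capability in the first free C-list slot; return its index."""
        for index, slot in enumerate(proc._clist):
            if slot is None:
                proc._clist[index] = cap
                return index
        raise CapabilityError("C-list full")

    def invoke(self, proc, index, op, *args):
        """INVOKE: (1) a C-list index and (2) an operation on that object."""
        if not 0 <= index < CLIST_SLOTS or proc._clist[index] is None:
            raise CapabilityError("no capability at that C-list index")
        cap = proc._clist[index]
        return cap.subsystem.enter(cap.word, op, *args)

class CounterSubsystem:
    """Protected subsystem keeping one counter per resource object."""
    def __init__(self, supervisor):
        self._sup, self._objects = supervisor, {}

    def create(self, proc):
        """Allocate a resource; return the C-list index of its new entry capability."""
        word = next((w for w in range(WORD_LIMIT) if w not in self._objects), None)
        if word is None:
            raise CapabilityError("all 64 transmitted words are in use")
        index = self._sup.grant(proc, Entry(self, word))  # may raise before allocation
        self._objects[word] = 0
        return index

    def enter(self, word, op, amount=0):
        """Interrogate the transmitted word to select the data structure."""
        if op not in ("add", "read"):
            raise CapabilityError("unsupported operation")
        self._objects[word] += amount if op == "add" else 0
        return self._objects[word]
```

A process names a resource only by its C-list index, so two processes can both hold index 0 and still reach different objects; the subsystem's 65th create() fails because the 6-bit field has no unused value left.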