new operating system concepts, and was implemented in a high-level programming
language rather than assembly code.
What prompted the move to sri? i
gather bell labs stopped supporting
multics shortly before you left; was
that what inspired you to search for a
Actually, my mother had died in
early 1970 (my father nine years before), and I suddenly had some new
mobility. Also, the corporate culture
of Bell Labs was beginning to change,
although the UNICS/UNIX work of
Ken Thompson, Dennis Ritchie, (and)
Brian Kernighan certainly kept some
of the old feeling of fabulous research
and development. About then, Lotfi
Zadeh invited me to teach at Berkeley
for the academic year 1970–1971. At
the time, I had three children aged 3,
5, and 8 (Fibonacci numbers, which
made them easy to remember), whom
I wound up raising more or less by myself for 17 years. In the spring of 1971,
Jack Goldberg was the long-time head
of the computer science lab at what
was then Stanford Research Institute,
whom I had known since David Huff-man invited me to teach at Stanford in
the spring of 1964. Jack invited me to
consult for a week and help set up the
CSL research agenda. That led to an offer to join what later became SRI International. The kids and I really enjoyed
California, so we decided to stay.
Can you tell me a bit about your work
on Ctsrd and the clean-slate project?
if i understand correctly, you have
explored tagged architectures and
hardware specifications that are formally verifiable. What are the latest
The history of this goes back to the
Provably Secure Operating System
that we did at SRI beginning in 1973.
That was a tagged capability clean-
slate hardware-software co-design
effort where every module was speci-
fied in a formal specification language
that Larry Robinson and Karl Levitt
created, with a formal basis evolving
from Bob Boyer’s work, with the ar-
chitecture later really cleaned up with
Rich Feiertag. The current joint proj-
ects between SRI and the University of
Cambridge draw heavily on the experi-
ences from Multics and PSOS.
In the 1970s, formal methods were
impractical unless everything was
formally specified (as it was in PSOS).
Today, we have built the SRI formal
analysis tools into the hardware speci-fication/development tools so that we
can indeed, rather straightforwardly,
prove properties about the hardware,
and then use the Robinson-Levitt theorem from the PSOS project to prove
properties of the low-layer software
that use proofs of properties about
the hardware, giving much greater assurance than you can get otherwise.
you have moderated the aCm group
on risk for years. thanks to that work,
and to your book on computer-related
risks, it has become apparent that
most technology failures follow one of
a small, set number of patterns. do you
have a favorite failure?
Actually, I have many favorites.
What is fascinating is the huge diversity of causes and effects. Causes are
often attributable to a combination
of problems relating to inadequate
requirements, inaccurate specifications, flawed system architectures,
weak hardware, poor software engineering practices, human foibles,
and malicious actions (for example).
Effects span all fields of endeavor. So,
I really do not think there are just a
you are known for advocating a holis-
tic view of computers and taking, for
instance, human error and human
behavior in general into account. are
people growing more receptive to this
Yes and no. People who have been
reading the Risks Forum are repeatedly exposed to that holistic view,
partly by my editorial comments and
partly by the intrinsic nature of the
ongoing discussions of what demonstrably turn out to be holistic problems. On the other hand, the old adage seems to prevail among folks who
have not been so exposed: To a person
with a hammer, everything looks like
a nail. That adage applies equally to
other artifacts and other disciplines.
Examples include people who see everything as a hardware problem, or
a software problem, or an algorithm
problem, or a network problem, or a
security problem, or a human safety
problem. The holistic view is that
those concepts are often interrelated.
One of my very favorite quotes is one
that Butler Lampson attributes to
Roger Needham and Roger attributed
to Butler: If you believe that cryptography is the answer to your problem,
then you do not understand cryptography, and you do not understand your
problem. That, of course, also applies
to many other disciplines.
When you were still a student at harvard, you discussed simplicity with
albert einstein over breakfast, and
you have mentioned that he told you
he thought brahms was “burning the
midnight oil trying to be complicated.”
What do you make of brahms?
I love Brahms’ music, because of
its carefully integrated complexity, but
also its harmonic and aesthetic beauty
and the innovations it introduced at
the time he was composing.
Leah hoffmann is a technology writer based in Piermont,
© 2013 aCm 0001-0782/13/12 $15.00
[CoNtiNued From P. 128]
“the old adage
seems to prevail
among folks who
have not been
to a person with a
looks like a nail.”