Extremely Reliable Operating System


EROS (The Extremely Reliable Operating System) is an operating system developed beginning in 1991 by The EROS Group, LLC, the Johns Hopkins University, and the University of Pennsylvania. Features include automatic data and process persistence, some preliminary real-time support, and capability-based security. EROS is purely a research operating system and was never deployed in real-world use. As of 2005, development has stopped in favor of two successor systems, CapROS and Coyotos.

The overriding goal of the EROS system (and its relatives) is to provide strong support at the operating system level for the efficient restructuring of critical applications into small communicating components. Each component can communicate with the others only through protected interfaces, and is isolated from the rest of the system. A "protected interface", in this context, is one that is enforced by the lowest-level part of the operating system (the kernel). The kernel is the only portion of the system that can move information from one process to another. It also has complete control of the machine and (if properly constructed) cannot be bypassed. In EROS, the kernel-provided mechanism by which one component names and invokes the services of another is the capability, exercised through inter-process communication (IPC). By enforcing capability-protected interfaces, the kernel ensures that all communications to a process arrive via an intentionally exported interface. It also ensures that no invocation is possible unless the invoking component holds a valid capability to the invokee. Protection in capability systems is achieved by restricting the propagation of capabilities from one component to another, often through a security policy known as confinement.
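The capability-mediated invocation and confinement described above, modelled as an added Python example (not EROS code): processes name each other only through capability slots, the kernel checks every invocation against the held capability and the target's exported interface, capabilities move only inside a kernel-mediated IPC, and a constructed confinement policy (the `confined_to` set, an assumption for illustration) refuses any transfer that would give a confined component a channel to an unauthorized target. The component names and methods in `demo()` are constructed sample data.

```python
from collections import namedtuple
from dataclasses import dataclass, field
class CapabilityError(Exception):
    """The kernel refused an invocation or a capability transfer."""
Capability = namedtuple("Capability", "target rights")  # a component plus the interface subset it may be invoked on

@dataclass
class Process:
    name: str
    exports: dict                              # intentionally exported interface: method -> callable
    caps: dict = field(default_factory=dict)   # slot -> Capability: the only way this process names others
    confined_to: frozenset = None              # hypothetical confinement policy: targets it may hold caps to

@dataclass
class Kernel:
    procs: dict = field(default_factory=dict)  # name -> Process; the kernel alone moves data or caps between them

    def grant(self, proc, slot, cap):
        # Confinement: a confined process may not come to hold a capability to a target outside its
        # authorized set, so it can never acquire a channel that would carry data outward.
        if proc.confined_to is not None and cap.target not in proc.confined_to:
            raise CapabilityError(f"confinement: {proc.name} may not hold a capability to {cap.target}")
        proc.caps[slot] = cap
    def invoke(self, caller, slot, method, *args, send=None):
        proc, cap = self.procs[caller], self.procs[caller].caps.get(slot)
        if cap is None or method not in cap.rights or method not in self.procs[cap.target].exports:
            raise CapabilityError(f"{caller} holds no capability permitting {method!r} in slot {slot!r}")
        if send is not None:  # send=(src_slot, dst_slot): capabilities move only inside a kernel-mediated IPC
            if send[0] not in proc.caps:
                raise CapabilityError(f"{caller} cannot send a capability it does not hold")
            self.grant(self.procs[cap.target], send[1], proc.caps[send[0]])
        return self.procs[cap.target].exports[method](*args)

def demo():
    # Constructed scenario: a confined viewer may receive the filesys capability but never the network one.
    k = Kernel({"filesys": Process("filesys", {"read": lambda p: f"<data from {p}>"}),
                "network": Process("network", {"send": lambda d: "sent"}),
                "viewer": Process("viewer", {"show": str.upper}, confined_to=frozenset({"filesys"})),
                "shell": Process("shell", {}, {"fs": Capability("filesys", frozenset({"read"})),
                                               "net": Capability("network", frozenset({"send"})),
                                               "view": Capability("viewer", frozenset({"show"}))})})
    out = {"shown": k.invoke("shell", "view", "show", "hello", send=("fs", "fs"))}  # permitted transfer
    for label, call in (("leak", lambda: k.invoke("shell", "view", "show", "x", send=("net", "net"))),
                        ("nocap", lambda: k.invoke("viewer", "net", "send", "secret"))):
        try:
            call()
        except CapabilityError as e:
            out[label] = str(e)
    return out | {"viewer_caps": sorted(k.procs["viewer"].caps)}
```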

