Module 3.2 — Operating Systems, Networks, and Distributed Systems

final lecture: stacked law, power, and shared reality

← Home Stage 3 Canon Index

Stacked constitutions → stacked control → stacked failure

Treat firmware, hypervisors, kernels, runtimes, protocols, and consensus algorithms as nested jurisdictions. Each layer defines authority, visibility, identity, and time. Shared reality emerges only where the system can survive partitions, faults, and adversaries.

Named scaffold

Tanenbaum (layered thinking) · Cerf/Kahn (TCP/IP minimal constitution) · Berners-Lee (web commons) · Brewer (CAP constraint) · Lamport (time/order/consensus) · Lampson (capabilities + hints) · Gray (logs/transactions/recovery)

OS process · memory · concurrency · filesystem Net routing · naming · chokepoints DS consensus · CAP · logs

Minimal “start with 10” spine

If you read/build nothing else, anchor on these:

  1. MIT 6.1810 / 6.S081 (OS Engineering)
  2. OSTEP (Operating Systems: Three Easy Pieces)
  3. Lampson — Hints for Computer System Design
  4. Gray — Why Do Computers Stop…
  5. seL4 verification (paper PDF)
  6. End-to-End Arguments (Saltzer/Reed/Clark)
  7. MIT 6.824 (Distributed Systems)
  8. Lamport — Time, Clocks, Ordering (PDF)
  9. Raft paper (PDF)
  10. PBFT (Castro/Liskov) (PDF)

0. The Stack as Constitutions of Power

Treat the whole computing stack as nested constitutions: each layer defines what is permitted, what is visible, what is attributable, and what can be rolled back or rewritten.

Hardware / firmware / microcode
Physical substrate + hidden law. Root keys, measured boot, device configuration, silent persistence.
Hypervisor
Ruler of guest OSes. Snapshot/restore, memory inspection, virtual networking/storage.
OS kernel
Local constitution: scheduling, memory, devices, permissions, syscall boundary.
Containers / runtime
Sub-constitutions: namespaces + cgroups; isolate views and resource budgets.
Processes / threads
Local agents subject to upstream law; concurrency makes “local distributed systems.”
Network protocols
Treaties between machines: addressing, routing, reliability, naming, identity.
Distributed protocols
Regimes of shared reality: time/order, consensus, logs, partition behavior.
Stack axiom: sovereignty is nested, never absolute. “Your” application inherits every upstream jurisdiction: firmware → cloud hypervisor → kernel → runtime → network → consensus.
Resource pack: Layered thinking (the mental model) Tanenbaum → stacks; Lampson → design maxims; Gray → failure reality +

1. Stacked Sovereignty Inside a Machine: Operating Systems

1.1 Root of Trust: Firmware → Hypervisor → OS → Containers → Processes

The practical hierarchy is real power: firmware and hypervisors can silently override “your OS.” In clouds, provider identity sits above your kernel.

Resource pack: Build the kernel mental model Read/modify a small Unix-like OS; tie concepts to code +

1.2 Processes and Threads: Local Agents, Scheduling Law

  • Process: address space + descriptors + identity (uid/gid/caps) + kernel metadata.
  • Thread: execution context inside a process; shares memory/resources; owns registers/stack/PC.
  • Scheduler: the allocator of CPU time; policy = law; cgroups = enforceable budgets.
Local microeconomics: CPU time is scarce; scheduling policy is allocation; priority classes are privilege; starvation is political failure.
Resource pack: Processes, threads, scheduling Concepts (OSTEP) + implementation (xv6 / MIT 6.1810) +

1.3 Memory: Virtual Territory vs Microarchitectural Reality

  • Virtual memory: page tables map virtual→physical + permissions; isolation at the OS boundary.
  • Microarchitecture: caches/TLB/speculation can leak across boundaries; “logical privacy” ≠ “practical secrecy.”
  • Runtime layer: sandbox VMs (JVM/WASM) add additional isolation contracts above the OS.
Resource pack: Isolation and high-assurance kernels What it takes to prove the trusted core +

1.4 Concurrency: Local Distributed Systems

Threads are nodes; shared memory is the “network”; caches + reordering create partial views and delay. Race conditions, deadlock, and memory models are shared-reality failure modes.

Resource pack: Concurrency (the real pain) Locks, deadlocks, atomicity; tie to production failure modes +

1.5 Filesystems: Persistent Property and History

  • Filesystems are a node’s property registry + historical archive: naming, metadata, consistency, recovery.
  • Journals/logs are “append-only reality”; derived state is cache.
  • Distributed filesystems immediately collide with partitions + coherence (CAP surfaces).
Resource pack: Persistence + logs Crash consistency, journaling, recovery; logs as spine +

2. Networks: Inter-Sovereign Treaties, Routes, and Middleboxes

2.1 TCP/IP and the End-to-End Principle

  • Internet layering: Link → IP → TCP/UDP → Application.
  • End-to-end: correctness, reliability, encryption belong at endpoints; the network stays minimal.
  • TCP/IP is architectural federalism: local autonomy inside networks, minimal law at interconnect.
Resource pack: Internet as designed (before adversary) TCP reliability, congestion, sockets; original architectural goals +

2.2 Middleboxes, NAT, and IPv6

  • NAT breaks strict end-to-end, creates chokepoints and policy engines; CGN makes users outbound-only by default.
  • Overlays (VPNs, Tor, meshes) rebuild logical topology above hostile middleboxes.
  • IPv6 restores addressability in theory; operational realities keep NAT alive.
Network sovereignty axiom: “global reachability” is policy, not physics. Without overlays, addressability is delegated permission.

2.3 Routing, BGP, and SDN: Who Controls the Paths

  • BGP between ASes is policy routing: business logic decides paths; hijacks/leaks are route-level power.
  • RPKI hardens origination but introduces new trust anchors (registries/cert chains).
  • SDN centralizes control-plane logic: programmability increases—and so does concentrated leverage.
Resource pack: Routing chokepoints BGP as global steering; RPKI as partial hardening +

2.4 DNS, TLS, Web, CDNs: Application-Layer Sovereignty

  • DNS hierarchy (root/TLD/registrar) is naming authority; seizure/poisoning is identity capture.
  • TLS binds names to keys via CA trust stores; CT logs mitigate (not eliminate) misissuance.
  • Web commons (Berners-Lee) is now mediated by browsers/search/CDNs: an application-layer meta-OS.
Resource pack: Naming + identity roots DNS root authority; TLS trust; web vision +
Resource pack: Internet origin + governance context Cerf/Kahn origin; early network culture; history of enclosure +

Note: the Clark “DARPA Internet Protocols” paper is often mirrored; if you want a stable landing page, pin it in your repo once selected. Common PDF mirror: Clark — Design Philosophy of the DARPA Internet Protocols (PDF mirror).

3. Distributed Systems: Shared Reality Under Failure and Attack

3.1 Failure Models and Adversaries

  • Crash, omission, Byzantine faults; partitions, latency spikes, routing anomalies.
  • Adversarial infra: cloud/ISP/CA/NTP as potential hostile dependencies.
  • Sybil/eclipsing/partitioning: identity and topology are contested resources.
Resource pack: Practical DS foundations Case studies + core papers through MIT 6.824 +

3.2 Time and Causality

  • Clock drift + variable latency → physical time is non-universal.
  • Lamport: happens-before, logical clocks; vector clocks for concurrency detection.
  • External time oracles (NTP/GPS) create centralized trust anchors; protocol-derived time avoids them at cost.
Resource pack: Time as ordering authority Reason about causality without synchronized clocks +

3.3 Consensus: Agreement Under Constraints

  • Safety vs liveness; FLP shows deterministic consensus impossibility in fully asynchronous systems with one crash fault.
  • Practical consensus assumes partial synchrony + timeouts/randomization.
  • Paxos/Raft (crash faults), PBFT (Byzantine faults); each is “shared law for ordered events.”
Resource pack: Consensus core Impossibility → Paxos/Raft → PBFT +

3.4 CAP and the Consistency Spectrum

  • Under partitions, you cannot guarantee both strong consistency and availability in the formal model.
  • CP rejects/delays to preserve single truth; AP serves and reconciles divergent views.
  • Most systems live on a spectrum: linearizable → sequential → causal → eventual.
Resource pack: CAP (formal + spoken) CAP theorem paper + Brewer clarifications +

If the CAP paper mirror above changes, pin the official PDF you choose into your curriculum repo and update the link.

3.5 Transactions, 2PC, and Sagas

  • Distributed ACID semantics require coordination; 2PC is simple but can block under coordinator failure.
  • Sagas: sequence of local commits + compensations; embrace eventual consistency + replayable logs.
  • Gray: transactions/logs as the spine of durable state and recovery.
Resource pack: Transactions + logs Gray’s canonical transaction framing +

3.6 Lampson: Capabilities and Hints

  • Capabilities: authority as possession of unforgeable tokens; natural fit with crypto keys.
  • Hints: performance accelerators that may be wrong; correctness must survive incorrect hints.
  • Keep the trusted core minimal; surround with discardable speculative layers (caches, replicas, indices).
Resource pack: System design maxims Small trusted core + hints everywhere +

4. Cross-Layer Adversarial Surfaces and Governance

Boot / keys / supply chain

Firmware signing, TPM, update keys, CI/CD signing: whoever holds roots governs everything above.

Network control points

BGP, DNS, CA trust, DDoS, DPI: availability + identity + routing become coercion surfaces.

Identity & human governance

Sybil resistance is social + economic + technical. Root keys and policy are part of the protocol.

Resource pack: Compartmentalization + verification Reduce blast radius; prove the kernel core +
Resource pack: Culture / power / enclosure (context films) How the stack got owned: OS + network history +

5. Design Law: Principles for Sovereign, Collapse-Ready Architectures

  1. Model stacked sovereignty explicitly. Firmware, hypervisor, kernel, runtime, protocol, consensus are distinct jurisdictions.
  2. Minimize global consensus surface. Use strong consensus only where a single canonical log is essential.
  3. Design for partitions as the norm. Local-first operation + explicit reconciliation; make CAP choices explicit per subsystem.
  4. Make logs the backbone of reality. Append-only logs authoritative; derived state is cache; guard integrity with hash chains/Merkle trees.
  5. Use capabilities for authority. Possession of cryptographic tokens/keys; least privilege; small auditable check path.
  6. Reclaim end-to-end where possible. Where NAT/middleboxes break it, use overlays and pluggable transports.
  7. Treat time and identity as contested resources. Choose external time vs protocol time; define Sybil resistance in the threat model.
  8. Engineer for diversity and anti-monoculture. Multiple implementations/operators/geographies for critical components.
  9. Model upgrades and configuration as law. Safe rollout/rollback; config as code; version skew as normal.
  10. Include human governance explicitly. Root keys, rotation, revocation, parameter changes, and dispute procedures are part of the system.
Compositional reality: invariants are only as strong as the weakest upstream jurisdiction. Verification and compartmentalization are how you shrink the “trusted core” you must assume.

Canon Index (All Links)

Complete set used above, grouped by layer.

Operating Systems

Networks

Distributed Systems

Films / Documentaries