Protection is related to system structure and can not not be discussed sensibly out of context. I propose to to use IBM OS360 and EMAS2900 for examples as I am not sufficiently familiar with VMS. Early uni-programming operating systems had user and supervisor co-resident in separate worlds protected by base and limit registers. This simple approach worked well although it was difficult to locate user parameters to operating system calls without adddress computation. IBM elected to put parameters in code after the SVC, an insanitary method that has cost them dear. These techniques were extended to multi tasking and then further distorted to handle virtual memory (with the operating system remaining in real addresses). The price of the IBM technique of passing parameters to the system increased sharply. The code was impure and could not be shared; also code pages were made dirty by writing in the parameters and had to be paged out. Further the supervisor had to cope with page boundaries within and between parameters. Now that systems have become larger and more complex it is deirable to use virtual addressing within the operating system and the simple model fails to cope. The IBM-XA manual has pages of description of instructions designed to overcome the deficiences of dual address spaces. Five special instructions (move to primary, move to secondary, program call, program transfer and load real address) are provided! They are all complex and mean that parameter passing to the operating system is quite different from parameter passing between unprivileged procedures. An alternative stategy is to put the system into the users virtual memeory. This enables parameter passing to be unified with normal procedure calls and enables a hierarchical structure to be imposed. Each layer can see the next more privileged layer only as a set of procedures which can be called normally. Page faults on the parameters are handled transparently (except possible on calls to the innermost layer). The EMAS structure is:- a) (Innermost). The Global Controller. This allocates real resources primarily store & cpus. b) The Local Controller. This supervises one user process handling errors interrupts and page faults. c) The Director. This provides sytem facilities particularly a file system. d) (Outermost). The Subsystem. This module is user specified and provides a command language, compilers and user facilities. Ideally the subsystem itself should have a hierarchical structure. The advantage of the more structured approach is that it easier to write and debug. Communication between the levels is restricted to calling with parameters so the complex interconnections that make a system complicated and bug prone are reduced. Protection requirements depend on the structure. The IBM strucure assumes and evolved out of a simple binary system. Adding rings to this would be easy, but pointless. In the hierarchical structure rings are useful. They prevent any level from seeing or damaging any of the tables or data of more privileged layers. Ideally, one would also like to prevent also the supervisor damaging less privileged layers except via parameters but the ring does not do this. However the ring structure is cheap, and in spite of the reservations described in my earlier note, it has speeded the debugging, testing and integrity of EMAS2900. Particularly valuable is the common procedure call. Without any of the complications or overheads of the IBM VM approach it has proved possible to modify and test large parts of the system concurrently with service. We are about to transport the 2900 system back to IBM hardware and I am sure this will provide new insights. I will report on progress in due course.