The problem of security in multi-function computer systems arises because the software in such systems is too complex to be proven correct. Multilevel secure operating systems attempt to deal with this problem by dividing the application software into separate "tasks" and controlling the ways in which these tasks interact. While the internal behavior of each task still cannot be guaranteed, the security of the system as a whole can be demonstrated, provided the restrictions on task interaction can be enforced.

To control the interaction of tasks, it must be possible to isolate each task from undesired examination or interference by other tasks. This isolation is usually accomplished by providing each untrusted task with its own "virtual" environment. The trusted system software and the hardware are responsible for ensuring that an untrusted program cannot operate outside its own environment and that the physical resources allocated to establish the virtual environment do not violate the isolation requirements. Communication between these virtual environments is then controlled by the trusted system software.

Ultimately, realizing such an operating system structure produces a body of "trusted system software" that must itself be verified to ensure the security of the system. To realize such a system in practice, careful design of the software and hardware is required to minimize the amount of verified code and to isolate it from corruption by the unverified system software.

The Nebula computer architecture includes a set of mechanisms designed to provide the isolation necessary to establish a secure system. Of more practical importance is the fact that these mechanisms allow valid operations to be identified with minimal overhead and to proceed with minimal interference. These mechanisms are described below under the general headings of virtual addressing, protection states, secure user I/O, and task execution control.