In responding to a recent security problem I had to consider the idea of intent in computer software, so I looked to see what Margaret Hamilton has to say. Hamilton proved her ideas spectacularly during the first Apollo moon landing in 1969. A hardware failure generated unexpected errors, but the software coped by running the highest-priority tasks despite the barrage of errors and prevented an abort just seconds before landing on the surface. I eventually found an article in a 1994 copy of Electronic Design magazine which explains her Development Before the Fact philosophy. After discussion with the current magazine editor, I was able to clean up the scanned text and document Hamilton’s prescience.

Margaret Hamilton at the Apollo command module simulator. Image courtesy MIT Museum (GCP-00009683).
Electronic Design Software Engineering Supplement, 4 April 1994. Click to read the reconstructed PDF.

Hamilton’s vision

In the article, Hamilton describes a system design language built around behaviour in time and space. The piece reads to 2026 eyes as though it describes:

  • algebraic data types, what we call generics in Rust, Haskell, OCaml and TypeScript.
  • constraints as first-class citizens of the language, with niche implementations in Liquid Haskell, F* and a few others.
  • named domain patterns with attached rules, which Rust calls typestate and which appear in the literature as session types.
  • runtime instances typed by static structure, which seems to be pretty close to the formal verification methods now used by many organisations, but still few overall.
  • end-to-end object traceability, where any specification, bug or feature can be followed through its implementation and execution

In the decades since we have seen slow progress in implementing parts of this vision here and there, but nothing integrated in the way she advocated. Hamilton’s 1990s software tools are described in a companion article I have yet to clean up.

Different kinds of intent

If we divide intent into two kinds, we can see Hamilton and just about everyone else focusses on only one of them:

Horizontal intent is the question Margaret Hamilton asked: “does what we say in code match what we actually wanted?” This is the realm of requirements engineering, or what is now called AI alignment and specification gaming.

Vertical intent is the question that very few focus on: whether what we say in code is faithfully transmitted by the toolchain down to the running silicon. This is the territory of Ken Thompson’s Reflections on Trusting Trust and of the xz supply chain incident.

Vertical intent checking is missing

Hamilton has nothing to say about vertical intent, although some aspects of reproducible builds, diverse double-compiling and a few niche technologies do address it. The idea of the Trusted Computing Base (TCB) is an important starting point: we establish the correctness of the set of hardware, firmware, compilers, libraries etc. before we can make any promises about how a piece of software will run. But the community that works on these topics seems quite far removed from the everyday tools that need to be made reliable. Most engineers have little idea what is in their own toolchain’s TCB, and do not have integrity checking in place in this vertical sense. Reproducible builds are becoming more common and that helps, but it seems ‘intent’ in this sense is not well-addressed.
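Diverse double-compiling is the one technique named above that directly checks vertical intent, so here is an added illustration of why it works; it is not from the post or from any real DDC tooling. Compilers are modelled as small Python objects, "machine code" as a SHA-256 over the compiling lineage and the effective source, and the source texts are constructed placeholders.

```python
"""Diverse double-compiling (DDC) against a Thompson-style compiler trojan, toy model."""
import hashlib
from dataclasses import dataclass

# Constructed placeholder source texts (not real programs).
COMPILER_A_SRC = "source of compiler A"          # the compiler we want to trust
COMPILER_T_SRC = "source of trusted compiler T"  # an unrelated, independently built lineage
LOGIN_SRC = "source of the login program"

_REGISTRY: dict = {}   # maps a produced "binary" back to a runnable compiler object


@dataclass(frozen=True)
class ToyCompiler:
    source: str            # the source this binary was compiled from (decides its codegen)
    trojaned: bool = False  # carries Thompson's self-propagating backdoor

    def compile(self, src: str) -> bytes:
        effective = src
        if self.trojaned:
            if src == LOGIN_SRC:
                effective += " + backdoor"   # invisible in the login source
            elif src == self.source:
                effective += " + trojan"     # re-insert itself into the next compiler
        out = hashlib.sha256(f"{self.source}|{effective}".encode()).digest()
        if src in (COMPILER_A_SRC, COMPILER_T_SRC):
            # Output is itself a compiler; the trojan survives only a self-compile.
            _REGISTRY[out] = ToyCompiler(src, self.trojaned and src == self.source)
        return out


def run(binary: bytes) -> ToyCompiler:
    return _REGISTRY[binary]


def build_suspect(trojaned: bool) -> bytes:
    """Bootstrap compiler A from a prior generation that may already carry the trojan."""
    return ToyCompiler(COMPILER_A_SRC, trojaned).compile(COMPILER_A_SRC)


def ddc_check(suspect: bytes, trusted: ToyCompiler) -> bool:
    """Wheeler's DDC: stage1 = T(sA); stage2 = stage1(sA); compare with cA(sA).
    An honest cA is a fixed point of its own source, so stage2 must match it;
    a trojaned cA cannot match because its extra code is not in sA."""
    stage1 = run(trusted.compile(COMPILER_A_SRC))
    stage2 = stage1.compile(COMPILER_A_SRC)
    return stage2 == run(suspect).compile(COMPILER_A_SRC)


if __name__ == "__main__":
    trusted = ToyCompiler(COMPILER_T_SRC)
    print("honest A passes DDC:", ddc_check(build_suspect(False), trusted))
    print("trojaned A passes DDC:", ddc_check(build_suspect(True), trusted))
```

Note that the source text COMPILER_A_SRC is identical in both runs; only the second, independent lineage exposes the difference, which is exactly the vertical check the source alone cannot give.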

And so I discovered that even Margaret Hamilton couldn’t help with this particular kind of software integrity.

Margaret Hamilton at the Intrepid Museum, 2019.