Capsicum: practical capabilities for UNIX (fwd)
Robert Watson
robert.watson at cl.cam.ac.uk
Sat Aug 14 19:19:49 UTC 2010
On Fri, 13 Aug 2010, Hugo Silva wrote:
>> For those following security and access control in FreeBSD, this may be of
>> interest. We'll have updated patches for Capsicum available for FreeBSD
>> 8.1 in the next week or so. Feedback on the approach would be most
>> welcome!
>
> Very nice. I am looking forward to play with this ;-)
Thanks!
Right now our prototype is against a month or so old 9-CURRENT, with a
somewhat more recent 8.x snapshot. Several of us are on travel now but with
any luck we can do a set of patches against a vanilla 8.1 later in the month.
The merge plan for 9.x isn't determined yet; we have a number of issues that
need to be worked through, including a few missing features and more extensive
test suites.
For those that are interested in lending a hand as early adopters, we have a
Capsicum mailing list which can be subscribed to via our web page:
http://www.cl.cam.ac.uk/research/security/capsicum/
This work is increasingly ready to get attention from folks other than us!
Robert
>
>>
>> ---------- Forwarded message ----------
>> Date: Thu, 12 Aug 2010 03:00:03 -0000
>> From: Light Blue Touchpaper <notify+lbt-admin at cl.cam.ac.uk>
>> Reply-To: cl-security-research at lists.cam.ac.uk
>> To: cl-security-research at lists.cam.ac.uk
>> Subject: Capsicum: practical capabilities for UNIX
>>
>> URL:
>> http://www.lightbluetouchpaper.org/2010/08/12/capsicum-practical-capabilities-for-unix/
>> by Robert N. M. Watson
>>
>> Today, Jonathan Anderson, Ben Laurie, Kris Kennaway, and I presented
>> [Capsicum: practical capabilities for UNIX][1] at the [19th USENIX Security
>> Symposium][2] in Washington, DC; the [slides][3] can be found on the
>> [Capsicum web site][4]. We argue that capability design principles fill a
>> gap left by discretionary access control (DAC) and mandatory access control
>> (MAC) in operating systems when supporting security-critical and
>> security-aware applications.
>>
>> Capsicum responds to the trend of application compartmentalisation
>> (sometimes called privilege separation) by providing strong and well-defined
>> isolation primitives, and by facilitating rights delegation driven by the
>> application (and eventually, user). These facilities prove invaluable, not
>> just for traditional security-critical programs such as tcpdump and OpenSSH,
>> but also complex security-aware applications that map distributed security
>> policies into local primitives, such as Google's Chromium web browser, which
>> implements the same-origin policy when sandboxing JavaScript execution.
>>
>> Capsicum extends POSIX with a new _capability mode_ for processes, and a
>> _capability_ file descriptor type, as well as supporting primitives such as
>> _process descriptors_. Capability mode denies access to global operating
>> system namespaces, such as the file system and IPC namespaces: only
>> delegated rights (typically via file descriptors or more refined
>> capabilities) are available to sandboxes. We prototyped Capsicum on FreeBSD
>> 9.x, and have extended a variety of applications, including Google's
>> Chromium web browser, to use Capsicum for sandboxing. Our paper discusses
>> design trade-offs, both in Capsicum and in applications, as well as a
>> performance analysis. Capsicum is available under a BSD license.
>>
>> Capsicum is collaborative research between the University of Cambridge and
>> Google, and has been sponsored by Google, and will be a foundation for
>> future work on application security, sandboxing, and usability security at
>> Cambridge and Google. Capsicum has also been backported to FreeBSD 8.x, and
>> Heradon Douglas at Google has an in-progress port to Linux.
>>
>> We're also pleased to report the Capsicum paper won the Best Student Paper
>> award at the conference!
>>
>> [1]: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
>>
>> [2]: http://www.usenix.org/events/sec10/
>>
>> [3]: http://www.cl.cam.ac.uk/research/security/capsicum/slides/20100811-usenix-capsicum.pdf
>>
>> [4]: http://www.cl.cam.ac.uk/research/security/capsicum/
>
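The sandbox pattern the forwarded announcement describes, written out as an added example in C (not code from the Capsicum project or from the post): it uses the FreeBSD 10+ API names cap_rights_limit() and cap_enter(), which replaced the cap_new() call of the 2010 prototype, and it assumes a FreeBSD kernel with Capsicum (on other systems the Capsicum calls are compiled out and the function reports that it is unavailable).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter(), cap_rights_limit(), ECAPMODE */
#endif

enum { DEMO_OK = 0, DEMO_FAIL = 1, CAPSICUM_UNAVAILABLE = 2 };

/* Open PATH before sandboxing, shrink the descriptor to read+fstat, enter
 * capability mode, then check the three properties the announcement
 * describes: the global file-system namespace is closed (open() fails with
 * ECAPMODE), the delegated right still works (read() succeeds), and a right
 * that was never delegated is refused (lseek() fails with ENOTCAPABLE).
 * Note: cap_enter() is irreversible for the calling process. */
int run_sandbox_demo(const char *path)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    char buf[64];
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return DEMO_FAIL;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);   /* no CAP_SEEK on purpose */
    if (cap_rights_limit(fd, &rights) < 0 || cap_enter() < 0)
        return DEMO_FAIL;   /* e.g. kernel built without options CAPABILITY_MODE */
    if (open(path, O_RDONLY) != -1 || errno != ECAPMODE)
        return DEMO_FAIL;   /* a path lookup must no longer be possible */
    if (read(fd, buf, sizeof buf) < 0)
        return DEMO_FAIL;   /* delegated CAP_READ must keep working */
    if (lseek(fd, 0, SEEK_SET) != -1 || errno != ENOTCAPABLE)
        return DEMO_FAIL;   /* CAP_SEEK was not delegated */
    close(fd);
    return DEMO_OK;
#else
    (void)path;
    return CAPSICUM_UNAVAILABLE;   /* not a FreeBSD/Capsicum kernel */
#endif
}

int main(void)
{
    /* /etc/passwd is just a conveniently readable file for the demonstration */
    int rc = run_sandbox_demo("/etc/passwd");
    printf("capsicum sandbox demo: %s\n",
           rc == DEMO_OK ? "ok" : rc == DEMO_FAIL ? "FAILED" : "unavailable");
    return rc == DEMO_FAIL;
}
```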