Capsicum: practical capabilities for UNIX (fwd)

Robert Watson robert.watson at cl.cam.ac.uk
Sat Aug 14 19:19:49 UTC 2010


On Fri, 13 Aug 2010, Hugo Silva wrote:

>> For those following security and access control in FreeBSD, this may be of 
>> interest.  We'll have updated patches for Capsicum available for FreeBSD 
>> 8.1 in the next week or so.  Feedback on the approach would be most 
>> welcome!
>
> Very nice. I am looking forward to playing with this ;-)

Thanks!

Right now our prototype is against a month or so old 9-CURRENT, with a 
somewhat more recent 8.x snapshot.  Several of us are on travel now but with 
any luck we can do a set of patches against a vanilla 8.1 later in the month. 
The merge plan for 9.x isn't determined yet, we have a number of issues that 
need to be worked through, including a few missing features and more extensive 
test suites.

For those that are interested in lending a hand as early adopters, we have a 
Capsicum mailing list which can be subscribed to via our web page:

   http://www.cl.cam.ac.uk/research/security/capsicum/

This work is increasingly ready to get attention from folks other than us!

Robert

>
>> 
>> ---------- Forwarded message ----------
>> Date: Thu, 12 Aug 2010 03:00:03 -0000
>> From: Light Blue Touchpaper <notify+lbt-admin at cl.cam.ac.uk>
>> Reply-To: cl-security-research at lists.cam.ac.uk
>> To: cl-security-research at lists.cam.ac.uk
>> Subject: Capsicum: practical capabilities for UNIX
>> 
>> URL: 
>> http://www.lightbluetouchpaper.org/2010/08/12/capsicum-practical-capabilities-for-unix/ 
>> by Robert N. M. Watson
>> 
>> Today, Jonathan Anderson, Ben Laurie, Kris Kennaway, and I presented
>> [Capsicum: practical capabilities for UNIX][1] at the [19th USENIX Security
>> Symposium][2] in Washington, DC; the [slides][3] can be found on the
>> [Capsicum web site][4]. We argue that capability design principles fill a gap
>> left by discretionary access control (DAC) and mandatory access control (MAC)
>> in operating systems when supporting security-critical and security-aware
>> applications.
>> 
>> Capsicum responds to the trend of application compartmentalisation (sometimes
>> called privilege separation) by providing strong and well-defined isolation
>> primitives, and by facilitating rights delegation driven by the application
>> (and eventually, user). These facilities prove invaluable, not just for
>> traditional security-critical programs such as tcpdump and OpenSSH, but also
>> complex security-aware applications that map distributed security policies
>> into local primitives, such as Google's Chromium web browser, which implement
>> the same-origin policy when sandboxing JavaScript execution.
>> 
>> Capsicum extends POSIX with a new _capability mode_ for processes, and
>> _capability_ file descriptor type, as well as supporting primitives such as
>> _process descriptors_. Capability mode denies access to global operating
>> system namespaces, such as the file system and IPC namespaces: only delegated
>> rights (typically via file descriptors or more refined capabilities) are
>> available to sandboxes. We prototyped Capsicum on FreeBSD 9.x, and have
>> extended a variety of applications, including Google's Chromium web browser,
>> to use Capsicum for sandboxing. Our paper discusses design trade-offs, both in
>> Capsicum and in applications, as well as a performance analysis. Capsicum is
>> available under a BSD license.
>> 
>> Capsicum is collaborative research between the University of Cambridge and
>> Google, and has been sponsored by Google, and will be a foundation for future
>> work on application security, sandboxing, and usability security at Cambridge
>> and Google. Capsicum has also been backported to FreeBSD 8.x, and Heradon
>> Douglas at Google has an in-progress port to Linux.
>> 
>> We're also pleased to report the Capsicum paper won Best Student Paper award
>> at the conference!
>>
>>    [1]: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
>>    [2]: http://www.usenix.org/events/sec10/
>>    [3]: http://www.cl.cam.ac.uk/research/security/capsicum/slides/20100811-usenix-capsicum.pdf
>>    [4]: http://www.cl.cam.ac.uk/research/security/capsicum/
>> 
>

