Capsicum -- 9.x merge in sight

Robert Watson rwatson at FreeBSD.org
Sat Jan 22 15:25:54 UTC 2011


Dear all:

As many of you will now have heard, the Computer Laboratory at the University 
of Cambridge and Google have been collaborating for the last few years on a 
security research project called Capsicum.  It consists of a set of extensions 
to the POSIX API adding a new "capability mode", "capabilities", "process 
descriptors", and several other additions required to implement a 
capability-oriented sandbox model in UNIX.  These features are targeted at 
application compartmentalisation, in which applications are separated into 
mutually untrusting components in order to improve robustness.  Such 
applications often span multiple security domains (such as web browsers), 
mapping a non-UNIX policy (such as the same origin policy) into local OS 
primitives (such as sandboxed processes).

Jon Anderson, Ben Laurie, Kris Kennaway, and I implemented our research 
prototype on FreeBSD 9-CURRENT, with a backport to 8-STABLE, and first 
publicly presented the work at the USENIX Security Symposium in 2010. 
Google also has an in-flight port to Linux underway, with a goal of 
demonstrating its use with ChromeOS and the Chromium web browser (which is 
able to use Capsicum to sandbox HTML rendering and JavaScript execution on 
FreeBSD already); there's also discussion of adopting Capsicum in the NetBSD 
community.  We've modified a number of base FreeBSD components to use 
Capsicum, including tcpdump, sshd, and dhclient -- sometimes reinforcing 
existing privilege separation, and sometimes adding it.  There are also 
in-progress investigations of adding Capsicum sandboxing to third-party 
network applications such as BIND and Apache.

Those attending FreeBSD developer summits in Ottawa/Cambridge will by now 
likely have seen a couple of different talks on Capsicum, and it was also 
featured in USENIX's most recent ;login magazine, as well as having been 
discussed on the mailing lists on and off for a while.  It seems that in those 
venues, there's a strong consensus among attending developers that this is 
something that both developers and users of FreeBSD would like to see in the 
base system, and this e-mail is an attempt to make sure everyone knows before 
it turns up -- no surprises!  :-)

Jon's and my current plan is to merge, over the next few months, various kernel 
features required to support Capsicum sandboxing for FreeBSD 9.0: first 
capability mode support (this week), then capabilities themselves (which are a 
form of file descriptor in Capsicum), followed by process descriptors (a file 
descriptor alternative to process IDs that may be used by supporting 
applications).  The current plan is *not* to merge libcapsicum, a userspace 
library used by certain applications to construct sandboxes, as we feel the 
API remains insufficiently mature at this point.  However, the Capsicum system 
calls can still be used directly by applications, including Chromium.  We 
would distribute libcapsicum as a package alongside 9.0, just not as a 
supported OS API for the time being.

For those who want to learn more, you can read our USENIX Security paper, or 
watch the video of the USENIX Security talk, find reference material, 
information on our mailing list, etc., on the Capsicum web site at Cambridge:

   http://www.cl.cam.ac.uk/research/security/capsicum/

A number of organisations are contributing to continuing improvements in 
Capsicum and its applications, including Cambridge (supported by Google and 
DARPA), Google, and SRI (supported by DARPA).  There also appear to be a 
number of folks inside and outside the FreeBSD community who are eager to get 
started -- once it's in the tree!  Please feel free to join our mailing list, 
and get involved.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge
