Capsicum: practical capabilities for UNIX (fwd)

Hugo Silva hugo at barafranca.com
Fri Aug 13 09:15:45 UTC 2010


Robert Watson wrote:
> 
> For those following security and access control in FreeBSD, this may be 
> of interest.  We'll have updated patches for Capsicum available for 
> FreeBSD 8.1 in the next week or so.  Feedback on the approach would be 
> most welcome!
> 
> Robert N M Watson
> Computer Laboratory
> University of Cambridge

Very nice. I am looking forward to playing with this ;-)

> 
> ---------- Forwarded message ----------
> Date: Thu, 12 Aug 2010 03:00:03 -0000
> From: Light Blue Touchpaper <notify+lbt-admin at cl.cam.ac.uk>
> Reply-To: cl-security-research at lists.cam.ac.uk
> To: cl-security-research at lists.cam.ac.uk
> Subject: Capsicum: practical capabilities for UNIX
> 
> URL: http://www.lightbluetouchpaper.org/2010/08/12/capsicum-practical-capabilities-for-unix/
> 
> by Robert N. M. Watson
> 
> Today, Jonathan Anderson, Ben Laurie, Kris Kennaway, and I presented
> [Capsicum: practical capabilities for UNIX][1] at the [19th USENIX Security
> Symposium][2] in Washington, DC; the [slides][3] can be found on the
> [Capsicum web site][4]. We argue that capability design principles fill a
> gap left by discretionary access control (DAC) and mandatory access control
> (MAC) in operating systems when supporting security-critical and
> security-aware applications.
> 
> Capsicum responds to the trend of application compartmentalisation
> (sometimes called privilege separation) by providing strong and
> well-defined isolation primitives, and by facilitating rights delegation
> driven by the application (and eventually, user). These facilities prove
> invaluable, not just for traditional security-critical programs such as
> tcpdump and OpenSSH, but also complex security-aware applications that map
> distributed security policies into local primitives, such as Google's
> Chromium web browser, which implement the same-origin policy when
> sandboxing JavaScript execution.
> 
> Capsicum extends POSIX with a new _capability mode_ for processes, and
> _capability_ file descriptor type, as well as supporting primitives such as
> _process descriptors_. Capability mode denies access to global operating
> system namespaces, such as the file system and IPC namespaces: only
> delegated rights (typically via file descriptors or more refined
> capabilities) are available to sandboxes. We prototyped Capsicum on FreeBSD
> 9.x, and have extended a variety of applications, including Google's
> Chromium web browser, to use Capsicum for sandboxing. Our paper discusses
> design trade-offs, both in Capsicum and in applications, as well as a
> performance analysis. Capsicum is available under a BSD license.
> 
> Capsicum is collaborative research between the University of Cambridge and
> Google, and has been sponsored by Google, and will be a foundation for
> future work on application security, sandboxing, and usability security at
> Cambridge and Google. Capsicum has also been backported to FreeBSD 8.x, and
> Heradon Douglas at Google has an in-progress port to Linux.
> 
> We're also pleased to report the Capsicum paper won Best Student Paper
> award at the conference!
> 
>    [1]: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
> 
>    [2]: http://www.usenix.org/events/sec10/
> 
>    [3]: http://www.cl.cam.ac.uk/research/security/capsicum/slides/20100811-usenix-capsicum.pdf
> 
>    [4]: http://www.cl.cam.ac.uk/research/security/capsicum/
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
