Capsicum -- 9.x merge in sight
Robert Watson
rwatson at FreeBSD.org
Sat Jan 22 15:25:54 UTC 2011
Dear all:
As many of you will now have heard, the Computer Laboratory at the University
of Cambridge and Google have been collaborating for the last few years on a
security research project called Capsicum. It consists of a set of extensions
to the POSIX API adding a new "capability mode", "capabilities", "process
descriptors", and several other additions required to implement a
capability-oriented sandbox model in UNIX. These features are targeted at
application compartmentalisation, in which applications are separated into
mutually untrusting components in order to improve robustness. Such
applications often span multiple security domains (such as web browsers),
mapping a non-UNIX policy (such as the same origin policy) into local OS
primitives (such as sandboxed processes).
Jon Anderson, Ben Laurie, Kris Kennaway, and I implemented our research
prototype on FreeBSD 9-CURRENT, with a backport to 8-STABLE, and first
publicly presented the work at the USENIX Security Symposium in 2010.
Google also has an in-flight port to Linux underway, with a goal of
demonstrating its use with ChromeOS and the Chromium web browser (which is
able to use Capsicum to sandbox HTML rendering and JavaScript execution on
FreeBSD already); there's also discussion of adopting Capsicum in the NetBSD
community. We've modified a number of base FreeBSD components to use
Capsicum, including tcpdump, sshd, and dhclient -- sometimes reinforcing
existing privilege separation, and sometimes adding it. There are also
in-progress investigations of adding Capsicum sandboxing to third-party
network applications such as BIND and Apache.
Those attending FreeBSD developer summits in Ottawa/Cambridge will by now
likely have seen a couple of different talks on Capsicum, and it was also
featured in USENIX's most recent ;login magazine, as well as having been
discussed on the mailing lists on and off for a while. It seems that in those
venues, there's a strong consensus among attending developers that this is
something that both developers and users of FreeBSD would like to see in the
base system, and this e-mail is an attempt to make sure everyone knows before
it turns up -- no surprises! :-)
Jon's and my current plan is to merge, over the next few months, various kernel
features required to support Capsicum sandboxing for FreeBSD 9.0: first
capability mode support (this week), then capabilities themselves (which are a
form of file descriptor in Capsicum), followed by process descriptors (a file
descriptor alternative to process IDs that may be used by supporting
applications). The current plan is *not* to merge libcapsicum, a userspace
library used by certain applications to construct sandboxes, as we feel the
API remains insufficiently mature at this point. However, the Capsicum system
calls can still be used directly by applications, including Chromium. We
would distribute libcapsicum as a package alongside 9.0, just not as a
supported OS API for the time being.
For those who want to learn more, you can read our USENIX Security paper, or
watch the video of the USENIX Security talk, find reference material,
information on our mailing list, etc., on the Capsicum web site at Cambridge:
http://www.cl.cam.ac.uk/research/security/capsicum/
A number of organisations are contributing to continuing improvements in
Capsicum and its applications, including Cambridge (supported by Google and
DARPA), Google, and SRI (supported by DARPA). There also appear to be a
number of folks inside and outside the FreeBSD community who are eager to get
started -- once it's in the tree! Please feel free to join our mailing list,
and get involved.
Thanks,
Robert N M Watson
Computer Laboratory
University of Cambridge