Robert Watson wrote:
> For those following security and access control in FreeBSD, this may be
> of interest. We'll have updated patches for Capsicum available for
> FreeBSD 8.1 in the next week or so. Feedback on the approach would be
> most welcome!
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
Very nice. I am looking forward to playing with this ;-)
>
> ---------- Forwarded message ----------
> Date: Thu, 12 Aug 2010 03:00:03 -0000
> From: Light Blue Touchpaper <notify+lbt-admin@cl.cam.ac.uk>
> Reply-To: cl-security-research@lists.cam.ac.uk
> To: cl-security-research@lists.cam.ac.uk
> Subject: Capsicum: practical capabilities for UNIX
>
> URL:
>
> http://www.lightbluetouchpaper.org/2010/08/12/capsicum-practical-capabilities-for-unix/
>
> by Robert N. M. Watson
>
> Today, Jonathan Anderson, Ben Laurie, Kris Kennaway, and I presented
> [Capsicum: practical capabilities for UNIX][1] at the [19th USENIX Security
> Symposium][2] in Washington, DC; the [slides][3] can be found on the
> [Capsicum web site][4]. We argue that capability design principles fill a
> gap left by discretionary access control (DAC) and mandatory access control
> (MAC) in operating systems when supporting security-critical and
> security-aware applications.
>
> Capsicum responds to the trend of application compartmentalisation
> (sometimes called privilege separation) by providing strong and
> well-defined isolation primitives, and by facilitating rights delegation
> driven by the application (and eventually, user). These facilities prove
> invaluable, not just for traditional security-critical programs such as
> tcpdump and OpenSSH, but also complex security-aware applications that map
> distributed security policies into local primitives, such as Google's
> Chromium web browser, which implement the same-origin policy when
> sandboxing JavaScript execution.
>
> Capsicum extends POSIX with a new _capability mode_ for processes, and
> _capability_ file descriptor type, as well as supporting primitives such as
> _process descriptors_. Capability mode denies access to global operating
> system namespaces, such as the file system and IPC namespaces: only
> delegated rights (typically via file descriptors or more refined
> capabilities) are available to sandboxes. We prototyped Capsicum on
> FreeBSD 9.x, and have extended a variety of applications, including
> Google's Chromium web browser, to use Capsicum for sandboxing. Our paper
> discusses design trade-offs, both in Capsicum and in applications, as well
> as a performance analysis. Capsicum is available under a BSD license.
>
> Capsicum is collaborative research between the University of Cambridge and
> Google, and has been sponsored by Google, and will be a foundation for
> future work on application security, sandboxing, and usability security at
> Cambridge and Google. Capsicum has also been backported to FreeBSD 8.x, and
> Heradon Douglas at Google has an in-progress port to Linux.
>
> We're also pleased to report the Capsicum paper won Best Student Paper
> award at the conference!
>
> [1]: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
>
> [2]: http://www.usenix.org/events/sec10/
>
> [3]: http://www.cl.cam.ac.uk/research/security/capsicum/slides/20100811-usenix-capsicum.pdf
>
> [4]: http://www.cl.cam.ac.uk/research/security/capsicum/
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
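The compartmentalisation pattern the forwarded post describes (acquire resources from global namespaces first, narrow them to the rights the sandbox needs, then enter capability mode and work only through delegated descriptors), as an added example that is not code from the paper, the Capsicum project or FreeBSD. It assumes the cap_enter()/cap_rights_init()/cap_rights_limit() interface from sys/capsicum.h as shipped in later FreeBSD releases, which postdates the 2010 prototype API; on systems without Capsicum the sandbox-entry step reports ENOSYS (a fallback chosen for this example) so the surrounding structure still runs. The sample input is constructed inline.

```c
/* Added example of the Capsicum sandboxing pattern; not project code.
 * Assumes the later FreeBSD Capsicum API (sys/capsicum.h). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter(), cap_rights_limit() */
#endif

/* Step 1 (before sandboxing): open the resource from the global file system
 * namespace and narrow the descriptor to read+fstat. On FreeBSD the result is
 * a capability; elsewhere it stays an ordinary descriptor (assumption). */
int open_limited_input(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) < 0) {
        close(fd);
        return -1;
    }
#endif
    return fd;
}

/* Step 2: enter capability mode. From here on, open(2), connect(2) and other
 * global-namespace operations fail with ECAPMODE on FreeBSD. Returns -1 with
 * errno ENOSYS where Capsicum is unavailable (fallback for this example). */
int enter_sandbox(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Step 3: the untrusted work, done only through the delegated descriptor.
 * Returns the number of newline characters read, or -1 on a read error. */
long count_lines(int fd)
{
    char buf[4096];
    long lines = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n')
                lines++;
    return n < 0 ? -1 : lines;
}

/* Probe whether the global file system namespace is still reachable.
 * Returns 0 if open(2) succeeded (not sandboxed), otherwise errno; inside
 * capability mode this is ECAPMODE regardless of file permissions. */
int probe_global_namespace(void)
{
    int fd = open("/etc/hosts", O_RDONLY);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

/* Constructed sample input (three lines) in an anonymous temporary file,
 * returned as a descriptor positioned at offset 0. */
int make_sample_input(void)
{
    static const char sample[] = "alpha\nbeta\ngamma\n";
    FILE *f = tmpfile();
    if (!f)
        return -1;
    if (fwrite(sample, 1, sizeof sample - 1, f) != sizeof sample - 1) {
        fclose(f);
        return -1;
    }
    fflush(f);
    int fd = dup(fileno(f));
    fclose(f);
    lseek(fd, 0, SEEK_SET);
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_limited_input(argv[1]) : make_sample_input();
    if (fd < 0) {
        perror("open_limited_input");
        return 1;
    }
    if (enter_sandbox() < 0 && errno != ENOSYS) {
        perror("cap_enter");
        return 1;
    }
    int probe = probe_global_namespace();
    printf("global namespace: %s\n", probe ? strerror(probe) : "reachable");
    printf("lines via delegated fd: %ld\n", count_lines(fd));
    return 0;
}
```

Run it with a file path on FreeBSD to see the probe report "Not permitted in capability mode" while the line count still succeeds through the delegated descriptor; on other systems the probe reports the namespace as reachable, which is exactly the gap capability mode closes.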