Capsicum: practical capabilities for UNIX

August 12th, 2010 at 02:57 UTC by Robert N. M. Watson

Today, Jonathan Anderson, Ben Laurie, Kris Kennaway, and I presented Capsicum: practical capabilities for UNIX at the 19th USENIX Security Symposium in Washington, DC; the slides can be found on the Capsicum web site. We argue that capability design principles fill a gap left by discretionary access control (DAC) and mandatory access control (MAC) in operating systems when supporting security-critical and security-aware applications.

Capsicum responds to the trend of application compartmentalisation (sometimes called privilege separation) by providing strong and well-defined isolation primitives, and by facilitating rights delegation driven by the application (and eventually, the user). These facilities prove invaluable, not just for traditional security-critical programs such as tcpdump and OpenSSH, but also for complex security-aware applications that map distributed security policies into local primitives, such as Google’s Chromium web browser, which implements the same-origin policy when sandboxing JavaScript execution.

Capsicum extends POSIX with a new capability mode for processes and a capability file descriptor type, as well as supporting primitives such as process descriptors. Capability mode denies access to global operating system namespaces, such as the file system and IPC namespaces: only delegated rights (typically via file descriptors or more refined capabilities) are available to sandboxes. We prototyped Capsicum on FreeBSD 9.x, and have extended a variety of applications, including Google’s Chromium web browser, to use Capsicum for sandboxing. Our paper discusses design trade-offs, both in Capsicum and in applications, as well as a performance analysis. Capsicum is available under a BSD license.

Capsicum is collaborative research between the University of Cambridge and Google, sponsored by Google, and will be a foundation for future work on application security, sandboxing, and security usability at Cambridge and Google. Capsicum has also been backported to FreeBSD 8.x, and Heradon Douglas at Google has an in-progress port to Linux.

We’re also pleased to report the Capsicum paper won Best Student Paper award at the conference!

Entry filed under: Academic papers, Awards, Operating systems

3 comments

  • 1. Saar Drimer  |  August 12th, 2010 at 09:41 UTC

    Congratulations for the award!

  • 2. Toby Murray  |  August 13th, 2010 at 04:34 UTC

    Congratulations! This work deserves to be more widely known. Looking forward to reading the paper.

    Was surprised you didn’t cite Krohn et al. from USENIX HotOS 2005 http://portal.acm.org/citation.cfm?id=1251144

    Also of relevance would be Langley’s 2005 thesis work (of almost the same name as your paper) http://www.imperialviolet.org/binary/pucs.pdf

  • 3. Robert N. M. Watson  |  August 13th, 2010 at 04:52 UTC

    Hi Toby:

    Thanks for the congratulations and comments! Indeed, not including a citation to Asbestos was a significant oversight; another paper relevant to the topic is Wang et al on Gazelle, which considers the web browser itself as an OS in exploring browser security. In a space-constrained conference paper, there are limits on how much prior work can be reported on, especially in the field of OS access control where so much work has been done, though! We are in the process of preparing a longer technical report version of the paper and will be able to include a larger related work section in that format, as well as explore further aspects of the Capsicum design and implementation. We also have slides from our ASA-4 talk which begins to explore the application of formal methods (in this case, model checking) to portions of the Capsicum design.

    Thanks,

    Robert
