I was pleased to contribute to a recent blog article by Ben Laurie, a frequent collaborator with the Cambridge security group, on the Google Open Source Programs Office blog. We describe open-source security work OSPO has sponsored over the last couple of years, including our joint work on Capsicum, and its followup projects funded jointly by Google and the FreeBSD Foundation. He also talks about Google support for Certificate Transparency, OpenSSL, Tor, and Libpurple — projects focussed not just on communications security, but also communications privacy on the Internet.
Over the last decade or so, it has become increasingly (and painfully) apparent that ACLs and MAC, which were originally designed to protect expensive mainframes from their users, and the users from each other, are failing to secure modern cheap machines with single users who need protecting from the software they run.
Instead, we need fine-grained access control and strong sandboxing.
My Cambridge colleague, Dr. Robert Watson says:
In August 2010, the University of Cambridge and Google published the Capsicum security model at the USENIX Security Symposium. Initially funded by a Google Faculty Research Award, Capsicum combines security ideas from historic research capability systems with contemporary operating-system design to allow robust, fine-grained, flexible, and application-centred sandboxing. Since 2012, Google Open Source Programs Office and the FreeBSD Foundation have been jointly funding continuing open source development to transition Capsicum from research to practice; Google also has summer students working on Capsicum through Google Summer of Code under the FreeBSD organization.
The project has been led by FreeBSD developer Pawel Dawidek, who has refined the Capsicum model as our experience has grown, updating existing privilege-separated applications to use Capsicum (e.g., OpenSSH and dhclient). Pawel has also adapted new applications to use Capsicum compartmentalisation “out-of-the-box”, including system tools and services (e.g., tcpdump, kdump, the high-availability storage daemon [hastd], the security audit-trail distribution daemon [auditdistd]), and UNIX pipeline components (e.g., grep, uniq). The goal is to move gradually towards ubiquitous sandboxing: since it is cheap (and often easy), explore what happens when you try to do it everywhere, mitigating as-yet unknown future vulnerabilities.
A key contribution of this work is the Casper application framework. Casper manages the creation of sandboxes, launching them on demand with only the rights they require to operate (Saltzer and Schroeder’s 1975 Principle of Least Privilege). Existing applications can be linked against Casper to make use of a growing suite of Casper components, including sandboxed DNS resolution, delegation of file-system subsets, cryptographic random number generation, network services (such as sockets), system monitoring interfaces (via sysctl), and system databases such as the user and password files.
Pawel’s current work is due to wrap up later in 2013. FreeBSD 10.0 will ship with Capsicum enabled by default and a suite of sandboxed applications.
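As an added illustration of the pattern described above (acquire descriptors, restrict them, enter capability mode, then do the work), here is a minimal grep-like pipeline filter in C. This is example code written for this post, not code from the blog article, from FreeBSD, or from the Capsicum ports of grep and uniq mentioned above. It uses the real cap_rights_limit(2) and cap_enter(2) calls on FreeBSD; on any other platform the sandbox step is assumed unavailable and reports ENOSYS, so the filter runs unsandboxed. The sample log lines are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter(2), cap_rights_limit(2) */
#endif

/* Restrict the two descriptors to the rights the filter needs, then enter
 * capability mode. Once in capability mode, open(2), socket(2) and other
 * calls that name global resources fail with ECAPMODE, so a bug in the
 * filter can only affect data it was already handed.
 * Returns 0 on success, -1 on failure; on a kernel or platform without
 * Capsicum, errno is ENOSYS so the caller can choose to run unsandboxed. */
static int enter_sandbox(int in_fd, int out_fd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    if (cap_rights_limit(in_fd, cap_rights_init(&rights, CAP_READ)) < 0)
        return -1;
    if (cap_rights_limit(out_fd, cap_rights_init(&rights, CAP_WRITE)) < 0)
        return -1;
    return cap_enter();
#else
    (void)in_fd; (void)out_fd;
    errno = ENOSYS;            /* assumed fallback: not a Capsicum platform */
    return -1;
#endif
}

/* grep-like body: copy every line containing needle from in_fd to out_fd and
 * return the number of matches (-1 on error). It touches nothing but the two
 * descriptors it was given, so it behaves identically inside the sandbox. */
static int filter_lines(int in_fd, int out_fd, const char *needle)
{
    char buf[4096];
    size_t used = 0;
    int matches = 0;
    for (;;) {
        ssize_t got = read(in_fd, buf + used, sizeof buf - used);
        if (got < 0)
            return -1;
        if (got == 0)
            break;
        used += (size_t)got;
        /* Emit each complete line; keep any partial tail for the next read. */
        size_t start = 0;
        for (size_t i = 0; i < used; i++) {
            if (buf[i] != '\n')
                continue;
            buf[i] = '\0';
            if (strstr(buf + start, needle) != NULL) {
                buf[i] = '\n';
                size_t len = i - start + 1;
                if (write(out_fd, buf + start, len) != (ssize_t)len)
                    return -1;
                matches++;
            }
            start = i + 1;
        }
        memmove(buf, buf + start, used - start);
        used -= start;
        if (used == sizeof buf)
            return -1;         /* a single line longer than the buffer */
    }
    if (used > 0) {            /* final line with no trailing newline */
        buf[used] = '\0';
        if (strstr(buf, needle) != NULL) {
            if (write(out_fd, buf, used) != (ssize_t)used)
                return -1;
            matches++;
        }
    }
    return matches;
}

/* Constructed sample input standing in for a log piped through the filter. */
static const char SAMPLE_INPUT[] =
    "sshd[101]: Accepted publickey for alice\n"
    "sshd[102]: Failed password for root\n"
    "cron[7]: job started\n"
    "sshd[103]: Failed password for admin\n";

/* Self-contained run: feed SAMPLE_INPUT through a pipe, sandbox the process,
 * run the filter and return the match count. If out is non-NULL the filtered
 * lines are copied into it as a NUL-terminated string. */
static int run_demo(const char *needle, char *out, size_t out_len)
{
    int in_pipe[2], out_pipe[2];
    if (pipe(in_pipe) < 0 || pipe(out_pipe) < 0)
        return -1;
    /* Acquire everything up front: the sample fits in the pipe buffer, so it
     * is loaded before the sandbox is entered and no later open(2) is needed. */
    size_t n = sizeof SAMPLE_INPUT - 1;
    if (write(in_pipe[1], SAMPLE_INPUT, n) != (ssize_t)n)
        return -1;
    close(in_pipe[1]);
    if (enter_sandbox(in_pipe[0], out_pipe[1]) < 0 && errno != ENOSYS)
        return -1;
    int matches = filter_lines(in_pipe[0], out_pipe[1], needle);
    close(in_pipe[0]);
    close(out_pipe[1]);
    if (out != NULL && out_len > 0) {
        ssize_t got = read(out_pipe[0], out, out_len - 1);
        out[got > 0 ? (size_t)got : 0] = '\0';
    }
    close(out_pipe[0]);
    return matches;
}

int main(void)
{
    char out[256];
    int matches = run_demo("Failed password", out, sizeof out);
    printf("%d matching line(s):\n%s", matches, out);
    return matches < 0 ? 1 : 0;
}
```

The order of operations is the whole point: anything the program will need later (files, sockets, the resolver) is obtained or delegated before cap_enter(), and afterwards the process can only operate on descriptors it already holds, each cut down to the rights it actually uses. That is the discipline Casper automates for larger applications by handing out those descriptors on demand.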