Capsicum: Practical Capabilities for UNIX

Capsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support compartmentalisation of monolithic UNIX applications into logical applications, an increasingly common goal supported poorly by discretionary and mandatory access control. We demonstrate our approach by adapting core FreeBSD utilities and Google's Chromium web browser to use Capsicum primitives, and compare the complexity and robustness of Capsicum with other sandboxing techniques.
