
Capsicum: practical capabilities for UNIX

USENIX Security Symposium (2010)


Abstract

Capsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support compartmentalisation of monolithic UNIX application...

Introduction
  • Capsicum is an API that brings capabilities to UNIX.
  • UNIX systems have less fine-grained access control than capability systems, but are very widely deployed.
  • By adding capability primitives to standard UNIX APIs, Capsicum gives application authors a realistic adoption path for one of the ideals of OS security: least-privilege operation.
  • Privilege separation [17], or compartmentalisation, is a pattern that has been adopted for applications such as OpenSSH, Apple’s SecurityServer, and, more recently, Google’s Chromium web browser.
  • Compartmentalisation is enforced using various access control techniques, but only with significant programmer effort and under significant technical limitations, because current OS facilities are not designed for this purpose.
Conclusion
  • The authors have described Capsicum, a practical capabilities extension to the POSIX API, and a prototype based on FreeBSD, planned for inclusion in FreeBSD 9.0.
  • Their goal has been to address the needs of application authors who are already experimenting with sandboxing, but find themselves building on sand when it comes to effective containment techniques.
  • Capsicum lends itself to adoption by blending immediate security improvements to current applications with the long-term prospects of a more capability-oriented future.
  • The authors illustrate this through adaptations of widely-used applications, from the simple gzip to Google's highly-complex Chromium web browser, showing how firm OS foundations make the job of application writers easier.
  • Security and performance analyses show that improved security is not without cost, but that the point the authors have selected on a spectrum of possible designs improves on the state of the art.
Related work
  • In 1975, Saltzer and Schroeder documented a vocabulary for operating system security based on ongoing work on MULTICS [19]. They described the concepts of capabilities and access control lists, and observed that in practice, systems combine the two approaches in order to offer a blend of control and performance. Thirty-five years of research have explored these and other security concepts, but the themes remain topical.

    8.1 Discretionary and Mandatory Access Control

    The principle of discretionary access control (DAC) is that users control protections on objects they own. While DAC remains relevant in multi-user server environments, the advent of personal computers and mobile phones has revealed its weakness: on a single-user computer, all eggs are in one basket. Section 5.1 demonstrates the difficulty of using DAC for malicious code containment.

    Mandatory access control (MAC) systemically enforces policies representing the interests of system implementers and administrators. Information flow policies tag subjects and objects in the system with confidentiality and integrity labels; fixed rules, which the subject cannot relax, prevent reads or writes that would allow information leakage. Multi-Level Security (MLS), formalised as Bell-LaPadula (BLP), protects confidential information from unauthorised release [3]. MLS's logical dual, the Biba integrity policy, implements a similar scheme protecting integrity, and can be used to protect Trusted Computing Bases (TCBs) [4].
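The fixed rules this section describes, written out as a small reference monitor: the BLP simple-security and *-properties over confidentiality labels, the Biba dual over integrity labels, and a UNIX-style owner/mode DAC check beside them, so that the single-user weakness of DAC is visible in the output. This is an added example, not code from the paper or from any MAC implementation; the four-level confidentiality chain, the three-level integrity chain, and the scenario (an editor and a compromised plugin running as the same uid) are constructed for illustration.

```c
/* mac_monitor.c: DAC, Bell-LaPadula and Biba checks over constructed labels. Added example;
 * not from the paper. Portable C: cc -o mac_monitor mac_monitor.c */
#include <stdio.h>

enum op { OP_READ = 1, OP_WRITE = 2 };

/* Levels form a chain here (a lattice in general); higher is more sensitive / more trusted. */
enum conf  { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
enum integ { UNTRUSTED = 0, USER = 1, SYSTEM = 2 };

typedef struct {
    const char *name;
    int uid;    /* owner of an object, or effective uid of a subject */
    int mode;   /* DAC permission bits of an object (octal); unused for subjects */
    int conf;   /* confidentiality label (BLP) */
    int integ;  /* integrity label (Biba) */
} label;

/* DAC: the owner sets the bits, so any process running as the owner gets what the bits grant. */
static int dac_allows(label subj, label obj, enum op op)
{
    int bits = (subj.uid == obj.uid) ? (obj.mode >> 6) & 7 : obj.mode & 7;
    return op == OP_READ ? (bits & 4) != 0 : (bits & 2) != 0;
}

/* BLP: simple-security property (no read up) and *-property (no write down). */
static int blp_allows(label subj, label obj, enum op op)
{
    return op == OP_READ ? subj.conf >= obj.conf : subj.conf <= obj.conf;
}

/* Biba, the logical dual of BLP: no read down, no write up. */
static int biba_allows(label subj, label obj, enum op op)
{
    return op == OP_READ ? subj.integ <= obj.integ : subj.integ >= obj.integ;
}

/* The reference monitor: DAC and every MAC policy must agree, and only an administrator
 * changes the MAC labels, so a subject cannot talk its way around the flow rules. */
static int monitor_allows(label subj, label obj, enum op op)
{
    return dac_allows(subj, obj, op) && blp_allows(subj, obj, op) && biba_allows(subj, obj, op);
}

/* Constructed scenario: the user's editor, and a compromised plugin running as the same uid but
 * labelled UNTRUSTED because it executes downloaded code. The home directory sits at SECRET. */
static const label editor = { "editor", 1000, 0,    SECRET,       USER };
static const label plugin = { "plugin", 1000, 0,    SECRET,       UNTRUSTED };
static const label notes  = { "~/secret-notes",     1000, 0600, SECRET,       USER };
static const label paste  = { "~/public/paste.txt", 1000, 0644, UNCLASSIFIED, USER };
static const label rc     = { "~/.profile",         1000, 0644, SECRET,       USER };
static const label sshd   = { "/usr/sbin/sshd",     0,    0755, UNCLASSIFIED, SYSTEM };

static void report(label s, label o, enum op op)
{
    printf("%-7s %-5s %-20s DAC=%d BLP=%d Biba=%d -> %s\n", s.name,
           op == OP_READ ? "read" : "write", o.name, dac_allows(s, o, op),
           blp_allows(s, o, op), biba_allows(s, o, op),
           monitor_allows(s, o, op) ? "allow" : "deny");
}

int main(void)
{
    report(editor, notes, OP_WRITE);   /* legitimate: same level, same integrity */
    report(plugin, notes, OP_READ);    /* DAC and MAC both allow: the plugin can read secrets */
    report(plugin, paste, OP_WRITE);   /* DAC allows; the *-property stops the write down (leak) */
    report(plugin, rc, OP_WRITE);      /* DAC and BLP allow; Biba stops untrusted code writing up */
    report(plugin, sshd, OP_WRITE);    /* TCB binary: refused by DAC and Biba alike */
    return 0;
}
```

The third and fourth rows are the section's argument in miniature: DAC says yes to everything the plugin tries inside the user's home, because the plugin is the user as far as uid and mode bits are concerned; only the fixed flow rules separate "read the notes" from "copy them somewhere unclassified" or "append to a startup file".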
Reference
  • [1] The Chromium Project: Design Documents: OS X. http://dev.chromium.org/
  • [2] ACCETTA, M. J., BARON, R., BOLOSKY, W., GOLUB, D., RASHID, R., TEVANIAN, A., AND YOUNG, M. Mach: a new kernel foundation for UNIX development. In Proceedings of the USENIX 1986 Summer Conference (July 1986), pp. 93–112.
  • [3] BELL, D. E., AND LAPADULA, L. J. Secure computer systems: Mathematical foundations. Tech. Rep. 2547, MITRE Corp., March 1973.
  • [4] BIBA, K. J. Integrity considerations for secure computer systems. Tech. Rep., MITRE Corp., April 1977.
  • [5] BITTAU, A., MARCHENKO, P., HANDLEY, M., AND KARP, B. Wedge: Splitting applications into reduced-privilege compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI) (2008), pp. 309–322.
  • [6] BRANSTAD, M., AND LANDAUER, J. Assurance for the Trusted Mach operating system. In Proceedings of the Fourth Annual Conference on Computer Assurance (COMPASS '89): Systems Integrity, Software Safety and Process Security (1989), pp. 103–108.
  • [7] GARFINKEL, T., PFAFF, B., AND ROSENBLUM, M. Ostia: A delegating architecture for secure system call interposition. In Proceedings of the Network and Distributed System Security Symposium (NDSS), Internet Society (2003).
  • [8] GONG, L., MUELLER, M., PRAFULLCHANDRA, H., AND SCHEMERS, R. Going beyond the sandbox: An overview of the new security architecture in the Java Development Kit 1.2. In Proceedings of the USENIX Symposium on Internet Technologies and Systems (1997).
  • [9] HARDY, N. KeyKOS architecture. ACM SIGOPS Operating Systems Review 19, 4 (October 1985).
  • [10] KILPATRICK, D. Privman: A library for partitioning applications. In Proceedings of the USENIX Annual Technical Conference (2003), pp. 273–284.
  • [11] LIEDTKE, J. On micro-kernel construction. In Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP) (Copper Mountain Resort, CO, December 1995).
  • [12] LOSCOCCO, P., AND SMALLEY, S. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference (2001), pp. 29–42.
  • [13] MILLER, M. S. The E language. http://www.erights.org/
  • [14] MILLER, M. S., SAMUEL, M., LAURIE, B., AWAD, I., AND STAY, M. Caja: Safe active content in sanitized JavaScript, May 2008. http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf
  • [15] MURRAY, D. G., AND HAND, S. Privilege separation made easy. In Proceedings of the ACM SIGOPS European Workshop on System Security (EUROSEC) (2008), pp. 40–46.
  • [16] NEUMANN, P. G., BOYER, R. S., FEIERTAG, R. J., LEVITT, K. N., AND ROBINSON, L. A provably secure operating system: The system, its applications, and proofs, second edition. Tech. Rep. CSL-116, Computer Science Laboratory, SRI International, May 1980.
  • [17] PROVOS, N., FRIEDL, M., AND HONEYMAN, P. Preventing privilege escalation. In Proceedings of the 12th USENIX Security Symposium (2003).
  • [18] REIS, C., AND GRIBBLE, S. D. Isolating web programs in modern browser architectures. In EuroSys '09: Proceedings of the 4th ACM European Conference on Computer Systems (New York, NY, USA, 2009), ACM, pp. 219–232.
  • [19] SALTZER, J. H., AND SCHROEDER, M. D. The protection of information in computer systems. Communications of the ACM 17 (July 1974).
  • [20] SAYDJARI, O. S. LOCK: An historical perspective. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC) (2002), IEEE Computer Society.
  • [21] SEABORN, M. Plash: tools for practical least privilege, 2010. http://plash.beasts.org/
  • [22] SEBES, E. J. Overview of the architecture of Distributed Trusted Mach. In Proceedings of the USENIX Mach Symposium (November 20–22, 1991).
  • [23] SHAPIRO, J., SMITH, J., AND FARBER, D. EROS: A fast capability system. In SOSP '99: Proceedings of the Seventeenth ACM Symposium on Operating Systems Principles (December 1999).
  • [24] SPENCER, R., SMALLEY, S., LOSCOCCO, P., HIBLER, M., ANDERSON, D., AND LEPREAU, J. The Flask security architecture: System support for diverse security policies. In Proceedings of the 8th USENIX Security Symposium (August 1999).
  • [25] VANCE, C., AND WATSON, R. Security Enhanced BSD. Network Associates Laboratories, 2003.
  • [26] WAGNER, D., AND TRIBBLE, D. A security analysis of the Combex DarpaBrowser architecture, March 2002. http://www.combex.com/papers/darpa-review/security-review.pdf
  • [27] WATSON, R., FELDMAN, B., MIGUS, A., AND VANCE, C. Design and implementation of the TrustedBSD MAC framework. In Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX), IEEE (April 2003).
  • [28] WILKES, M. V., AND NEEDHAM, R. M. The Cambridge CAP Computer and Its Operating System (Operating and Programming Systems Series). Elsevier North-Holland, Amsterdam, The Netherlands, 1979.