Capsicum: practical capabilities for UNIX
USENIX Security Symposium, pp.3-3, (2010)
Capsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support compartmentalisation of monolithic UNIX application...
- Capsicum is an API that brings capabilities to UNIX.
- UNIX systems have less fine-grained access control than capability systems, but are very widely deployed.
- By adding capability primitives to standard UNIX APIs, Capsicum gives application authors a realistic adoption path for one of the ideals of OS security: least-privilege operation.
- Privilege separation, or compartmentalisation, is a pattern that has been adopted for applications such as OpenSSH, Apple’s SecurityServer, and, more recently, Google’s Chromium web browser.
- Compartmentalisation is enforced using various access control techniques, but only with significant programmer effort and significant technical limitations: current OS facilities are not designed for this purpose.
- We have described Capsicum, a practical capabilities extension to the POSIX API, and a prototype based on FreeBSD, planned for inclusion in FreeBSD 9.0.
- Our goal has been to address the needs of application authors who are already experimenting with sandboxing, but find themselves building on sand when it comes to effective containment techniques.
- Capsicum lends itself to adoption by blending immediate security improvements to current applications with the long-term prospects of a more capability-oriented future. We illustrate this through adaptations of widely-used applications, from the simple gzip to Google’s highly-complex Chromium web browser, showing how firm OS foundations make the job of application writers easier.
- Security and performance analyses show that improved security is not without cost, but that the point we have selected on a spectrum of possible designs improves on the state of the art.
In 1975, Saltzer and Schroeder documented a vocabulary for operating system security based on on-going work on MULTICS. They described the concepts of capabilities and access control lists, and observed that in practice, systems combine the two approaches in order to offer a blend of control and performance. Thirty-five years of research have explored these and other security concepts, but the themes remain topical.
8.1 Discretionary and Mandatory Access Control
The principle of discretionary access control (DAC) is that users control protections on objects they own. While DAC remains relevant in multi-user server environments, the advent of personal computers and mobile phones has revealed its weakness: on a single-user computer, all eggs are in one basket. Section 5.1 demonstrates the difficulty of using DAC for malicious code containment.
Mandatory access control systemically enforces policies representing the interests of system implementers and administrators. Information flow policies tag subjects and objects in the system with confidentiality and integrity labels—fixed rules prevent reads or writes that would allow information leakage. Multi-Level Security (MLS), formalised as Bell-LaPadula (BLP), protects confidential information from unauthorised release. MLS’s logical dual, the Biba integrity policy, implements a similar scheme protecting integrity, and can be used to protect Trusted Computing Bases (TCBs).
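The BLP/Biba duality described above, as an added example that is not from the Capsicum paper: a minimal model of both information-flow policies over one label lattice, with a check for the read-then-write flow each policy is meant to stop. Level names and compartments are constructed for illustration.

```python
# Added illustration, not code from the Capsicum paper. Level names and
# compartment names below are constructed for the example.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Label:
    """Lattice label: a hierarchical level plus a set of compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other iff the level is at least as high and the
        # compartment set is a superset of the other's
        return (self.level >= other.level
                and other.compartments <= self.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)      # simple security property
    if op == "write":
        return obj.dominates(subject)      # *-property
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up; labels now mean trust."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")


def flow_blocked(policy, subject: Label, src: Label, dst: Label) -> bool:
    """True if `policy` stops `subject` from copying data it read from
    object `src` into object `dst` (the two-step flow each policy targets)."""
    return not (policy(subject, src, "read") and policy(subject, dst, "write"))
```

Under BLP the high-to-low copy is blocked and the low-to-high copy is not; under Biba the situation is exactly reversed, which is the duality the text refers to.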
- The Chromium Project. Design Documents: OS X. http://dev.chromium.org/
- ACCETTA, M. J., BARON, R., BOLOSKY, W., GOLUB, D., RASHID, R., TEVANIAN, A., AND YOUNG, M. Mach: a new kernel foundation for UNIX development. In Proceedings of the USENIX 1986 Summer Conference (July 1986), pp. 93–112.
- BELL, D. E., AND LAPADULA, L. J. Secure computer systems: Mathematical foundations. Tech. Rep. 2547, MITRE Corp., March 1973.
- BIBA, K. J. Integrity considerations for secure computer systems. Tech. Rep., MITRE Corp., April 1977.
- BITTAU, A., MARCHENKO, P., HANDLEY, M., AND KARP, B. Wedge: Splitting Applications into Reduced-Privilege Compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (2008), pp. 309–322.
- BRANSTAD, M., AND LANDAUER, J. Assurance for the Trusted Mach operating system. In Proceedings of the Fourth Annual Conference on Computer Assurance (COMPASS ’89): Systems Integrity, Software Safety and Process Security (1989), pp. 103–108.
- GARFINKEL, T., PFAFF, B., AND ROSENBLUM, M. Ostia: A delegating architecture for secure system call interposition. In Proc. Internet Society 2003 (2003).
- GONG, L., MUELLER, M., PRAFULLCHANDRA, H., AND SCHEMERS, R. Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2. In Proceedings of the USENIX Symposium on Internet Technologies and Systems.
- HARDY, N. KeyKOS architecture. SIGOPS Operating Systems Review 19, 4 (Oct 1985).
- KILPATRICK, D. Privman: A Library for Partitioning Applications. In Proceedings of the USENIX Annual Technical Conference (2003), pp. 273–284.
- LIEDTKE, J. On microkernel construction. In Proceedings of the 15th ACM Symposium on Operating System Principles (SOSP15) (Copper Mountain Resort, CO, Dec. 1995).
- LOSCOCCO, P., AND SMALLEY, S. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference (2001), pp. 29–42.
- MILLER, M. S. The E language. http://www.erights.org/.
- MURRAY, D. G., AND HAND, S. Privilege Separation Made Easy. In Proceedings of the ACM SIGOPS European Workshop on System Security (EUROSEC) (2008), pp. 40–46.
- NEUMANN, P. G., BOYER, R. S., FEIERTAG, R. J., LEVITT, K. N., AND ROBINSON, L. A provably secure operating system: The system, its applications, and proofs, second edition. Tech. Rep. CSL-116, Computer Science Laboratory, SRI International, May 1980.
- PROVOS, N., FRIEDL, M., AND HONEYMAN, P. Preventing Privilege Escalation. In Proceedings of the 12th USENIX Security Symposium (2003).
- REIS, C., AND GRIBBLE, S. D. Isolating web programs in modern browser architectures. In EuroSys ’09: Proceedings of the 4th ACM European Conference on Computer Systems (New York, NY, USA, 2009), ACM, pp. 219–232.
- SALTZER, J. H., AND SCHROEDER, M. D. The protection of information in computer systems. In Communications of the ACM (July 1974), vol. 17.
- SAYDJARI, O. S. LOCK: An historical perspective. In Proceedings of the 18th Annual Computer Security Applications Conference (2002), IEEE Computer Society.
- SEABORN, M. Plash: tools for practical least privilege, 2010. http://plash.beasts.org/.
- SEBES, E. J. Overview of the architecture of Distributed Trusted Mach. In Proceedings of the USENIX Mach Symposium (November 1991), 20–22.
- SHAPIRO, J., SMITH, J., AND FARBER, D. EROS: a fast capability system. In SOSP ’99: Proceedings of the Seventeenth ACM Symposium on Operating Systems Principles (Dec 1999).
- SPENCER, R., SMALLEY, S., LOSCOCCO, P., HIBLER, M., ANDERSON, D., AND LEPREAU, J. The Flask Security Architecture: System Support for Diverse Security Policies. In Proc. 8th USENIX Security Symposium (August 1999).
- VANCE, C., AND WATSON, R. Security Enhanced BSD. Network Associates Laboratories (2003).
- WAGNER, D., AND TRIBBLE, D. A security analysis of the Combex DarpaBrowser architecture, March 2002. http://www.combex.com/papers/darpa-review/security-review.pdf.
- WATSON, R., FELDMAN, B., MIGUS, A., AND VANCE, C. Design and Implementation of the TrustedBSD MAC Framework. In Proc. Third DARPA Information Survivability Conference and Exhibition (DISCEX), IEEE (April 2003).
- WILKES, M. V., AND NEEDHAM, R. M. The Cambridge CAP computer and its operating system (Operating and Programming Systems Series). Elsevier North-Holland, Inc., Amsterdam, The Netherlands, 1979.