Abstract
Capsicum is a lightweight operating system (OS) capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support decomposition of monolithic UNIX applications into compartmentalized logical applications, an increasingly common goal that is supported poorly by existing OS access control primitives. We demonstrate our approach by adapting core FreeBSD utilities and Google's Chromium Web browser to use Capsicum primitives, and compare the complexity and robustness of Capsicum with other sandboxing techniques.
- Accetta, M., Baron, R., Golub, D., Rashid, R., Tevanian, A., Young, M. Mach: A New Kernel Foundation for UNIX Development. Technical report, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA, Aug. 1986.Google Scholar
- Bittau, A., Marchenko, P., Handley, M., Karp, B. Wedge: Splitting applications into reduced-privilege compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (2008), USENIX Association, 309--322. Google ScholarDigital Library
- Cohen, E., Jefferson, D. Protection in the Hydra operating system. In SOSP'75: Proceedings of the Fifth ACM Symposium on Operating Systems Principles (1975), ACM, NY, 141--160. Google ScholarDigital Library
- Garfinkel, T., Pfa, B., Rosenblum, M. Ostia: A delegating architecture for secure system call interposition. In Proceedings of the Internet Society (2003).Google Scholar
- Google, Inc. The Chromium Project: Design Documents: OS X Sandboxing Design. http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design, Oct. 2010.Google Scholar
- Hardy, N. KeyKos architecture. SIGOPS Oper. Syst. Rev. 19, 4 (1985), 8--25. Google ScholarDigital Library
- Kilpatrick, D. Privman: A library for partitioning applications. In Proceedings of USENIX Annual Technical Conference (2003), USENIX Association, 273--284.Google Scholar
- Liedtke, J. On microkernel construction. In SOSP'95: Proceedings of the 15th ACM Symposium on Operating System, Principles (Copper Mountain resort, CO, Dec. 1995). Google ScholarDigital Library
- Loscocco, P.A., Smalley, S.D. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the USENIX Annual Technical Conference (June 2001), USENIX Association, 29--42. Google ScholarDigital Library
- Murray, D.G., Hand, S. Privilege separation made easy. In Proceedings of the ACM SIGOPS European Workshop on System, Security (EUROSEC) (2008), ACM, 40--46. Google ScholarDigital Library
- Neumann, P.G., Boyer, R.S., Feiertag, R.J., Levitt, K.N., Robinson, L. A Provably Secure Operating System: The System, Its Applications, and Proofs, Second Edition. Technical Report CSL-116, Computer Science Laboratory, SRI International, Menlo Park, CA, May 1980.Google Scholar
- Provos, N., Friedl, M., Honeyman, P. Preventing privilege escalation. In Proceedings of the 12th USENIX Security Symposium (2003), USENIX Association. Google ScholarDigital Library
- Reis, C., Gribble, S.D. Isolating web programs in modern browser architectures. In EuroSys'09: Proceedings of the 4th ACM European Conference on Computer Systems (2009), ACM, NY, 219--232. Google ScholarDigital Library
- Saltzer, J.H., Schroeder, M.D. The protection of information in computer systems. In Proceedings of the IEEE 63, 9 (Sep. 1975), 1278--1308.Google ScholarCross Ref
- Sami Saydjari, O. Lock: An historical perspective. In Proceedings of the 18th Annual Computer Security Applications Conference (2002), IEEE Computer Society. Google ScholarDigital Library
- Seaborn, M. Plash: Tools for practical least privilege, 2007. http://plash.beasts.org/Google Scholar
- Shapiro, J., Smith, J., Farber, D. EROS: A fast capability system. In SOSP'99: Proceedings of the Seventeenth ACM Symposium on Operating Systems Principles, Dec. 1999. Google ScholarDigital Library
- Watson, R.N.M., Anderson, J., Laurie, B., Kennaway, K. Capsicum: Practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium (2010), USENIX Association, Berkeley, CA. Google ScholarDigital Library
- Watson, R.N.M., Feldman, B., Migus, A., Vance, C. Design and implementation of the TrustedBSD MAC framework. In Proceedings of the Third DARPA Information Survivability Conference and Exhibition (DISCEX) (April 2003), IEEE.Google Scholar
- Wilkes, M.V., Needham, R.M. The Cambridge CAP Computer and Its Operating System (Operating and Programming Systems Series). Elsevier North-Holland, Inc., Amsterdam, the Netherlands, 1979. Google ScholarDigital Library
Index Terms
- A taste of Capsicum: practical capabilities for UNIX
Recommendations
Capsicum: practical capabilities for UNIX
USENIX Security'10: Proceedings of the 19th USENIX conference on SecurityCapsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a ...
Comments