On Fri, 24 Sep 2010 14:46:10 -0500 David Young <[email protected]> wrote:

> A couple of weeks ago I read a paper on Capsicum, a "lightweight OS
> capability and sandbox framework,"
> <http://www.cl.cam.ac.uk/research/security/capsicum/>. It won best
> paper at Usenix Security, and the creators have lots of experience
> with previous systems that fed into how they designed Capsicum.
> Capsicum looks like a giant step in the right direction for UNIX
> security research. I'd like to see a similar function in NetBSD. What
> are others' impressions of Capsicum? Is anybody working on a port?

A port would be good -- superior to a reinvention. I'm reasonably
convinced that Robert Watson, Ben Laurie, etc. know what they're doing
here.

> I have a couple of concerns about Capsicum at its current level of
> development. First, I'm wary of "self-compartmentalization" of
> programs and libraries. It seems like it could be a lot of work to
> add self-compartmentalization to just the programs in NetBSD's base
> system, and when it was finished, I doubt that so many changes
> would be both trustworthy and consistent.

Actually, the amount of work for any given subsystem is pretty small,
but I don't think the intent of the architecture is to go through
libraries doing this. For a program like ntp or bozo-httpd or what
have you, it is worthwhile, and not a very large effort.

> The second concern is related to the first: a Capsicum sandbox doesn't
> simulate access to the global namespace for the purpose of unmodified
> programs calling, e.g., open(2)---can it?

The whole point of a capability system is to remove access to such
namespaces -- you eliminate the security properties if you do. If the
desire is a system based on more global policies, you want a MAC
system of some sort (systrace was a sort of MAC system), not a
capability architecture.

I suggest reading Jonathan Shapiro's introduction to capability
systems, found here:

http://www.eros-os.org/essays/capintro.html

One of the interesting features of Capsicum is that it allows a nice
hybrid of the capability architecture with a normal Unix environment
for most programs. However, once you're really living in capability
world, you don't want global namespaces; they destroy the security of
the architecture.

Perry
-- 
Perry E. Metzger		[email protected]
