On Sun, Sep 26, 2010 at 01:34:54PM -0400, Perry E. Metzger wrote:
> On Fri, 24 Sep 2010 14:46:10 -0500 David Young <[email protected]>
> wrote:
> > A couple of weeks ago I read a paper on Capsicum, a
> > "lightweight OS capability and sandbox framework,"
> > <http://www.cl.cam.ac.uk/research/security/capsicum/>.
>
> It won best paper at Usenix Security, and the creators have lots of
> experience with previous systems that fed into how they designed
> Capsicum.
>
> > Capsicum
> > looks like a giant step in the right direction for UNIX security
> > research. I'd like to see a similar function in NetBSD. What are
> > others' impressions of Capsicum? Is anybody working on a port?
>
> A port would be good -- superior to a reinvention. I'm reasonably
> convinced that Robert Watson, Ben Laurie, etc. know what they're doing
> here.

Suffice it to say, it's a good idea. The persons involved are beside the
point.

> > I have a couple of concerns about Capsicum at its current level of
> > development. First, I'm wary of "self-compartmentalization" of
> > programs and libraries. It seems like it could be a lot of work to
> > add self-compartmentalization to just the programs in NetBSD's base
> > system, and when it was finished, I doubt that so many changes
> > would be both trustworthy and consistent.
>
> Actually, the amount of work for any given subsystem is pretty small,
> but I don't think the intent of the architecture is to go through
> libraries doing this. For a program like ntp or bozo-httpd or what
> have you, it is worthwhile, and not a very large effort.

How about this: it's a larger effort than appears to be necessary. As
you say, I don't think that the intent is to go through libraries (or
programs) doing that. I'm not sure what you mean by "subsystem."

> > The second concern is
> > related to the first: a Capsicum sandbox doesn't simulate access to
> > the global namespace for the purpose of unmodified programs
> > calling, e.g., open(2)---can it?
>
> The whole point of a capability system is to remove access to such
> namespaces -- you eliminate the security properties if you do. If the
> desire is a system based on more global policies, you want a MAC
> system of some sort (systrace was a sort of MAC system), not a
> capability architecture.

I think you have misunderstood what I mean by "*simulate* access to the
global namespace".

> I suggest reading Jonathan Shapiro's introduction to capability
> systems, found here:
>
> http://www.eros-os.org/essays/capintro.html

Thanks, but I read that a long time ago. You could say that I'm down
with the concept.

Dave

-- 
David Young             OJC Technologies
[email protected]      Urbana, IL * (217) 278-3933
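The point both correspondents circle around (a Capsicum sandbox removes the global namespace, so an unmodified program's path-based open(2) stops working and a compartmentalized program must pre-open what it needs and use openat(2) instead) can be shown concretely. The following program is an added example written for this thread, not code from either correspondent or from the Capsicum project. It assumes FreeBSD's cap_enter(2) from <sys/capsicum.h> and the ECAPMODE errno; on a kernel without Capsicum it compiles and runs the same sequence unenforced. The directory, file name and file contents are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkdtemp(3) and O_DIRECTORY on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>
#if defined(__FreeBSD__)
#include <sys/capsicum.h>   /* cap_enter(2): Capsicum is only assumed here on FreeBSD */
#endif

/* Constructed input: create <dir>/<name> holding <text>. Returns 0 on success. */
int write_sample_file(const char *dir, const char *name, const char *text) {
    char path[1024];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Acquire a directory capability while the global namespace is still
 * reachable: everything the sandboxed code will touch is opened here. */
int acquire_dir_capability(const char *dir) {
    return open(dir, O_RDONLY | O_DIRECTORY);
}

/* Enter capability mode. Returns 1 if the process is now sandboxed,
 * 0 if this kernel has no Capsicum (the discipline below is then unenforced). */
int enter_sandbox(void) {
#if defined(__FreeBSD__)
    return cap_enter() == 0;
#else
    return 0;
#endif
}

/* Path-based open(2) against the global namespace. Returns 0 if the kernel
 * refused it with ECAPMODE, 1 if it succeeded, -1 on any other error. */
int try_global_open(const char *abs_path) {
    int fd = open(abs_path, O_RDONLY);
    if (fd >= 0) { close(fd); return 1; }
#ifdef ECAPMODE
    return errno == ECAPMODE ? 0 : -1;
#else
    return -1;
#endif
}

/* Read a file relative to a directory capability. openat(2) with a relative
 * path names nothing global, so it keeps working inside capability mode. */
ssize_t read_via_capability(int dirfd, const char *relpath, char *buf, size_t len) {
    int fd = openat(dirfd, relpath, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n;
}

/* Run the sandboxed part in a child, since cap_enter() is irreversible.
 * Returns the byte count the child read through its directory capability,
 * or -1 if the read failed or the sandbox behaved inconsistently. */
int run_sandboxed_reader(const char *dir, const char *relpath) {
    int dirfd = acquire_dir_capability(dir);
    if (dirfd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(dirfd); return -1; }
    if (pid == 0) {
        char buf[200];
        int sandboxed = enter_sandbox();
        int global = try_global_open("/dev/null");
        /* Sandboxed: the global open must be refused. Unsandboxed: it succeeds. */
        if ((sandboxed && global != 0) || (!sandboxed && global != 1)) _exit(254);
        ssize_t n = read_via_capability(dirfd, relpath, buf, sizeof buf);
        _exit(n < 0 ? 255 : (int)n);
    }
    close(dirfd);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code >= 254 ? -1 : code;
}

int main(void) {
    char dir[] = "/tmp/capsicum_demo_XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    if (write_sample_file(dir, "hello.txt", "hello capsicum\n") != 0) return 1;
    int n = run_sandboxed_reader(dir, "hello.txt");
    printf("read %d bytes via directory capability\n", n);
    return n == 15 ? 0 : 1;
}
```

The shape is the whole of what "self-compartmentalization" asks of a program: open directories and sockets up front, call cap_enter(), and from then on reach files only through descriptors already held. An unmodified program that calls open("/etc/foo") after that point gets ECAPMODE, which is the behaviour the thread's second concern is about.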
