Re: Capsicum: practical capabilities for UNIX
On Sun, Sep 26, 2010 at 01:34:54PM -0400, Perry E. Metzger wrote:
> On Fri, 24 Sep 2010 14:46:10 -0500 David Young <dyoung%pobox.com@localhost>
> > A couple of weeks ago I read a paper on Capsicum, a
> > "lightweight OS capability and sandbox framework,"
> > <http://www.cl.cam.ac.uk/research/security/capsicum/>.
> It won best paper at Usenix Security, and the creators have lots of
> experience with previous systems that fed in to how they designed
> > Capsicum
> > looks like a giant step in the right direction for UNIX security
> > research. I'd like to see a similar function in NetBSD. What are
> > others' impressions of Capsicum? Is anybody working on a port?
> A port would be good -- superior to a reinvention. I'm reasonably
> convinced that Robert Watson, Ben Laurie, etc. know what they're doing
Suffice it to say, it's a good idea. The persons involved are beside
> > I have a couple of concerns about Capsicum at its current level of
> > development. First, I'm wary of "self-compartmentalization" of
> > programs and libraries. It seems like it could be a lot of work to
> > add self-compartmentalization to just the programs in NetBSD's base
> > system, and when it was finished, I doubt that so many changes
> > would be both trustworthy and consistent.
> Actually, the amount of work for any given subsystem is pretty small,
> but I don't think the intent of the architecture is to go through
> libraries doing this. For a program like ntp or bozo-httpd or what
> have you, it is worthwhile, and not a very large effort.
How about this: it's a larger effort than appears to be necessary. As
you say, I don't think that the intent is to go through libraries (or
programs) doing that. I'm not sure what you mean by "subsystem."
> > The second concern is
> > related to the first: a Capsicum sandbox doesn't simulate access to
> > the global namespace for the purpose of unmodified programs
> > calling, e.g., open(2)---can it?
> The whole point of a capability system is to remove access to such
> namespaces -- you eliminate the security properties if you do. If the
> desire is a system based on more global policies, you want a MAC
> system of some sort (systrace was a sort of MAC system), not a
> capability architecture.
I think you have misunderstood what I mean by "*simulate* access to the
> I suggest reading Jonathan Shapiro's introduction to capability
> systems, found here:
Thanks, but I read that a long time ago. You could say that I'm down
with the concept.
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933
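
The question raised above about simulating the global namespace for code that calls open(2), sketched as an added example that is not from this thread or from the Capsicum code. The names `struct preopen`, `sandbox_open` and `has_dotdot` are hypothetical; the sketch uses only portable openat(2) and does not enter capability mode, so the containment checks a kernel sandbox would enforce are approximated in userland.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical table entry: a path prefix the program expects, backed by a
 * directory descriptor opened before the sandbox was entered. */
struct preopen { const char *prefix; int dirfd; };

/* True if any component of rel is "..", which could climb out of dirfd. */
static int has_dotdot(const char *rel) {
    while (*rel) {
        size_t n = strcspn(rel, "/");
        if (n == 2 && rel[0] == '.' && rel[1] == '.') return 1;
        rel += n;
        rel += strspn(rel, "/");
    }
    return 0;
}

/* Hypothetical open(2) stand-in: maps an absolute path onto openat(2)
 * relative to a pre-opened directory. No matching entry means no authority. */
int sandbox_open(const struct preopen *tab, size_t n, const char *path, int flags) {
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(tab[i].prefix);
        if (strncmp(path, tab[i].prefix, len) != 0 || path[len] != '/')
            continue;
        const char *rel = path + len + strspn(path + len, "/");
        if (*rel == '\0' || has_dotdot(rel)) break;
        /* O_NOFOLLOW covers only the last component; a kernel sandbox
         * has to police symlinks in the intermediate ones. */
        return openat(tab[i].dirfd, rel, flags | O_NOFOLLOW);
    }
    errno = EACCES;
    return -1;
}

int main(void) {
    char dir[] = "/tmp/preopen-demo-XXXXXX";     /* constructed sample tree */
    if (!mkdtemp(dir)) return 1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    close(openat(dfd, "motd", O_WRONLY | O_CREAT, 0600));
    struct preopen tab[] = { { "/etc", dfd } };  /* "/etc" is simulated */
    printf("/etc/motd -> %d\n", sandbox_open(tab, 1, "/etc/motd", O_RDONLY));
    printf("/etc/../x -> %d\n", sandbox_open(tab, 1, "/etc/../x", O_RDONLY));
    printf("/var/x    -> %d\n", sandbox_open(tab, 1, "/var/x", O_RDONLY));
    return 0;
}
```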