Re: Capsicum: practical capabilities for UNIX

To: David Young <dyoung%pobox.com@localhost>
Subject: Re: Capsicum: practical capabilities for UNIX
From: "Perry E. Metzger" <perry%piermont.com@localhost>
Date: Sun, 26 Sep 2010 13:34:54 -0400

On Fri, 24 Sep 2010 14:46:10 -0500 David Young <dyoung%pobox.com@localhost>
wrote:
> A couple of weeks ago I read a paper on Capsicum, a
> "lightweight OS capability and sandbox framework,"
> <http://www.cl.cam.ac.uk/research/security/capsicum/>.

It won best paper at Usenix Security, and the creators have lots of
experience with previous systems that fed in to how they designed
Capsicum.

> Capsicum
> looks like a giant step in the right direction for UNIX security
> research. I'd like to see a similar function in NetBSD.  What are
> others' impressions of Capcisum?  Is anybody working on a port?

A port would be good -- superior to a reinvention. I'm reasonably
convinced that Robert Watson, Ben Laurie, etc. know what they're doing
here.

> I have a couple of concerns about Capsicum at its current level of
> development.  First, I'm wary of "self-compartmentalization" of
> programs and libraries.  It seems like it could be a lot of work to
> add self-compartmentalization to just the programs in NetBSD's base
> system, and when it was finished, I doubt that so many changes
> would be both trustworthy and consistent.

Actually, the amount of work for any given subsystem is pretty small,
but I don't think the intent of the architecture is to go through
libraries doing this. For a program like ntp or bozo-httpd or what
have you, it is worthwhile, and not a very large effort.

> The second concern is
> related to the first: a Capsicum sandbox doesn't simulate access to
> the global namespace for the purpose of unmodified programs
> calling, e.g., open(2)---can it?

The whole point of a capability system is to remove access to such
namespaces -- you eliminate the security properties if you do. If the
desire is a system based on more global policies, you want a MAC
system of some sort (systrace was a sort of MAC system), not a
capability architecture.

I suggest reading Jonathan Shapiro's introduction to capability
systems, found here:

http://www.eros-os.org/essays/capintro.html

One of the interesting features of Capsicum is that it allows a nice
hybrid of the capability architecture with a normal Unix environment
for most programs. However, once you're really living in capability
world, you don't want global namespaces, they destroy the security of
the architecture.

Perry
-- 
Perry E. Metzger                perry%piermont.com@localhost

Follow-Ups:
- Re: Capsicum: practical capabilities for UNIX
  - From: David Young

References:
- Capsicum: practical capabilities for UNIX
  - From: David Young

Prev by Date: Re: Fixes for kern/40018 -- any chance of getting these pulled into the -current and 5.x trees?
Next by Date: Re: Capsicum: practical capabilities for UNIX
Previous by Thread: Re: Capsicum: practical capabilities for UNIX
Next by Thread: Re: Capsicum: practical capabilities for UNIX
Indexes:

Home | Main Index | Thread Index | Old Index