From: Robert Watson (rwatson@FreeBSD.org)
Date: Sat, 22 Jan 2011 15:25:53 +0000 (GMT)
To: arch@FreeBSD.org
Cc: cl-capsicum-discuss@cl.cam.ac.uk
Subject: Capsicum -- 9.x merge in sight

Dear all:

As many of you will now have heard, the Computer Laboratory at the University of Cambridge and Google have been collaborating for the last few years on a security research project called Capsicum. It consists of a set of extensions to the POSIX API adding a new "capability mode", "capabilities", "process descriptors", and several other additions required to implement a capability-oriented sandbox model in UNIX. These features are targeted at application compartmentalisation, in which applications are separated into mutually untrusting components in order to improve robustness.
Such applications often span multiple security domains (such as web browsers), mapping a non-UNIX policy (such as the same-origin policy) into local OS primitives (such as sandboxed processes).

Jon Anderson, Ben Laurie, Kris Kennaway, and I implemented our research prototype on FreeBSD 9-CURRENT, with a backport to 8-STABLE, and first publicly presented the work at the USENIX Security Symposium in 2010. Google also has an in-flight port to Linux, with a goal of demonstrating its use with ChromeOS and the Chromium web browser (which is able to use Capsicum to sandbox HTML rendering and JavaScript execution on FreeBSD already); there's also discussion of adopting Capsicum in the NetBSD community.

We've modified a number of base FreeBSD components to use Capsicum, including tcpdump, sshd, and dhclient -- sometimes reinforcing existing privilege separation, and sometimes adding it. There are also in-progress investigations of adding Capsicum sandboxing to third-party network applications such as BIND and Apache.

Those attending FreeBSD developer summits in Ottawa/Cambridge will by now likely have seen a couple of different talks on Capsicum, and it was also featured in USENIX's most recent ;login magazine, as well as having been discussed on the mailing lists on and off for a while. It seems that in those venues, there's a strong consensus among attending developers that this is something that both developers and users of FreeBSD would like to see in the base system, and this e-mail is an attempt to make sure everyone knows before it turns up -- no surprises! :-)

Jon's and my current plan is to merge, over the next few months, the various kernel features required to support Capsicum sandboxing for FreeBSD 9.0: first capability mode support (this week), then capabilities themselves (which are a form of file descriptor in Capsicum), followed by process descriptors (a file descriptor alternative to process IDs that may be used by supporting applications).
The current plan is *not* to merge libcapsicum, a userspace library used by certain applications to construct sandboxes, as we feel the API remains insufficiently mature at this point. However, the Capsicum system calls can still be used directly by applications, including Chromium. We would distribute libcapsicum as a package alongside 9.0, just not as a supported OS API for the time being.

For those who want to learn more, you can read our USENIX Security paper, watch the video of the USENIX Security talk, and find reference material, information on our mailing list, etc., on the Capsicum web site at Cambridge:

http://www.cl.cam.ac.uk/research/security/capsicum/

A number of organisations are contributing to continuing improvements in Capsicum and its applications, including Cambridge (supported by Google and DARPA), Google, and SRI (supported by DARPA). There also appear to be a number of folks inside and outside the FreeBSD community who are eager to get started -- once it's in the tree! Please feel free to join our mailing list, and get involved.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge