From: Robert Watson
Date: Sat, 14 Aug 2010 20:19:48 +0100 (BST)
To: Hugo Silva
Cc: freebsd-security@FreeBSD.org
Subject: Re: Capsicum: practical capabilities for UNIX (fwd)
In-Reply-To: <4C650A01.5070002@barafranca.com>

On Fri, 13 Aug 2010, Hugo Silva wrote:

>> For those following security and access control in FreeBSD, this may be of
>> interest. We'll have updated patches for Capsicum available for FreeBSD
>> 8.1 in the next week or so. Feedback on the approach would be most
>> welcome!
>
> Very nice. I am looking forward to playing with this ;-)

Thanks! Right now our prototype is against a month or so old 9-CURRENT, with
a somewhat more recent 8.x snapshot. Several of us are on travel now, but with
any luck we can do a set of patches against a vanilla 8.1 later in the month.

The merge plan for 9.x isn't determined yet; we have a number of issues that
need to be worked through, including a few missing features and more extensive
test suites. For those who are interested in lending a hand as early adopters,
we have a Capsicum mailing list which can be subscribed to via our web page:

http://www.cl.cam.ac.uk/research/security/capsicum/

This work is increasingly ready to get attention from folks other than us!

Robert

>> ---------- Forwarded message ----------
>> Date: Thu, 12 Aug 2010 03:00:03 -0000
>> From: Light Blue Touchpaper
>> Reply-To: cl-security-research@lists.cam.ac.uk
>> To: cl-security-research@lists.cam.ac.uk
>> Subject: Capsicum: practical capabilities for UNIX
>>
>> URL: http://www.lightbluetouchpaper.org/2010/08/12/capsicum-practical-capabilities-for-unix/
>> by Robert N. M. Watson
>>
>> Today, Jonathan Anderson, Ben Laurie, Kris Kennaway, and I presented
>> [Capsicum: practical capabilities for UNIX][1] at the [19th USENIX Security
>> Symposium][2] in Washington, DC; the [slides][3] can be found on the
>> [Capsicum web site][4]. We argue that capability design principles fill a
>> gap left by discretionary access control (DAC) and mandatory access control
>> (MAC) in operating systems when supporting security-critical and
>> security-aware applications.
>>
>> Capsicum responds to the trend of application compartmentalisation
>> (sometimes called privilege separation) by providing strong and
>> well-defined isolation primitives, and by facilitating rights delegation
>> driven by the application (and eventually, user). These facilities prove
>> invaluable, not just for traditional security-critical programs such as
>> tcpdump and OpenSSH, but also complex security-aware applications that map
>> distributed security policies into local primitives, such as Google's
>> Chromium web browser, which implement the same-origin policy when
>> sandboxing JavaScript execution.
>>
>> Capsicum extends POSIX with a new _capability mode_ for processes, and
>> _capability_ file descriptor type, as well as supporting primitives such as
>> _process descriptors_. Capability mode denies access to global operating
>> system namespaces, such as the file system and IPC namespaces: only
>> delegated rights (typically via file descriptors or more refined
>> capabilities) are available to sandboxes. We prototyped Capsicum on FreeBSD
>> 9.x, and have extended a variety of applications, including Google's
>> Chromium web browser, to use Capsicum for sandboxing. Our paper discusses
>> design trade-offs, both in Capsicum and in applications, as well as a
>> performance analysis. Capsicum is available under a BSD license.
>>
>> Capsicum is collaborative research between the University of Cambridge and
>> Google, and has been sponsored by Google, and will be a foundation for
>> future work on application security, sandboxing, and usability security at
>> Cambridge and Google. Capsicum has also been backported to FreeBSD 8.x, and
>> Heradon Douglas at Google has an in-progress port to Linux.
>>
>> We're also pleased to report the Capsicum paper won Best Student Paper
>> award at the conference!
>>
>> [1]: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
>>
>> [2]: http://www.usenix.org/events/sec10/
>>
>> [3]: http://www.cl.cam.ac.uk/research/security/capsicum/slides/20100811-usenix-capsicum.pdf
>>
>> [4]: http://www.cl.cam.ac.uk/research/security/capsicum/