Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cambridge's Capsicum Framework Promises Efficient Security For UNIX/ChromeOS

Posted by timothy on from the sounds-spicy dept.

An anonymous reader writes "Communications of the ACM is carrying two articles promoting the Capsicum security model developed by Robert Watson (FreeBSD — Cambridge) and Ben Laurie (Apache/OpenSSL, ChromeOS — Google) for thin-client operating systems such as ChromeOS. They demonstrate how Chrome web browser sandboxing using Capsicum is not only stronger, but also requires only 100 lines of code, vs 22,000 lines of code on Windows! FreeBSD 9.0 shipped with experimental Capsicum support, OpenBSD has patches, and Google has developed a Linux prototype." While the ACM's stories are both paywalled, the Capsicum project itself has quite a bit of information online in the form of various papers and a video, as well as links to (BSD-licensed) code and to various subprojects.

7 of 87 comments (clear)

  1. our first solid metric by Xtifr · · Score: 5, Funny

    So, we have our first solid metric: it's 220 times as hard to make Windows secure as it is for BSD or Linux.

    (Xtifr runs and hides before the angry crowd of humorless astroturfers with mod points arrives.) :)

    1. Re:our first solid metric by TheRaven64 · · Score: 4, Interesting

      So, we have our first solid metric: it's 220 times as hard to make Windows secure as it is for BSD or Linux.

      BSD or Linux? Check the paper. It took 100 lines of code with Capsicum, 200 with SELinux, 605 with Linux-with-chroot, 11,301 with Linux-with-seccomp and 22,350 with Windows. So (with your metric) it is somewhere between 2 and 10 times as hard to make Windows as secure as Linux and between 2 and 10 times as hard to make Linux as secure as FreeBSD. And the best score for Linux - the SELinux sandbox - requires enabling SELinux which is a massive blob of code and has introduced several of its own security holes in the last couple of years, while Capsicum is much simple and easier to audit.

      --
      I am TheRaven on Soylent News
  2. Re:spicy! by gstrickler · · Score: 5, Informative

    Did you know that you're incorrect? Capsicum is the genus of the plants, capsaicin is the chemical.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  3. Apps hard to secure... by Anonymous Coward · · Score: 4, Interesting

    The paper goes to great length to point out that applications can only be as secure as the operating system lets them. In section 5 of the A Taste of Capsicum: Practical Capabilities for UNIX paper the authors talk about how Chrome has been secured in all the major operating systems. They succulently sum up the great lengths Google has gone to, to make Chrome secure. Then promptly shoot holes in each of the approach's. Windows gets the worst treatment (lack of capabilities), followed by Linux (complicated approach's.) The authors give the best marks to FreeBSD and then to the Mac OS X MAC implementation.

    The point I took away from the paper was, who ever has the most complete and easiest to implement sandbox (MAC, DAC) implementation to take advantage of can have the most secure applications. But at the end of the day its still up to the developer to take advantage of those capabilities.

  4. Re:Android? by Anonymous Coward · · Score: 4, Interesting

    It may sound that way, but it doesn't read that way. Perhaps if you stopped listening to articles and read the written words you'd know what they were about.

    Specifically, Capsicum is a Unix (and therefore heavily C- and process-based) framework for sandboxing applications. Android applications, on the other hand, are written in Java and executed on the Dalvik VM. The "process" model is completely different from that of Unix. C applications and modules in Android can only use and link against the NDK, which doesn't expose any operating system interfaces at all. So, again, Capsicum is useless.

    Capsicum also debuted, like, years ago. I doubt it will pick up steam because the necessary underpinnings will never be adopted in the Linux kernel. For one thing, anything which comes from FreeBSD always has to be re-engineered, and usually poorly. It hardly matters that the Capsicum researchers chose FreeBSD as their test bed for probably arbitrary reasons. What matters is that FreeBSD has now infected it.

    Second, there are two interest groups in the Linux community that dictate security frameworks: the SELinux people and the anti-SELinux people. The anti-SELinux folk are already wedded to a host of alternatives. Capsicum will have a cold reception.

  5. Tear down the paywall by Anonymous Coward · · Score: 4, Informative

    Here you go:

    The Benets of Capability-based Protection
    http://i.minus.com/1330308329/L4NpiCEFGVpDC5cIaD-oaA/dIgD7OB2SWXbD.pdf

    A Taste of Capsicum: Practical Capabilities for UNIX
    http://i.minus.com/1330308331/bOoWdETijD2_Eye5VsAKPQ/dvW7Ri9ZpoDDi.pdf

    -- Not Aaron Swartz

  6. Re:Android? by TheRaven64 · · Score: 5, Informative

    Disclaimer: I am a FreeBSD developer, and was visiting cl.cam.uk last week.

    Capsicum is very much under active development. It's being used in Cambridge in several projects, funded by DARPA and Google. It is no longer developed on github because it is now merged upstream into FreeBSD. As TFS said, it is part of FreeBSD 9, and the core FreeBSD utilities are slowly being modified to use it (it's easy to incrementally deploy capsicum). If you want up to date documentation, check the man pages.

    --
    I am TheRaven on Soylent News