Cambridge's Capsicum Framework Promises Efficient Security For UNIX/ChromeOS

An anonymous reader writes "Communications of the ACM is carrying two articles promoting the Capsicum security model developed by Robert Watson (FreeBSD — Cambridge) and Ben Laurie (Apache/OpenSSL, ChromeOS — Google) for thin-client operating systems such as ChromeOS. They demonstrate how Chrome web browser sandboxing using Capsicum is not only stronger, but also requires only 100 lines of code, vs 22,000 lines of code on Windows! FreeBSD 9.0 shipped with experimental Capsicum support, OpenBSD has patches, and Google has developed a Linux prototype." While the ACM's stories are both paywalled, the Capsicum project itself has quite a bit of information online in the form of various papers and a video, as well as links to (BSD-licensed) code and to various subprojects.

our first solid metric

[Xtifr]

So, we have our first solid metric: it's 220 times as hard to make Windows secure as it is for BSD or Linux.

(Xtifr runs and hides before the angry crowd of humorless astroturfers with mod points arrives.) :)

Re:spicy!

[gstrickler]

Did you know that you're incorrect? Capsicum is the genus of the plants, capsaicin is the chemical.

Re:Android?

[TheRaven64]

Disclaimer: I am a FreeBSD developer, and was visiting cl.cam.uk last week.

Capsicum is very much under active development. It's being used in Cambridge in several projects, funded by DARPA and Google. It is no longer developed on github because it is now merged upstream into FreeBSD. As TFS said, it is part of FreeBSD 9, and the core FreeBSD utilities are slowly being modified to use it (it's easy to incrementally deploy capsicum). If you want up to date documentation, check the man pages.