performance.[14] Neumann et al.'s Provably Secure Operating System (PSOS),[11] and successor LOCK, propose a tight integration of MAC and capabilities; TE is extended in LOCK to address perceived shortcomings in the capability model,[15] and later appears in systems such as SELinux.[9] We adopt a similar philosophy in Capsicum, supporting DAC, MAC, and capabilities.
Despite experimental hardware such as Wilkes' CAP computer,[20] the eventual dominance of page-oriented virtual memory over hardware capabilities led to exploration of microkernel object-capability systems. Hydra,[3] Mach,[1] and later L4[8] epitomize this approach, exploring successively greater extraction of historic kernel components into separate tasks, and integrating message passing-based capability security throughout their designs. Microkernels have, however, been largely rejected by commodity OS vendors in favor of higher-performance monolithic kernels. Microkernel capability research has continued in the form of systems such as EROS,[17] inspired by KeyKOS.[6] Capsicum is a hybrid capability system, observably not a microkernel, and retains support for global namespaces (outside of capability mode), emphasizing compatibility over capability purism.
Provos's OpenSSH privilege separation[12] and Kilpatrick's Privman[7] in the early 2000s rekindled interest in microkernel-like compartmentalization projects, such as the Chromium Web browser[13] and Capsicum's logical applications. In fact, large application suites compare formidably with the size and complexity of monolithic kernels: the FreeBSD kernel is composed of 3.8 million lines of C, whereas Chromium and WebKit come to a total of 4.1 million lines of C++. How best to decompose monolithic applications remains an open research question; Bittau's Wedge offers a promising avenue through automated identification of software boundaries.[2]
Seaborn and Hand have explored application compartmentalization on UNIX through capability-centric Plash[16] and Xen,[10] respectively. Plash offers an intriguing layering of capability security over UNIX semantics by providing POSIX APIs over capabilities, but is forced to rely on the same weak UNIX primitives analyzed in Section 5. Hand's approach suffers from similar issues to seccomp, in that the runtime environment for Xen-based sandboxes is functionality-poor. Garfinkel's Ostia[4] proposes a delegation-centric UNIX approach, but focuses on providing sandboxing as an extension, rather than a core OS facility.
9. Conclusion
We have described Capsicum, a capability security extension to the POSIX API to appear in FreeBSD 9.0 (with ports to other systems, including Linux, under way). Capsicum's capability mode and capabilities appear a more natural fit to application compartmentalization than widely deployed discretionary and mandatory schemes. Adaptations of real-world applications, from tcpdump to the Chromium Web browser, suggest that Capsicum improves the effectiveness of OS sandboxing. Unlike research capability systems, Capsicum implements a hybrid capability model that supports commodity applications. Security and performance analyses show that improved security is not without cost, but that Capsicum improves on the state of the art. Capsicum blends immediate security improvements to current applications with long-term prospects of a more capability-oriented future. More information is available at: http://www.cl.cam.ac.uk/research/security/capsicum/
Acknowledgments
We thank Mark Seaborn, Andrew Moore, Joseph Bonneau, Saar Drimer, Bjoern Zeeb, Andrew Lewis, Heradon Douglas, Steve Bellovin, Peter Neumann, Jon Crowcroft, Mark Handley, and the anonymous reviewers for their help.
References
1. Accetta, M., Baron, R., Golub, D., Rashid, R., Tevanian, A., Young, M. Mach: A New Kernel Foundation for UNIX Development. Technical report, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA, Aug. 1986.
2. Bittau, A., Marchenko, P., Handley, M., Karp, B. Wedge: Splitting applications into reduced-privilege compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (2008), USENIX Association, 309–322.
3. Cohen, E., Jefferson, D. Protection in the Hydra operating system. In SOSP'75: Proceedings of the Fifth ACM Symposium on Operating Systems Principles (1975), ACM, NY, 141–160.
4. Garfinkel, T., Pfaff, B., Rosenblum, M. Ostia: A delegating architecture for secure system call interposition. In Proceedings of the Internet Society (2003).
5. Google, Inc. The Chromium Project: Design Documents: OS X Sandboxing Design. http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design, Oct. 2010.
6. Hardy, N. KeyKOS architecture. SIGOPS Oper. Syst. Rev. 19, 4 (1985), 8–25.
7. Kilpatrick, D. Privman: A library for partitioning applications. In Proceedings of USENIX Annual Technical Conference (2003), USENIX Association, 273–284.
8. Liedtke, J. On microkernel construction. In SOSP'95: Proceedings of the 15th ACM Symposium on Operating System Principles (Copper Mountain Resort, CO, Dec. 1995).
9. Loscocco, P.A., Smalley, S.D. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the USENIX Annual Technical Conference (June 2001), USENIX Association, 29–42.
10. Murray, D.G., Hand, S. Privilege separation made easy. In Proceedings of the ACM SIGOPS European Workshop on System Security (EUROSEC) (2008), ACM, 40–46.
11. Neumann, P.G., Boyer, R.S., Feiertag, R.J., Levitt, K.N., Robinson, L. A Provably Secure Operating System: The System, Its Applications, and Proofs, second edition. Technical report CSL-116, Computer Science Laboratory, SRI International, Menlo Park, CA, May 1980.
Robert N.M. Watson (robert.watson@cl.cam.ac.uk), University of Cambridge, Cambridge, U.K.
Jonathan Anderson (jonathan.anderson@cl.cam.ac.uk), University of Cambridge, Cambridge, U.K.
Ben Laurie (benl@google.com), Google UK Ltd., London, U.K.
Kris Kennaway (kennaway@google.com), Google UK Ltd., London, U.K.