Video in TIB AV-Portal: Capsicum

Formal Metadata

Title: Capsicum
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

So I guess the data pointed out to me correctly that the programme says this is a lecture next. I think what I'll do is I'll talk about what's going on and have our conversations as well. So what I've done is I've lifted the slides from the working group session that we had in November, because the weather here is the cost of a little bit of updating a lot of things, so I'll fairly quickly walk through them. I have assumed that people in the audience know something about Capsicum; if this is proving not entirely true, say so.
Capsicum is a lightweight operating system capability and sandbox framework. What we mean by that is that it provides operating system facilities that make certain kinds of sandboxing, usually quite difficult, perhaps easier to deploy and use, and in particular they're driven to a large extent by userspace applications in terms of what the policies are. But they are targeted at a very specific type of sandboxing, fine-grained compartmentalisation, which is not "I want my application to follow certain rules" but rather "I, the application author, have many components myself and I need to control the behaviour of those". So this trend in lots of software design kicked off in the mid to late nineties with the work by Niels Provos on privilege separation, and very similar work by Doug Kilpatrick on Privman. If you look at SSH you get the classic example: you break it into two processes, one of them more privileged, the other less privileged, and in that way, if you have vulnerabilities, ideally you mitigate them by allowing the exploit only access to a limited set of privileges. Today we call it application compartmentalisation because we're referring to the compartmentalisation of large-scale apps; we're interested in applications like Chromium, OpenOffice and so on, although most of the work to date has been on smaller scale applications, gzip, things like that, things that I expect have particularly risky code exposed to untrustworthy data. There are lots of dimensions and strategies you might use for breaking things up; we're interested in a lot of them and we're starting to deploy these techniques in FreeBSD. So we're using them to do fine-grained compartmentalisation, already done in the form of privilege separation based tools such as the duties be quiet, but we're also adding compartmentalisation to some things that traditionally have not had privilege separation. gzip is a nice example: gzip doesn't run as root, it runs as whatever user you have logged in as, and it deals with
potentially quite risky data downloaded from the public Internet, and you're not interested in, but you know, protecting the specific files from gzip. What we're interested in is enforcing the policy that gzip plays by the rules it was written to: take in one file and send it to another file. So Capsicum provides facilities such as ephemeral sandboxing without the use of privilege, and supplements the existing facilities in the system. The work was originally done in collaboration between Cambridge and Google: Ben Laurie, Kris Kennaway, Jonathan Anderson, myself at Cambridge. But since then a few more people have gotten involved: first of all some of the work on daemons in the FreeBSD base system, adding Capsicum support to them; we also have live back, who was a Summer of Code student last year, and I had been employed won't work with the applications; we have some more folks from Cambridge and elsewhere who are interested, but also some people at the University of Wisconsin building tools to automatically apply Capsicumisation to certain classes of applications, an interesting project by researchers, something we find pretty exciting. So I guess the big news since this talk was last given by me at BSDCan is that we now have some new funded work: the FreeBSD Foundation is funding several months of work to provide software infrastructure to make it easier to adjust applications, provide sandboxed libraries, for example a TLS library, right, lots of applications use TLS, and we'd like to make it very easy for any application to just automatically pull in a sandboxed TLS. So hopefully a workshop session on some of this; we might spend a couple of minutes brainstorming the kinds of applications we'd like, once again if we have time. But also there's a framework around the construction of sandboxed applications that we did a prototype of at Cambridge; I feel it was one of the two parts of the work that worked and allowed us to explore the ideas, maturing the APIs and the question of upstreaming this work in FreeBSD: how can we show that the
APIs are maintainable and how we deal with ABI issues associated with Capsicumisation. So in November 2011 we sat down and we identified a bunch of areas we thought work needed to be done. So one of the ones highlighted by Pawel as part of his work was that certain kinds of operations were simply not available, because we had trouble reasoning about whether they were safe in sandboxes; ioctls are the classic example. We came up with a straw man approach for addressing that; right now nothing's happened in the base with respect to that. We identified small services, DNS for example, as this kind of thing you want to run from a sandboxed application, so it has to be available to TCP them running this EM books, but also you want to run it in its own sandbox. There's also this kind of more general question, which is today we start applications and then launch sandboxes, so the container application starts out with the full privilege, full access to the system, and then you create these little boxes where the risky things happen. We'd rather start the application entirely unprivileged and then have, you know, the runtime or application framework provide access to system resources through the selective upgrade of privilege; this is completely the inverse of what happens in the classic privilege separation model, where we say I pull privilege out rather than distribute it. So that would be a nice thing to do. We also, in the original work, we did Chromium; Chromium is now quite well maintained on FreeBSD, and there's this question about the status of the patches. The people at Google were eager to upstream the patches, lots of people were interested in using them, so it would be good to do that for the few remaining ones. He's been maintaining, I think, the framework and the Capsicum library we'd like to replace with Pawel's work. But another thing we were interested in was what is among the one a general like
In 9, Capsicum is an experimental feature; it should become one of the features that are enabled by default in 10. We would like to enable them, but everything we enable by default is something we have to be very sure we got the APIs right on, and change the way we that simple. There are also a bunch of calls and functionality we felt was necessary, and so, sequentially, reading about us: ioctl whitelisting, consent and missing features.

One I want to get to know is this one; this has to do with runtime, referring to these services. The main thing, I think, is still some this year example holders in the water: Capsicum applications are more than one process, they're a set of processes that overall make up a logical application. So in a normal application we have a runtime linker that finds all the components' symbols; the missing piece in Capsicum is that we need a runtime linker for each address space, but what we actually want is some component that will assemble the whole application and make sure all these pieces are there. So notionally that thing is also a runtime linker, just on the multi address space front, so we really have a multi address space runtime linker, where services and components are loaded on demand as required by linkage inside. So we need something that resembles this but we're not quite sure it is a system service, so this is an open question; this is something that is an extension to the base FreeBSD runtime linker that happens to know about linking in additional processes. And we also have larger services we would offer; ideally this runtime linker has a component model, but in this code that offers common things, it's just DNS and all these other things, but file services and system monitoring would be nice: top running in a sandbox has to use sysctls to extract kernel state, so how's it going to get those working inside a sandbox that isn't allowed to name global system resources, and so on. So this is something that I hope the workshop will talk about directly. The thing that we spent a few minutes on
in November is brainstorming lots of things that we thought deserve some sandboxing, and they're everything from system daemons that had vulnerabilities in the past to third-party applications that are quite sizable, right, KDE. We'd love to run lots and lots of parts of KDE in sandboxes; we don't want a global system policy for how KDE should behave, that would be silly, right, you don't know how the web browser in KDE will behave until you start clicking on links. On the other hand we also know that KDE links in some very risky stuff; happily KDE contains KIO slaves, nicely already running as separate processes, components that might lend themselves to being wrapped up in sandboxes. So yeah, I think break
ever said that we want to take responsibility for this in FreeBSD too, and encourage people to do it, and so the Capsicum Chromium was a nice example of that: all this package and you covered total of active managers lost people injured something about security; the sandboxing is part of that, so
I've said lots of words and the result I think is a plan, and maybe we have to talk about Pawel's work. So I did not know I said not a generic and gone public with it, and generic this means that we must not change the system APIs non-trivially after that without a great deal of thought; we regret happy losses late hours. And I'd also like, in 9, for us to start working through the base system and making sandboxed bits of code, sandboxing solidly two kinds of things: on a given system, security critical code, in terms of things like the runtime linker, login and stuff like this, sshd and so on, but also a type of code that has really been ignored in sandboxing work to date, that's tools like gzip, tools that deal with very risky things, that do complex data processing on untrusted stuff. And so we can dig into that, that would really be good; the mission of the conversation is show stoppers, talking to you all; I see people this weekend, right, the ambitious events can off you were, but the intent is the larva then to be. Yeah, so one of the implications of the design of Capsicum is more processes, and we know that in low-end embedded systems more processes cost, so we need to go in terms of all some of the gaps; it doesn't have to give you the cost of taking something which are to be dumped. Things operate like this: at the front there are a lot of things that require privilege, like opening media and putting, you know, the interfaces into promiscuous mode, and then at some point into the steady state where the process is just processing extremely evil data, and those are very dangerous things, right, it's passing essentially packets that have randomly come off the Internet, and the cost of entering a sandbox is nil, so once in the sandbox there's no ongoing cost. So in that case the argument for disabling is a bit weaker; also we already do unconditional privilege separation there, so we can reinforce the sandboxes using Capsicum sandboxes. So, and that is so it isn't telling that
awful, you're just a word about the overhead of these processes. Yeah, but short conference and I feel that way, but it's a love lots of it, and you know, I agree modularity is good. Right now, everything about Capsicum, is there any way the base kernel overhead of Capsicum, this is actually almost nil, it is very very small and much smaller than all kinds of other things like asynchronous I/O. So this quite right back to the office of the minimal assemble, except that the place we begin to pick up a load, I mean infrastructure, is in userspace libraries, when components are linked and interchanged at runtime. And that's awful be this out; that said, it would be very nice if it were initially enabled on all mobile platforms, they'd really benefit. I don't think we should exclude the embedded world from that because the kinds of things you'd like to run on small embedded appliances like access points are often subject to these kinds of vulnerabilities. First of all, yeah, one moment to work on that; our mean that's like right but we'd like to go to Manistee that is similar to that of the event just about everything else; it's that this that there was, yeah, I mean I you copies of each of the pages. Yes, that's a good question, so we're very careful not ONSPEC question research we FreeBSD because we propose a model which allows you to answer. But more generally, if you look at Mac OS X's reference, right, the mechanisms there are very similar in some ways, so the work is some more water which implies made a lot of other stuff on top of it; I don't know about me again. Yeah, when you want though about generated effective right, so when all of these, when it will be gone off, could not the generated by does build stubs that run on both sides of message passing, but it still stands on the site and I was studies have generated messages, right, pseudocode is generated using a shifting away from RPC towards explicit message passing. Absolutely, all right, so yes, the mother must you
distributed systems properties: a distributed system causes problems with the failure modes of reliability and performance and transparency and debuggability of book. Yet so right now and have seen everything is, but we haven't done it, in part because a moderate amount of the work was to adapt existing privilege separated applications; adopting a framework for generalised message passing for representation of stuff, I see this is only exit does help solve by saying how I hope you bundle up the information in a way that allows you to do it effectively, right. So we haven't explicitly adopted that for the applications where we really had already for the Chromium is a perfect sample application that what's your solution: it has at least a dozen handcrafted message passing mechanisms that fill out structures and send them back and forth; we keep writing a good people saying notes Proc I thought I would repeat the answer, right, it is a source of three days. So that Mori has a precise generated how bundle things up with a bit of help from that you know you all my message issue of domestic: here's what my API is, right, help me build things and build data structures and so on, and it required a change in their educational PCs stuff; it's not RPC, this doesn't do language bindings, but also because the other things we are all surrounded by different right: one offer of references to objects studying the structure Beate making power, right, and maybe that is the solution, which is matter that we talk. But if you have a nice solution to this problem then I think we'd like your solution; we have a nice problem. And yeah, and you know it was something compact, small, C-friendly, right, able to deal with ABI differences; I guess that's part of your problem space as well, right, I mean if we're running at the age of it in the sandbox why should it not be 64 bits, right. And I've seen that thing here; I think there is a very nice person who made between launched
friends and what might effectively think over the multi process with the right, and that is all the same from a slightly different scale, right. Gerd documentation available for species as it is the cosine available, that is why the, as for the show you a lot right the CIA World War, all right, so it is not quite as much those would dispatch press the case for the dispatch was, but there's almost nothing in base that uses threads, so all you're shifting away from threads to a more mature dispatch model is weakened by the fact that there is not that much to convert, right, whereas on the basis of actionable of components of benefit from with it, because we have many system management tools that deal with things in it; look at of produced got it right from its update without a major delisting: each gets and a decompressor, decompressibility, binary updates, the valid signatures and new certificate in it, the chain of vulnerabilities that existed in that pipeline is truly impressive and almost all of them have been exploitable, so you have that kind of thing that really would lend itself to a solution that says I have multiple sets. There is a nice basis if I, I agree that the really interesting problem is monolithic applications; to make a comparison to by professionals and you have that was that that they had watery is promoting the animal was saying, it's not decomposing, linking using message passing, that means you have to be aware of cost, and some of the sparse announced performance cost, the debuggability cost; you're turning into little distributed systems, which we know is painful, and that thing you would have to. But on the other hand we found longer lines of code: in the year the FreeBSD kernel is a few million lines, for instance, right, and I have never was a good from you know where I was formally start with another 2 million lines; here the very comfortable scale approach. So I think that the philosophy espoused by asking the standard of care, object capability to the world,
says you're delegated rights to things; this implies modification of code, right, so the things that once in the sandbox have to be somehow aware of it. Now that modification of code doesn't have to be, you know, above all, there could be below, so there's a guy, a born on the latch, which uses a capability is more on the amendments would see on top of it, so he's able to do all kinds of year; you can only access a structure that directly, fairly transparently. I feel that approach has a more amount of, but I actually think the best argument, you know, for where to place this stuff is in our libraries: for example we might sit on the other side of a library of code that is not to be modified and then internally it spawns sandboxes, processes things, and then you'd have the design choices about granularity of my television capability. Shall we not merge anything until such time as we're really happy with it, but in a sense you put something like the shell on the system, you know, you find yourself committing to the APIs and user interface choices. I think that right now that work is not yet mature; exciting ideas there, I'm not sure what the timeline for that becoming mature is, but the county's ranges of the project is blue the idea of the product, but isn't giving up right there. But in some ways of goes componentisation; philosophically that's if a problem, I'm not opposed to sandbox techniques such as Backus and it has about even policy files that users are that framework you're transposed to macOS, and that's a very useful technique for constraining applications where you have a list of all the objects they have to access statically available, but it breaks down in the case of applications that are general purpose: you don't know what files and all that, that anomaly that is not the application that's the object of your subject, it's its components inside the application, and there's a delegation model which is driven by user behaviour, whatever roster of you how boxes represent
example: a dialog box pops up, the dialog box has the rights in the system, you click on the file, open, OK, now the right to use that file is delegated to the thing running in the sandbox. So John has a bit of a KDE editor that does this on FreeBSD using that; it is not impossible to implement using conventional sandbox systems, but it is unnatural that way. But there's a lot more work there, that is really pretty vulnerability prone, lots of scary things, right, that already come with it; in particular KDE is interesting because it is object oriented, right, and you can see in the background behind all this, you know, gestures in the direction of object capability ideas. What we found was that there was missing software infrastructure to really be effective on large-scale user applications, and the solution for that was to implement that, so that's all about the Google and FreeBSD Foundation funds, and it was follows done his work were a very strong place to start investigating things go on scale. Another thing that would really help is the wider adoption of Capsicum APIs and other capability systems, and there are ongoing conversations in a number of places about what might happen; certainly Google has been very supportive of this project and would be interested in seeing the technology used more, and using the back rooms we doubt later, but never right, but it is that it isn't you right, meaning KDE, if they use the technology then, as he said, what suffered transparently, KDE benefits without actually being modified, and there are some interesting things after the process make that case, right: if your library launches processes, you know, the units signal on a child song all right, so we have to have new primitives to allow us to solve problems we don't have a lot of you is like that. When I say that, that in short, as Jordan Conley recommended, you should remind you recently went on one pushing shorter papers, and the reasoning conditions is the six pages, which is like a shorter, it's probably you
know, and you can use it later for other things too. Yeah, this is our again is instead of mutual, right, OK, any other supports pressure that it may be all you might also that we're playing his youth in others you want also time as if he was of you all. I mean this moderate on argument that nest, so if the API was never designed, therefore you find yourself, when integrating a new crypto API, that it doesn't align with the model after; I don't think it quite it school and of that's interesting it was, and so on. So absolutely right, and that is that the problem from those that there's a selection of trade-offs, right, we're trying to balance mitigation of vulnerabilities you know about, and all of that is you don't know about, against performance; what we end up being forced to do then is allow people to make choices in their applications as to what's going on. But what we might find we need, what Pawel is suggesting, is that we need APIs that allow us to mask which actual implementation choices are being made. It's absolutely right, we've done quite a bit of work to modify things Uzis by come on, I cannot unsatisfied with some of the results. I think this is the capital, our mission, Pawel's point on policy: one of the nice things about an approach like Capsicum's is you start from the extent that no one has the right to anything, and therefore you now need to build up a set of rights which various units have. A traditional way to do this is we say that we have endpoints, you know, I can see endpoints that refer to objects or sections, and therefore we only delegate to grow out of; we would never, perhaps, delegate rights to use the private key outside, and we have a consumer endpoint that allows requests to come in, but we never know ax except to request to reveal the private key from one; it was only supposed to go to the sandboxes, not get it. As you build up, if you need to make a slug you open comparison to Java, right: if you have a bunch of Java classes and objects and so on, you wouldn't pass in a reference to your
private key into the sandbox; those lossless use it, you pass in a reference to an object that makes a limited set of requests, right, to implement crypto without necessarily revealing the key; that's not unreasonable, and the way you construct that, right, is by saying well, the way I set up my IPC channels controls the rights that are delegated. The interesting tension is with static policies, which you can analyse easily, look at this, and dynamic policies that this way, but you can imagine Casper, right, providing, I expect, a file that says yes, I have these components and these are the ones that are delegated rights to, and then the mechanism sets up the wiring, right. So the policies when the that one of them and other is way Wilson that would design choices light the inaccurate step: you don't want random things forking and producing new processes that have very little functionality. The best example back then was that the Windows over 40 in exactly applications on application stuff: you take a Windows server with a billion memory mappings from Windows and things, before the whole thing replicating target space, to the need for a way so that you can go and exec /bin/sh; that is the kind of structure you'd like to report that Casper does address, but this also is a design choice that you don't eliminate certain costs, and you pretty quickly end up with, I decided, and Chromium, when they say well, you know, if a also mostly sandboxes normal takes the same at one affairs in KDE, right, they keep around pools of worker processes as templates for services they need, to mitigate runtime linking costs, initialisation of stuff; so you get forced down that avenue, design choices properly. The biggest risk in this work is now how do we avoid picking up the reliability and robustness problems that you get out of a more complex structure, so I think one imperative in building a system like this is to be able to turn it off, right: say yes, you can run this thing in the same address space or you can run it as a separate address space, that
helps you to probabilities, and so that is the glue, this is between; it's being a little flexible, not committed to that, science is probably healthy anyway, because we might decide, not unreasonably, in a year's time, Unix domain sockets are great but they were never designed for this, possibly which have a new mechanism; what will the mechanism look like, will it look like Mach IPC, I don't know, but that would be a natural choice when you realise you really care about latency and exercise passing references. As to yes, absolutely, at a certain level distributed objects; you want to be careful they don't get too many of the nasty properties of distributed systems programming, and look up its and if like you force registered for the reason that OK. Preferring time, I think so; thank you everyone, hopefully people were interested, would induction Jetmore a lot of work.