CloudABI: Capability based security on Linux/Unix

Formal Metadata

Title
CloudABI: Capability based security on Linux/Unix
Title of Series
Part Number
28
Number of Parts
169
Author
License
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Alex Willmer - CloudABI: Capability based security on Linux/Unix

Take POSIX, add capability-based security, then remove anything that conflicts. The result is CloudABI, available for BSD, Linux, OSX et al. A CloudABI process is incapable of any action that has a global impact. It can only affect the file descriptors you provide. As a result even unknown binaries can safely be executed - without the need for containers, virtual machines, or other sandboxes. This talk will introduce CloudABI, how to use it with Python, the benefits, and the trade-offs.

-----

CloudABI is a new POSIX based computing environment that brings capability-based security to BSD, Linux, OSX et al. Unlike traditional Unix, if a CloudABI process goes rogue it _cannot_ execute random binaries, or read arbitrary files. This is achieved by removing `open()` & any other API able to acquire global resources. Instead a CloudABI process must be granted _capabilities_ to specific resources (e.g. directories, files, sockets) in the form of file descriptors. If a process only has a descriptor for `/var/www` then it's _incapable_ of affecting any file or folder outside that directory.

This talk will

- Review the security & reusability problems of Linux & Unix processes
- Introduce capability-based security
- Summarize the design of CloudABI - its benefits & trade-offs
- Demonstrate how to write Python software for CloudABI & run it
- Point out the pitfalls & gotchas to be aware of
- Discuss the current & future status of CloudABI

CloudABI began life on FreeBSD. It also runs on DragonFly BSD, NetBSD, PC-BSD, Arch Linux, Debian, Ubuntu, & OS X. The API & ABI are kernel agnostic - a CloudABI binary can run on any supported kernel. The design is evolved from Capsicum, a library that allows processes to drop access to undesired syscalls at runtime. CloudABI applies this at build time to make testing & lock-down easier.
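The descriptor-as-capability model from the abstract, as an added example that is not code from the talk or from CloudABI: a worker holding only a directory descriptor resolves every name relative to it, one component at a time. The helper names `open_beneath`, `read_via` and `demo` are hypothetical, and the checks here are a userland approximation on an ordinary kernel of what CloudABI enforces in the kernel.

```python
import os
import tempfile

def open_beneath(dir_fd, relpath, flags=os.O_RDONLY):
    """Open relpath strictly beneath dir_fd (hypothetical helper).

    Absolute paths and '..' are refused, and each component is opened
    with O_NOFOLLOW so a symlink cannot redirect the walk elsewhere.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if relpath.startswith("/") or ".." in parts or not parts:
        raise PermissionError(f"outside granted directory: {relpath!r}")
    cur = os.dup(dir_fd)
    try:
        for part in parts[:-1]:
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=cur)
            os.close(cur)
            cur = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=cur)
    finally:
        os.close(cur)

def read_via(dir_fd, name):
    """Return the file's bytes, or None if the descriptor does not cover it."""
    try:
        fd = open_beneath(dir_fd, name)
    except OSError:  # PermissionError, ELOOP/ENOTDIR on symlinks, ENOENT
        return None
    with os.fdopen(fd, "rb") as f:
        return f.read()

def demo():
    # Constructed sample tree: www/ is granted, secret.txt is not.
    with tempfile.TemporaryDirectory() as root:
        www = os.path.join(root, "www")
        os.mkdir(www)
        with open(os.path.join(www, "index.html"), "w") as f:
            f.write("hello")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("secret")
        os.symlink("../secret.txt", os.path.join(www, "escape"))
        www_fd = os.open(www, os.O_RDONLY | os.O_DIRECTORY)  # the capability
        try:
            names = ("index.html", "../secret.txt", "/etc/passwd", "escape")
            return {n: read_via(www_fd, n) for n in names}
        finally:
            os.close(www_fd)

if __name__ == "__main__":
    print(demo())
```

On an ordinary kernel the process could still call `open()` directly; under CloudABI that call does not exist, so the descriptor is the only route to the filesystem.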