Bestand wählen
Merken

Capsicum

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Beta
Erkannte Entitäten
Sprachtranskript
all especially suggestion and this and you got to us about capsicum and how this can make our lives the circuit with the policy thank you very much thank you and the only way in the back and yes alright excellent i so if I could ask you by a show of hands how many people in this room watched video
in a web browser ever OK now let's add to those people the people who use web pages that involve script or images now connect comes pretty much everybody now all the people who do any of those things how many of you use online banking in the same browser I very many of you OK so hopefully this talk will be of interest so this talk is about caps which is a security framework that we've implemented in the previous the this work was done with a Robert Watson who is kind of my boss at the University of Cambridge UK double-decker the previous committed who's doing lots of the work then Laurie David Drysdale and Chris away are all at Google and have done various things some technical and otherwise for us so here is the motivation
here's the problem so I have a web browser and I
do lots of different things instead web browser and you can see up here I'm just looking at what looks like a pretty boring webpage even though it's kind of a complicated JavaScript application this is definitely a complicated JavaScript applications over here watching some videos and in video decompression with Kodak that was written by who knows who you who's interested in performance performance and performance and your notes security is not on that list of 3 things they care about and then down here and doing something very sensitive my online banking and the trouble is that whenever there is an exploit in some video codec
and what they could have access to all kinds of crazy stuff and that is why we
try to employ sandboxing to seperate the various pieces of things that you might like to do but particularly in web browsers but also in lots of other kinds of applications for web browsers are kind of a natural examples all probably talk mostly about those out so the concept of sandbox and is that you take every have logically the ASM actually work quite like that but logically you take every time you stick it in his own little box where can build its own Sandcastles were conducted Sandcastles over whatever but it doesn't have the ability to you know going to the next and knock over somebody else's Sandcastles so when you get in exploiting you have now well it doesn't get outside here so they can mess up my video rendering but that's not a big deal so that is conceptually very
simple and now the question is how is is actually implemented and the answer is find capsicum in a bit of a uneven way but so let's see let's
start look at the conventional picture of a stack of and so if programmers kernel on top that's running a bunch of applications the key thing is that these applications are running on behalf of users so here if I'm using their office and I want to open a document then this will a Windows dialog nobody in this room would see that 1 obviously but anyway but the point is that this application is allowed to do anything such as open files that I as the user I'm allowed to do is operating on my behalf with what we call ambient authority the authority that I would normally have when I'm using my computer but and this means that if you have trouble in application well can do anything that you can do but so in practice let's see here we go so here we have again this decomposed view of a web browser where not only if absent sandbox anomalies and now were able to do things in another tab in your web browser and it is in fact allowed to do anything that you as the user have the authority to do on your own computer and so this is the discretionary access control model where
things have owners and there are people and then the people while sorry the users and there may not be people can do whatever they like to anything they own and that is back so what browser-like chromium does in order to try and address this is to split itself up into a bunch
of little processes see the browser process and then you have several renderers in the browser runs with the normal ambient authority and the renderer processes run with some kind of protection put underneath them to stop them from doing stuff stuff know stuff will vary by operating system even within operating systems depending on the sand technique that stuff will be defined very very differently but this is conceptually the model so what capsicum is is it's a mechanism for implementing
that sandboxing regimes so
applications that are big applications can split themselves up in the little parts and each little bit
can have just the least privileges that it requires but this is targeted on Free BSD mostly because work previously committed some very familiar with it but also there's a potential for this stuff to get adopted in products by companies that contend that who build products on previous state and the goal of capsicum was to take a an older literature but on capability oriented security and applied in a real UNIX operating system that has real applications and run real stuff today but often many security of what historically capability systems were an active field of research but you don't see a lot of them running today so and then on the other side we have sort of the UNIX model which while about not quite as locked down as the key the oriented security model I so this was done in an academic context we did a bunch of work but it wasn't just a prototype we've actually push this upstream into previously BSD so how does it work the end all say do stop me at any time in the middle for questions if you like clear and
their wave furiously if I don't notice you just kind of bigram and so what is a capability capabilities a token that says I'm allowed to do something and it's an unforgeable token and people often use a
crown as as a sort of analogy for this some guy walked into the Belgian Parliament is dissolved parliament unit where he put the crown on insists to dissolve the parliament you're like OK so I but it might actually be more helpful to think about a subway token so a subway token or in fact a year token at the falls them beer event on Friday nite on a token is something that you can exchange for 1
year at the delirium thing or 1
ride on the subway and critically it doesn't depend on who you are
you show your passport in order to get on the subway it doesn't depend on how much money you currently have it doesn't depend on any at tribute about you or other than the fact that you possess this token somehow you came to possess this token now you may ride the subway so is a model that was 1st explored in the 19 seventies and it had some impact on programming languages ever since and things like references in Java JavaScript are kind of a capability in that you can't do point arithmetic and make them up something somebody's to give you this token that says you're allowed to do stuff but but you can also think of these as cookies cookies that you get from a website for their references and languages or file descriptors are almost a little bit like capabilities so far
all descriptors but you can open a file and here is in back going back to our Chrome Chromium case you open in this case the font directory but and what we're doing in capability mode is we say that you are not allowed to acquire these new references to things new capabilities you can't just make them up you can just as the operating system for them either we see any access to global namespace which includes things like the file system but also includes things like network interfaces any access to a global namespace is cut off completely you cannot open new files but what you can do it's have somebody delegate and pass them to you so somebody else was more privileged and open that font directory and then handed off to the renderer process because the renderer process needs it so we have done this capability this is kind of 1 of the 2 parts of capsicum the 2nd part of which was kind of a product of a lot more of the work that is the idea
of partial delegation so file-descriptor is a bit like a capability you can't just say right to the number for you 1st have to have the number 4 or have some meaning to the operating system and however if you open a file read only with all underscore read-only you might think excellent that's a read-only file handed off to my sandbox browser process or render process and the at the render might not a right to file can have to monitor which is probably not what you meant when you said this is a read only reference to something and therefore but what we do is we impose more limitations on file descriptors very very fine-grained ways of saying what you're allowed to do with a particular file descriptor so you've opened it you pass this around and now and you can restrict that so you can only read and seek on a file descriptor for instance so there are all kinds of other rights that you can also delegate and so yeah here here in a lot to modern this case in this partial delegation also works nicely with the act family of system calls things like open actin chmod act of
where the here is an example of a subset of a file system hierarchy of and the renderer process in a browser need access to these fonts were able to do is open directory
descriptor for justice top-level
directory and then they can use the AP system calls relative to that route and is just not allowed to use doctor to go back up in the so we apply this to chromium to a large Web browser
and 1 reason that we wanted do use chromium was because it was already a case study of all the possible ways that you could do sandboxing at the time of on a bunch of different operating systems so you can see on the Windows case while the people in this room again may not be very surprised to see that the Windows skaters and very very well on so in Windows it is possible to put the process into a state of where if you don't give it a security label then things any excesses that have security labels it's not allowed to access so that sounds pretty good the is knows there are a lot of things that don't have security labels and that includes things like the network card and so sigh well that's very nice that you can only access might flash drive that I've plugged in here and you can access my VPN but you can't access the files under C program files with a very exciting time and as you
can see it was also extremely complex and extremely complex to implement and on Linux we have a slightly different story so the troops sandboxing models quite popular but it's also actually quite ports dataset using posets network namespaces then maybe it's a little bit better because the other problem with the true model you have the privilege so in order to protect yourself from expletive in your program 1st you have to have part of your program be set UID route which doesn't seem like a great idea but the Linux policy version of which I think is never deprecating in fact but that really also didn't work out very well partly because you're not able to with static as Linux label you not able to say this is one sandbox and this is a different sandbox and I wanna create a bunch of ephemeral sandboxes all you can say this is of type sandbox T and then they're all in the same the security or the olives security label which means 1 can do things together which is not really what was intended in the 1st place but not a lot of code was required however it turns out that in order to write essay Linux policy you actually write something in a macro language that expands to a massive as Linux policy and the only way to do that sensible same way actually grant way too many rights but nobody notices because nobody complains when you're allowed to do the things that you want to do as well as other things they only complain when your stopped from doing the things that you wish you could do the 2nd 1 is an interesting model so the original set called where you just had 3 system calls available to you on in some ways is a little bit capability oriented you have files and you can read them and you can write them and you can close how exciting but the trouble is that in order to get any meaningful work done by the developers to chromium had a right over 11 thousand lines of much of this was like 2 thousand lines or something of hand-crafted assembly all of which was absolutely security critical in order to forward system calls out to the browser process and and so this desire to really clamp down sort of backfired there since led to 2nd to which they can perhaps talk a little bit more about that in a bit of but on OS 10 the sandbox model based on a mandatory access control framework of which resurrection came from previously so there if it's sort of OK there are some restrictions when you're doing the some IPC primitives that you can't restrict and yet and unsurprisingly the system that we developed as all the green check boxes isn't that fantastic but but the reason for that is and it's not just a glimpse of the bottom of the slide thing it's the observation that the discretionary and the discretionary access control model the owners and the owners and things that they own model but isn't a great fit for trying to do this kind of sandboxing way take an application running as 1 user and split up into a bunch of bits but neither is the mandatory access control framework which is the SE Linux approach and the apple sandbox approach is really not actually a very good fit of because there that's excellent you want to talk about what I want to keep my secret users from reading top-secret data some system administrator provided policy is a great fit for that was really not good fit again for this application sandbox model which this capability oriented model and when you think of it in language terms of references and things that actually the pretty natural fit for decomposing an application into objects that can't access things inside of each other but so to give a kind of a more concrete example of how this all works let's take a
look at TCP dump that tcpdump is a great application because it passes all kinds of arbitrary code or sorry all kinds of
arbitrary network traffic and the pressures are written by who knows who I am and it often runs with privilege and your eyes and years in the networks to say 0 no there's an attack there weird packets floating around my network compromising systems I will run TCP dump as root and point this arbitrary
person code at and then we'll see what happens and this is often what happens and often not there yet but not a great idea but so this idea talk about some changes
that we've made to previously to free these days
the import of tcpdump and you can see these things in the head at the moment and subversion or if you prefer dataset and get as the in right so here's the extremely
simplistic overly simplistic model of what's going on in tcpdump tcpdump and so you set the filter and you get some stuff that comes in a TCP
dump and and then you pass that stuff and then you spit it out into a final this is this action more complicated that but still I and so in this model to if you see a
nasty packet that contains some data that will exploit a vulnerability in 1 of the many many many passes that's been written produced be done while like those in network regarded then that exploits the pastor here and then OK well you corrupt the output file there's no getting around that if you're passing code is incorrect the results of the person or not going to be right on the trouble is of course that you are also able as route to access all kinds of other crazy stuff that you would like
to not be true so and so what we've done is applied capsicum here in order to limit the privileges that the CBM has access to while it is running so on the stack we have to put
some more stuff and not very much but we have put a little structure here that says the
rights that you're allowed to and or what you'll see what that structure is used for a moment and so we limit the pcap cap input
device here and so this if staff under under free BSD this is in our and vendor import her contribute important branch and then you can see here is basically the difference required so what we do but we declared the IOC tools that we might want to use and we limit we set up that right structure to say OK you're allowed to do and I and you're allowed to read from that device and then we actually limit that file-descriptor to those rights so with that file descriptor now you're only allowed to do I octal and really you can't write to it for instance and then we also limit which I'll close you're allowed to do and this has to be done this way can be done in a sort of a global old system way because the IOC tools which tools you are allowed to use and interpretation of those numbers and I want to place you talking to so this limits that input interface you no longer allowed to just write stuff bacteria not allowed to do I Octel's that we don't want you to be able to do so this is in the set up phase before you stop processing untrusted data then the output
is this dump file and again similarly
were in this set up that temporary structure to say what you're allowed to create a dump file so you're allowed to do control on it truncated couple of other things and of course right to it and that's
it and then finally we enter capability
mode so 1st you do some set up you initialise things and then you limit yourself and so that you have your input output you can only use them for those purposes the you enter capabilities of at this point tcpdump is not allowed to open any new files so this point
if you have see that evil traffic
and you managed to well we have put this barrier around so that if you manage to compromise the packet parsing while you're still able to correct the output file because you're allowed to write to the output file but but that's it you certainly can't do arbitrary things in memory
or on disk so whenever you can't access other applications you can do things as root that you otherwise might be able to do it now that's a very nice simple
model but it's actually slightly more complex because what sometimes you're reading from an input file because you want to record stuff and you want to read it so we do a similar
sort of thing as for the idea that it's at this time much simpler you just get read on that
file and or sometimes you want
to write to multiple output files because you achieve a director in you have you want each dump file to be so large and rotate that sort of
thing and so again using kept them this is a fairly straightforward thing to do because we can give you a capability to the directory
so in this dump infrastructure that we haven't tcpdump while we just had a file descriptor for the directory and we arrange for you to
have a the appropriate right on that directory only so that then later but we used open rather than opening a new file with normal call so you're allowed to write stuff in that output directory being allowed to write stuff anywhere else in the file system so that looks pretty good and then the
question is alright well are we all done
now not all at this point if you pass the packet and something evil happens you exploit a vulnerability you can write into the dump output directory and that looks pretty good and for freebies BSD 10 at this point we're
done because this is as far as we kind of can go up but the trouble is there's a limitation when it comes to name resolution so if you change your name server part way through execution or something there's no way to open a new socket to talk to the name server and resolve names so this is an example of the kind of problem that larger more complex higher level applications tend to have and this is why I something that Pavel is working on at the moment and as well has done a lot of work on you can see it in the in the head at the moment of is a
service called Caspar the capability services provider also known as the friendly Ghost a little bit like a demon but the ghost in slightly different and the idea here is that we provide what is In some ways almost a cross between a runtime wintering D-Bus a service that provides these higher-level services of that itself understands how to limit those services so in the tcpdump
case you'll see code that only applies for free BSD 11 current and head but where if we have this capability DNS provided that instead of doing get by either in the normal way we'll do it um proxying through Caspar uh
will rather will last desperate gives a handle to the capability DNS provider the reader but and this is how we get access to cast in the
1st place before winter capability mode that we can simply talk to Casper and we have ambient authority so let's do that and then we can open services and then we can limit what we do over those services so
much like the kernel API for capsicum provides a way of limiting limiting file-descriptor access and narrowing the
interfaces that you're allowed to use in a similar way Caspar does this for
services of a more abstract nature you write a service and it has a number of methods and you're able to restrict access to those methods so this way your lab you're able to have maps higher-level ideas about the program writes down into level software so what's next well currently there are a bunch of people who are working on this stuff so
in Cambridge and this is kind of started by Barbara and I came along and join him and then some folks from Google got involved and they did some work of this paper among other things that did fairly well but Google has also funded Pavel as jointly with previous foundation to put this into more based system application so we now have lots of things in the previous debate system they're using it and we also have the guy who's working at Google pretty much full time on the Linux support and so in some ways of and I'm leaving a meeting imaging going to Canada so I by so we hard for me to come to fast and in the future will take longer something on a plane and so it's being used in a number of places but we're quite interested
in acquiring more platforms and in more target so obviously previously on the dragonfly people have been looking at the at the eyes and we've encountered going back and forth and talking about stuff and just last week actually announced that the next version of SSH capsicums support on any platform that provides capsicum support currently just previously but others in the future and a number of other interesting people and companies that we talked to who are interested in the sort of thing but but were very much interested in getting this
API into other places as well and so the dead in K Free BSD people can benefit from it almost for free because there already running Odevene users based on the previous the kernel of what the GoboLinux export we would quite like that too can happen and we'll see I mean there's a certain amount of track record with Google getting patches into Linux and there's also the track record with Linux developers say not a good idea let us write it completely incompatible API to do very very similar things and and that's the sort of thing that could possibly happen but are also interested in more targets
things like so lots of reviews base system applications we would like it if every base system application or every network facing demon use capsicum to protect itself because basically anything that accepts on trusted content and that is anything that talks to the network among other things on could be exploited in that if something goes wrong and so we like all those applications to use these protections also like upstream things that we have done in a B grade if more upstream like open SSH were to adopt a capstone for those platforms that support it will we work on getting more platforms supported working on the chicken and the egg but also in the vein of Caspar were really interested in how you can map these low-level security concepts into higher level application frameworks so I did a little bit of proof of concept work when we're 1st doing the capsicum thing with I Q t of so that you could write a little cutie text editor so the thing that was completely oblivious a capsicum but the Qt libraries understood capsicum and sandboxes and how to ask for privileges through another mechanism and that sort of thing and so that was great and so that that kind of cute stuff would be nice and and also KDE is an interesting opportunity is the K I was slaves framework is actually a really really good fit for this kind of protection we say here's slave that's going off often speaking some network protocol and it would be nice if that I was slave exploded if it didn't get to do anything that I get to do but instead it just gets to you know crop the file that I get back for that sort of thing in which case you need to have another exploit in order to do arbitrary things as me and and so really were interested in more people adopting and using and collaborating
and so this is the web page where supposed to say he was like you but you can really see it but so it then there's the web page and there is a mailing list and from the web page you can get to all of the code and talk to friendly people who say that we would be love we love to help you understand how capsicum can be deployed in various places whether it's in applications or whether it's in distros or what have you and so yeah thank you for listening if
if and the question you mentioned that you have something to say about 2nd to shop is to show right but so it's a cult to use this kind of more sophisticated model of doing some call stuff or you can write like BPF style descriptions of the system calls that are allowed that sort of thing so the 2 pieces of capsicum 1 is the restricting what system called you can interact with and the other thing is restricting what you can do with a file descriptor and so succumbed to is something that allows you to do the 1st basically but when it comes to so David actually tried to use a comp 2 as the basis for the Linux capsicum support but the problem is it's basically system-call wrapper framework and any system call wrapper framework there are limitations around time of checked at use vulnerabilities and that sort of thing so we did a lot of work in order to try and make 2nd to support the sort of functionality but in the end it's a high it makes everybody uncomfortable cause there's no way to know that you got it right kind of thing so 1 thing that we were able to do by doing surgery deep in the previous the kernel is we could say OK here's the Afghan function this is the 1 place that you turn a file descriptor number into a pointer to instruct file therefore if we change the signature to that the compiler will tell us if we haven't changed all of the rest of the code that kind of thing and so techniques like that they require surgery deep in the kernel but on the other hand they allow you to have a pheromone of confidence that you've got all the corner cases i In the 2nd to model it's harder yeah but the so you through a high ported to to use that's going on and it was patents into complex but to make it easy you of the other programs of you guys planning the tool that can say statically analyze this is schools that program makes this a stochastic things that you can do to use it's funny you should ask that of that because we actually have a colleague of mine giving good girl who is in the next office to me at Cambridge is working on a static analysis framework that allows you to annotate code and say I think this code is dangerous but I think this is sensitive I think that I might put up some kind sandbox boundary here and that sort of thing and then you can ask the tool have i satisfied that policy that I would like to have before actually do all the work of converting things for sandbox and the other point about to be done and it is a very simplistic example you right 1 thing that it does nicely is that it does everything that requires privilege 1st and then it doesn't trusted stuff or does things of untrusted data and anything that fits that model is really easy to sandbox anything that's more complicated because you continually doing new things and you can't statically declare them that's where you have to have some kind of runtime support something like pastoral which kind of get you new privileges as you OK for the questions yeah I really think of 1st ladies 1st how they how much modifications their did you to enter today come along and was it mostly outer pondering on the scope Ontario was it part to the idea our the so I definitely the question really is you keep halving might only I who can't hear your microphone so yes so the changes were they touched a lot of places in the code but they weren't extensive changes so for instance the Afghan change that I described we basically said anywhere in the kernel that you do enough get you now have to do enough get that declares what rights you're supposed to have in order to do this after that so if you're doing operation that is morally reading from a file then you have to change a f signature it also have kappa reading somewhere that but that caused a lot of data because we use get all lot anywhere you interact with the file a cost a lot of data but on the were all very very simple do all the things that we did which were a little bit thorny I guess so we modify the name look up stuff in order to make sure that the open at relative to a capability stuff would work correctly and in particular we basically had disallowed doctor when you're incapability mode because of absent a universal locking scheme which would have to include like remote NFS servers things like that but it's there's a possibility of a race where you could get out so we had to do some work there disallow things some work in like the run-time linker but yeah but mostly in the kernel of it was kind of infrastructure stuff which is either the thing that takes a list of system calls and then generates the code that handles the system calls or things like of declaring rights that you need which is a small change times many hundreds of places and that kind of thing the it OK so the soul of even the program is uh this restricted access to catch some of them do these restrictions specialized of for system calls yes um so when you enter capability mode you can never leave it it's like Hotel California I guess and when you for your children will also be in that same OK so go for it don't you can around of the Dutch company where programs we already insight catch form like through integrated support in the shell or something like that right I think I couldn't quite hear me you just as I heard a great support in the shell of running a program at some books the running capsicum program which is unaware of the credit program which is the most capsicum inside the camps and some some books but by the means of restricting access by the caller program right yes um so it is definitely of interest and we've done a little bit of infrastructure work to do that so I'm currently poking the run-time linker to make it possible to run dynamically linked applications stop them from within a sandbox of basically instead of giving it an lD library past you give it your you open the directory descriptors for the library path and you put that in environment variable and then you exact and then it's able to go off and find libraries that way but and with that yeah there's definitely a big interest in the group of doing a capability aware shell where you could run lots of command line utilities particularly the simple ones but even some of the not so simple ones you want to be able to run without the them ever having see ambient authority and that would also be really nice if you're trying to do things like reproducible and deterministic builds because it's like well I can actually say definitely for sure these are all the files that the compiler accessed and it wasn't secretly going into uses the something something something something that I didn't know about but you know that kind of approach what there was the question here of up to get of here the and it would so the sandbox thing is that the easy sharing his heart and so what capsicum doesn't respect to sharing between sandboxed right so you have access to all the normal of Munich's IPC primitives so long as you set them up in a certain way so either it you know you can of open sockets Unix domain sockets and past descriptors over them and stuff but if you're accessing anything in the namespace and you have to have done that in advance of you can still do anonymous shared memory segments and that sort of thing you can from within a sandbox but you can create a share many shared memory segments along the does name it's an anonymous shared memory segment that only referenced by file-descriptor and then you pass that up up your parents and then the you so you can set of communications channels like that you can open the doors wide as you want to know but we want to start with the door being close to you have to be explicit about some of the things that you want to share rather than just implicitly assume the available and so yeah ascend often mechanism by itself is not the whole story is still have to write the code to you know do useful things and communicate with other bits but I just want to compare a little bit to pack armored running on Linux and I have 2 questions about that um many distributions that actually up our also have a small role tcpdump and I was wondering if you've ever done a comparison between that and the 1 the basically sandbox by capsicum and that in addition I was wondering is at all it would be possible to have a patch work for capsicum in a reasonable time frame right so so on the 1st question about that armor we did our main comparison of a bunch of different things in the context of chromium just as it already had all these different mechanisms and the thing about that promise basically in the same category as a Linux for this purpose is that you have to have a policy that you can describe statically see say tcpdump is only allowed output files into this directory or something but what you can do say after what has been done is allowed output files into the current working directory or something like that so a dynamic policy like that is much harder to express those tools and the yeah I mean the internal protection thing if you had a process space in him for Apache but that's the sort of thing where is the more than a it's it's a debatable point but I think it is much more natural fit for Apache and start his work and started capability mode and I'm going to give it access to this thing and this thing and this thing as opposed to trying to write some global policy definition where you have to change a Apache configuration and you also have to go to interact farmers stuff to say well and then a worker that has this security label attached to it which then also have to do elsewhere is only allowed to get things from bodily w slash my sight 1 the yeah so I have not fact Apache and myself but it is the sort of thing that should be doable from that that I have colleagues who hacked on Apache more including then of course it so but yeah so I think it should be a fairly good fit but don't section on the work but the next question nobody OK but to this and and what the the the head of a host of very different ways of work the use of this is areas and vision of as gypsy good is but through the is that ending convexity in completely the needs to know the status in the history of free and it took part in the things that changes sitting on capsicum adding complexity in complexity being the enemy of security and so basically what 1st of all the applications it really doesn't have much complexity and infer chrome which is a fairly complicated application we had a hundred lines of code which just said take these fall descriptors that we already have opened limit them then enter capability mode in the kernel we have at well weeping diff in the kernel but it didn't actually have a lot of complexity of there was a bit more declaration of intent of where you had to say you must hold the and that capability must have the in that right on this file descriptor in order to open that sort of thing I yeah it was restriction so we're very careful to only restrict things but never to open them up more and so it is decomposable model in that way I and actually didn't really make the kernel significantly more complicated is 1 of the reasons actually why the this can export based on to give us so much hesitation so much pause because it did at a lot of complexity because you gave it had had had to add this whole framework for doing time of checked time use the yeah race condition checking stuff where you would hold onto additional things that you otherwise wouldn't and then release them at the right time but the several points were could be the right time and was a lot of complexity that was required of and this is part of why we're quite concerned about that approach that OK any more questions the and guess further on that point is the so the complexity thing we we made quite simple changes have previously kernel we like to make exactly the same simple changes to the Linux kernel however that involves things that are in Linux Security Module and our current read of the situation that might be politically very difficult to do but it could be that we can get a distro interested in applying patches and saying actually a simple much simpler patches less complex than they had an important security benefit correct the more questions no more questions we thank you very much thank you for your few
Benutzerschnittstellenverwaltungssystem
Browser
Computersicherheit
Digitaltechnik
Skript <Programm>
Telebanking
Web-Seite
Framework <Informatik>
Bildgebendes Verfahren
Kugelkappe
Videokonferenz
Codec
Subtraktion
Computersicherheit
Browser
Mailing-Liste
Kartesische Koordinaten
Telebanking
Web-Seite
Quellencodierung
Computeranimation
Videokonferenz
Quader
Browser
Vorlesung/Konferenz
Kartesische Koordinaten
Computeranimation
Videokonferenz
Inklusion <Mathematik>
Autorisierung
Bit
Programmiergerät
Punkt
Sichtenkonzept
Browser
Kartesische Koordinaten
Computer
Elektronische Publikation
Kernel <Informatik>
Programmfehler
Office-Paket
Informationsmodellierung
Offene Menge
Bildschirmfenster
Gamecontroller
Autorisierung
Kernel <Informatik>
Kraftfahrzeugmechatroniker
Informationsmodellierung
Prozess <Physik>
Browser
Browser
Volumenvisualisierung
Physikalisches System
Ordnung <Mathematik>
Computeranimation
Hardware
Orientierung <Mathematik>
Bit
Vektorpotenzial
Freeware
Computersicherheit
Kartesische Koordinaten
Physikalisches System
Biprodukt
Kontextbezogenes System
Hybridrechner
Quick-Sort
Computeranimation
Informationsmodellierung
Datenfeld
Reelle Zahl
Netzbetriebssystem
Mereologie
Schlüsselverwaltung
Aggregatzustand
Prototyping
Einheit <Mathematik>
Wellenlehre
Datenmodell
Computersicherheit
Vorlesung/Konferenz
Token-Ring
Ereignishorizont
Quick-Sort
Analogieschluss
Programmiersprache
Bit
Web Site
Punkt
Cookie <Internet>
Formale Sprache
Applet
Datenmodell
Elektronische Publikation
Metropolitan area network
Informationsmodellierung
Computersicherheit
Cookie <Internet>
Ordnung <Mathematik>
Kernel <Informatik>
Bit
Prozess <Physik>
Browser
Familie <Mathematik>
Zahlenbereich
Font
Netzbetriebssystem
Volumenvisualisierung
Dateiverwaltung
Inverser Limes
Vorlesung/Konferenz
Schnittstelle
ATM
Namensraum
Datennetz
Browser
Physikalisches System
Biprodukt
Elektronische Publikation
Arithmetisches Mittel
Rechter Winkel
Offene Menge
Mereologie
Benutzerführung
Verzeichnisdienst
Lesen <Datenverarbeitung>
Instantiierung
Prozess <Physik>
Sampler <Musikinstrument>
Browser
Programm
Hierarchische Struktur
Flash-Speicher
Font
Gewicht <Mathematik>
Bildschirmfenster
Volumenvisualisierung
Dateiverwaltung
Vorlesung/Konferenz
Interprozesskommunikation
Differenzenrechnung
Beobachtungsstudie
Datennetz
Computersicherheit
Routing
Physikalisches System
Elektronische Publikation
Chipkarte
Teilmenge
Digital-Analog-Umsetzer
Verzeichnisdienst
Aggregatzustand
Bit
Prozess <Physik>
Quader
Sampler <Musikinstrument>
Browser
Formale Sprache
Versionsverwaltung
Parser
Schreiben <Datenverarbeitung>
Kartesische Koordinaten
Term
Framework <Informatik>
Code
Informationsmodellierung
Gewicht <Mathematik>
Datentyp
Minimum
Luenberger-Beobachter
Vorlesung/Konferenz
Interprozesskommunikation
Primitive <Informatik>
Softwareentwickler
Optimierung
Gerade
Datennetz
Green-Funktion
Computersicherheit
Systemverwaltung
Routing
Physikalisches System
Elektronische Publikation
Quick-Sort
Objekt <Kategorie>
Rechenschieber
Digital-Analog-Umsetzer
Menge
Rechter Winkel
Mereologie
Gamecontroller
Ordnung <Mathematik>
Makrobefehl
Fitnessfunktion
Druckverlauf
Punkt
Datennetz
Primzahlzwillinge
Mathematisierung
Speicherabzug
Parser
Vorlesung/Konferenz
Speicherabzug
Wurzel <Mathematik>
Physikalisches System
Code
Spannungsmessung <Mechanik>
Resultante
Momentenproblem
Datennetz
Konvexe Hülle
Gruppenoperation
Parser
Routing
E-Mail
Elektronische Publikation
Sichtenkonzept
Code
Magnettrommelspeicher
Informationsmodellierung
Verschlingung
Rechter Winkel
Softwareschwachstelle
Primzahlzwillinge
Vorlesung/Konferenz
Neunzehn
Message-Passing
Schreib-Lese-Kopf
Funktion <Mathematik>
Interpretierer
Fehlermeldung
Subtraktion
Freeware
Stab
Verzweigendes Programm
Abgeschlossene Menge
Zahlenbereich
Schreiben <Datenverarbeitung>
Physikalisches System
Ein-Ausgabe
Elektronische Publikation
Quick-Sort
Computeranimation
Inverser Limes
Kugelkappe
Rechter Winkel
Vorlesung/Konferenz
Ordnung <Mathematik>
Datenstruktur
Phasenumwandlung
Schnittstelle
Funktion <Mathematik>
Instantiierung
ATM
Punkt
Ein-Ausgabe
Elektronische Publikation
Computeranimation
Rechter Winkel
Fahne <Mathematik>
ATM
Speicherabzug
Vorlesung/Konferenz
Speicherabzug
Datenstruktur
Funktion <Mathematik>
Motion Capturing
Konvexe Hülle
Kartesische Koordinaten
Elektronische Publikation
Ein-Ausgabe
Computeranimation
W3C-Standard
Informationsmodellierung
Gigaelektronenvoltbereich
Funktion <Mathematik>
Syntaktische Analyse
Verschlingung
Festspeicher
Mini-Disc
Protokoll <Datenverarbeitungssystem>
Vorlesung/Konferenz
Wurzel <Mathematik>
Funktion <Mathematik>
Feuchteleitung
Multiplikation
Funktion <Mathematik>
Ein-Ausgabe
Speicherabzug
Vorlesung/Konferenz
Speicherabzug
Information
Elektronische Publikation
Verzeichnisdienst
Quick-Sort
Computeranimation
Funktion <Mathematik>
Kreisbewegung
Fehlermeldung
Motion Capturing
Punkt
Systemaufruf
Elektronische Publikation
Information
Schaltwerk
Computeranimation
Funktion <Mathematik>
Verschlingung
Rechter Winkel
Softwareschwachstelle
Protokoll <Datenverarbeitungssystem>
Speicherabzug
Dateiverwaltung
Vorlesung/Konferenz
Speicherabzug
Normalvektor
Verzeichnisdienst
Funktion <Mathematik>
Bit
Momentenproblem
Bildauflösung
Rechenzeit
Kartesische Koordinaten
Service provider
Übergang
Dienst <Informatik>
Mereologie
Server
Resolvente
Inverser Limes
Vorlesung/Konferenz
Socket
Dämon <Informatik>
Schreib-Lese-Kopf
Autorisierung
ATM
Fehlermeldung
Code
Service provider
Computeranimation
Physikalisches System
Dienst <Informatik>
Typentheorie
Direkte numerische Simulation
Vorlesung/Konferenz
Direkte numerische Simulation
Normalvektor
Schreib-Lese-Kopf
Mapping <Computergraphik>
Kernel <Informatik>
Dienst <Informatik>
Software
Natürliche Zahl
Zahlenbereich
Vorlesung/Konferenz
Ähnlichkeitsgeometrie
Optimierung
Übergang
Schnittstelle
Kernel <Informatik>
Inklusion <Mathematik>
Ebene
Verbandstheorie
Versionsverwaltung
Systemplattform
Zahlenbereich
Kartesische Koordinaten
Physikalisches System
Systemplattform
Quick-Sort
Bildgebendes Verfahren
Computeranimation
Bit
Freeware
Kartesische Koordinaten
Systemplattform
Framework <Informatik>
Computeranimation
Übergang
Kernel <Informatik>
Gradient
Datensatz
Weg <Topologie>
Programmbibliothek
Inhalt <Mathematik>
Softwareentwickler
Kraftfahrzeugmechatroniker
Oval
Protokoll <Datenverarbeitungssystem>
Datennetz
Computersicherheit
Systemplattform
Physikalisches System
Elektronische Publikation
Quick-Sort
Texteditor
Patch <Software>
Beweistheorie
Dämon <Informatik>
Ordnung <Mathematik>
Fitnessfunktion
Distributionstheorie
Bit
Punkt
Prozess <Physik>
Freeware
Inferenz <Künstliche Intelligenz>
Nabel <Mathematik>
Gemeinsamer Speicher
Natürliche Zahl
Compiler
Konvexer Körper
Gruppenkeim
Kartesische Koordinaten
Komplex <Algebra>
Raum-Zeit
Kernel <Informatik>
Eins
Deskriptive Statistik
RPC
Vorlesung/Konferenz
Maschinelles Sehen
E-Mail
Gerade
Funktion <Mathematik>
Nichtlinearer Operator
Addition
ATM
Kraftfahrzeugmechatroniker
Lineares Funktional
Namensraum
Kategorie <Mathematik>
Physikalischer Effekt
Computersicherheit
Güte der Anpassung
Systemaufruf
Nummerung
Sampler <Musikinstrument>
Strömungsrichtung
Kontextbezogenes System
Elektronische Unterschrift
Arithmetisches Mittel
Randwert
Rechter Winkel
Konditionszahl
Deklarative Programmiersprache
Server
Garbentheorie
Benutzerführung
Ordnung <Mathematik>
Verzeichnisdienst
Instantiierung
Lesen <Datenverarbeitung>
Fitnessfunktion
Telekommunikation
Subtraktion
Mathematisierung
Interaktives Fernsehen
Zahlenbereich
Web-Seite
Framework <Informatik>
Code
Socket-Schnittstelle
Hydrostatik
Bildschirmmaske
Informationsmodellierung
Domain-Name
Variable
Bereichsschätzung
Wrapper <Programmierung>
Vererbungshierarchie
Programmbibliothek
Inverser Limes
Primitive <Informatik>
Optimierung
Zeiger <Informatik>
Konfigurationsraum
Analysis
Schreib-Lese-Kopf
Autorisierung
Softwarewerkzeug
Rechenzeit
Mailing-Liste
Physikalisches System
Paarvergleich
Binder <Informatik>
Elektronische Publikation
Modul
Quick-Sort
Office-Paket
Patch <Software>
Chirurgie <Mathematik>
Flächeninhalt
Softwareschwachstelle
Offene Menge
Mereologie
Basisvektor

Metadaten

Formale Metadaten

Titel Capsicum
Untertitel Practical capabilities for UNIX
Serientitel FOSDEM 2014
Autor Anderson, Jonathan
Lizenz CC-Namensnennung 2.0 Belgien:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
DOI 10.5446/32496
Herausgeber FOSDEM VZW
Erscheinungsjahr 2014
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract The Capsicum project adds new security primitives to FreeBSD and other UNIX-like operating systems, blending security models from capability systems with the practicality of real running code, today. This talk will describe what Capsicum is, how it works, and several exciting new developments in its deployment.

Ähnliche Filme

Loading...
Feedback