Video thumbnail (Frame 0) Video thumbnail (Frame 1783) Video thumbnail (Frame 2698) Video thumbnail (Frame 3880) Video thumbnail (Frame 5851) Video thumbnail (Frame 7011) Video thumbnail (Frame 8824) Video thumbnail (Frame 9751) Video thumbnail (Frame 11095) Video thumbnail (Frame 12509) Video thumbnail (Frame 14173) Video thumbnail (Frame 16173) Video thumbnail (Frame 21653) Video thumbnail (Frame 22535) Video thumbnail (Frame 23368) Video thumbnail (Frame 24416) Video thumbnail (Frame 26483) Video thumbnail (Frame 27283) Video thumbnail (Frame 28236) Video thumbnail (Frame 29060) Video thumbnail (Frame 29985) Video thumbnail (Frame 31404) Video thumbnail (Frame 32377) Video thumbnail (Frame 33276) Video thumbnail (Frame 34422) Video thumbnail (Frame 36005) Video thumbnail (Frame 38735)
Video in TIB AV-Portal: Capsicum

Formal Metadata

Practical capabilities for UNIX
Title of Series
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The Capsicum project adds new security primitives to FreeBSD and other UNIX-like operating systems, blending security models from capability systems with the practicality of real running code, today. This talk will describe what Capsicum is, how it works, and several exciting new developments in its deployment.
Scripting language Web page Boss Corporation Medical imaging Digital electronics Spherical cap Videoconferencing Software framework Web browser Telebanking Information security
Web page Computer animation Different (Kate Ryan album) Videoconferencing Electronic mailing list Codec Web browser Telebanking Cartesian coordinate system Information security Data compression
Computer animation Lecture/Conference Multiplication sign Videoconferencing Cuboid Web browser Cartesian coordinate system
Point (geometry) Game controller Computer file View (database) Bit Web browser Open set Cartesian coordinate system System call Software bug Programmer (hardware) Kernel (computing) Authorization Endliche Modelltheorie Office suite Window
Mechanism design Process (computing) Computer animation Order (biology) Volumenvisualisierung Authorization Web browser Endliche Modelltheorie Physical system
Context awareness Key (cryptography) State of matter Multiplication sign Real number Orientation (vector space) Bit Cartesian coordinate system Mereology Field (computer science) Product (business) Vector potential Prototype Computer animation Endliche Modelltheorie Quicksort Freeware Information security Operating system Physical system
Wave Lecture/Conference Token ring Analogy Execution unit Quicksort Event horizon
Point (geometry) Programming language Computer file Java applet Order (biology) Website Bit HTTP cookie Endliche Modelltheorie Formal language
Computer file Open set Web browser Mereology Computer font Product (business) Number Lecture/Conference Computer network File system Physical system Namespace Interface (computing) Bit Directory service Instance (computer science) Limit (category theory) Graphical user interface Arithmetic mean Process (computing) Personal digital assistant Volumenvisualisierung Right angle Family Operating system Reading (process) Asynchronous Transfer Mode
Computer program Observational study Computer file State of matter Flash memory Plastikkarte Web browser Directory service Computer font Subset Process (computing) Lecture/Conference Finite difference Personal digital assistant Hierarchy Computer network File system Volumenvisualisierung Routing Information security Window Physical system
Slide rule State observer Greatest element Game controller Computer file Code System administrator Set (mathematics) Primitive (album) Web browser Mereology Computer programming Formal language Revision control Lecture/Conference Term (mathematics) Computer network Green's function Cuboid Software framework Endliche Modelltheorie Information security Macro (computer science) Physical system Software developer Fitness function Bit Line (geometry) Cartesian coordinate system Type theory Process (computing) Order (biology) Right angle Object (grammar) Quicksort Routing Writing Reading (process)
Point (geometry) Mathematics Root Lecture/Conference Code Computer network Core dump Pressure Physical system
Group action Computer file Code Moment (mathematics) Function (mathematics) Disk read-and-write head Message passing Lecture/Conference Computer network Right angle Endliche Modelltheorie Routing Resultant Vulnerability (computing)
Computer file Closed set Interface (computing) Set (mathematics) Branch (computer science) Staff (military) Function (mathematics) Instance (computer science) Number Computer animation Spherical cap Lecture/Conference Different (Kate Ryan album) Order (biology) Phase transition Interpreter (computing) output Right angle Data structure Quicksort Freeware Writing Physical system
Point (geometry) Computer animation Computer file Lecture/Conference Core dump output Right angle Data structure Function (mathematics) Asynchronous Transfer Mode
Parsing Vapor barrier Computer animation Computer file Root Lecture/Conference Semiconductor memory MiniDisc output Function (mathematics) Endliche Modelltheorie Cartesian coordinate system
Multiplication Computer animation Computer file Lecture/Conference Multiplication sign Core dump Quicksort Function (mathematics) Directory service
Point (geometry) Computer animation Computer file Lecture/Conference Core dump File system Normal (geometry) Right angle Directory service Function (mathematics) System call Vulnerability (computing)
Demon Server (computing) Service (economics) Run time (program lifecycle phase) Moment (mathematics) Bit Mereology Disk read-and-write head Limit (category theory) Cartesian coordinate system Lecture/Conference Network socket Internet service provider Energy level Resolvent formalism
Direct numerical simulation Service (economics) Computer animation Lecture/Conference Personal digital assistant Code Internet service provider Authorization Normal (geometry) Disk read-and-write head Asynchronous Transfer Mode
Kernel (computing) Service (economics) Software Mapping Lecture/Conference Natural number Interface (computing) Similarity (geometry) Energy level Computer programming Number
Revision control Medical imaging Googol Computer animation Multiplication sign Planning Lattice (order) Quicksort Cartesian coordinate system Computing platform Physical system Number
Demon Trail Computer file Patch (Unix) Mechanism design Oval Computer network Energy level Software framework Information security Computing platform Physical system Software developer Gradient Content (media) Fitness function Bit Cartesian coordinate system Proof theory Kernel (computing) Computer animation Personal digital assistant Order (biology) Text editor Quicksort Freeware Communications protocol Row (database) Library (computing)
Complex (psychology) Context awareness Group action Confidence interval Numbering scheme Open set Disk read-and-write head Computer programming Inference Fluid statics Mechanism design Different (Kate Ryan album) Convex set Office suite Information security Descriptive statistics Physical system Namespace Electronic mailing list Shared memory Bit Instance (computer science) Electronic signature Category of being Arithmetic mean Process (computing) Telecommunication Order (biology) Quicksort Reading (process) Spacetime Web page Point (geometry) Socket-Schnittstelle Computer file Patch (Unix) Declarative programming Machine vision Number Differenz <Mathematik> Goodness of fit Authorization Boundary value problem Compilation album Form (programming) Pairwise comparison Distribution (mathematics) Basis <Mathematik> Directory service Line (geometry) Cartesian coordinate system Limit (category theory) System call Compiler Graphical user interface Personal digital assistant Library (computing) Run time (program lifecycle phase) Code Multiplication sign 1 (number) Sheaf (mathematics) Primitive (album) Function (mathematics) Mereology Mathematics Linker (computing) Software framework Endliche Modelltheorie Vulnerability (computing) Area Email Wrapper (data mining) Fitness function Variable (mathematics) Configuration space Right angle Remote procedure call Freeware Asynchronous Transfer Mode Ocean current Functional (mathematics) Server (computing) Surgery Causality Lecture/Conference Natural number Operator (mathematics) Gastropod shell Utility software Condition number Module (mathematics) Domain name Addition Inheritance (object-oriented programming) Interactive television Mathematical analysis Kernel (computing) Pointer (computer programming)
all especially suggestion and this and you got to us about capsicum and how this can make our lives the circuit with the policy thank you very much thank you and the only way in the back and yes alright excellent i so if I could ask you by a show of hands how many people in this room watched video
in a web browser ever OK now let's add to those people the people who use web pages that involve script or images now connect comes pretty much everybody now all the people who do any of those things how many of you use online banking in the same browser I very many of you OK so hopefully this talk will be of interest so this talk is about caps which is a security framework that we've implemented in the previous the this work was done with a Robert Watson who is kind of my boss at the University of Cambridge UK double-decker the previous committed who's doing lots of the work then Laurie David Drysdale and Chris away are all at Google and have done various things some technical and otherwise for us so here is the motivation
here's the problem so I have a web browser and I
do lots of different things instead web browser and you can see up here I'm just looking at what looks like a pretty boring webpage even though it's kind of a complicated JavaScript application this is definitely a complicated JavaScript applications over here watching some videos and in video decompression with Kodak that was written by who knows who you who's interested in performance performance and performance and your notes security is not on that list of 3 things they care about and then down here and doing something very sensitive my online banking and the trouble is that whenever there is an exploit in some video codec
and what they could have access to all kinds of crazy stuff and that is why we
try to employ sandboxing to seperate the various pieces of things that you might like to do but particularly in web browsers but also in lots of other kinds of applications for web browsers are kind of a natural examples all probably talk mostly about those out so the concept of sandbox and is that you take every have logically the ASM actually work quite like that but logically you take every time you stick it in his own little box where can build its own Sandcastles were conducted Sandcastles over whatever but it doesn't have the ability to you know going to the next and knock over somebody else's Sandcastles so when you get in exploiting you have now well it doesn't get outside here so they can mess up my video rendering but that's not a big deal so that is conceptually very
simple and now the question is how is is actually implemented and the answer is find capsicum in a bit of a uneven way but so let's see let's
start look at the conventional picture of a stack of and so if programmers kernel on top that's running a bunch of applications the key thing is that these applications are running on behalf of users so here if I'm using their office and I want to open a document then this will a Windows dialog nobody in this room would see that 1 obviously but anyway but the point is that this application is allowed to do anything such as open files that I as the user I'm allowed to do is operating on my behalf with what we call ambient authority the authority that I would normally have when I'm using my computer but and this means that if you have trouble in application well can do anything that you can do but so in practice let's see here we go so here we have again this decomposed view of a web browser where not only if absent sandbox anomalies and now were able to do things in another tab in your web browser and it is in fact allowed to do anything that you as the user have the authority to do on your own computer and so this is the discretionary access control model where
things have owners and there are people and then the people while sorry the users and there may not be people can do whatever they like to anything they own and that is back so what browser-like chromium does in order to try and address this is to split itself up into a bunch
of little processes see the browser process and then you have several renderers in the browser runs with the normal ambient authority and the renderer processes run with some kind of protection put underneath them to stop them from doing stuff stuff know stuff will vary by operating system even within operating systems depending on the sand technique that stuff will be defined very very differently but this is conceptually the model so what capsicum is is it's a mechanism for implementing
that sandboxing regimes so
applications that are big applications can split themselves up in the little parts and each little bit
can have just the least privileges that it requires but this is targeted on Free BSD mostly because work previously committed some very familiar with it but also there's a potential for this stuff to get adopted in products by companies that contend that who build products on previous state and the goal of capsicum was to take a an older literature but on capability oriented security and applied in a real UNIX operating system that has real applications and run real stuff today but often many security of what historically capability systems were an active field of research but you don't see a lot of them running today so and then on the other side we have sort of the UNIX model which while about not quite as locked down as the key the oriented security model I so this was done in an academic context we did a bunch of work but it wasn't just a prototype we've actually push this upstream into previously BSD so how does it work the end all say do stop me at any time in the middle for questions if you like clear and
their wave furiously if I don't notice you just kind of bigram and so what is a capability capabilities a token that says I'm allowed to do something and it's an unforgeable token and people often use a
crown as as a sort of analogy for this some guy walked into the Belgian Parliament is dissolved parliament unit where he put the crown on insists to dissolve the parliament you're like OK so I but it might actually be more helpful to think about a subway token so a subway token or in fact a year token at the falls them beer event on Friday nite on a token is something that you can exchange for 1
year at the delirium thing or 1
ride on the subway and critically it doesn't depend on who you are
you show your passport in order to get on the subway it doesn't depend on how much money you currently have it doesn't depend on any at tribute about you or other than the fact that you possess this token somehow you came to possess this token now you may ride the subway so is a model that was 1st explored in the 19 seventies and it had some impact on programming languages ever since and things like references in Java JavaScript are kind of a capability in that you can't do point arithmetic and make them up something somebody's to give you this token that says you're allowed to do stuff but but you can also think of these as cookies cookies that you get from a website for their references and languages or file descriptors are almost a little bit like capabilities so far
all descriptors but you can open a file and here is in back going back to our Chrome Chromium case you open in this case the font directory but and what we're doing in capability mode is we say that you are not allowed to acquire these new references to things new capabilities you can't just make them up you can just as the operating system for them either we see any access to global namespace which includes things like the file system but also includes things like network interfaces any access to a global namespace is cut off completely you cannot open new files but what you can do it's have somebody delegate and pass them to you so somebody else was more privileged and open that font directory and then handed off to the renderer process because the renderer process needs it so we have done this capability this is kind of 1 of the 2 parts of capsicum the 2nd part of which was kind of a product of a lot more of the work that is the idea
of partial delegation so file-descriptor is a bit like a capability you can't just say right to the number for you 1st have to have the number 4 or have some meaning to the operating system and however if you open a file read only with all underscore read-only you might think excellent that's a read-only file handed off to my sandbox browser process or render process and the at the render might not a right to file can have to monitor which is probably not what you meant when you said this is a read only reference to something and therefore but what we do is we impose more limitations on file descriptors very very fine-grained ways of saying what you're allowed to do with a particular file descriptor so you've opened it you pass this around and now and you can restrict that so you can only read and seek on a file descriptor for instance so there are all kinds of other rights that you can also delegate and so yeah here here in a lot to modern this case in this partial delegation also works nicely with the act family of system calls things like open actin chmod act of
where the here is an example of a subset of a file system hierarchy of and the renderer process in a browser need access to these fonts were able to do is open directory
descriptor for justice top-level
directory and then they can use the AP system calls relative to that route and is just not allowed to use doctor to go back up in the so we apply this to chromium to a large Web browser
and 1 reason that we wanted do use chromium was because it was already a case study of all the possible ways that you could do sandboxing at the time of on a bunch of different operating systems so you can see on the Windows case while the people in this room again may not be very surprised to see that the Windows skaters and very very well on so in Windows it is possible to put the process into a state of where if you don't give it a security label then things any excesses that have security labels it's not allowed to access so that sounds pretty good the is knows there are a lot of things that don't have security labels and that includes things like the network card and so sigh well that's very nice that you can only access might flash drive that I've plugged in here and you can access my VPN but you can't access the files under C program files with a very exciting time and as you
can see it was also extremely complex and extremely complex to implement and on Linux we have a slightly different story so the troops sandboxing models quite popular but it's also actually quite ports dataset using posets network namespaces then maybe it's a little bit better because the other problem with the true model you have the privilege so in order to protect yourself from expletive in your program 1st you have to have part of your program be set UID route which doesn't seem like a great idea but the Linux policy version of which I think is never deprecating in fact but that really also didn't work out very well partly because you're not able to with static as Linux label you not able to say this is one sandbox and this is a different sandbox and I wanna create a bunch of ephemeral sandboxes all you can say this is of type sandbox T and then they're all in the same the security or the olives security label which means 1 can do things together which is not really what was intended in the 1st place but not a lot of code was required however it turns out that in order to write essay Linux policy you actually write something in a macro language that expands to a massive as Linux policy and the only way to do that sensible same way actually grant way too many rights but nobody notices because nobody complains when you're allowed to do the things that you want to do as well as other things they only complain when your stopped from doing the things that you wish you could do the 2nd 1 is an interesting model so the original set called where you just had 3 system calls available to you on in some ways is a little bit capability oriented you have files and you can read them and you can write them and you can close how exciting but the trouble is that in order to get any meaningful work done by the developers to chromium had a right over 11 thousand lines of much of this was like 2 thousand lines or something of hand-crafted assembly all of which was absolutely security critical in order to forward system calls out to the browser process and and so this desire to really clamp down sort of backfired there since led to 2nd to which they can perhaps talk a little bit more about that in a bit of but on OS 10 the sandbox model based on a mandatory access control framework of which resurrection came from previously so there if it's sort of OK there are some restrictions when you're doing the some IPC primitives that you can't restrict and yet and unsurprisingly the system that we developed as all the green check boxes isn't that fantastic but but the reason for that is and it's not just a glimpse of the bottom of the slide thing it's the observation that the discretionary and the discretionary access control model the owners and the owners and things that they own model but isn't a great fit for trying to do this kind of sandboxing way take an application running as 1 user and split up into a bunch of bits but neither is the mandatory access control framework which is the SE Linux approach and the apple sandbox approach is really not actually a very good fit of because there that's excellent you want to talk about what I want to keep my secret users from reading top-secret data some system administrator provided policy is a great fit for that was really not good fit again for this application sandbox model which this capability oriented model and when you think of it in language terms of references and things that actually the pretty natural fit for decomposing an application into objects that can't access things inside of each other but so to give a kind of a more concrete example of how this all works let's take a
look at TCP dump that tcpdump is a great application because it passes all kinds of arbitrary code or sorry all kinds of
arbitrary network traffic and the pressures are written by who knows who I am and it often runs with privilege and your eyes and years in the networks to say 0 no there's an attack there weird packets floating around my network compromising systems I will run TCP dump as root and point this arbitrary
person code at and then we'll see what happens and this is often what happens and often not there yet but not a great idea but so this idea talk about some changes
that we've made to previously to free these days
the import of tcpdump and you can see these things in the head at the moment and subversion or if you prefer dataset and get as the in right so here's the extremely
simplistic overly simplistic model of what's going on in tcpdump tcpdump and so you set the filter and you get some stuff that comes in a TCP
dump and and then you pass that stuff and then you spit it out into a final this is this action more complicated that but still I and so in this model to if you see a
nasty packet that contains some data that will exploit a vulnerability in 1 of the many many many passes that's been written produced be done while like those in network regarded then that exploits the pastor here and then OK well you corrupt the output file there's no getting around that if you're passing code is incorrect the results of the person or not going to be right on the trouble is of course that you are also able as route to access all kinds of other crazy stuff that you would like
to not be true so and so what we've done is applied capsicum here in order to limit the privileges that the CBM has access to while it is running so on the stack we have to put
some more stuff and not very much but we have put a little structure here that says the
rights that you're allowed to and or what you'll see what that structure is used for a moment and so we limit the pcap cap input
device here and so this if staff under under free BSD this is in our and vendor import her contribute important branch and then you can see here is basically the difference required so what we do but we declared the IOC tools that we might want to use and we limit we set up that right structure to say OK you're allowed to do and I and you're allowed to read from that device and then we actually limit that file-descriptor to those rights so with that file descriptor now you're only allowed to do I octal and really you can't write to it for instance and then we also limit which I'll close you're allowed to do and this has to be done this way can be done in a sort of a global old system way because the IOC tools which tools you are allowed to use and interpretation of those numbers and I want to place you talking to so this limits that input interface you no longer allowed to just write stuff bacteria not allowed to do I Octel's that we don't want you to be able to do so this is in the set up phase before you stop processing untrusted data then the output
is this dump file and again similarly
were in this set up that temporary structure to say what you're allowed to create a dump file so you're allowed to do control on it truncated couple of other things and of course right to it and that's
it and then finally we enter capability
mode so 1st you do some set up you initialise things and then you limit yourself and so that you have your input output you can only use them for those purposes the you enter capabilities of at this point tcpdump is not allowed to open any new files so this point
if you have see that evil traffic
and you managed to well we have put this barrier around so that if you manage to compromise the packet parsing while you're still able to correct the output file because you're allowed to write to the output file but but that's it you certainly can't do arbitrary things in memory
or on disk so whenever you can't access other applications you can do things as root that you otherwise might be able to do it now that's a very nice simple
model but it's actually slightly more complex because what sometimes you're reading from an input file because you want to record stuff and you want to read it so we do a similar
sort of thing as for the idea that it's at this time much simpler you just get read on that
file and or sometimes you want
to write to multiple output files because you achieve a director in you have you want each dump file to be so large and rotate that sort of
thing and so again using kept them this is a fairly straightforward thing to do because we can give you a capability to the directory
so in this dump infrastructure that we haven't tcpdump while we just had a file descriptor for the directory and we arrange for you to
have a the appropriate right on that directory only so that then later but we used open rather than opening a new file with normal call so you're allowed to write stuff in that output directory being allowed to write stuff anywhere else in the file system so that looks pretty good and then the
question is alright well are we all done
now not all at this point if you pass the packet and something evil happens you exploit a vulnerability you can write into the dump output directory and that looks pretty good and for freebies BSD 10 at this point we're
done because this is as far as we kind of can go up but the trouble is there's a limitation when it comes to name resolution so if you change your name server part way through execution or something there's no way to open a new socket to talk to the name server and resolve names so this is an example of the kind of problem that larger more complex higher level applications tend to have and this is why I something that Pavel is working on at the moment and as well has done a lot of work on you can see it in the in the head at the moment of is a
service called Caspar the capability services provider also known as the friendly Ghost a little bit like a demon but the ghost in slightly different and the idea here is that we provide what is In some ways almost a cross between a runtime wintering D-Bus a service that provides these higher-level services of that itself understands how to limit those services so in the tcpdump
case you'll see code that only applies for free BSD 11 current and head but where if we have this capability DNS provided that instead of doing get by either in the normal way we'll do it um proxying through Caspar uh
will rather will last desperate gives a handle to the capability DNS provider the reader but and this is how we get access to cast in the
1st place before winter capability mode that we can simply talk to Casper and we have ambient authority so let's do that and then we can open services and then we can limit what we do over those services so
much like the kernel API for capsicum provides a way of limiting limiting file-descriptor access and narrowing the
interfaces that you're allowed to use in a similar way Caspar does this for
services of a more abstract nature you write a service and it has a number of methods and you're able to restrict access to those methods so this way your lab you're able to have maps higher-level ideas about the program writes down into level software so what's next well currently there are a bunch of people who are working on this stuff so
in Cambridge and this is kind of started by Barbara and I came along and join him and then some folks from Google got involved and they did some work of this paper among other things that did fairly well but Google has also funded Pavel as jointly with previous foundation to put this into more based system application so we now have lots of things in the previous debate system they're using it and we also have the guy who's working at Google pretty much full time on the Linux support and so in some ways of and I'm leaving a meeting imaging going to Canada so I by so we hard for me to come to fast and in the future will take longer something on a plane and so it's being used in a number of places but we're quite interested
in acquiring more platforms and in more target so obviously previously on the dragonfly people have been looking at the at the eyes and we've encountered going back and forth and talking about stuff and just last week actually announced that the next version of SSH capsicums support on any platform that provides capsicum support currently just previously but others in the future and a number of other interesting people and companies that we talked to who are interested in the sort of thing but but were very much interested in getting this
API into other places as well and so the dead in K Free BSD people can benefit from it almost for free because there already running Odevene users based on the previous the kernel of what the GoboLinux export we would quite like that too can happen and we'll see I mean there's a certain amount of track record with Google getting patches into Linux and there's also the track record with Linux developers say not a good idea let us write it completely incompatible API to do very very similar things and and that's the sort of thing that could possibly happen but are also interested in more targets
things like so lots of reviews base system applications we would like it if every base system application or every network facing demon use capsicum to protect itself because basically anything that accepts on trusted content and that is anything that talks to the network among other things on could be exploited in that if something goes wrong and so we like all those applications to use these protections also like upstream things that we have done in a B grade if more upstream like open SSH were to adopt a capstone for those platforms that support it will we work on getting more platforms supported working on the chicken and the egg but also in the vein of Caspar were really interested in how you can map these low-level security concepts into higher level application frameworks so I did a little bit of proof of concept work when we're 1st doing the capsicum thing with I Q t of so that you could write a little cutie text editor so the thing that was completely oblivious a capsicum but the Qt libraries understood capsicum and sandboxes and how to ask for privileges through another mechanism and that sort of thing and so that was great and so that that kind of cute stuff would be nice and and also KDE is an interesting opportunity is the K I was slaves framework is actually a really really good fit for this kind of protection we say here's slave that's going off often speaking some network protocol and it would be nice if that I was slave exploded if it didn't get to do anything that I get to do but instead it just gets to you know crop the file that I get back for that sort of thing in which case you need to have another exploit in order to do arbitrary things as me and and so really were interested in more people adopting and using and collaborating
and so this is the web page where supposed to say he was like you but you can really see it but so it then there's the web page and there is a mailing list and from the web page you can get to all of the code and talk to friendly people who say that we would be love we love to help you understand how capsicum can be deployed in various places whether it's in applications or whether it's in distros or what have you and so yeah thank you for listening if
if and the question you mentioned that you have something to say about 2nd to shop is to show right but so it's a cult to use this kind of more sophisticated model of doing some call stuff or you can write like BPF style descriptions of the system calls that are allowed that sort of thing so the 2 pieces of capsicum 1 is the restricting what system called you can interact with and the other thing is restricting what you can do with a file descriptor and so succumbed to is something that allows you to do the 1st basically but when it comes to so David actually tried to use a comp 2 as the basis for the Linux capsicum support but the problem is it's basically system-call wrapper framework and any system call wrapper framework there are limitations around time of checked at use vulnerabilities and that sort of thing so we did a lot of work in order to try and make 2nd to support the sort of functionality but in the end it's a high it makes everybody uncomfortable cause there's no way to know that you got it right kind of thing so 1 thing that we were able to do by doing surgery deep in the previous the kernel is we could say OK here's the Afghan function this is the 1 place that you turn a file descriptor number into a pointer to instruct file therefore if we change the signature to that the compiler will tell us if we haven't changed all of the rest of the code that kind of thing and so techniques like that they require surgery deep in the kernel but on the other hand they allow you to have a pheromone of confidence that you've got all the corner cases i In the 2nd to model it's harder yeah but the so you through a high ported to to use that's going on and it was patents into complex but to make it easy you of the other programs of you guys planning the tool that can say statically analyze this is schools that program makes this a stochastic things that you can do to use it's funny you should ask that of that because we actually have a colleague of mine giving good girl who is in the next office to me at Cambridge is working on a static analysis framework that allows you to annotate code and say I think this code is dangerous but I think this is sensitive I think that I might put up some kind sandbox boundary here and that sort of thing and then you can ask the tool have i satisfied that policy that I would like to have before actually do all the work of converting things for sandbox and the other point about to be done and it is a very simplistic example you right 1 thing that it does nicely is that it does everything that requires privilege 1st and then it doesn't trusted stuff or does things of untrusted data and anything that fits that model is really easy to sandbox anything that's more complicated because you continually doing new things and you can't statically declare them that's where you have to have some kind of runtime support something like pastoral which kind of get you new privileges as you OK for the questions yeah I really think of 1st ladies 1st how they how much modifications their did you to enter today come along and was it mostly outer pondering on the scope Ontario was it part to the idea our the so I definitely the question really is you keep halving might only I who can't hear your microphone so yes so the changes were they touched a lot of places in the code but they weren't extensive changes so for instance the Afghan change that I described we basically said anywhere in the kernel that you do enough get you now have to do enough get that declares what rights you're supposed to have in order to do this after that so if you're doing operation that is morally reading from a file then you have to change a f signature it also have kappa reading somewhere that but that caused a lot of data because we use get all lot anywhere you interact with the file a cost a lot of data but on the were all very very simple do all the things that we did which were a little bit thorny I guess so we modify the name look up stuff in order to make sure that the open at relative to a capability stuff would work correctly and in particular we basically had disallowed doctor when you're incapability mode because of absent a universal locking scheme which would have to include like remote NFS servers things like that but it's there's a possibility of a race where you could get out so we had to do some work there disallow things some work in like the run-time linker but yeah but mostly in the kernel of it was kind of infrastructure stuff which is either the thing that takes a list of system calls and then generates the code that handles the system calls or things like of declaring rights that you need which is a small change times many hundreds of places and that kind of thing the it OK so the soul of even the program is uh this restricted access to catch some of them do these restrictions specialized of for system calls yes um so when you enter capability mode you can never leave it it's like Hotel California I guess and when you for your children will also be in that same OK so go for it don't you can around of the Dutch company where programs we already insight catch form like through integrated support in the shell or something like that right I think I couldn't quite hear me you just as I heard a great support in the shell of running a program at some books the running capsicum program which is unaware of the credit program which is the most capsicum inside the camps and some some books but by the means of restricting access by the caller program right yes um so it is definitely of interest and we've done a little bit of infrastructure work to do that so I'm currently poking the run-time linker to make it possible to run dynamically linked applications stop them from within a sandbox of basically instead of giving it an lD library past you give it your you open the directory descriptors for the library path and you put that in environment variable and then you exact and then it's able to go off and find libraries that way but and with that yeah there's definitely a big interest in the group of doing a capability aware shell where you could run lots of command line utilities particularly the simple ones but even some of the not so simple ones you want to be able to run without the them ever having see ambient authority and that would also be really nice if you're trying to do things like reproducible and deterministic builds because it's like well I can actually say definitely for sure these are all the files that the compiler accessed and it wasn't secretly going into uses the something something something something that I didn't know about but you know that kind of approach what there was the question here of up to get of here the and it would so the sandbox thing is that the easy sharing his heart and so what capsicum doesn't respect to sharing between sandboxed right so you have access to all the normal of Munich's IPC primitives so long as you set them up in a certain way so either it you know you can of open sockets Unix domain sockets and past descriptors over them and stuff but if you're accessing anything in the namespace and you have to have done that in advance of you can still do anonymous shared memory segments and that sort of thing you can from within a sandbox but you can create a share many shared memory segments along the does name it's an anonymous shared memory segment that only referenced by file-descriptor and then you pass that up up your parents and then the you so you can set of communications channels like that you can open the doors wide as you want to know but we want to start with the door being close to you have to be explicit about some of the things that you want to share rather than just implicitly assume the available and so yeah ascend often mechanism by itself is not the whole story is still have to write the code to you know do useful things and communicate with other bits but I just want to compare a little bit to pack armored running on Linux and I have 2 questions about that um many distributions that actually up our also have a small role tcpdump and I was wondering if you've ever done a comparison between that and the 1 the basically sandbox by capsicum and that in addition I was wondering is at all it would be possible to have a patch work for capsicum in a reasonable time frame right so so on the 1st question about that armor we did our main comparison of a bunch of different things in the context of chromium just as it already had all these different mechanisms and the thing about that promise basically in the same category as a Linux for this purpose is that you have to have a policy that you can describe statically see say tcpdump is only allowed output files into this directory or something but what you can do say after what has been done is allowed output files into the current working directory or something like that so a dynamic policy like that is much harder to express those tools and the yeah I mean the internal protection thing if you had a process space in him for Apache but that's the sort of thing where is the more than a it's it's a debatable point but I think it is much more natural fit for Apache and start his work and started capability mode and I'm going to give it access to this thing and this thing and this thing as opposed to trying to write some global policy definition where you have to change a Apache configuration and you also have to go to interact farmers stuff to say well and then a worker that has this security label attached to it which then also have to do elsewhere is only allowed to get things from bodily w slash my sight 1 the yeah so I have not fact Apache and myself but it is the sort of thing that should be doable from that that I have colleagues who hacked on Apache more including then of course it so but yeah so I think it should be a fairly good fit but don't section on the work but the next question nobody OK but to this and and what the the the head of a host of very different ways of work the use of this is areas and vision of as gypsy good is but through the is that ending convexity in completely the needs to know the status in the history of free and it took part in the things that changes sitting on capsicum adding complexity in complexity being the enemy of security and so basically what 1st of all the applications it really doesn't have much complexity and infer chrome which is a fairly complicated application we had a hundred lines of code which just said take these fall descriptors that we already have opened limit them then enter capability mode in the kernel we have at well weeping diff in the kernel but it didn't actually have a lot of complexity of there was a bit more declaration of intent of where you had to say you must hold the and that capability must have the in that right on this file descriptor in order to open that sort of thing I yeah it was restriction so we're very careful to only restrict things but never to open them up more and so it is decomposable model in that way I and actually didn't really make the kernel significantly more complicated is 1 of the reasons actually why the this can export based on to give us so much hesitation so much pause because it did at a lot of complexity because you gave it had had had to add this whole framework for doing time of checked time use the yeah race condition checking stuff where you would hold onto additional things that you otherwise wouldn't and then release them at the right time but the several points were could be the right time and was a lot of complexity that was required of and this is part of why we're quite concerned about that approach that OK any more questions the and guess further on that point is the so the complexity thing we we made quite simple changes have previously kernel we like to make exactly the same simple changes to the Linux kernel however that involves things that are in Linux Security Module and our current read of the situation that might be politically very difficult to do but it could be that we can get a distro interested in applying patches and saying actually a simple much simpler patches less complex than they had an important security benefit correct the more questions no more questions we thank you very much thank you for your few