Capsicum: practical capabilities for UNIX
|Newsflash - October 2013: Google has announced Capsicum for Linux, an adaptation of the Linux kernel to support Capsicum capability mode, capabilities, and process descriptors.|
|Newsflash - September 2013: The Google Open Source Programs Office has posted a blog article on open-source security, including their support for Capsicum.|
|Learn more about Capsicum by watching our USENIX Security Symposium talk on YouTube|
Capsicum is a lightweight OS capability and sandbox framework developed at the University of Cambridge Computer Laboratory, supported by a grant from Google. Capsicum extends the POSIX API, providing several new OS primitives to support object-capability security on UNIX-like operating systems:
- capabilities - refined file descriptors with fine-grained rights
- capability mode - process sandboxes that deny access to global namespaces
- process descriptors - capability-centric process ID replacement
- anonymous shared memory objects - an extension to the POSIX shared memory API to support anonymous swap objects associated with file descriptors (capabilities)
- rtld-elf-cap - modified ELF run-time linker to construct sandboxed applications
- libcapsicum - library to create and use capabilities and sandboxed components
- libuserangel - library allowing sandboxed applications or components to interact with user angels, such as Power Boxes.
- chromium-capsicum - a version of Google's Chromium web browser that uses capability mode and capabilities to provide effective sandboxing of high-risk web page rendering.
The Capsicum prototype was developed on FreeBSD 8.x, and released under a BSD license to encourage open source, research, and commercial deployment. We hope that Capsicum will make it easier for software developers and researchers to use capability-based security in operating systems and applications. Capsicum has now shipped as an "experimental" feature in FreeBSD 9.0!
To demonstrate Capsicum, we have added self-compartmentalization to a number of UNIX applications and core system libraries, including tcpdump's packet processing and rendering, and data compression using gzip. We have also augmented existing privilege separation in OpenSSH and dhclient using Capsicum, substituting strong capability-mode sandboxes for those based on the porous UNIX chroot() API. In collaboration with Google, we have adapted the Chromium web browser to use Capsicum, showing significant programmability and security benefits over its existing use of UNIX security primitives.
In order to explore the relationship between user interface security and capability models, we have begun creating user agents, or angels, which grant capabilities to sandboxed processes based on user interaction. This includes a KDE-based PowerBox scheme allowing sandboxed applications to request user-driven file open using standard dialogs. You can read more about this and other on-going Capsicum-related projects to make capability-based security more accessible to mainstream desktop and applications on the Projects page.