Capsicum: practical capabilities for UNIX

Capsicum - Publications and Documentation

Capsicum is an experimental and rapidly evolving system, so documentation on how to use and develop it is as-yet limited. As papers and manual pages become available, we will put them up here.

Papers and Articles

• Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. Capsicum: practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium, Washington, DC, August 2010. (Best Student Paper, Most Notable Publication 2011 - Cambridge Ring)
• Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. Introducing Capsicum: practical capabilities for UNIX. In ;login: Magazine, December 2010, Volume 35, Number 6.

Talks

• Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. Capsicum: practical capabilities for UNIX. Presented at 19th USENIX Security Symposium, Washington, DC, August, 2010. Recording available on YouTube.
• Watson, R. N. M. and Anderson, J. Connecting the Dot Dots: Model Checking Concurrency in Capsicum. Presented at 4th International Workshop on Analysis of Security APIs, Edinburgh, Scotland, July 2010.

Documentation

• cap_enter(2) - Capability mode system calls
• cap_new(2) - System calls to manipulate capabilities
• pdfork(2) - System calls to manage process descriptors
• rtld-elf-cap(3) - Capability-mode run-time link editor
• libcapsicum(3) - Library interface to capability-mode services
• libcapsicum_fdlist(3) - Library interface to capability-mode services -- file descriptor management API
• libcapsicum_host(3) - Library interface to capability-mode services -- host API
• libcapsicum_sandbox(3) - Library interface to capability-mode services -- sandbox API