BSDCan2014 - Final
BSDCan 2014
The Technical BSD Conference
| Speakers | |
|---|---|
|
Mariusz Zaborski |
|
Pawel Jakub Dawidek |
| Schedule | |
|---|---|
| Day | Talks - Day 1 - Fri May 16 - 2014-05-16 |
| Room | Montpetit 202 |
| Start time | 13:30 |
| Duration | 01:00 |
| Info | |
| ID | 486 |
| Event type | Lecture |
| Track | Security |
| Language used for presentation | English |
Capsicum and Casper - more than a lipstick on a pig
Don't build security on hacks
Capsicum and Casper are FreeBSD proposal for a clean, robust and intuitive application compartmentalization. Today's sandboxing techniques build on top of existing technologies that weren't really designed for this sort of protection (like chroot(2), rlimit(2), setuid(2), Mandantory Access Control, etc.). Capsicum and Casper provide rich infrastructure for breaking applications into multiple useful sandboxes and thus significantly reducing Trusted Computing Base.
Capsicum is a lightweight OS capability and sandbox framework implementing a hybrid capability system model. The Casper daemon enables sandboxed application to use functionality normally unavailable in capability-mode sandboxes.
The talk will discuss Capsicum framework, Casper daemon and its services. It will provide introduction based on already implemented examples to those new FreeBSD features. The talk will also present existing portable sandboxing implementations to give clear picture how hacky those solutions are.