Capsicum and Casper

Capsicum is a lightweight OS capability and sandbox framework implementing a hybrid capability system model.

As mentioned before after entering the sandbox we don’t have access to any global namespaces (such as path names, so we can’t open files in a sandbox).

The main idea behind Casper is to replace standard libc functions (those which are using global namespaces) with wrappers which allow for using those functions in sandboxed programs in secure and controlled way. When Casper was first implemented it was a daemon in operating system (called casperd(8)). But this implementation created a lot of problems because zygotes inherits all capabilities from the daemon not from the process which will use it. Author recent work was to change Casper architecture. The best way will be forking zygotes from the original process which run it. This is how libcasper was created. The implementation was possible thanks to mechanism like pdfork(2), which allows us to fork inside the other process but without being afraid that it will react with standard wait(2) functions.

The talk will cover Capsicum architecture basics and compare it to well known security frameworks such as seccomp and to new models like pledge. The main part of the talk will be presentation of Casper and its architecture. Old one in which Casper is a demon and new one in which we transformed it into a library.