BSDCan2016 - v1.1.24a

BSDCan 2016
The Technical BSD Conference

Mariusz Zaborski
Day Talks #1 - 10 June - 2016-06-10
Room DMS 1140
Start time 11:15
Duration 01:00
ID 661
Event type Lecture
Track Security
Language used for presentation English

Capsicum and Casper

A fairy tale about solving security problems

Capsicum is a sandbox framework in the FreeBSD operating system, based on the capability concept. Programs running in a sandbox do not have access to any global namespaces. For some applications this limitation may be too restrictive. So how do developers handle those exceptions with Capsicum?

Capsicum is a lightweight OS capability and sandbox framework implementing a hybrid capability system model.

As mentioned above, after entering the sandbox we don't have access to any global namespaces (such as path names, so we can't open files by path inside the sandbox).

The main idea behind Casper is to replace standard libc functions (those which use global namespaces) with wrappers that allow those functions to be used in sandboxed programs in a secure and controlled way. When Casper was first implemented it was a daemon in the operating system (called casperd(8)). But this implementation created a lot of problems, because the zygotes inherited all capabilities from the daemon, not from the process that used them. The author's recent work was to change the Casper architecture: the better approach is to fork the zygotes from the original process that runs them. This is how libcasper was created. The implementation was made possible by mechanisms such as pdfork(2), which allows us to fork from inside another process without fear that the child will interfere with the program's standard wait(2) functions.

The talk will cover the basics of the Capsicum architecture and compare it to well-known security frameworks such as seccomp and to newer models like pledge. The main part of the talk will be a presentation of Casper and its architecture: the old one, in which Casper is a daemon, and the new one, in which we transformed it into a library.