Researchers Release Capsicum, New Sandbox Framework

As applications have become more and more complex in recent years and Web browsers have evolved into operating systems unto themselves, the task of securing desktop environments has become increasingly difficult. And while there’s been quite a bit of innovation on Windows security, advances in Unix security have been less common of late. But now, a group of researchers from Google and the University of Cambridge in England have developed a new sandboxing framework called Capsicum, designed specifically to provide better security capabilities on Unix and Unix-derived systems.


Capsicum is the work of four researchers at Cambridge; the framework extends the POSIX API and introduces a number of new Unix primitives intended to isolate applications and users and to handle rights delegation more cleanly. The research, done by Robert N.M. Watson, Ben Laurie, Kris Kennaway and Jonathan Anderson, was supported by Google, and the researchers have added some of the new Capsicum features to a version of Google’s Chromium browser in order to demonstrate the functionality.

“Capsicum responds to the trend of application compartmentalisation (sometimes called privilege separation) by providing strong and well-defined isolation primitives, and by facilitating rights delegation driven by the application (and eventually, user). These facilities prove invaluable, not just for traditional security-critical programs such as tcpdump and OpenSSH, but also complex security-aware applications that map distributed security policies into local primitives, such as Google’s Chromium web browser, which implements the same-origin policy when sandboxing JavaScript execution,” Watson said in a blog post about the research, which was presented at the USENIX Security Symposium Wednesday in Washington.

Capsicum is currently targeted at FreeBSD 8.x, and the researchers expect it to be included in the upcoming 9.x release. The thinking behind the framework rests on the premise that most applications and processes on modern systems hold far more privilege and access than they need. Sandboxing, which separates applications from the OS so that malicious code exploiting a vulnerability in one program cannot affect others, has become a popular technique for addressing this problem, but the Cambridge and Google researchers found a number of limitations in most sandbox models.

“In order to protect user data from malicious JavaScript, Flash, etc., the Chromium web browser is decomposed into several OS processes. Some of these processes handle content from untrusted sources, but their access to user data is restricted using DAC or MAC mechanisms (the process is sandboxed). These mechanisms vary by platform, but all require a significant amount of programmer effort (from hundreds of lines of code or policy to, in one case, 22,000 lines of C++) and, sometimes, elevated privilege to bootstrap them. Our analysis shows significant vulnerabilities in all of these sandbox models due to inherent flaws or incorrect use (see Section 5). Capsicum addresses these problems by introducing new (and complementary) security primitives to support compartmentalisation: capability mode and capabilities,” they write in their paper on Capsicum.


The specifics of Capsicum’s design:

  • capabilities – refined file descriptors with fine-grained rights
  • capability mode – process sandboxes that deny access to global namespaces
  • process descriptors – capability-centric process ID replacement
  • anonymous shared memory objects – an extension to the POSIX shared memory API to support anonymous swap objects associated with file descriptors (capabilities)
  • rtld-elf-cap – modified ELF run-time linker to construct sandboxed applications
  • libcapsicum – library to create and use capabilities and sandboxed components
  • libuserangel – library allowing sandboxed applications or components to interact with user angels, such as Power Boxes
  • chromium-capsicum – a version of Google’s Chromium web browser that uses capability mode and capabilities to provide effective sandboxing of high-risk web page rendering
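The two core primitives above, capabilities and capability mode, fit together in a single pattern: acquire the descriptors you need while global namespaces are still reachable, narrow their rights, then enter capability mode for the rest of the process lifetime. The program below is an added example, not code from the paper or from the Capsicum project; it uses the FreeBSD API as it later shipped (cap_rights_limit and cap_enter) rather than the cap_new prototype of the 2010 paper, and the helper names enter_sandbox and sandboxed_read, the sample file and the HAVE_CAPSICUM guard are this example's own.

```c
/* Added example (not from the paper or article): open first, then sandbox,
 * with FreeBSD's cap_rights_limit(2)/cap_enter(2); elsewhere it runs unsandboxed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#else
#define HAVE_CAPSICUM 0
#endif
/* Narrow fd to read+fstat rights, then put the whole process into capability
 * mode. Returns 1 when sandboxed, 0 when Capsicum is unavailable, -1 on error. */
int enter_sandbox(int fd) {
#if HAVE_CAPSICUM
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) < 0 || cap_enter() < 0) return -1;
    return 1;
#else
    (void)fd;
    return 0;
#endif
}

/* open() is a global-namespace lookup, so it must happen BEFORE cap_enter().
 * Afterwards read() on the retained fd still works, but on FreeBSD open()
 * fails with ECAPMODE (capability mode has no global namespaces) and write()
 * fails with ENOTCAPABLE (CAP_WRITE was not granted). Returns bytes read or -1. */
ssize_t sandboxed_read(const char *path, char *buf, size_t len,
                       int *mode, int *open_err, int *write_err) {
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    if ((*mode = enter_sandbox(fd)) < 0) { close(fd); return -1; }
    ssize_t n = read(fd, buf, len);
    int probe = open(path, O_RDONLY);
    *open_err = probe < 0 ? errno : 0;
    if (probe >= 0) close(probe);
    *write_err = write(fd, "x", 1) < 0 ? errno : 0;
    close(fd);
    return n;
}

int main(int argc, char **argv) {                 /* usage: ./a.out FILE */
    char buf[64]; int mode = 0, oe = 0, we = 0;
    ssize_t n = argc > 1 ? sandboxed_read(argv[1], buf, sizeof buf, &mode, &oe, &we) : -1;
    printf("read=%zd sandboxed=%d open_errno=%d write_errno=%d\n", n, mode, oe, we);
    return n < 0;
}
```

On FreeBSD the probes report ECAPMODE and ENOTCAPABLE while the read still succeeds; on any other system both probes succeed, which is exactly the gap the framework is meant to close.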

While the initial research on Capsicum was prioritized for FreeBSD, the researchers said that work is also underway at Google to port the framework to Linux.
