Tag Archives: FreeBSD 9 Capsicum
At the USENIX security conference held in Washington, DC last week, a group of researchers presented a new sandbox framework for lightweight operating systems called Capsicum. Developed by the University of Cambridge with a grant from Google, Capsicum will help to better protect Unix-derived systems as well as Chrome browser and Chrome OS.
Essentially, what this provides is a better framework for developers because they don’t have to spend so much time with security delegation in their own web applications.
“Privilege separation is a pattern that has been adopted for applications such as OpenSSH, Apple’s SecurityServer, and, more recently, Google’s Chromium web browser. Compartmentalisation is enforced using various access control techniques, but only with signiﬁcant programmer effort.”
“Capsicum addresses these problems by introducing new (and complementary) security primitives to support compartmentalisation: capability mode and capabilities”.
The UNIX-compliant FreeBSD 9 will integrate Capsicum when it is released. Capsicum features are even expected to hit the Chromium browser at some point for testing; at USENIX the researchers showed off a version of Chromium with the framework installed.
Seeing that the research was supported by Google and will be included into operating systems, it’s safe to say that Capsicum will also be a part of Chrome, further reducing the amount of coding developers have to do in order to allow webapps to be secure. Instead, Chrome will be able to handle all of the different requests that come to it via the web, and act accordingly.