Bernstein wrote qmail, which can safely claim to be the first modern least-privilege mail server design, and one of the first modern least-privilege designs of any sort. qmail tries to derive some additional security from splitting up its activities into multiple components running with different credentials. Despite qmail's extremely impressive security record (it is one of the most impressive bits of secure code ever written), Bernstein considers his privilege-separation experiment a failure.
http://cr.yp.to/qmail/qmailsec-20071101.pdf
The problem is that minimizing the capabilities of a computer program often just moves the goalposts for an attacker. Too many times, unexpectedly conceding to an attacker some privileges on a target results in a compromise of all meaningful privileges, because attackers can use those new privileges to launch further attacks.
The problem is even harder in modern web applications, because breaking the operating system almost doesn't matter; all the attacker really needs is a working handle on the database.
To take an example the Capsicum people are fond of: Decompression. zlib has a long history of vulnerabilities in decompression of corrupt data, so it's a natural thing to run inside a sandbox. djb's argument is "but a vulnerability in zlib is still bad because it can return incorrect output", which is true as far as it goes, but it completely misses the important point that it prevents the attacker from accessing anything not inside zlib's sandbox -- say, connections to a database.
> "but a vulnerability in zlib is still bad because it can return incorrect output" which is true as far as it goes, but it completely misses the important point that it prevents the attacker from accessing anything not inside zlib's sandbox -- say, connections to a database.
Bernstein's mailing list software recovered multiple Unix servers for us at EnterAct; we ended up delegating them to a 486SX.
djb's stance seems to require "avoiding bugs," a laudable bug extremely difficult goal for most programmers. Capsicum aims to make it easy to minimize the damage possible if a bug is exploited. Capsicum-enabled gzip is a good example: an exploit in the decompression code is limited to modifying the content of the output stream.
My bigger bone to pick here is that the security frontier has shifted; we're no longer as interested in the border between applications and the operating system as we are in the border between different pieces of application code, and the border between the application and the database.
Fun times. We've all grown up since then, I think, self included. I think.
There's a nice explanation of concurrency vulnerabilities in chapter 2 of Robert Watson's thesis, and a comparison of Capsicum vs other security mechanisms in chapter 5. It's worth looking at, if you're interested in these issues:
Capsicum is a lightweight OS capability and sandbox framework developed at the University of Cambridge Computer Laboratory, supported by a grant from Google. Capsicum extends the POSIX API, providing several new OS primitives to support object-capability security on UNIX-like operating systems:
* capabilities - refined file descriptors with fine-grained rights
* capability mode - process sandboxes that deny access to global namespaces
* process descriptors - capability-centric process ID replacement
* anonymous shared memory objects - an extension to the POSIX shared memory API to support anonymous swap objects associated with file descriptors (capabilities)
* rtld-elf-cap - modified ELF run-time linker to construct sandboxed applications
* libcapsicum - library to create and use capabilities and sandboxed components
* libuserangel - library allowing sandboxed applications or components to interact with user angels, such as Power Boxes.
* chromium-capsicum - a version of Google's Chromium web browser that uses capability mode and capabilities to provide effective sandboxing of high-risk web page rendering.
There's also a video of Robert Watson's 2010 Capsicum talk at http://www.youtube.com/watch?v=raNx9L4VH2k
Edited to add: The FreeBSD Foundation plans to significantly increase spending on projects (such as this one) as well as full-time staff members in 2013: https://news.ycombinator.com/item?id=5564478