undefined | Better HN

0 pointstptacek13y ago0 comments

I don't think I disagree, but for the sake of argument, if the cost of addressing flaws with progressively pickier authorization controls exceeds the cost of eradicating bugs, that's not a success for least-privilege.

My bigger bone to pick here is that the security frontier has shifted; we're no longer as interested in the border between applications and the operating system as we are in the border between different pieces of application code, and the border between the application and the database.

0 comments

6 comments · 3 top-level

cperciva13y ago· 2 in thread

And my point is that capsicum is a way to impose boundaries between different parts of a single application.

tptacekOP13y ago

Neat. Can you say a little more about that?

cperciva13y ago

Not really -- I'm not involved with capsicum, either as a developer or as a user (yet... I'm waiting for this project to make it easier for me to integrate capsicum into my code). What I know is just based on talking to the people behind capsicum.

The best information is on the Capsicum website: http://www.cl.cam.ac.uk/research/security/capsicum/

Particularly interesting bits:

chromium-capsicum - a version of Google's Chromium web browser that uses capability mode and capabilities to provide effective sandboxing of high-risk web page rendering.

Library self-compartmentalization - we are adapting a number of commonly-used libraries, such as compression and image processing libraries, to automatically execute risky portions of their code in capability mode sandboxes. This will allow largely or entirely unmodified applications, such as web browers, to benefit from lightweight and easy-to-deploy sandboxing.

jfb13y ago· 1 in thread

There was a recent XKCD cartoon that touched on this; the focus on separation of privilege has historically been couched in terms of protecting one user from another. But the overwhelming majority of computing devices being sold are no longer multiuser, even as they maintain the outdated modalities.

I'm not happy that my single-user machine even has the concept of multiple users; that is way, way, way too coarse a level of granularity for privilege separation.

emaste13y ago

Indeed, this is one of the things Capsicum is intended to address.

Quoting from Robert Watson's PhD thesis, "A purely system-centric view, however, fails to address the observation that the security interactions of "users" are decreasingly central: desktop and notebook computers, tablet PCs, and smart phones typically have exactly one user."

...

"Capsicum addresses these problems by introducing new (and complementary) security primitives to support compartmentalisation: capability mode and capabilities. Capsicum capabilities should not be confused with operating system privileges, occasionally referred to as capabilities in the OS literature. Capsicum capabilities are an extension of UNIX file descriptors, and reflect rights on specific objects, such as files or sockets. Capabilities may be delegated from process to process in a granular way in the same manner as other file descriptor types: via inheritance or message-passing."

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-818.html

trotsky13y ago

If you're not primarily spending time doing audits on n-tier web and enterprise, I'm not sure how inclusive that is. At least for user devices os and interprocess defense along with chains of trust and mitigation via painless refresh is all pretty os centric. It's just not as rbac centric.

j / k navigate · click thread line to collapse