Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Capsicum for Usability and Performance Ben Farley.

Published byJacob Carroll Modified over 7 years ago

Similar presentations

Presentation on theme: "Analyzing Capsicum for Usability and Performance Ben Farley."— Presentation transcript:

1 Analyzing Capsicum for Usability and Performance Ben Farley

2 Motivation  Security is important  Rise in large-scale cyber attacks (i.e. Stuxnet)  Software is written by programmers  Security is only as good as they can make it  Software is big  Programs get very hard to analyze and understand as they get bigger

3 The Problem  Security is difficult!  Ideal: simple-to-use security  Intuitive, makes sense to developers  Doesn't hurt functionality of programs  Provides security without too much extra complexity  Even more ideal: simple-to-migrate?

4 Outline  Evaluation Criteria  Capsicum  Performance  Usability  Limitations  Conclusion

5 Evaluation Criteria  Performance  Programmer usability  (Also important: is it secure?)  Example: server hosting files

6 Capsicum  Provides new security primitives for UNIX  Capability  Unforgeable token of authority  Replaces file descriptors when accessing resources  Holding a capability is sufficient to allow access to a resource  Capability mode  Limits access to global namespace  Can only use what you already had  Library that provides more complicated functionality

7 Performance  Is it fast (or is it not slow?)  Principle: reasonable to take a minor performance hit for improved security  More complicated calls = more overhead  How much more?  When and where?

8 Performance System call Time taken (in microseconds)

9 Performance Time taken (in microseconds)

10 Performance  Certain calls have significant overhead  Certain calls have none  Real application?

11 Usability  Server example  Security policy: clients can only access their files on the file system  Server thread accepts requests, spawns workers as it receives them Better: thread pool?  Limited interaction between worker and server  Most communication between client and worker Via sockets (capabilities)  Workers untrusted

12 Usability ServerWorker Client Request Do work Done Spawn worker Get capabilities Start sandbox Normal Server and WorkerCapsicum Server and Worker

13 Server performance Time taken (in milliseconds)

14 Usability  Not intuitive or easy to learn  Poor documentation  Some arbitrary choices on implementation  But! Automatable?  Specific (limited) points of interest open(), fork(), etc  Most things stay the same read(), write(), close(), etc  Can get away with looking only at types of things you might want to modify

15 Limitations  Cannot “revoke” capabilities ServerWorker Client Request Do work Get job Done Revoke capabilities Get job Send capabilities Security policy violated!

16 Limitations  Somewhat ad hoc implementation  Send capabilities = normal IPC message, but tack on some stuff Good and bad  Root-level attacker = bad news

17 Conclusion  Provides good functionality  Slight performance hit  Slight usability hit  But programming languages people should be able to fix/help this

18 Thanks!

Download ppt "Analyzing Capsicum for Usability and Performance Ben Farley."

Similar presentations

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Usage of the memoQ web service API by LSP – a case study

Usage of the memoQ web service API by LSP – a case study
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,

Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
28.2 Functionality Application Software Provides Applications supply the high-level services that user access, and determine how users perceive the capabilities.

28.2 Functionality Application Software Provides Applications supply the high-level services that user access, and determine how users perceive the capabilities.
Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.

Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.
1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.

1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.
Group Communications Group communication: one source process sending a message to a group of processes: Destination is a group rather than a single process.

Group Communications Group communication: one source process sending a message to a group of processes: Destination is a group rather than a single process.
Hidden Terminal based Attack, Diagnosis and Detection Yao Zhao, Leo Zhao, Yan Chen Lab for Internet & Security Tech, Northwestern Univ.

Hidden Terminal based Attack, Diagnosis and Detection Yao Zhao, Leo Zhao, Yan Chen Lab for Internet & Security Tech, Northwestern Univ.
Maintenance = Software Evolution Any changes after the client has accepted the product is considered maintenance. n Any Changes? n What might these be?

Maintenance = Software Evolution Any changes after the client has accepted the product is considered maintenance. n Any Changes? n What might these be?
Understanding Factors That Influence Performance of a Web Server Presentation CS535 Project By Thiru.

Understanding Factors That Influence Performance of a Web Server Presentation CS535 Project By Thiru.
A Framework for Smart Proxies and Interceptors in RMI Nuno Santos P. Marques, L. Silva CISUC, University of Coimbra, Portugal

A Framework for Smart Proxies and Interceptors in RMI Nuno Santos P. Marques, L. Silva CISUC, University of Coimbra, Portugal
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Highly Available ACID Memory Vijayshankar Raman. Introduction §Why ACID memory? l non-database apps: want updates to critical data to be atomic and persistent.

Highly Available ACID Memory Vijayshankar Raman. Introduction §Why ACID memory? l non-database apps: want updates to critical data to be atomic and persistent.
1 Chapter 28-29 Client-Server Interaction. 2 Functionality  Transport layer and layers below  Basic communication  Reliability  Application layer.

1 Chapter Client-Server Interaction. 2 Functionality  Transport layer and layers below  Basic communication  Reliability  Application layer.
1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.

1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.
Least-Privilege Isolation: The OKWS Web Server Brad Karp UCL Computer Science CS GZ03 / M030 12 th December, 2008.

Least-Privilege Isolation: The OKWS Web Server Brad Karp UCL Computer Science CS GZ03 / M th December, 2008.

Similar presentations

Ads by Google