[cap-talk] Sandboxing and POLA News

Cliffe cliffe at ii.net
Tue Dec 29 20:31:40 PST 2009


Toby Murray wrote:
> Hi all cap-talkers,
>
> I wanted to mention a couple of things I've come across recently that
> I thought might interest some here.
>
> Firstly, a new sandboxing system for Linux has just been announced
> called FBAC-LSM [1]. FBAC-LSM is unique compared to most other
> sandboxing and least-privilege systems (such as AppArmor, SELinux
> etc.) because it allows one to create parameterised, hierarchical
> policy abstractions that make instantiating policy for a particular
> application much easier than competing approaches.
>
> (Note: these "abstractions" are not the same thing that Mark Miller
> and Jonathan Shapiro talk about in "Paradigm Regained". They are not
> object-based abstractions for enforcing security policy. Instead,
> FBAC-LSM has a policy language that allows one to create reusable,
> parameterised chunks of policy. These chunks of policy are naturally
> abstractions since they can refer to other policy chunks etc.)
>
> While it is not capability-based, FBAC-LSM looks very interesting.
> Much of the philosophy that underpins it will be familiar to many on
> this list.
>
> Secondly, a new website [2] and mailing list [3] has been set-up by
> Michael Stone (who was responsible for implementing the OLPC sandboxing
> system IIUC) to discuss sandboxing and systems for running
> applications with limited privileges.
>
> Cheers
>
> Toby
>
> [1] http://schreuders.org/FBAC-LSM
> [2] http://sandboxing.org/
> [3] http://lists.sandboxing.org/listinfo/sandboxing-talk
>   
Thanks for the CC Toby. I CCed the new sandboxing mailing list to 
introduce FBAC-LSM to them also.

I would like to add a few points about FBAC-LSM:

FBAC-LSM is designed to provide finely grained controls over 
applications based on the features they provide. Most users can leave 
the creation of the policy abstractions (which are known as 
/functionalities/) to experts. What this means is that users can use 
these functionalities to confine applications using high level security 
goals. For example to confine Firefox a user can assign the Web_Browser 
functionality. The /parameters/ specify application-specific details and 
can usually be automatically discovered by the Policy Manager graphical 
tool. In this case this would include the location of directories to 
download to and hosts to connect to.

One of the unique things about FBAC-LSM is that a policy can be created 
which specifies the resources a program is authorised to access without 
first running the program. Most other systems which provide finely 
grained application-oriented access controls (such as Systrace, AppArmor 
and SELinux) require the person creating the policy to vet the actions 
of the program being confined. This approach is very prone to error, as 
most users do not have the expertise to vet low level program activity. 
Because abstractions are used which can represent high level goals, 
users can more easily manage FBAC-LSM. I have conducted a usability 
study which shows FBAC-LSM is easier to use and results in improved 
security, compared to SELinux and AppArmor.

FBAC-LSM can also provide discretionary (user-defined) and 
non-discretionary (admin defined) policies.

Please check out the website for more information and a video demo: 
http://schreuders.org/FBAC-LSM

I would love to discuss this further so please let me know if you have 
any queries.

Cheers,

Cliffe.
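An added example, not part of the original message and not FBAC-LSM's own policy language: a toy Python model of the idea the reply describes, reusable policy chunks ("functionalities") that take parameters and include other functionalities, expanded into concrete rules before the confined program is run. The functionality names, the {param} template syntax, the rule shapes and the Firefox parameter values are all assumptions made for this illustration.

```python
"""Toy model of parameterised, hierarchical policy abstractions.

Constructed for illustration only: the functionality names, the {param}
template syntax, the rule shapes and the parameter values below are
assumptions for this example, not FBAC-LSM's policy language.
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PLACEHOLDER = re.compile(r"\{(\w+)\}")


@dataclass(frozen=True)
class Rule:
    """One concrete, enforceable permission."""
    kind: str            # "file" or "net"
    target: str          # path glob or host pattern
    ops: frozenset       # e.g. {"read", "write"} or {"connect"}


@dataclass
class Functionality:
    """A reusable chunk of policy: rule templates plus included children."""
    name: str
    params: tuple        # parameter names an instantiation must supply
    rules: list          # (kind, target template, ops) with {param} holes
    includes: list = field(default_factory=list)  # (child, {child param: template})


LIBRARY = {}            # the expert-maintained library of functionalities


def define(f):
    LIBRARY[f.name] = f
    return f


# Low-level building blocks (hypothetical names and rules).
define(Functionality("Shared_Libraries", (),
       [("file", "/lib/*", {"read"}), ("file", "/usr/lib/*", {"read"})]))
define(Functionality("File_Downloader", ("download_dir",),
       [("file", "{download_dir}/*", {"read", "write"})]))
define(Functionality("Network_Client", ("hosts",),
       [("net", "{hosts}", {"connect"})]))

# A high-level goal composed from the blocks; its parameters are threaded
# down to the children it includes.
define(Functionality("Web_Browser", ("download_dir", "hosts"),
       [("file", "/etc/fonts/*", {"read"})],
       includes=[("Shared_Libraries", {}),
                 ("File_Downloader", {"download_dir": "{download_dir}"}),
                 ("Network_Client", {"hosts": "{hosts}"})]))


def expand(template, args):
    """Fill the single {param} hole in a template, once per parameter value."""
    names = PLACEHOLDER.findall(template)
    if not names:
        return (template,)
    if len(names) > 1:
        raise ValueError("this toy supports one placeholder per template")
    name = names[0]
    return tuple(template.replace("{%s}" % name, v) for v in args[name])


def instantiate(name, args, depth=0):
    """Expand a functionality and everything it includes into concrete rules.

    Parameter values are tuples of strings; a template yields one rule per
    value. A missing parameter is an error, so the policy can be checked
    for completeness before the confined program is ever run.
    """
    if depth > 32:
        raise RecursionError("cyclic include in functionality %r" % name)
    f = LIBRARY[name]
    missing = set(f.params) - set(args)
    if missing:
        raise ValueError("%s needs parameters: %s" % (name, sorted(missing)))
    rules = set()
    for kind, template, ops in f.rules:
        for target in expand(template, args):
            rules.add(Rule(kind, target, frozenset(ops)))
    for child, binding in f.includes:
        child_args = {k: expand(v, args) for k, v in binding.items()}
        rules |= instantiate(child, child_args, depth + 1)
    return rules


def allowed(rules, kind, target, op):
    """Default-deny check: is (kind, target, op) covered by some rule?"""
    return any(r.kind == kind and op in r.ops and fnmatchcase(target, r.target)
               for r in rules)


def firefox_policy():
    """Instantiate the Web_Browser goal with constructed app-specific details."""
    return instantiate("Web_Browser", {
        "download_dir": ("/home/alice/Downloads",),
        "hosts": ("*.example.org", "updates.example.net"),
    })


if __name__ == "__main__":
    policy = firefox_policy()
    for r in sorted(policy, key=lambda r: (r.kind, r.target)):
        print(r.kind, r.target, sorted(r.ops))
    print(allowed(policy, "file", "/home/alice/.ssh/id_rsa", "read"))
```

The point the toy makes is the one in the reply: the person confining Firefox supplies only the download directory and the hosts, and the full rule set falls out of the expert-written abstractions, so there is no need to trace the program's low-level activity to produce it. Anything the expansion does not cover (here, a read of ~/.ssh/id_rsa) is denied by default.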