Declarative, Temporal, and Practical Programming with Capabilities
W.R. Harris, S. Jha, T. Reps, J. Anderson, and R.N.M. Watson
New operating systems, such as the Capsicum capability system, allow a
programmer to write an application that satisfies strong security
properties by invoking security-specific system calls at a few key
points in the program. However, rewriting an application to invoke
such system calls correctly is an error-prone process: even the
Capsicum developers have reported difficulties in rewriting programs
to correctly invoke system calls.
This paper describes capweave, a tool that takes as input (i) an LLVM
program, and (ii) a declarative policy of the possibly-changing
capabilities that a program must hold during its execution, and
rewrites the program to use Capsicum system calls to enforce the
policy. Our experiments demonstrate that capweave can be applied to
rewrite security-critical Unix utilities to satisfy practical security
policies. capweave itself works quickly, and the runtime overhead
incurred in the programs that capweave produces is generally low for
practical workloads.
University of Wisconsin