Capability Ambient DO – A Usable Tool for Linux System Security
Berardi, Davide
2024-01-01
Abstract
POSIX capabilities are a technique for managing privilege separation in the Linux kernel, similar to traditional capabilities such as those used in microkernels. This approach can create a security mechanism with strong and well-defined privilege separation. While capabilities are a very powerful way to describe user permissions, it can be difficult to analyze the security implications of every single configuration, which easily results in a false sense of security and a cumbersome tuning process. Because ambient capabilities are a relatively new technology, usable tools for configuring these security subsystems are lacking in industry. To overcome this industrial gap, we propose cado, a usable system for configuring capabilities and capability environments. Focusing on usable security and scripting possibilities alongside real-world use-case scenarios, we compare it with reference implementations of similar models. We also present in detail the attacks analyzed during the creation of the tool, and how cado makes them inapplicable by default in every installation scenario.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.