C3Subtitles: 32c3: CloudABI

CloudABI

Pure capability-based security for UNIX


Video duration: 01:02:05
Language: English
Abstract
CloudABI is an alternative runtime environment for UNIX-like operating systems that is purely based on the principle of capability-based security. This makes it possible to create applications that are strongly sandboxed, easier to test and easier to maintain.

UNIX-like operating systems don't make it easy to sandbox programs in order to harden them against exploits. They also don't allow you to run untrusted executables directly without compromising security, which is why we rely on technology like virtual machines and containers to secure our systems.

I am going to talk about a system I am developing called CloudABI. CloudABI is a simplified POSIX-like runtime environment that is inspired by FreeBSD's Capsicum. It allows you to create executables that can interact with the environment solely through file descriptors (capabilities). This not only makes CloudABI more secure than the traditional POSIX runtime, it also makes it easier to test programs through dependency injection. This makes CloudABI a perfect environment for developing microservices.

In my presentation I am going to focus on how CloudABI works, how you can develop software for it and how it works in practice.

Talk ID: 7231
Event: 32c3
Day: 2
Room: Hall 6
Start: 12:45 p.m.
Duration: 01:00:00
Track: Security
Type: lecture
Speaker: Ed Schouten