A new BSDCan video has been posted:
Sandbox Your Program Using FreeBSD's Capsicum By Jake Freeland
With security vulnerabilities rapidly rising each year, program security is more important than ever. One solution to keeping your program from being the victim of the next big CVE is FreeBSD's Capsicum.
Originally developed at the University of Cambridge Computer Laboratory, Capsicum is a lightweight capability and sandbox framework built into the FreeBSD base system. It is designed around the principle of least privilege - where programs only have access to resources that are required for operation.
This talk will follow my blog post, which outlines the process of Capsicumization, or sandboxing your program using Capsicum. I will cover capability violation detection, restructuring existing programs for Capsicum, and filesystem/networking access inside of the capability sandbox.
Recent Capsicumization efforts in the FreeBSD base system and the future of Capsicum will also be discussed.
