The FreeBSD Foundation has announced that it and the Google Open Source Programs Office are jointly funding developer Pawel Jakub Dawidek to improve the Capsicum framework. Capsicum was originally developed by Robert Watson of the University of Cambridge and Ben Laurie from Google Research to extend the POSIX API and provide object-capability security to Unix-like operating systems. The goal of the framework is to give thin-client operating systems like Google's Chrome OS a robust security model that is relatively lightweight. Capsicum has been available in FreeBSD since version 9.0 and Google is working on a Linux version.

As part of the grant, Dawidek will be implementing new systems calls that enable new, programmer friendly capabilities of the framework and also sandbox several security-sensitive applications using Capsicum. He will improve the Casper Capsicum service daemon and build on work he had previously completed as part of a similar grant last year, when he built a userspace framework for building Capsicum-based applications that work with the framework's kernel-level features. In 2012, Dawidek created a runtime linker and a library that provides sandboxed versions of higher-level system libraries. As part of the effort, Cambridge's prototype libcapsicum implementation was updated in light of lessons the developers had learned when they started to port applications to the framework.

Google is again matching the FreeBSD Foundation's financial support in the hope of helping open source applications transition to Capsicum. Ben Laurie from the company's security team was quoted as saying that he believes that Access Control Lists (ACLs) are the wrong model to use for operating system security and that Capsicum can provide a way to gradually migrate to a better model.

Dawidek is expected to conclude development work on the project by August.

(fab)