Despite a number of radical changes in how computer systems are used, the security model of a modern operating system is based on principles laid down by the first time-sharing computing environments four decades ago. Early computer systems were designed to fulfill a simple security goal: provide isolation of multiple users in a time-sharing environment. Security attacks against these systems were a pastime for small communities of hobbyists. Today, systems with essentially the same security model are required to operate in the face of targeted security attacks sponsored by a multi-national malware economy, commercial espionage, and government intelligence agencies. A lack of strong isolation between processes and users, an outdated access control model, excessive authority granted to applications, and a shared operating system kernel make it challenging to secure modern systems against these sophisticated attacks.
We are creating XCap, a secure environment for least-authority execution of applications and system services. Unmodified, untrusted, off-the-shelf applications, running on untrusted operating systems, are isolated by a virtual machine manager. XCap builds on two principles: strong isolation and secure collaboration.
XCap's default, a share-nothing environment, will be augmented by a capability access control model---a clean and general abstraction, enabling fine-grained delegation of rights in a flexible and manageable way. In XCap, capabilities will serve as a general foundation for constructing least-privilege services out of existing components of the traditional operating system stack. Furthermore, capabilities enable formal reasoning about the authority of individual applications and of the system as a whole.
Several principles constitute the core of XCap's architecture. First, XCap relies on a hardware-level virtualization platform to provide strong isolation of individual applications. Each application runs in a fresh, private copy of an operating system, communicating with the rest of the system through a minimal, capability-mediated interface. Second, XCap builds on a capability access control model. Capabilities explicitly name all resources in the system and provide the only way of accessing them. Third, XCap maximizes the principle of least authority: XCap redesigns common operating system services in such a way that the authority of individual applications and services is minimized. Each component possesses the smallest subset of rights required to accomplish its task; e.g., a shared file system has rights to provide a naming service, but no rights to access the content of the files. Thus, the effect of the compromise of an individual application is restricted to the set of resources that the application can access.
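As an added illustration of the naming-service example above (example code, not XCap's own), the following toy object-capability model shows the three principles in miniature: file content is reachable only through capability objects, the shared naming service holds only sealed capabilities it cannot open, and the trusted side (standing in for the VMM) hands each application an attenuated capability. The file name `notes.txt`, the application names `editor`/`viewer` and the policy table are constructed for the demo.

```python
# Added illustration of XCap's least-authority idea (not XCap's own code): files
# are reachable only via capabilities, the shared naming service holds only sealed
# capabilities it cannot open, and the VMM hands apps attenuated capabilities.
class FileCap:
    """Capability: the only path to a file's content, carrying a rights set."""
    def __init__(self, cell, rights):
        self._cell, self.rights = cell, frozenset(rights)  # cell = [content]
    def read(self):
        if "read" not in self.rights:
            raise PermissionError("capability lacks read")
        return self._cell[0]
    def write(self, data):
        if "write" not in self.rights:
            raise PermissionError("capability lacks write")
        self._cell[0] = data
    def attenuate(self, rights):
        # Delegation only ever shrinks rights; it can never amplify them
        return FileCap(self._cell, self.rights & frozenset(rights))

def make_sealer_pair():
    """Sealer/unsealer pair: a Box is opaque to anyone without the unsealer."""
    class Box:  # deliberately attribute-free: nothing inside to reach
        pass
    store = {}
    def seal(cap):
        box = Box()
        store[box] = cap
        return box
    return seal, store.__getitem__  # unseal(box) -> cap

class NamingService:  # XCap-style shared file system: naming rights only
    def __init__(self):
        self._names = {}
    def bind(self, name, box):
        self._names[name] = box
    def lookup(self, name):
        return self._names[name]  # an opaque Box: no file content reachable

def build_demo():
    seal, unseal = make_sealer_pair()
    ns = NamingService()
    ns.bind("notes.txt", seal(FileCap(["draft v1"], {"read", "write"})))  # made-up file
    policy = {"editor": {"notes.txt": {"read", "write"}}, "viewer": {"notes.txt": {"read"}}}
    def open_as(app, name):
        # Trusted side (the VMM): unseal, then attenuate to what policy grants
        granted = policy.get(app, {}).get(name)
        if not granted:
            raise PermissionError(f"{app} holds no authority over {name}")
        return unseal(ns.lookup(name)).attenuate(granted)
    return ns, open_as
```

A compromised naming service can enumerate names but reaches only opaque boxes, and a compromised `viewer` can read but never write, which is exactly the containment the paragraph above describes.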