Leash: A Transparent Capability-Based Sandboxing Supervisor for Unix

Mahya Jadidi, Jonathan Anderson

2025

Abstract

In computer security, the principle of least privilege, or denial by default, is a practical approach to mitigating the risk posed by potential attacks. However, producing least-privileged applications is a challenge without source code modification, system privilege, or configuration changes. In this paper, we introduce Leash, a transparent application sandboxing supervisor for Unix systems built on FreeBSD's Capsicum framework. Leash provides programs with the resources they require according to sandbox restrictions and policies predefined by the user, without requiring root privilege. The approach is transparent to both the code and the user, eliminating the need for source code modification or deep knowledge of the underlying security framework. We evaluated the system by sandboxing a set of widely used Unix utilities and real-world installer scripts. Leash is designed to be extensible, with the aim of becoming a general-purpose sandboxing service for Unix. Our evaluation shows that the system achieves robust security while maintaining efficient performance.

Paper Citation


in Harvard Style

Jadidi M. and Anderson J. (2025). Leash: A Transparent Capability-Based Sandboxing Supervisor for Unix. In Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP; ISBN 978-989-758-735-1, SciTePress, pages 542-551. DOI: 10.5220/0013186700003899


in Bibtex Style

@conference{icissp25,
author={Mahya Jadidi and Jonathan Anderson},
title={Leash: A Transparent Capability-Based Sandboxing Supervisor for Unix},
booktitle={Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP},
year={2025},
pages={542-551},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0013186700003899},
isbn={978-989-758-735-1},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP
TI - Leash: A Transparent Capability-Based Sandboxing Supervisor for Unix
SN - 978-989-758-735-1
AU - Jadidi M.
AU - Anderson J.
PY - 2025
SP - 542
EP - 551
DO - 10.5220/0013186700003899
PB - SciTePress