CloudABI - Capability Based Security on Linux/Unix

Explore capability-based security on Unix systems with CloudABI in this EuroPython conference talk. Dive into the design principles of CloudABI, a POSIX-based computing environment that enhances security by restricting processes to only affect provided file descriptors. Learn how CloudABI removes APIs capable of acquiring global resources, requiring processes to be granted specific capabilities. Discover the benefits and trade-offs of this approach, including the ability to safely execute unknown binaries without containers or virtual machines. Gain insights into writing Python software for CloudABI, potential pitfalls to avoid, and the current and future status of this technology. Compare CloudABI to traditional Unix security models and understand its implementation across various operating systems, including BSD, Linux, and macOS.

Intro
Background
Problem
CloudABI
API Removal
Capability Tokens
Example Configuration
Future Possibilities
Questions