AsiaBSDCon 2026

Enhancing the Casper Library Security with Mandatory Access Control
2026-03-21, Room B

Casper, a userspace library in FreeBSD, provides system services such as DNS resolution to applications confined by Capsicum. However, these Casper services execute with normal privileges, exposing the system to potential security threats including privilege escalation and unauthorized resource access. To address this issue, we present a sandboxing mechanism for Casper based on FreeBSD’s Mandatory Access Control (MAC) framework. Our design confines Casper services within MAC-enforced domains, thereby limiting their privileges and isolating their interactions with the system. We evaluate the proposed mechanism across multiple Casper services and show that it strengthens system security while incurring less than 16% performance overhead.