2026-03-21, Room B
Casper, a userspace library in FreeBSD, provides system services such as DNS resolution to applications confined by Capsicum. However, these Casper services execute with normal privileges, exposing the system to potential security threats including privilege escalation and unauthorized resource access. To address this issue, we present a sandboxing mechanism for Casper based on FreeBSD’s Mandatory Access Control (MAC) framework. Our design confines Casper services within MAC-enforced domains, thereby limiting their privileges and isolating their interactions with the system. We evaluate the proposed mechanism across multiple Casper services and show that it strengthens system security while incurring less than 16% performance overhead.
I am a second-year master’s student in Computer Science at National Central University, Taiwan. I previously worked on the FreeBSD online documentation and manual page editor, and participated in Google Summer of Code 2024, where I contributed to IPv6 support and the cleanup of address family dependencies in FreeBSD userland utilities, improving code maintainability and protocol support.