TWC: Small: XCap: Practical Capabilities and Least Authority for Virtualized Environments

Project Details

Performance Period

Oct 01, 2013 - Sep 30, 2017

Institution(s)

University of Utah

Modern software systems inherit their architecture, software development methodology, and security model from time-sharing operating systems developed four decades ago. Desktop, server, cloud, and even industrial control systems rely on a large stack of commercial off-the-shelf software that runs on top of a monolithic operating system kernel. Each application runs with the full set of privileges of some user, has access to the entire file space of that user, and can access the complete interface of a complex operating system kernel as well as a number of privileged system components. The security model exposed by existing software systems is fundamentally too weak: it fails to provide adequate isolation between computations.

XCap is a secure environment for least-authority execution of applications and system services. Unmodified, untrusted, off-the-shelf applications, running on untrusted operating systems, are isolated by a virtual machine monitor. XCap builds on two principles: strong isolation and secure collaboration. XCap's default -- a share-nothing environment -- is augmented by a capability access control model: a clean and general abstraction that enables fine-grained delegation of rights in a flexible and manageable way. In XCap, capabilities serve as a general foundation for constructing least-privilege services out of existing components of the traditional operating system stack. XCap maximizes the principle of least authority: it redesigns common operating system services so that the authority of individual applications and services is minimized. Each component possesses the smallest subset of rights required to accomplish its task.