Redox OS Implements Capability-Based Security: Namespace and CWD as Capabilities
Redox OS Advances Security Model with Capability-Based Namespace Management
Redox OS, the Rust-based microkernel operating system, has implemented a capability-based security model for namespace management and current working directory handling, funded by NGI Zero Commons and NLnet.
What Are Capabilities?
In capability-based security, an open file descriptor serves as a capability — it identifies both a resource and the application's access rights to it. All resource access must originate from a valid capability, which closes off the class of vulnerabilities in which a process reaches a resource through ambient authority (a path it can name, a global table it can index) rather than through something it was explicitly handed.
The Architecture
Redox OS uses a microkernel design where most system components run as userspace services called 'Schemes'. Resources are accessed via scheme-rooted paths (e.g., ). Namespaces control which schemes a process can access.
Key Changes
Namespace as Capability: Previously managed by the kernel, namespace access is now controlled through capabilities. A process can only access schemes explicitly granted to its namespace — a request naming any other scheme fails at the namespace boundary, preventing unauthorized resource access.
CWD as Capability: The current working directory, previously managed as a string, is now a capability object. Relative paths resolve through that object, so there is no cwd string to be rewritten or re-parsed; this prevents the directory traversal attacks and path confusion vulnerabilities that string-based handling invites.
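The two changes above are easiest to see in a small model. The following Rust program is an added illustration written for this article, not relibc or Redox kernel code: it assumes a namespace that grants scheme names, a directory capability type that can only be minted through that namespace or derived from an existing capability, and POSIX-style clamping of `..` at the scheme root. The scheme names (`file`, `net`) and paths are constructed for the example.

```rust
// Added illustration, not relibc or Redox kernel code: a toy model of a
// namespace that grants scheme capabilities and a cwd that is a capability
// object rather than a string. Scheme names and paths are constructed.
use std::collections::BTreeSet;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AccessError {
    /// The path names a scheme that this process's namespace never granted.
    NoCapability(String),
    /// A relative path was handed to the namespace instead of to a capability.
    NotSchemeRooted(String),
}

/// Split `scheme:/a/b` into (scheme, rest). Only a leading run of
/// [A-Za-z0-9_] followed by ":/" counts as a scheme root; anything else
/// (including "../x:/y") is a relative path and never reaches the namespace.
pub fn parse_scheme_rooted(path: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = path.split_once(":/")?;
    let valid = !scheme.is_empty()
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
    if valid { Some((scheme, rest)) } else { None }
}

/// A capability: authority to resolve paths inside one scheme-rooted
/// directory. Fields are private, so a DirCap can only be minted through
/// `Namespace::open_dir` or derived from an existing DirCap.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DirCap {
    scheme: String,
    components: Vec<String>,
}

impl DirCap {
    /// Resolve a relative path against this directory. `..` pops a component
    /// but is clamped at the scheme root (assumed POSIX-style clamping), so the
    /// result always stays inside the scheme this capability was minted for.
    pub fn resolve(&self, rel: &str) -> DirCap {
        let mut components = self.components.clone();
        for part in rel.split('/') {
            match part {
                "" | "." => {}
                ".." => { components.pop(); }
                name => components.push(name.to_string()),
            }
        }
        DirCap { scheme: self.scheme.clone(), components }
    }

    /// The scheme-rooted path that would be handed to the scheme server.
    pub fn path(&self) -> String {
        format!("{}:/{}", self.scheme, self.components.join("/"))
    }
}

/// The set of schemes a process may name. This is the single place an
/// absolute path is checked: no grant, no capability, no access.
pub struct Namespace {
    granted: BTreeSet<String>,
}

impl Namespace {
    pub fn new(schemes: &[&str]) -> Self {
        Namespace { granted: schemes.iter().map(|s| s.to_string()).collect() }
    }

    /// Mint a directory capability for `scheme:/a/b`, refusing if the scheme
    /// is not granted. Relative paths are rejected here on purpose.
    pub fn open_dir(&self, abs: &str) -> Result<DirCap, AccessError> {
        let (scheme, rest) = parse_scheme_rooted(abs)
            .ok_or_else(|| AccessError::NotSchemeRooted(abs.to_string()))?;
        if !self.granted.contains(scheme) {
            return Err(AccessError::NoCapability(scheme.to_string()));
        }
        // Normalise through resolve() so "file:/a/../b" becomes "file:/b".
        Ok(DirCap { scheme: scheme.to_string(), components: Vec::new() }.resolve(rest))
    }
}

/// A process holds a namespace and a cwd capability; there is no cwd string
/// for a caller to rewrite or for the runtime to re-parse.
pub struct Process {
    pub namespace: Namespace,
    pub cwd: DirCap,
}

impl Process {
    /// Path an open() would use: absolute paths go through the namespace,
    /// relative paths through the cwd capability.
    pub fn open(&self, path: &str) -> Result<String, AccessError> {
        Ok(self.target(path)?.path())
    }

    /// chdir replaces the cwd capability with a newly minted or derived one.
    pub fn chdir(&mut self, path: &str) -> Result<(), AccessError> {
        self.cwd = self.target(path)?;
        Ok(())
    }

    fn target(&self, path: &str) -> Result<DirCap, AccessError> {
        match parse_scheme_rooted(path) {
            Some(_) => self.namespace.open_dir(path),
            None => Ok(self.cwd.resolve(path)),
        }
    }
}

fn main() {
    let ns = Namespace::new(&["file"]); // "net" deliberately not granted
    let cwd = ns.open_dir("file:/home/user").unwrap();
    let mut p = Process { namespace: ns, cwd };
    for path in ["docs/a.txt", "../../../../etc/hosts", "../net:/sock", "net:/sock"] {
        println!("{path:>24} -> {:?}", p.open(path));
    }
    p.chdir("..").unwrap();
    println!("after chdir: {}", p.cwd.path());
}
```

Two behaviours are worth noting. A relative path such as `../net:/sock` never touches the namespace: it is resolved through the cwd capability, so `net:` is just a file name inside the `file` scheme rather than a switch to another scheme. An absolute `net:/sock`, on the other hand, is refused at the namespace boundary because no `net` capability was ever granted, regardless of what the cwd is.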
Impact on POSIX Compatibility
The changes are implemented in (the Redox runtime), which provides a POSIX compatibility layer translating standard paths to scheme-rooted paths. This means existing C applications can run without modification.
Significance
This work represents one of the most thorough implementations of capability-based security in a practical operating system. By enforcing the 'no capability, no access' principle at the namespace level, Redox eliminates entire categories of privilege escalation and lateral movement attacks.