Sandboxing Adoption in Open Source Ecosystems
Maysara Alhindi, Joseph Hallett
TL;DR
The paper analyzes sandboxing adoption across four open-source OS ecosystems by scanning every package for Seccomp, Landlock, Pledge, Unveil, and Capsicum usage. It finds that direct use is very low (<1%), though many packages indirectly depend on sandboxed code, with OpenBSD showing relatively higher direct usage. The study details how the different mechanisms are applied (e.g., argument-based Seccomp filters on Linux vs. stdio-focused Pledge promises on OpenBSD) and highlights challenges such as code complexity, required architectural changes, and debugging difficulties. It discusses factors affecting adoption, including usability and observability, and suggests security-by-default approaches and improved tooling to encourage broader, correct use of sandboxing mechanisms in practice.
Abstract
Sandboxing mechanisms allow developers to limit how much access applications have to resources, following the least-privilege principle. However, it's not clear how much and in what ways developers are using these mechanisms. This study looks at the use of Seccomp, Landlock, Capsicum, Pledge, and Unveil in all packages of four open-source operating systems. We found that less than 1% of packages directly use these mechanisms, but many more indirectly use them. Examining how developers apply these mechanisms reveals interesting usage patterns, such as cases where developers simplify their sandbox implementation. It also highlights challenges that may be hindering the widespread adoption of sandboxing mechanisms.
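The argument-based Seccomp filter pattern mentioned in the TL;DR, as an added example that is not code from the paper or from any package it studied: a BPF filter that permits socket(2) only for the AF_UNIX domain, fails every other domain with EACCES rather than killing the process, and leaves all other system calls untouched. It assumes Linux on x86_64 or aarch64 (the AUDIT_ARCH value is checked first so the filter never runs against a mismatched syscall ABI) and that the process may set PR_SET_NO_NEW_PRIVS.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "example assumes the x86_64 or aarch64 syscall ABI"
#endif

/* Argument-based filter: socket(2) is allowed only when arg0 (the domain) is AF_UNIX;
 * any other domain fails with EACCES. Returns 0 on success, -1 (errno set) otherwise. */
int install_socket_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: kill the process if the syscall ABI is not the one this filter was built for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-4: anything other than socket(2) jumps forward 3 to instruction 8 (allow) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* 5-7: compare the low 32 bits of arg0 (little-endian layout of the 64-bit arg) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),   /* 8 */
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 1 if socket(domain) was refused with EACCES, 0 if it succeeded, -1 on any other error. */
int probe_socket(int domain)
{
    int fd = socket(domain, SOCK_STREAM, 0);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EACCES ? 1 : -1;
}
```

Once installed the filter cannot be removed from the process, which is the usual reason such code runs after initialisation and before untrusted input is handled.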
