The Capslock project was started within Google to provide a capability analysis toolkit for Go packages, and has since been open sourced and is being extended to support other languages.
In this talk, we'll walk through using the experimental cargo-capslock tool, developed through a grant from Alpha-Omega, to analyse the capabilities of Rust services. We'll then use the result of that analysis to create seccomp profiles that can be applied using container orchestration systems (such as Kubernetes) to restrict services and ensure that updates are unable to silently open new attack vectors. Finally, we'll discuss how this technique can be applied to services written in other languages as well.
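The last step described above, sketched as an added example (not code from the talk or from the Capslock project): a default-deny seccomp profile in the OCI JSON format is rendered from an allow-list, and a second function reports syscalls that an updated build needs but the deployed profile does not grant. The two syscall sets are constructed sample data assumed to have been derived from capability analysis; how cargo-capslock reports its results is not modelled here.

```rust
use std::collections::BTreeSet;

/// Render an OCI-format seccomp profile that fails every syscall with an
/// errno except the ones named in `allowed`.
fn seccomp_profile(allowed: &BTreeSet<&str>) -> String {
    let names: Vec<String> = allowed.iter().map(|s| format!("\"{}\"", s)).collect();
    format!(
        "{{\"defaultAction\":\"SCMP_ACT_ERRNO\",\"syscalls\":[{{\"names\":[{}],\"action\":\"SCMP_ACT_ALLOW\"}}]}}",
        names.join(",")
    )
}

/// Syscalls the updated build requires that the baseline profile does not
/// allow. A non-empty result means the update widened what the service can
/// do, so the profile change needs review instead of happening silently.
fn newly_required<'a>(
    baseline: &BTreeSet<&'a str>,
    updated: &BTreeSet<&'a str>,
) -> Vec<&'a str> {
    updated.difference(baseline).copied().collect()
}

fn main() {
    // Constructed sample data (assumption): syscall sets for two releases of
    // the same service. A real service needs a far longer allow-list.
    let baseline = BTreeSet::from([
        "accept4", "close", "epoll_wait", "exit_group", "read", "write",
    ]);
    let updated = BTreeSet::from([
        "accept4", "close", "connect", "epoll_wait", "execve", "exit_group",
        "read", "write",
    ]);

    // Profile generated from the reviewed baseline release.
    println!("{}", seccomp_profile(&baseline));

    // Gate for the update: anything listed here is not covered by the profile.
    let added = newly_required(&baseline, &updated);
    if added.is_empty() {
        println!("update stays within the deployed profile");
    } else {
        println!("update needs syscalls outside the profile: {:?}", added);
    }
}
```

In Kubernetes, a profile file like this is referenced from a container's `securityContext.seccompProfile` with `type: Localhost` and a `localhostProfile` path.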