Integrating Flexible Support for Security Policies into the Linux Operating System
Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference
SIGGRAPH '84 Proceedings of the 11th annual conference on Computer graphics and interactive techniques
Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
SubDomain: Parsimonious Server Security
LISA '00 Proceedings of the 14th USENIX conference on System administration
Solaris Zones: Operating System Support for Consolidating Commercial Workloads
LISA '04 Proceedings of the 18th USENIX conference on System administration
The design and implementation of Zap: a system for migrating computing environments
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementation
Optimizing the migration of virtual computers
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementation
THINC: a virtual display architecture for thin-client computing
Proceedings of the twentieth ACM symposium on Operating systems principles
Versatility and Unix semantics in namespace unification
ACM Transactions on Storage (TOS)
MAPbox: using parameterized behavior classes to confine untrusted applications
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Improving host security with system call policies
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
WindowBox: a simple security model for the connected desktop
WSS'00 Proceedings of the 4th conference on USENIX Windows Systems Symposium - Volume 4
TRON: process-specific file protection for the UNIX operating system
TCON'95 Proceedings of the USENIX 1995 Technical Conference Proceedings
Virtualization aware file systems: getting beyond the limitations of virtual disks
NSDI'06 Proceedings of the 3rd conference on Networked Systems Design & Implementation - Volume 3
Secure isolation of untrusted legacy applications
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Application-level isolation and recovery with solitude
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Isolating web programs in modern browser architectures
Proceedings of the 4th ACM European conference on Computer systems
Protecting confidential data on personal computers with storage capsules
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Proceedings of the 4th Symposium on Computer Human Interaction for the Management of Information Technology
Improving virtual appliance management through virtual layered file systems
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
Lockdown: towards a safe and practical architecture for security applications on commodity platforms
TRUST'12 Proceedings of the 5th international conference on Trust and Trustworthy Computing
International Journal of Information Security and Privacy
InkTag: secure applications on an untrusted operating system
Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
Practical and effective sandboxing for non-root users
USENIX ATC'13 Proceedings of the 2013 USENIX conference on Annual Technical Conference
Desktop computers are often compromised by the interaction of untrusted data and buggy software. To address this problem, we present Apiary, a system that transparently contains application faults while retaining the usage metaphors of a traditional desktop environment. Apiary accomplishes this with three key mechanisms. It isolates applications in containers that integrate in a controlled manner at the display and file system. It introduces ephemeral containers that are quickly instantiated for single application execution, to prevent any exploit that occurs from persisting and to protect user privacy. It introduces the Virtual Layered File System to make instantiating containers fast and space efficient, and to make managing many containers no more complex than a single traditional desktop. We have implemented Apiary on Linux without any application or operating system kernel changes. Our results with real applications, known exploits, and a 24-person user study show that Apiary has modest performance overhead, is effective in limiting the damage from real vulnerabilities, and is as easy for users to use as a traditional desktop.