

Apiary: Fast and Simple Application Fault Containment for Linux [pdf] - randombit
http://www.ncl.cs.columbia.edu/publications/usenix2010_apiary.pdf

======
randombit
From Usenix 2010.

Abstract: Desktop computers are often compromised by the interaction of
untrusted data and buggy software. To address this problem, we present Apiary,
a system that transparently contains application faults while retaining the
usage metaphors of a traditional desktop environment. Apiary accomplishes this
with three key mechanisms. It isolates applications in containers that
integrate in a controlled manner at the display and file system. It introduces
ephemeral containers that are quickly instantiated for single application
execution, to prevent any exploit that occurs from persisting and to protect
user privacy. It introduces the Virtual Layered File System to make
instantiating containers fast and space efficient, and to make managing many
containers no more complex than a single traditional desktop. We have
implemented Apiary on Linux without any application or operating system kernel
changes. Our results with real applications, known exploits, and a 24-person
user study show that Apiary has modest performance overhead, is effective in
limiting the damage from real vulnerabilities, and is as easy for users to use
as a traditional desktop.

