With the use of highly connected computers, desktop security and privacy are major concerns. Users of these highly connected computers are constantly exposed to untrusted data that can be received through the Internet by, for example, visiting new web sites, downloading files, and sending e-mails to strangers or untrusted sources. These activities use information whose safety cannot be verified by the user and, in some cases, an attacker can construct this information to exploit bugs and/or vulnerabilities in applications. In doing so, the attacker can, for example, take control of a user's desktop computing device to exfiltrate sensitive information. As one instance, a significant vulnerability was recently discovered in Adobe Acrobat products that allowed an attacker to take control of a desktop computing device when a maliciously constructed PDF file was opened. The prevalence of untrusted data and vulnerable or buggy software makes application fault containment increasingly important.
Many attempts have been made to isolate applications from one another using approaches such as virtual machines. For example, separate virtual machines have been used to move applications into distinct environments. However, these approaches suffer from an unresolved tension between ease of use (e.g., the look and feel of a desktop environment) and the degree of fault containment they provide.
There is therefore a need in the art for approaches that compartmentalize applications into isolated containers for application fault containment. Accordingly, it is desirable to provide methods, systems, and media that overcome these and other deficiencies of the prior art.
For example, approaches that isolate applications into containers for application fault containment while retaining the integrated look, feel, and ease of use of a desktop environment are provided. In another example, approaches for application fault containment are provided without the need for modifying applications or the operating system (e.g., kernel changes).