
Improving Unmodified Classic Application Confinement

2022-09-16

Authors: John Johansen, Georgia Garcia


Summary

The presentation discusses various methods for improving application confinement and security, with a focus on achieving a level of confinement similar to that of Android applications.
  • Shell-type programs can be used to extract information and limit access to certain subsets of data
  • Forced launchers can be used to override kernel settings and set up custom loaders for applications
  • Code injection can be used to modify application behavior, but is not feasible for widespread use
  • Address matching and control flow integrity can be used to modify application behavior without directly modifying the code
  • The goal is to achieve tighter confinement for applications without burdening the user
  • Dynamic data can be used to tighten security measures

The speaker mentions that file pickers are easy to confine, but other applications require more work. They discuss the need for more dynamic data to tighten security measures, but note that this can lead to user burden if not implemented carefully.

Abstract

Canonical uses snap application sandboxing to improve application security. While applications can be rewritten or modified to use portals and other forms of privilege separation, there are many applications that need to be run under confinement without modification. This presentation will cover the set of techniques being used and/or experimented with to improve application confinement without overburdening the user. This includes a variety of different techniques: from notifying userspace so that it can provide policy updates and a more nuanced response, through application and file tagging, to providing better control over environment variables and dynamic policy composition.

Materials: