
Introducing Windows Defender Application Guard for Microsoft Edge - inian
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/
======
CurtHagenlocher
Microsoft's excellent word salad naming engine strikes again!

(Disclosure: Microsoft is my employer.)

~~~
sdegutis
Why not just block [http://www.atrixnet.com/bs-generator.html](http://www.atrixnet.com/bs-generator.html) from the corporate firewall?

------
dahjelle
Am I reading correctly: WDAGfME (for lack of a better acronym) is essentially
starting a VM with a fresh copy of Windows _for every site that it is
protecting_? Does this happen for every open & protected tab/window? What kind
of overhead does it have?

The idea sounds similar to Qubes OS, with the exception that it's transparent
to the user and doesn't have to be configured by the end-user.

I presume this kills any of the offline-storage approaches?

~~~
0xFFC
The idea of starting a fresh new copy of the Windows software stack for every
site is kinda naive. I would say they are using something similar to the Linux
kernel namespace mechanism for sandboxing in the Windows kernel, which is quite
efficient and secure sandboxing without going through the pain of
virtualization (Google uses this mechanism for implementing the Android
subsystem in ChromeOS). But how Hyper-V fits into this equation, I don't know.
Maybe something similar to the Docker service in Hyper-V.

But anyhow, this is quite an amazing idea; Microsoft really tries hard to
improve Edge.

The reason they can overcome the technical difficulty of something this cool is
because they have a very consistent and very limited underlying platform (they
don't have to support macOS, Linux, etc.). Imagine how hard it would be for
Firefox and Chrome to pull off something similar.

>I presume this kills any of the offline-storage approaches?

Not necessarily; it depends on how they implemented this.

(I may be wrong, please correct me.)

~~~
daeken
I see two options: 1) they're using Hyper-V and exposing a small number of
hypercalls to allow for rendering and interaction. 2) they've overloaded the
Hyper-V name for a user space sandbox.

I'm really hoping for the former, as it'll mean they finally might expose a
KVM-esque API. That would mean a drastic change for virtualization dev on
Windows.

~~~
jlgaddis
Maybe I'm misunderstanding the question, but the article clearly describes
that they're using Hyper-V to launch a separate instance of the kernel and the
browser in a "container" (which is later "discarded").

------
chrismorgan
Fewest vulnerabilities: I suspect that Chrome and Firefox being open source is
a factor here. Thus it seems possible to me that they actually have _fewer_
vulnerabilities than Edge—Edge’s just haven’t been found yet.

This is pure speculation on my part; I have no evidence nor any investigation,
deep or otherwise.

~~~
nickpsecurity
"Edge’s just haven’t been found yet."

Haven't been introduced and haven't been found. It's both. Microsoft's SDL has
dramatically reduced the number of 0-days in their products. I speculate that
eliminating many common vulnerability classes also eliminates a lot of the
low-hanging fruit that's easiest to spot in the binaries by reverse engineers.
They have the potential to raise the security even higher if they apply MS
Research's tools like VCC or Dafny. I don't even know what Edge is written in,
though.

~~~
lawnchair_larry
You're kind of talking out of your ass here, FYI. They have been introduced
and they have been found. Don't underestimate Google's resources on Chrome,
especially considering that many Google security folks were previously at MS.

~~~
nickpsecurity
I'm not sure what comment you read, as I mentioned they both have 0-days and
that the number of them dropped sharply due to SDL. The numbers available prove
both. Even more true given attackers are focusing on common applications more
than Windows itself. That's because they're easier to attack than Windows
code.

------
transpute
Two related projects, both with copy-on-write "forks" of disk storage and OS
memory, creating disposable VMs with hardware-enforced memory isolation.

Cappsule (open-source for Linux),
[https://cappsule.github.io](https://cappsule.github.io)

    virtualize any software on the fly (e.g. web browser,
    office suite, media player) into lightweight VMs called
    cappsules. Attacks are confined inside cappsules and
    therefore don't have any impact on the host OS.
    Applications don't need to be repackaged, and their usage
    remain the same for the end user: it's completely
    transparent. Moreover, the OS doesn't need to be
    reinstalled nor modified.

Bromium (proprietary for Windows, based on open-source Xen),
[https://blogs.bromium.com/2016/09/26/introducing-virtualizat...](https://blogs.bromium.com/2016/09/26/introducing-virtualization-based-security-next/)

    Bromium and Microsoft partnered in 2015
    .. extends VBS – isolating the execution of targeted
    applications such as the browser, documents, executables,
    downloads, attachments and media files .. to all
    vulnerable applications on all Windows 7, 8 and 10
    endpoints

~~~
brazzledazzle
I wonder how Bromium is taking this news.

------
jasonkostempski
"We’re determined to make Microsoft Edge the safest and most secure browser."

Then open source the whole thing, not just little parts of it. It has the
lowest number of vulnerabilities in the National Vulnerability Database
because it has the least number of eyes able to look for them.

~~~
tptacek
It's been a little while since I was close to Microsoft (they were a client
for a bit at Matasano), but: those people spend more on software security for
WINMINE.EXE than a lot of startups do for their whole stack.

Would their software be safer if it was open source? Probably. Open code is
rarely a _loss_ for security. But it's not easy to say how much safer.
Probably less than you think.

~~~
nickpsecurity
I recall the Windows source leaked a long time ago. One programmer wrote an
article on it saying it was actually good code. The problem areas seem to be
little hacks they had littered everywhere to keep 3rd party hardware or
software from breaking. My bookmark leads to a missing article that's not in
Wayback Machine. Do you have a substitute link to a review by a qualified
person who got to look at the source? I'd be interested in that.

~~~
ksk
Yes, it leaked during the Win2K release cycle I believe. And you're probably
thinking about the kuro5hin website, where someone claimed to have analyzed
it.
([http://webcache.googleusercontent.com/search?q=cache:3BlVJSk...](http://webcache.googleusercontent.com/search?q=cache:3BlVJSk8XV4J:www.theinquirer.net/inquirer/news/1030335/leaked-windows-2000-source-code-analysed+&cd=7&hl=en&ct=clnk&gl=us))

>One programmer wrote an article on it saying it was actually good code.

"One programmer" commenting about 30+ million lines of code. Yeah. Uh-huh.
Anyway, you can still find the kernel's source if you care to dig around. It's
the Windows Research Kernel, but it's mostly unchanged from the commercial
codebase.

>The problem areas seem to be little hacks they had littered everywhere to
keep 3rd party hardware or software from breaking.

Those are mostly relegated to the compatibility shim layer. You can turn it
off, in any case.

~~~
nickpsecurity
"Yes, it leaked during the Win2K release cycle I believe. And you're probably
thinking about the kuro5hin website, where someone claimed to have analyzed
it. "

Yeah, my inability to evaluate the skill level or character of the source was
the main drawback of the claim. I gave a little credence to it because I knew
that they were ramping up QA due to image problems and potential lost sales.
Steve Lipner... who did high-assurance security with the legendary Paul
Karger... came in to turn it around with the SDL. Massive investment in
professional programmers to find quality issues across the lifecycle implies it
would have fewer issues than average software.

[https://msdn.microsoft.com/en-us/library/ms995349.aspx](https://msdn.microsoft.com/en-us/library/ms995349.aspx)

""one programmer" commenting about 30+ million lines of code. Yeah. uh-huh."

You can tell a lot by glancing at random samples while digging into a bit
fewer. Good, well-commented code with various security checks stands out for
people that spend years looking at the opposite. All such a review could say,
though, was that people were putting in effort. Actual security would need a
thorough review.

"Anyway, you can still find the kernel's source if you care to dig around. It's
the Windows Research Kernel but it's mostly unchanged from the commercial
codebase."

Will do. Appreciate the tip.

~~~
ksk
>Will do. Appreciate the tip.

CDCFKW.zip not saying anything.. just sayin :P

------
bboreham
I sense this is the same feature that is used to implement Docker containers.
Possibly browser isolation was the primary driver and it got co-opted for the
server.

------
nickpsecurity
The one good thing about this is that they're relying on Hyper-V. It _may_ end
up much more secure than solutions like Xen simply because Microsoft is
investing in so much verification. That started with the Verisoft project,
where they started using their VCC tool to verify the C-level source against
specifications. They later extended the tool for assembly. The first report I
saw indicated 20% was verified against its spec. So, it should get more robust
over time.

People interested in Microsoft Research's work on secure browsers should look
at the Gazelle browser and Xax plugin architecture:

[https://www.microsoft.com/en-us/research/wp-content/uploads/...](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/gazelle.pdf)

[https://www.microsoft.com/en-us/research/wp-content/uploads/...](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/xax-osdi08.pdf)

------
kenrick95
It's using Hyper-V, so does that mean this only applies to the Pro and
Enterprise editions of Windows 10?

~~~
wyattjoh
Considering the product video described it as being a tool for system
administrators, I'd hazard a guess at yes.

------
mtgx
Why is this an enterprise-only feature? Do regular users not deserve the same
level of security for their browsers? Will this tech even be available to
non-Microsoft apps in the future?

~~~
nneonneo
It's not very useful for regular users outside of private browsing: the WDAG
windows are unable to persist any state at all, since their container is
discarded at the end of the browsing session to thwart malware persistence.

It does sound like an interesting capability for private browsing, but
existing mechanisms mostly cover that. Even if WDAG applied to private
windows, ordinary users aren't so likely to open private browser windows just
to check a link from an email.

I expect that if you had a copy of Win10 Enterprise you could configure the
feature yourself for added security in paranoid cases (e.g. a journalist
covering abusive regimes who might be targeted by state-level malware).

------
behm
So just to be clear, this is basically another sandbox, which starts a private
browsing session implicitly for each site and disables the entire password
manager?

------
webwanderings
> We’re determined to make Microsoft Edge the safest and most secure browser.

You should enable Ad/tracker-block by default and across the board.

------
lawnchair_larry
Ugh, they should know better than to use CVE as a metric. Should we assume
that Opera is the most secure browser then?

------
zmanian
Why is this enterprise only?

