Supporting Helium Silos (a while back)

I don’t even know how I managed to miss this in my earlier posts. One of my former directs, Istvan Farmosi, started a discussion with Microsoft nearly a decade ago on isolating processes more strongly, similar to how Edge does it, but for desktop applications. It took a while, but with the help of many people at Microsoft, we managed to get a new technology in place, now a native part of Windows, that enables security isolation for desktop processes while keeping performance intact and without significantly affecting how the process interacts with the operating system itself.

So, what does this new isolation model look like?

  • Win32 App Isolation: A new security feature for Windows clients, aiming to be the default isolation standard, built on AppContainers with added security features.
  • Limiting Damage: It restricts app privileges to limit the impact of compromised apps, requiring multi-step attacks for breaches.
  • Developer Tools: Microsoft provides tools like MSIX packaging and Application Capability Profiler (based on tech like ETL and WPA) to ease the update process for developers.
  • User Experience: Ensures seamless integration with Windows interfaces without confusing security prompts, maintaining application compatibility.

Win32 app isolation stands out as a new security feature designed to enhance the security of Windows clients. Let’s delve into how it differs from other existing security features:

  1. Foundation:
    • Win32 app isolation is built on the foundation of AppContainers. These containers encapsulate and restrict the execution of processes, ensuring they operate with limited privileges (commonly referred to as low integrity levels).
    • In contrast, other Windows sandbox options, such as Windows Sandbox and Microsoft Defender Application Guard, rely on virtualization-based security.
  2. Purpose:
    • Win32 app isolation aims to be the default isolation standard for Windows clients.
    • It offers several added security features to defend against attacks that exploit vulnerabilities in applications (including third-party libraries).
    • The goal is to limit damage in case apps are compromised.
  3. Developer Experience:
    • Application developers can update their apps using the tools provided by Microsoft to isolate their applications.
    • For more details on the developer experience, you can visit the GitHub page.
  4. Privacy Considerations:
    • Isolation also helps safeguard end-user privacy choices. When a Win32 app runs with the same privilege as the user, it can potentially access user information without consent.
    • By isolating apps, unauthorized access to user privacy data by malicious actors is minimized.

It combines preventive and containment strategies, making it a powerful addition to Windows security. It also employs several mechanisms to protect against attacks on third-party libraries:

  1. Isolation Boundaries:
    • When an app runs in an isolated environment, it operates within strict boundaries. This containment prevents it from directly interacting with other processes or libraries outside its designated scope.
    • Third-party libraries are encapsulated within the same isolation boundary, reducing their exposure to potential attacks.
  2. Privilege Separation:
    • Win32 app isolation ensures that each app runs with the minimum necessary privileges. This principle extends to third-party libraries.
    • Even if a library is compromised, its impact is limited due to the restricted privileges within the isolation boundary.
  3. AppContainer Restrictions:
    • AppContainers are used to confine apps and libraries. These containers enforce fine-grained permissions and work together effectively with Smart App Control.
    • Third-party libraries are subject to the same restrictions as the app itself. They cannot perform actions beyond their allowed capabilities.
  4. Multi-Step Attacks:
    • Win32 app isolation raises the bar for attackers. To breach an isolated app and its associated libraries, they must execute multi-step attacks.
    • This complexity deters casual exploitation and provides additional layers of defense.
  5. Reduced Attack Surface:
    • By isolating third-party libraries, the overall attack surface is minimized.
    • Vulnerabilities in libraries are less likely to propagate to other parts of the system.
  6. Secure Development Practices:
    • Developers can leverage MSIX packaging and Application Capability Profiler to ensure secure deployment.
    • These tools help identify dependencies and ensure that third-party libraries comply with security best practices.
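As an added example that is not from the post or from Microsoft's tooling, the following PowerShell script inventories the MSIX packages installed on a Windows host and reports which packaged desktop apps declare the AppContainer trust level that Win32 app isolation relies on, along with the capabilities each manifest requests. It assumes the standard AppxManifest.xml schema namespaces (foundation, uap10, rescap) and that the uap10 TrustLevel/RuntimeBehavior attributes are what mark an isolated desktop app.

```powershell
# Added example, not from the post: list installed MSIX packages and show which
# desktop apps declare the AppContainer trust level that Win32 app isolation uses,
# plus the capabilities each one requests. Assumes the standard AppxManifest.xml
# schema namespaces and a Windows host with packages installed.

$ns = @{
    m      = 'http://schemas.microsoft.com/appx/manifest/foundation/windows10'
    uap10  = 'http://schemas.microsoft.com/appx/manifest/uap/windows10/10'
    rescap = 'http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities'
}

function Get-Win32IsolationReport {
    foreach ($pkg in Get-AppxPackage) {
        # Frameworks and staged packages may have no install location or an unreadable manifest.
        if (-not $pkg.InstallLocation) { continue }
        $manifestPath = Join-Path $pkg.InstallLocation 'AppxManifest.xml'
        $raw = Get-Content -LiteralPath $manifestPath -Raw -ErrorAction SilentlyContinue
        if (-not $raw) { continue }
        [xml]$manifest = $raw

        # Capabilities sit under <Capabilities>; the element may be Capability,
        # uap:Capability, rescap:Capability or DeviceCapability, all carrying a Name attribute.
        $caps = @(Select-Xml -Xml $manifest -Namespace $ns -XPath '//m:Capabilities/*' |
                  ForEach-Object { $_.Node.GetAttribute('Name') } | Sort-Object -Unique)

        foreach ($hit in Select-Xml -Xml $manifest -Namespace $ns -XPath '//m:Applications/m:Application') {
            $app      = $hit.Node
            $behavior = $app.GetAttribute('RuntimeBehavior', $ns.uap10)
            # Only classic desktop executables matter here; UWP apps are AppContainer by design.
            if ($behavior -notin @('win32App', 'packagedClassicApp')) { continue }
            [pscustomobject]@{
                Package      = $pkg.Name
                Application  = $app.GetAttribute('Id')
                Executable   = $app.GetAttribute('Executable')
                # TrustLevel=appContainer is what places the process inside the isolation boundary.
                Isolated     = ($app.GetAttribute('TrustLevel', $ns.uap10) -eq 'appContainer')
                # runFullTrust means the app runs with the user's full privileges instead.
                FullTrust    = ($caps -contains 'runFullTrust')
                Capabilities = ($caps -join ', ')
            }
        }
    }
}

Get-Win32IsolationReport | Sort-Object Isolated -Descending | Format-Table -AutoSize
```

Apps that show FullTrust = True and Isolated = False are the ones still running with the user's full privileges, which is where the migration to the isolated model pays off.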

In summary, Win32 app isolation combines privilege separation, isolation boundaries, and secure development practices to safeguard against attacks on third-party libraries, enhancing overall system security.
