Slashdot Mirror


Microsoft Announces Windows Sandbox, a Desktop Environment For Running Applications in Isolation (betanews.com)

Microsoft has officially unveiled "Windows Sandbox," a feature that was expected to be unveiled next year. Windows Sandbox, the company says, creates "an isolated, temporary desktop environment" where users can run potentially suspicious software. From a report: Windows Sandbox is an isolated desktop environment which functions much like a virtual machine; any software installed to it is completely sandboxed from the host operating system. Aimed at businesses, enterprises and security-conscious home users, Windows Sandbox will be part of Windows 10 Pro and Windows 10 Enterprise. It is not clear exactly when the feature will debut, but it could make an appearance in Windows 10 19H1 next year.

The company touts the following features of Windows Sandbox in a detailed blog post introducing the new feature:
Part of Windows -- everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
Pristine -- every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
Disposable -- nothing persists on the device; everything is discarded after you close the application.
Secure -- uses hardware-based virtualization for kernel isolation, which relies on Microsoft's hypervisor to run a separate kernel which isolates Windows Sandbox from the host.
Efficient -- uses integrated kernel scheduler, smart memory management, and virtual GPU.

59 of 116 comments

  1. Sandboxie by Anonymous Coward · · Score: 5, Informative

    Or use Sandboxie, which has been out for over a decade.

    https://www.sandboxie.com/

    1. Re: Sandboxie by TJHook3r · · Score: 1

      Good shout AC, Sandboxie is the same product, with almost the same name.

  2. The expected work-around.... by Anonymous Coward · · Score: 3, Insightful

    Of course "bad guys" will figure out some way to detect that they are running inside a pristine sand-box and behave differently, i.e., non-malicious. The user/tester runs that application, nothing bad happens, certifies that it is safe and releases it to the rest of the business population. Once it's out in the open the application acts maliciously and does its dirty work.

    1. Re:The expected work-around.... by ctilsie242 · · Score: 5, Informative

      This is already done. A lot of malware checks for drivers and won't run if it sees a VMware driver, 3 CPU cores, or an oddball amount of RAM. This is a good thing, in a way, if one uses VMs for partitioning tasks (for example QuickBooks goes into its own virtual machine, so it is isolated and protected from malware for the most part). You can also add encryption, either in the VM via BitLocker or store the VM files somewhere secure (VeraCrypt volume), to ensure better protection when the machine isn't in use.

      I'm hoping Microsoft starts moving more towards a QubesOS model.

    2. Re:The expected work-around.... by Seven+Spirals · · Score: 4, Interesting

      Your solution is a good one, but it's a lot of hassle. QubesOS has it all streamlined, but using paravirt with Xen is a bit of a misfit when I've used it. I'd rather see a solution built around LXC or OpenVZ. However, I guess there already are some efforts in this direction that have made progress. I suppose it's mostly a matter of preference in terms of what method to implement; the key is making sure no trace is left for the bad guys to follow.

    3. Re:The expected work-around.... by bill_mcgonigle · · Score: 1

      using paravirt with Xen is a bit of a misfit when I've used it

      Xen pvh2 is almost done, and should remove the last technical reasons to use paravirt.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:The expected work-around.... by Seven+Spirals · · Score: 1

      Sweet, that made me go refresh my Xen news buffer. Lots of cool developments and the near-arrival of pvh2 is definitely one of them.

    5. Re: The expected work-around.... by zaphirplane · · Score: 1

      There will be ways to detect the sandbox, the MS sandbox isn't a pristine installation, it's on top of your current system

  3. True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 4, Insightful

    I want every single tab I open to be like a baby finding itself in a brand new world every time. I want no cookies to cross reference (yes, I am willing to login every time). I wish for no resources available for Javascript trying to find clever ways to spy and screw with things outside of that "sandbox". I want that tab to feel like it's running on a computer that was just whisked into existence for that one task only. When I close that tab I want (at least on the local system) for it to be like that never happened. Don't leave cache files, ghost cookies, cookies, or alter the system in one single goddamn binary bit that can be tracked later on. I know "private browsing" claims to do a lot of these things, but then you find out later that it really doesn't or that there is some tracking. However, I gotta say, my current method works pretty well. I just keep a bookmarks file that I occasionally import/export when needed. Then I use 'srm' (secure rm) to wipe every file and directory that the browser altered when it was running (inside of a jail, usually). It's not that I have all kinds of stuff to hide, I just hate being spied on by automated "eyes".

    1. Re:True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 1

      Yeah, I'm sure low-level file and cross-tab Javascript security in all browsers are just a matter of learning hotkeys. Garsh, why didn't we all just ask you to fix the issue for us?

    2. Re:True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 1

      Years of watching various "sandboxing" fails has convinced me that you are probably right.

    3. Re:True browser sandboxing yet with this feature? by Opportunist · · Score: 3, Interesting

      Have you tried epic browser?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 1

      No, but it looks like they have the right idea. I'm just not on Windows very often but I will give it a shot sometime when I am. Thanks for the pointer. After years of just using NoScript and 'rm -rf ~/.mozilla' there has to be some kinda better way. However, my ability to trust a browser at this point will have to be after several test browsing sessions to see what turdlets it leaves afterwards when I examine the filesystem (and registry if it's Windows).

    5. Re:True browser sandboxing yet with this feature? by Provocateur · · Score: 2

      Years of watching Jurassic Park and I almost forgot the name Ian Malcolm, who is quite astute.

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    6. Re:True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 1

      Years of watching Jurassic Park and I still love Silicon Graphics (it's a Crimson they have there - I have a Tezro and 3 other SGIs), the Mac Quadra 700 (I have two of them), and Thinking Machines supercomputers (hehe, I don't own one of these!). I love that freakin' movie.

    7. Re:True browser sandboxing yet with this feature? by Blue+Stone · · Score: 2

      Installed and tried it.

      Tested one website to try it out and it broke the website quite comprehensively, with no way to get it to work (no plugins I could disable, no scripts or permissions I could grant to get it to work, as I do when using Firefox with uBlock and uMatrix).

      It also inserts 'epicupdater' into my startup without permission, which I DO NOT like.

      That's just my first impression. Not *that* great.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    8. Re:True browser sandboxing yet with this feature? by fahrbot-bot · · Score: 1

      I want every single tab I open to be like a baby finding itself in a brand new world every time.

      So... crying, covered in blood and mucus... What freakin' browser are you running?

      --
      It must have been something you assimilated. . . .
    9. Re:True browser sandboxing yet with this feature? by dargaud · · Score: 1

      Browser fingerprinting techniques can still identify you this way.

      --
      Non-Linux Penguins ?
    10. Re:True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 1

      If the sandboxed processes scream and thrash while covered in goo, that'll just add to my satisfaction that they've been shown their proper place in the world. :-)

    11. Re:True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 1

      You're right. However, doing something feels better than just lying down and letting the big-brother corporate feudal lords just monetize my existence at every opportunity. IMO, "Defense-in-Depth" still applies to an individual trying to be left alone, even if their countermeasures aren't 100% effective and they aren't sitting in a missile control silo.

    12. Re:True browser sandboxing yet with this feature? by jimbo · · Score: 1

      Firefox with Temporary Containers add-on takes you quite far in that direction. Each tab is a new container and all data, except bookmarks, is wiped after closing the tab.

    13. Re:True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 1

      I haven't tried that one. Just NoScript, Ghostery, and a few others. It sounds promising. I'll give it a shot.

    14. Re:True browser sandboxing yet with this feature? by Blue+Stone · · Score: 1

      Well shit. Google altered the deal, eh? Damn.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  4. Jailbreak by Scutter · · Score: 4, Insightful

    I'm putting money on "under 24 hours" before the first proof-of-concept malware is written that can escape the sandbox, followed by years of bug-fixing whack-a-mole before this is anywhere close to secure.

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    1. Re:Jailbreak by pgmrdlm · · Score: 1

      This type of technology has been around for a long time. I used to use Sandboxie. Where we are working, we are using a solution like this to isolate all Java applications. This is not anything new other than Microsoft is finally offering it.

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    2. Re:Jailbreak by bobbied · · Score: 1

      I'm putting money on "under 24 hours" before the first proof-of-concept malware is written that can escape the sandbox, followed by years of bug-fixing whack-a-mole before this is anywhere close to secure.

      But... Edge is faster! Just ask us, or read all the popup ads we send you with every OS update.

      Seriously, ANY operating system software plays whack-a-mole with security holes. MS isn't any exception.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Jailbreak by ctilsie242 · · Score: 2

      Even if someone does break it, I applaud Microsoft for having this in the first place. Running a Web browser in a VM, sandbox, or isolated environment, where it has no access to documents is a step forward.

    4. Re: Jailbreak by eneville · · Score: 1

      Been ctrl-alt-f2'ing to another user to browse for a while. Nothing new in multiuser os, just a lot less of an issue in one.

  5. telemetry by Sperbels · · Score: 1

    nothing persists

    Except the telemetry sent back to MS.

  6. Pristine by blavallee · · Score: 2

    Clean as a brand-new installation of Windows.
    I'm sure it will include all the annoying notifications!

    1. Re:Pristine by MagicM · · Score: 4, Funny

      And Candy Crush!

    2. Re:Pristine by Opportunist · · Score: 2

      With all telemetry turned back on that you painstakingly ripped out, using various third party tools and registry hacks.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. great in theory by fred6666 · · Score: 2

    but in practice, let's say you need to open a file, how does it work? And then save it? Will they allow SMB file transfers between the host and the sandbox? Couldn't viruses spread this way?

    1. Re:great in theory by thepigwanker · · Score: 1

      If this is based on Hyper-V, then probably something like enabling the Guest Service so you can use PS Direct (i.e. not SMB).

    2. Re:great in theory by fred6666 · · Score: 1

      But how good is the sandbox if the application can access all your files?
      It can still mine bitcoins and waste your CPU/GPU.
      It can still send all your files to some scammers and then encrypt your local copy.
      The only thing is that it won't have admin rights so it won't be able to delete the OS or mess with other users' files. Just like any non-sandboxed application, isn't it?

    3. Re:great in theory by Seven+Spirals · · Score: 1

      Exactly. Put in a "backdoor" (à la VMware tools, memory balloon drivers, or other such stuff that can talk to the host-side) and sooner or later someone will find a way to escape. Virtual machines can be cool and useful but there can be situations where they complicate the security threats you face versus bare metal. Spectre, Meltdown, and lots of side-channel low level CPU flaws have shown us that it's at least possible. If it's possible, then there is always the threat of a really nasty exploit giving folks the ability to pwn the host machine or alter and/or read info/data/files in another VM. You also make the point about Bitcoin mining. There's a new threat that is somewhat resistant to traditional security measures. Sandboxing doesn't really have a well-cured answer there, either.

  8. Obligatory xkcd by aitikin · · Score: 5, Funny
    --
    "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    1. Re:Obligatory xkcd by jfdavis668 · · Score: 1

      Yes! All our problems started when we let computers communicate with each other.

    2. Re:Obligatory xkcd by aitikin · · Score: 1

      It's relatively new. Latest is 2087 and this one is 2044.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  9. Truth in advertising by gtall · · Score: 1

    If this were really a Windows Sandbox, we could stick Windows in it and be so much safer. I don't think they are shooting high enough here.

  10. How much overhead and virtual GPU? by Joe_Dragon · · Score: 2

    On the virtual GPU, is it based on your card? Or is it some low end basic card?

    1. Re:How much overhead and virtual GPU? by dissy · · Score: 1

      On the virtual GPU, is it based on your card? Or is it some low end basic card?

      The Windows Kernel Internals descriptions say that 'windows sandbox' is put on top of the previous 'windows containers' software, which basically uses Hyper-V.
      With virtualization options enabled in the CPU, it uses "RemoteFX vGPU"

      I didn't know what RemoteFX was but there was a reference link to here:
      https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-remotefx-vgpu

      From the description this is the same virtual GPU sharing used in the remote application part of remote desktop.

      I'm not sure how similar it works behind the scenes, but vGPU with Hyper-V actually seemed to be designed in a sane way.
      So you know how Intel CPUs have VT-d instructions in them? Nvidia cards have something similar called vPC (GTX series) or vDWS (Quadro series)

      Hyper-V uses that to virtualize all the GPU processing cores, and it can partition video ram.

      So it all depends on your hardware really. Most people using or playing with Hyper-V tend to spec out the hardware it runs on at the server level specifically for running VMs.
      I guess if you put this sandbox feature on a high end gaming rig level PC hardware it should be near native speed.
      If you put it on a 6 year old laptop with a non-VT Core i3 and on-board Intel graphics though, everything GPU related will be done in software and likely be super crap.

    2. Re:How much overhead and virtual GPU? by dissy · · Score: 1

      It's interesting you say that as from everything I've read, vPC is part of Nvidia GRID which is specifically different hardware than consumer GTX cards. Do you have anything pointing to some examples of consumer GTX cards actually having vPC support?

      Actually no, and now quite the opposite. I stand corrected.

      I misread the Nvidia page listing of cards with vGPU support. What it actually says is:
      "NVIDIA Virtual GPU software runs on NVIDIA Tesla GPU based on the NVIDIA Volta, NVIDIA Pascal and NVIDIA Maxwell GPU architectures."

      I read that as a list of 4 separate architectures, instead of Tesla GPUs specifically on one of those 3.
      That combined with knowing the GTX 1080 uses the Pascal arch, presumed it was included.

      Sorry about that.

  11. I used to do this on Abandonware sites by rsilvergun · · Score: 1

    with dodgy adverts on them. I'd run a Linux VM to browse them. Most of my fav abandonware sites started hosting warez though and got shut down (snesorama, I miss you, your beloved community found me a full version of X-Tom 3D, which I wasn't even convinced existed).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  12. Re:Getting Close by Seven+Spirals · · Score: 4, Interesting

    The thing that stands out as being most effective in that bevy of countermeasures is NoScript. It's amazing how willing folks are to run un-trusted code from people with strong motivation to track and monetize you. You've just described what I do already, now. The only difference is that, in addition to the measures you describe, I have a script that removes the entire ~/.mozilla directory and then re-creates it from a minimal backup that just restores my bookmarks and the aforementioned security plugins. I had to go that far because I was still finding turdlets even after all that. It's frustrating that even the efforts at sandboxing I've seen so far aren't as complete as this pseudo-manual "browsing rig" we are doing now.
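    The "browsing rig" described in this post and in the earlier posts (wipe the profile directory, restore bookmarks and plugins from a minimal backup, then inspect the filesystem for leftovers) as an added POSIX shell example; this is not the poster's script, and the profile layout, file names and the tarball format of the baseline are constructed assumptions for the demo.

    ```shell
    #!/bin/sh
    # Added example: reset a browser profile to a minimal baseline and report what a
    # session left behind. Profile path and baseline tarball are caller-supplied.
    set -eu

    # snapshot_tree DIR OUT
    # Write one "crc size ./path" line per regular file under DIR (cksum is POSIX),
    # sorted with a fixed collation so two snapshots can be compared with comm(1).
    # Paths containing spaces are not handled.
    snapshot_tree() {
      dir=$1; out=$2
      ( cd "$dir" && find . -type f -print | LC_ALL=C sort |
          while IFS= read -r f; do cksum "$f"; done ) | LC_ALL=C sort > "$out"
    }

    # leftovers BASELINE_SNAPSHOT DIR
    # Print paths present in DIR whose "crc size path" line is absent from the
    # baseline snapshot: new files and modified files. Files deleted since the
    # baseline are not reported.
    leftovers() {
      base=$1; dir=$2; cur=$(mktemp)
      snapshot_tree "$dir" "$cur"
      comm -13 "$base" "$cur" | cut -d' ' -f3- | LC_ALL=C sort
      rm -f "$cur"
    }

    # reset_profile PROFILE_DIR BASELINE_TAR
    # Remove the whole profile and unpack the minimal baseline (bookmarks, plugin
    # list) into a fresh directory, so every session starts from the same state.
    reset_profile() {
      profile=$1; tarball=$2
      [ -n "$profile" ] || return 1
      rm -rf -- "$profile"
      mkdir -p -- "$profile"
      tar -xf "$tarball" -C "$profile"
    }

    # Demo on a constructed profile under a temp dir; no real ~/.mozilla is touched.
    demo() {
      work=$(mktemp -d)
      mkdir -p "$work/baseline/extensions"
      printf '{"bookmarks":[]}\n' > "$work/baseline/bookmarks.json"
      printf 'noscript\n' > "$work/baseline/extensions/list.txt"
      tar -cf "$work/baseline.tar" -C "$work/baseline" .
      reset_profile "$work/profile" "$work/baseline.tar"
      snapshot_tree "$work/profile" "$work/baseline.snap"
      # Simulated browsing session: a cache entry and a cookie jar appear.
      mkdir -p "$work/profile/cache2"
      printf 'blob\n' > "$work/profile/cache2/entry"
      printf 'tracker=1\n' > "$work/profile/cookies.sqlite"
      echo "Files left behind by the session:"
      leftovers "$work/baseline.snap" "$work/profile"
      rm -rf "$work"
    }

    demo
    ```
    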

  13. Can I run windows in the sandbox? by AmazingRuss · · Score: 2

    I'd feel a lot safer...

    1. Re:Can I run windows in the sandbox? by thegarbz · · Score: 1

      Don't you already run it in a sandbox known as your computer? Or are you playing in the cloud?

  14. They just invented chroot and containers! by aglider · · Score: 2, Insightful

    Cool!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:They just invented chroot and containers! by thegarbz · · Score: 1

      Nice modpoint whoring and playing the crowd, but no. They haven't done that even remotely. Try again but this time make a reference to KVM.

  15. My cat by PPH · · Score: 2

    ... thanks you.

    --
    Have gnu, will travel.
  16. How this is different than a regular VM by darkwing_bmf · · Score: 1
    From Microsoft:

    Integrated kernel scheduler - With ordinary virtual machines, Microsoft's hypervisor controls the scheduling of the virtual processors running in the VMs. However, for Windows Sandbox we use a new technology called "integrated scheduler" which allows the host to decide when the sandbox runs. For Windows Sandbox we employ a unique scheduling policy that allows the virtual processors of the sandbox to be scheduled in the same way as threads would be scheduled for a process. High-priority tasks on the host can preempt less important work in the sandbox. The benefit of using the integrated scheduler is that the host manages Windows Sandbox as a process rather than a virtual machine which results in a much more responsive host, similar to Linux KVM. The whole goal here is to treat the Sandbox like an app but with the security guarantees of a Virtual Machine.

  17. VMWare by darkain · · Score: 2

    "uses hardware-based virtualization for kernel isolation, which relies on the Microsoft's hypervisor" Hyper-V and VMware Workstation cannot operate on the same Windows box. This is another case of Microsoft bundling software that forces out competition. As someone in a full VMware environment, features like this scare me. I don't want to have to hack my Windows just to keep my current tool set operational.

  18. "Pristine" by ilsaloving · · Score: 1

    every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.

    So it's going to preinstall a whole bunch of crap (Candy Crush Saga, Solitaire Collection, Photoshop Elements, etc) I didn't ask for or want?

    A brand new install of Windows 10 is about as pristine as a snow pile in a dog park.

  19. Re:Getting Close by thegarbz · · Score: 1

    It's amazing how willing folks are to run un-trusted code from people with strong motivation to track and monetize you.

    Why is it amazing given the level of actual personal risk people face on common websites as a result of tracking? The direct impact to people's lives by corporations hoovering up their data can be likened to dying in a terrorist attack. There are literally billions of people whose data has been harvested and who are being tracked yet the vast majority don't care precisely because nearly everyone has been completely unaffected by it.

    Now breaking the web by micromanaging scripts on the other hand *that* affects people. Can I interest you in my 100% proven terrorist preventing pet rock? It will prevent terrorists but you need to water it twice a day and sing it a lullaby or it doesn't work.

  20. Re:Getting Close by Seven+Spirals · · Score: 1

    Hey, if you or others want to be involuntary Bitcoin miners, unwitting DDoS zombies, or a test-bed for CPU flaws, go ahead. You're right about one thing though: that won't be amazing, it'll just be normal behavior. People do it all the time. Your comment on breaking the web also makes you sound like a jQuery/Angular/Axios developer. As if nobody has the "right" to view a website with JavaScript turned off.

  21. Virtual machines with live migration very often by Joe_Dragon · · Score: 1

    Virtual machines with live migration very often may help cut that down.

    1. Re:Virtual machines with live migration very often by Seven+Spirals · · Score: 1

      Well, I know VMware guests which are going to use "vMotion" to migrate between machines with similar CPUs often will "dumb down" the instruction set to whatever they have in common. Are you saying that process or something like it is mitigating things like Spectre? I haven't heard that before, but I suppose it's possible. Since VMware virtualization is a layer between the OS and the CPU, I suppose it's possible to use that to your advantage.

  22. Re:Getting Close by iMadeGhostzilla · · Score: 1

    I only run NoScript browsers outside of Sandboxie (with a handful of URLs whitelisted). Email, banking etc. Everything else that would be OK if hacked I browse inside Sandboxie. Bit of a hassle sometimes (copy link from email in no-sandbox browser, paste into sandboxed browser), but worth the additional peace of mind.

  23. default by sad_ · · Score: 1

    they should use this as the default option to run any windows application, and make it a special option to NOT run in a sandbox.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.