Slashdot Mirror


Microsoft Announces Windows Sandbox, a Desktop Environment For Running Applications in Isolation (betanews.com)

Microsoft has officially unveiled "Windows Sandbox," a feature that was expected to be unveiled next year. Windows Sandbox, the company says, creates "an isolated, temporary desktop environment" where users can run potentially suspicious software. From a report: Windows Sandbox is an isolated desktop environment which functions much like a virtual machine; any software installed to it is completely sandboxed from the host operating system. Aimed at businesses, enterprises and security-conscious home users, Windows Sandbox will be part of Windows 10 Pro and Windows 10 Enterprise. It is not clear exactly when the feature will debut, but it could make an appearance in Windows 10 19H1 next year.

The company touts the following features of Windows Sandbox in a detailed blog post introducing the new feature:
Part of Windows -- everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
Pristine -- every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
Disposable -- nothing persists on the device; everything is discarded after you close the application.
Secure -- uses hardware-based virtualization for kernel isolation, which relies on the Microsoft's hypervisor to run a separate kernel which isolates Windows Sandbox from the host.
Efficient -- uses integrated kernel scheduler, smart memory management, and virtual GPU.

21 of 116 comments

  1. Sandboxie by Anonymous Coward · · Score: 5, Informative

    Or use Sandboxie, which has been out for over a decade.

    https://www.sandboxie.com/

  2. The expected work-around.... by Anonymous Coward · · Score: 3, Insightful

    Of course "bad guys" will figure out some way to detect that they are running inside a pristine sandbox and behave differently, i.e., non-malicious. The user/tester runs that application, nothing bad happens, certifies that it is safe and releases it to the rest of the business population. Once it's out in the open the application acts maliciously and does its dirty work.

    1. Re:The expected work-around.... by ctilsie242 · · Score: 5, Informative

      This is already done. A lot of malware checks for drivers and won't run if it sees a VMware driver, 3 CPU cores, or an oddball amount of RAM. This is a good thing, in a way, if one uses VMs for partitioning tasks (for example QuickBooks goes into its own virtual machine, so it is isolated and protected from malware for the most part). You can also add encryption, either in the VM via BitLocker or by storing the VM files somewhere secure (VeraCrypt volume), to ensure better protection when the machine isn't in use.

      I'm hoping Microsoft starts moving more towards a QubesOS model.

    2. Re:The expected work-around.... by Seven+Spirals · · Score: 4, Interesting

      Your solution is a good one, but it's a lot of hassle. QubesOS has it all streamlined, but using paravirt with Xen is a bit of a misfit when I've used it. I'd rather see a solution built around LXC or OpenVZ. However, I guess there already are some efforts in this direction that have made progress. I suppose it's mostly a matter of preference in terms of what method to implement. The key is making sure no trace is left for the bad guys to follow.

  3. True browser sandboxing yet with this feature? by Seven+Spirals · · Score: 4, Insightful

    I want every single tab I open to be like a baby finding itself in a brand new world every time. I want no cookies to cross reference (yes, I am willing to login every time). I wish for no resources available for Javascript trying to find clever ways to spy and screw with things outside of that "sandbox". I want that tab to feel like it's running on a computer that was just whisked into existence for that one task only. When I close that tab I want (at least on the local system) for it to be like that never happened. Don't leave cache files, ghost cookies, cookies, or alter the system in one single goddamn binary bit that can be tracked later on. I know "private browsing" claims to do a lot of these things, but then you find out later that it really doesn't or that there is some tracking. However, I gotta say, my current method works pretty well. I just keep a bookmarks file that I occasionally import/export when needed. Then I use 'srm' (secure rm) to wipe every file and directory that the browser altered when it was running (inside of a jail, usually). It's not that I have all kinds of stuff to hide, I just hate being spied on by automated "eyes".

    1. Re:True browser sandboxing yet with this feature? by Opportunist · · Score: 3, Interesting

      Have you tried epic browser?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:True browser sandboxing yet with this feature? by Provocateur · · Score: 2

      Years of watching Jurassic Park and I almost forgot the name Ian Malcolm, who is quite astute.

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    3. Re:True browser sandboxing yet with this feature? by Blue+Stone · · Score: 2

      Installed and tried it.

      Tested one website to try it out and it broke the website quite comprehensively, with no way to get it to work (no plugins I could disable, no scripts or permissions I could grant to get it to work, as I do when using Firefox with uBlock and uMatrix).

      It also inserts 'epicupdater' into my startup without permission, which I DO NOT like.

      That's just my first impression. Not *that* great.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  4. Jailbreak by Scutter · · Score: 4, Insightful

    I'm putting money on "under 24 hours" before the first proof-of-concept malware is written that can escape the sandbox, followed by years of bug-fixing whack-a-mole before this is anywhere close to secure.

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    1. Re:Jailbreak by ctilsie242 · · Score: 2

      Even if someone does break it, I applaud Microsoft for having this in the first place. Running a Web browser in a VM, sandbox, or isolated environment, where it has no access to documents is a step forward.

  5. Pristine by blavallee · · Score: 2

    Clean as a brand-new installation of Windows.
    I'm sure it will include all the annoying notifications!

    1. Re:Pristine by MagicM · · Score: 4, Funny

      And Candy Crush!

    2. Re:Pristine by Opportunist · · Score: 2

      With all telemetry turned back on that you painstakingly ripped out, using various third party tools and registry hacks.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. great in theory by fred6666 · · Score: 2

    but in practice, let's say you need to open a file, how does it work? And then save it? Will they allow SMB file transfers between the host and the sandbox? Couldn't viruses spread this way?

  7. Obligatory xkcd by aitikin · · Score: 5, Funny
    --
    "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  8. How much overhead and virtual GPU? by Joe_Dragon · · Score: 2

    On the virtual GPU, is it based on your card? Or is it some low-end basic card?

  9. Re:Getting Close by Seven+Spirals · · Score: 4, Interesting

    The thing that stands out as being most effective in that bevy of countermeasures is NoScript. It's amazing how willing folks are to run untrusted code from people with strong motivation to track and monetize you. You've just described what I do already, now. The only difference is that, in addition to the measures you describe, I have a script that removes the entire ~/.mozilla directory and then re-creates it from a minimal backup that just restores my bookmarks and the aforementioned security plugins. I had to go that far because I was still finding turdlets even after all that. It's frustrating that even the efforts at sandboxing I've seen so far aren't as complete as this pseudo-manual "browsing rig" we are doing now.

  10. Can I run windows in the sandbox? by AmazingRuss · · Score: 2

    I'd feel a lot safer...

  11. They just invented chroot and containers! by aglider · · Score: 2, Insightful

    Cool!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  12. My cat by PPH · · Score: 2

    ... thanks you.

    --
    Have gnu, will travel.
  13. VMware by darkain · · Score: 2

    "uses hardware-based virtualization for kernel isolation, which relies on the Microsoft's hypervisor" Hyper-V and VMware Workstation cannot operate on the same Windows box. This is another case of Microsoft bundling software that forces out competition. As someone in a full VMware environment, features like this scare me. I don't want to have to hack my Windows just to keep my current tool set operational.