Windows 8 App Container Security Notes

Discussion in 'other software & services' started by Hungry Man, Mar 28, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://recxltd.blogspot.co.uk/2012/03/windows-8-app-container-security-notes.html

    App Container is a new sandbox for Windows 8. It's very impressive, seemingly adding much more finely grained controls to the sandbox.

    If it works how I hope it does Windows will finally have a strong sandbox.

     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    If I understand this correctly, browsers such as Firefox and Opera can use this for sandboxing, which means not setting aside development time/resources to develop one themselves has paid off.

    This is going to be a BIG boon for privacy, AppContainer alone is shaping up to be enough reason for me to use Windows 8! It sounds like permanent InPrivate (incognito) mode!
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Will it only be available for Metro-style applications... or, because all Metro-style apps run in AppContainers there simply isn't much documentation, as stated?

    Considering EPM is only available for Internet Explorer Metro version, then it means the Desktop version will have no AppContainer? Why not?

    There's also something that's confusing me as well. Microsoft's blog article says "On Windows 7 and Windows Server 2008 R2, AppContainer does not exist, so EPM only enables 64bit tabs on a 64bit OS. (That also means that enabling EPM on a 32bit Windows 7 system doesn’t do anything, because a 32bit Windows 7 system supports neither 64bit nor AppContainer)."

    Is this a choice? Is it simply a limitation or they simply don't want to support 32bit? According to the image I've attached, Process Explorer reveals Chromium running @ an explicit low integrity level (applied by me) and the renderer processes/tabs as AppContainer, which is more restricted than low.

    I'm asking because of the following:
     


  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    If it's available for desktop IE, why wouldn't it be available for (at least) other browsers?

    m00n, did you read the blog? :D EPM is available for the desktop version, you just need to turn it on. Half the blog is practically describing the use of AppContainer on desktop IE's tabs and the benefits of doing so.

    Most enhancements that EPM brings are dependent on 64bit, e.g. improved ASLR having access to more maps. So yes, it's a limitation.


    Uhm, a display bug? No idea why it's recognized as AppContainer :s
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I was actually wondering if it was available for Internet Explorer Desktop Mode. Not if it was going to be available for other web browsers. :)

    I suppose I got initially confused by all that Metro-style apps running in AppContainers talk, which led me to wonder if it was going to be working for Internet Explorer Desktop Mode as well. Although, it does come disabled by default.

    That's actually what I don't understand. Why not enabled by default in Internet Explorer Desktop Mode as well?

    Well, ASLR is independent of Integrity Levels (including AppContainer)/Integrity levels (AppContainer) are independent of ASLR, so saying it's a limitation due to ASLR is not valid, IMHO.

    My guess is as good as yours, but the AppContainer is practically a more restricted low integrity level. It's simply using NoReadUp and NoWriteUp (unless I'm wrong o_O), something already present in Windows MIC.

    But, there's also another confusing part (to me, anyway) in the blog:

    "By default, Desktop IE’s tabs run in the Low Integrity Protected Mode at 32bit. Only if you enable Enhanced Protected Mode using the Internet Options control panel will Desktop IE’s tabs run in AppContainer (and 64bit, if available)."

    I actually missed this part before, otherwise I'd have my answer to EPM running in Desktop Mode as well. :D Anyway, according to that paragraph, in Desktop Mode, tabs will run by default @ low integrity level, but if the user enables EPM, then it will run in AppContainer (and 64bit, if available)...

    So... does it or does it not (AppContainer) work in 32bit? o_O I'm finding the "and 64bit, if available" a bit confusing. :doubt:
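
The NoReadUp and NoWriteUp checks of Windows mandatory integrity control (MIC) mentioned in the post above, modelled as an added example that is not part of the thread. The function names and the SDDL strings are constructed for illustration, and the model covers only the integrity check, not the DACL or anything AppContainer adds on top of it.

```python
import re

# SDDL aliases for mandatory-label SIDs -> RID of S-1-16-<RID>
LEVEL_RID = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
# Policy flags in a label ACE: NoWriteUp, NoReadUp, NoExecuteUp
POLICY = {"NW": "write", "NR": "read", "NX": "execute"}
# An object without a label ACE is treated as Medium with NoWriteUp
DEFAULT_LABEL = (LEVEL_RID["ME"], {"write"})

# (ML;<flags>;<policy>;;;<level>) inside the SACL part of an SDDL string
ML_ACE = re.compile(r"\(ML;[^;]*;((?:NW|NR|NX)*);;;(LW|ME|HI|SI)\)")


def parse_label(sddl):
    """Return (object integrity RID, set of access kinds blocked from below)."""
    m = ML_ACE.search(sddl)
    if m is None:
        return DEFAULT_LABEL
    policy, level = m.groups()
    blocked = {POLICY[policy[i:i + 2]] for i in range(0, len(policy), 2)}
    return LEVEL_RID[level], blocked


def mic_allows(subject_rid, sddl, access):
    """MIC only ever denies: a pass here still has to pass the DACL check."""
    object_rid, blocked = parse_label(sddl)
    if subject_rid >= object_rid:      # same or higher level: no "up" access
        return True
    return access not in blocked       # lower level: policy flags decide


# Constructed sample descriptors (hypothetical objects, not from the thread)
SAMPLES = {
    "low-labelled folder": "D:(A;;FA;;;WD)S:(ML;OICI;NW;;;LW)",
    "unlabelled user file": "D:(A;;FA;;;WD)",
    "medium process object": "S:(ML;;NWNR;;;ME)",
}


def demo(subject_rid=LEVEL_RID["LW"]):
    """Evaluate read and write for a Low-integrity subject on each sample."""
    return {name: {a: mic_allows(subject_rid, sddl, a) for a in ("read", "write")}
            for name, sddl in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```
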
     
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Does AppContainer work on 32bit? I can confidently say yes, otherwise, how would there be a 32bit Windows with Metro support? :) Metro apps would need to run in a 32bit AppContainer.

    I think you're confusing it a bit with EPM. EPM uses AppContainer as an additional layer, however, AppContainer doesn't use/need EPM, because that's an IE feature.

    No idea how to explain it better. The improved ASLR requires more memory maps that only 64bit systems can provide. I believe the same holds true for some of the other "beefed up" anti exploit technologies that are applied by EPM.
     
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I decided to dive into EPM and test it, here is my experience/what I've noticed.

    I can browse ~80% of the websites I visit without plugins, so EPM works fine on them.

    For the sites that require flash, a little popunder appears at which point you can click "disable". What does this do? The average user will notice nothing, the page will "re-load" and will be side-by-side with your other tabs.

    In reality, that specific tab will be running in 32bit mode without EPM, alongside the 64bit tabs with EPM. IE appears to store some internal "whitelist" (not found where yet) of websites it should run in 32bit mode. So when you re-visit them, they are loaded in 32bit mode, and there is no popunder displayed.
    Basically if you "build your whitelist" by clicking disable on the sites that need flash, you can then browse peacefully without intervention, but at the same time, loading some of your websites with EPM and some without. A process that is completely invisible to the user.

    Basically if you imagine a browser with 10 tabs open, 5 might be protected by EPM and 5 might not (because they have flash loaded). You wouldn't really know which was which. I can live with this for now as you only need to "build the whitelist" once, so it is much more useable than I originally anticipated. But obviously (ideally) I'm hoping for the next flash beta to support EPM.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    According to the article, the user does need to enable EPM to enable AppContainer for the tabs.

    "Only if you enable Enhanced Protected Mode using the Internet Options control panel will Desktop IE’s tabs run in AppContainer..."

    Otherwise, they'll run @ low integrity level, by default. No AppContainer will be available to the tabs processes.

    So, how come you are saying it doesn't need EPM? All indicates that it needs. o_O The article says it so... without it, no AppContainer. So, even if they're independent from each other, they're tied to each other. So, it basically makes AppContainer dependent on EPM.

    Another confusion, and that's something that you're probably confused about, is that, part of the article, and that's something I already mentioned before, says "32bit Windows 7 system supports neither 64bit nor AppContainer".

    Of course, Windows 32bit doesn't support 64bit... But, it also mentions that 32bit won't support AppContainer either. So... how can you confidently say "yes, otherwise, how would there be a 32bit Windows with Metro support?" o_O

    Anyway, the article seems to have a few contradictions. First they say "32bit Windows 7 system supports neither 64bit nor AppContainer", but then they say "By default, Desktop IE’s tabs run in the Low Integrity Protected Mode at 32bit. Only if you enable Enhanced Protected Mode using the Internet Options control panel will Desktop IE’s tabs run in AppContainer (and 64bit, if available)"

    I mean, you're also confused about it... I am confused about it as well. :argh:

    OK. For the EPM itself, as a whole, what you're saying makes sense. Although, my aim is AppContainer. :)
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    Just to add that I previously thought they were mentioning Windows 8. They were mentioning Windows 7. I thought they were mentioning Windows 8. This about being or not enabled for 32bit.

    Anyway, and this was my initial wondering, I'm intrigued to understand why Chromium tabs, on Windows 7 32bit, are running as AppContainer. :D

    I'll need to dig further. Maybe it's a bug or not with Process Explorer... I'll see if I can find more.
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I think we are seriously crossing our conversations together and confusing each other.

    Tabs? I was talking about AppContainer full stop, not IE. I thought that was what you were asking. AppContainer has nothing to do with IE, it's just used by IE.

    All perfectly true. Here's my guess: Because EPM mixes together both AppContainer and the 64bit anti exploit technologies. On a 64bit system, only a 64bit version of AppContainer exists, so when running 32bit IE, AppContainer can't be used (doesn't exist). On a 32bit system, only a 32bit version of AppContainer exists, but no 64bit anti exploit technologies, so EPM again can't be used. This is why EPM will only run on 64bit mode. Keep in mind, this is complete assumption.

    My other guess is that the 32bit version of Windows has a vastly different AppContainer which doesn't have the 64bit protections directly built into it.

    I was trying to separate AppContainer completely. For example, a metro app running in an AppContainer would not "run in EPM". I was speaking purely in general and not in specific towards IE.

    That sentence is worded badly, it means no version of Windows 7 supports AppContainer (how could it? It's brand new to Windows 8), the architecture doesn't matter at all.


    FYI, Re: my previous post about IE EPM, a picture paints a thousand words:
    ie10.png
    This shows how the standard tabs (LOW IL) and EPM tabs (AppContainer) run side-by-side.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's probably not for 32bit because people shouldn't be using 32bit anymore - especially if they're looking for security.

    Perhaps the lack of actual ASLR would defeat the sandbox easily? Maybe there is overhead that they feel is only worth taking for 64bit? Maybe they just don't care to support 32bit anymore as much as 64bit?

    No idea. I'd be fine if they did it just to get people to upgrade frankly.

    KPP is 64bit too.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Personally, I got nothing against 64bit. If I had such a machine, I'd run 64bit. My laptop is x86, though. It's still kicking... :D I'm actually going to upgrade the HDD (placing a 250GB) and place 4GB of memory. :D This should give it more power. I only got 2GB of memory and 60GB HDD. :D (It's a kinda old laptop... but robust... :argh: )

    It runs light and fast, but I want to work with virtual machines. Not heavy stuff... but the system needs more "juice". lol
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, unfortunately upgrading costs money. I saved for ages before I could buy my (64bit compatible) computer.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That sounds more than adequate to me for a laptop to be honest (considering what laptops are used for), it should easily last you a few more years. Though I personally wouldn't use money on upgrading it knowing it has a 32bit CPU.

    You know sometimes I wish I could buy lower spec laptops if it knocked off more from the cost. I feel silly when a relative asks me to recommend a laptop and I'm trying to browse the limited choice available, of which most seem to have crazy 4GB RAM and 500GB HDD for someone who will... browse the internet. I think cheap Windows 8 tablets might be the perfect solution there. As of now the advice generally extends as far as "pick the color you want", because it's highly doubtful they'll find one with sub-par specs.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree, instead of upgrading the RAM (2GB is fine tbh and it's probably DDR2, which is in shorter supply) I would just save up for later. Even netbooks are 64bit now.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still don't know that much about it, but I've discovered the following.

    Process Explorer was upgraded on December 5, 2011, to support App Container. Source: -http://technet.microsoft.com/en-us/sysinternals/bb545021

    I don't remember when I started seeing AppContainer in Chromium's renderer processes, but it was practically around that time... maybe a bit later.

    I did find this Chromium issue page, where one developer mentions some bug in App Container... something tested in OS X only. I don't know what the heck they're talking about. But, I don't think this "app container" is the same I'm experiencing, though. lol Just thought of mentioning it as a reference.
    I can't find any other sources mentioning "app container" either.

    All I know is I see them in Process Explorer for Chromium processes. Process Explorer does not show them for Google Chrome - it shows them as Low. Or, it did in the previous version. I didn't check the recent one.

    This makes one scratch his head. lol
     
  17. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I'd be willing to bet it's a Process Explorer display bug, wouldn't be the first time.
     