Application Sandboxing in Windows 8

Oct 20, 2017
Author: Russell Smith, IT Consultant & Security MVP

At first sight, Windows 8 might not appear to offer much in the way of new security features. The press is largely focusing on the new Metro style interface and applications, which provide the biggest visual differentiator between Windows 8 and its predecessor. In this and upcoming blog posts, I want to pick out some changes that will impact security in Windows 8 and what we need to understand to work with the new security model.

Metro apps in Windows 8 are based on a new development environment, Windows Runtime, and applications are written in JavaScript (HTML5), C++, C# or VB.NET. Along with the new runtime come some low-level changes to improve application security. AppContainer is a new isolation method applied to Metro apps, which by default prevents them from reading and writing to most of the operating system, with the exception of the app’s own AppData folder.

Metro applications can make declarations in their application manifest file about which OS capabilities they need to access. There are 10 capabilities that applications can declare as required, including musicLibrary for access to a user’s Music folder and enterpriseAuthentication, which allows the app to impersonate the logged-in user when accessing network resources. More details about capabilities can be found here: http://msdn.microsoft.com/en-us/library/windows/apps/br211423.aspx. In addition to Metro apps, tabs in the desktop version of IE10 will also run in an AppContainer sandbox when Enhanced Protected Mode (EPM) is enabled.
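An added example, not part of the original post or of any Microsoft tooling: a Python script that reads an app manifest, lists the capabilities it declares, and flags the two this post names so they can be justified before deployment. The sample manifest, the NEEDS_REVIEW policy and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest for illustration; not taken from a real package.
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Identity Name="Example.MusicApp" Publisher="CN=Example" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="musicLibrary" />
    <Capability Name="enterpriseAuthentication" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
</Package>"""

# Assumed review policy for this example: capabilities an administrator wants
# justified before deployment, with the reason taken from the article's text.
NEEDS_REVIEW = {
    "musicLibrary": "access to the user's Music folder",
    "enterpriseAuthentication": "acts as the logged-in user on the network",
}

def _local(tag):
    """Strip the XML namespace so different manifest schema versions match."""
    return tag.rsplit("}", 1)[-1]

def declared_capabilities(manifest_xml):
    """Return (element kind, capability name) pairs declared in the manifest."""
    if "<!DOCTYPE" in manifest_xml.upper():
        # A manifest has no need for a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    found = []
    for section in root.iter():
        if _local(section.tag) == "Capabilities":
            found += [(_local(c.tag), c.get("Name")) for c in section if c.get("Name")]
    return found

def audit(manifest_xml):
    """Split declared capabilities into the full list and those needing review."""
    caps = declared_capabilities(manifest_xml)
    flagged = {n: NEEDS_REVIEW[n] for _, n in caps if n in NEEDS_REVIEW}
    return {"declared": [n for _, n in caps], "flagged": flagged}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("declared:", ", ".join(report["declared"]) or "(none: default sandbox only)")
    for name, why in report["flagged"].items():
        print(f"review {name}: {why}")
```

A manifest with no Capabilities element yields an empty list, which corresponds to the default sandbox described above: access to the app's own AppData folder only.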

AppContainer is implemented through a new integrity level in Windows 8, supported by some additional changes to the OS. The AppContainer integrity level blocks read and write access to objects marked with a higher integrity level. Vista and Windows 7 processes running with low integrity could read objects marked with medium or high integrity, but were prevented from modifying them.

In Windows 7, separate kernel namespaces for each user session allow applications to run without conflicts if more than one user is logged in. For instance, both UserA and UserB can start Microsoft Word in their respective desktop sessions. This is taken one step further in Windows 8, and processes with the AppContainer integrity level create named kernel objects in a separate namespace from the user session.

Unlike their unnamed counterparts, named kernel objects allow interprocess communication (IPC) in standard Windows desktop applications. The sandboxed environment provided by the AppContainer integrity level in Windows 8 will block interprocess communications, apart from some limited capabilities as described earlier.

All Metro apps use the AppContainer sandbox except IE10, which runs with medium integrity. On the Windows 8 desktop, the AppContainer integrity level is accessible, as IE10 tabs in EPM use it for sandboxing. So while it should be possible to run standard desktop applications in Windows 8 using the new sandbox, unless specifically designed to work with AppContainer, only the most basic of programs are likely to run without severely compromised functionality.
