zlacker

I'm very excited that Microsoft is moving in the same direction. The feature Windows Defender Application Guard (WDAG) runs Windows applications, right now only the Edge browser, in a virtualization isolated container[1]. Under the hood it's using what Microsoft calls "Hyper-V Containers", which are lightweight virtual machines that share some host resources such as a read-only filesystem. The closest open source analogues to that are Intel(R) Clear Containers[2] and Qubes.

The closest you can get to Qubes on Windows would be to follow Microsoft's Privileged Access Workstation (PAW) guide, but it requires a lot of additional infrastructure[3]. That infrastructure allows you to do remote attestation of the virtual machines, but makes it costly to deploy in a SMB or homelab environment.

I don't expect it'll be very long before PAW and WDAG are usable at the same time, with colored window borders indicating the origin virtual machine. I hope this is on Microsoft's roadmap.

Video on privileged access workstation use, starting at a demo: https://youtu.be/3v8yQz2GWZw?t=41m48s

Video on privileged access workstation setup: https://www.youtube.com/watch?v=aPhfRTLXk_k

[1] https://docs.microsoft.com/en-us/windows/threat-protection/w...

[2] https://clearlinux.org/features/intel®-clear-containers

[3] https://docs.microsoft.com/en-us/windows-server/identity/sec...

>>AaronF+(OP)
HP has virt isolation for Chromium & IE, via Xen derivative from Bromium: http://www8.hp.com/us/en/hp-news/press-release.html?id=24054...

>>AaronF+(OP)
https://cappsule.github.io/

It's unmaintained now, but it is basically the same idea as WDAG. Essentially similar to firejail but the container gets its own lightweight kernel and runs in a stripped down VM, so the attack surface is KVM, not all parts of the kernel that aren't firewalled off by SECCOMP.

>>AaronF+(OP)
> right now only the Edge browser

Did you know if you force remove Edge from Windows 10 it will forever after ignore the "always use this" checkbox and prompt you to choose your default browser every time the browser is called from a link in an application?

>>AaronF+(OP)
I'm only half-excited about this because I worry Microsoft has no intention to do either one of these:

1) Support anything other than Edge/its own apps

2) Allow the feature to be accessed by users of all Windows editions

I understand for now it's still experimental and whatnot, but I'm not getting my hopes up.

>>AaronF+(OP)
I think that "The closest you can get to Qubes on Windows" is what https://www.hysolate.com/ are building

>>michae+Ve
>Virtual Air Gap

lol. the whole point of an airgap is that you can very easily -at a glace- verify that the system is secure because there's no inputs/outputs to/from it (air gapped). trying to implement it using a hypervisor turns it into a buzzword.

>>gruez+Mf
Facts are lost in the world of marketing, all that matters is ctr and conversion. I wonder if we can do something about this?

>>gruez+Mf
It might no longer be as simple as at a glance in a world with ubiquitous wireless. You'd have to take special care to disable or disconnect all wireless chips in your system. And that might be hard for laptops and impossible in lower form factors.

>>Santos+Kt
Even without radios, there are lots of different ways to get data in and out of an airgapped system. Examples include everything from sound (especially ultrasonic beacons etc. as these are used for cellphone marketing today) to more esoteric stuff like flashing the LEDs in a specific pattern or even changing the cpu temperature to specific levels.

>>alasda+9v
Or how about the AM radio transmitter that is built into all x86 hardware - https://github.com/fulldecent/system-bus-radio

>>Pharao+fh
Make people care more about reason and logic than emotion when making product purchasing decisions? I don't think we'll get very far with that goal.