Edge browser will be placed in a virtual machine inside Windows 10
Above: a protected Edge process in a Hyper-V virtual machine under Windows 10; below: a regular Edge. Image: Microsoft
Yesterday at the Microsoft Ignite technical conference, the Redmond company announced a number of new software products and services for IT professionals. The most interesting among them is Windows Defender Application Guard, which will be rolled out in early 2017 with the next major update of Windows 10 Enterprise. Enterprise only: Microsoft decided that browser protection should work only in the corporate edition.
Windows Defender Application Guard is a special "protected" mode in which Edge processes run inside a virtual machine on top of the Hyper-V hypervisor.
Why do you need it?
The new Edge process protection builds on Virtualization Based Security (VBS), which Microsoft introduced in June.
VBS isolates critical data and processes from the rest of the system, so programs running in the unprotected part have no access to the confidential data held in the container. For example, Mimikatz, a tool for collecting password hashes, certificates and other useful information from a victim's machine, cannot simply reach the data inside the Credential Guard container on Windows 10, whereas on Windows 7 it works just fine.
Isolating Edge processes will make it harder for attackers to run an exploit delivered through the browser: they would first have to escape the virtual machine.
In fact, Edge processes already run in a relatively isolated sandbox with limited access to other resources in the system. Chrome runs its processes in a similar sandbox (it was the first browser to sandbox individual processes), as do other browsers. As practice shows, to escape the sandbox and execute code on the victim's computer, an attacker has to chain several exploits, sometimes including several 0-day vulnerabilities. But this is quite realistic, especially since new 0-day vulnerabilities in browsers, plugins and operating systems are found almost every day.
Windows Defender Application Guard will be a much more serious obstacle than the browser's own sandbox. From inside the virtual machine no other processes are visible, there is no access to the disk, installed applications or files, and, most importantly, no access to the host operating system kernel: the container runs its own kernel, so a kernel exploit that succeeds inside it still does not reach the host. What remains exposed is the hypervisor itself and the channel to the parent partition.
When a "protected" session is closed, the virtual machine is destroyed along with its cookies and any other data it accumulated, including anything an attacker managed to drop into it. From a security standpoint this is ideal; from a usability standpoint it means nothing persists between sessions.
Obviously a program running in a virtual environment will be slower than usual, but Microsoft has not yet provided any details on the overhead.
Hyper-V
Hyper-V hardware virtualization is available in Windows Server 2008, 2008 R2, 2012 and 2012 R2, and in the 64-bit Pro and Enterprise editions of the desktop Windows 8, 8.1 and 10.
In the Hyper-V architecture each hypervisor instance has a parent (root) partition that runs the host operating system and the virtualization stack. The parent partition then creates child partitions through the hypercall API that the hypervisor exposes; with nested virtualization enabled, a child partition can in turn host child partitions of its own.
Child partitions have no direct access to hardware. Instead they see a virtual view of the resources, the virtual devices, and every request to a virtual device is forwarded over the VMBus logical channel to the parent partition, which services it against the real hardware.
In the case of Windows Defender Application Guard, the virtual machine runs the Edge browser together with only those operating system components needed to start it.
Officially, Edge virtualization will only be available in Windows 10 Enterprise. Like other VBS features, it is managed by administrators through Group Policy.
Hyper-V also works in the 64-bit Pro editions of Windows 8, 8.1 and 10, so in theory nothing prevents running Edge under the hypervisor on Windows 10 Pro once that component is installed, but this configuration is not officially supported.
Hyper-V requires an x64 processor with hardware virtualization support (Intel VT-x or AMD-V) enabled in the firmware and, for client Hyper-V, second-level address translation (SLAT). That is, Edge in the new mode will not run on every computer.
Users should also be aware that once Hyper-V is installed, other hypervisors such as VMware Workstation or VirtualBox may no longer work, because Hyper-V takes ownership of the processor's virtualization extensions.
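The checks a practitioner would run before relying on any of this, for both the Credential Guard point above and the Hyper-V prerequisites just listed, as an added PowerShell example that is not from the article and not Microsoft's own tooling. It assumes a Windows 10 machine and an elevated prompt; the optional-feature name Windows-Defender-ApplicationGuard and the AppHVSI policy key are the names documented for later Windows 10 releases and are assumptions here, since the article predates the release.

```powershell
# Added example (not from the article, not Microsoft tooling): report whether this machine
# meets the Hyper-V / VBS prerequisites and whether Credential Guard and HVCI are running.
# Run from an elevated PowerShell prompt on Windows 10.

function Get-ApplicationGuardReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Hardware prerequisites (Win32_Processor exposes these on Windows 8 and later).
    # Caveat: once a hypervisor is already running, the root partition is itself
    # virtualized and both properties read False; rely on VbsStatus below in that case.
    $vtInFirmware = [bool]$cpu.VirtualizationFirmwareEnabled            # Intel VT-x / AMD-V enabled in BIOS/UEFI
    $slat         = [bool]$cpu.SecondLevelAddressTranslationExtensions   # EPT / RVI, required by client Hyper-V

    # Optional-feature state. The WDAG feature name is an assumption (see lead-in).
    $hyperv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
    $wdag   = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue

    # VBS state from the Device Guard WMI class.
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition                = $os.Caption
        Is64Bit                = ($os.OSArchitecture -like '64*')
        VirtualizationInFW     = $vtInFirmware
        SLAT                   = $slat
        HyperVFeature          = if ($hyperv) { [string]$hyperv.State } else { 'Unknown' }
        WDAGFeature            = if ($wdag)   { [string]$wdag.State }   else { 'Unknown' }
        VbsStatus              = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { -1 }
        CredentialGuardRunning = if ($dg) { [bool](1 -in $dg.SecurityServicesRunning) } else { $false }
        HvciRunning            = if ($dg) { [bool](2 -in $dg.SecurityServicesRunning) } else { $false }
    }
}

function Enable-ApplicationGuardForEdge {
    # Turns on the optional feature and the "Enterprise mode" policy; a reboot is required afterwards.
    $r = Get-ApplicationGuardReadiness
    if (-not $r.Is64Bit) { throw 'A 64-bit Windows installation is required.' }
    if ($r.VbsStatus -lt 1 -and -not ($r.VirtualizationInFW -and $r.SLAT)) {
        throw 'Enable Intel VT-x / AMD-V and SLAT in the firmware first.'
    }
    if ($r.Edition -notmatch 'Enterprise') {
        Write-Warning "Only Windows 10 Enterprise is officially supported; this is '$($r.Edition)'."
    }

    # Assumption: feature name as documented for the released version of Application Guard.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart | Out-Null

    # Assumption: registry-backed equivalent of the Group Policy setting
    # "Turn on Windows Defender Application Guard in Enterprise Mode" (value 1 = Edge only).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name 'AllowAppHVSI_ProviderSet' -Type DWord -Value 1
}

Get-ApplicationGuardReadiness | Format-List
```

CredentialGuardRunning is the field that matters for the Mimikatz comparison: only when it is True are the hashes and tickets held in the isolated container rather than in plain LSASS memory. Note that an already-running hypervisor masks the firmware flags, which is why the enable function accepts VbsStatus of 1 or 2 as proof that the hardware is capable even when VirtualizationInFW reads False.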
Microsoft does not provide an API for third-party applications to use this hypervisor-based isolation; so far the feature is reserved for Microsoft's own programs. Microsoft's browser thus gets a privileged position in Microsoft's operating system, and it would not be surprising if that attracted the interest of antitrust authorities.
Previously everyone installed Windows in its maximum configuration, even on home computers. Judging by Microsoft's latest moves, the "professional" edition is now inferior in functionality to the corporate one. Will home computers and laptops really need Windows 10 Enterprise in the future, at $7 per month per seat?