Microsoft unveils Windows Sandbox: Run any app in a disposable virtual machine

A few months ago, Microsoft released a forthcoming Windows 10 feature that was called InPrivate Desktop: a lightweight virtual machine for running untrusted applications in an isolated environment.

Windows 10 already uses virtual machines to enforce isolation between certain components and to protect the operating system. These VMs have been used in a few different ways. Since its first release, for example, suitably configured systems have used a small virtual machine that runs alongside the main operating system to host portions of LSASS. LSASS is a critical Windows subsystem that, among other things, knows various secrets, such as password hashes, encryption keys, and Kerberos tickets. Here, the VM is used to protect LSASS from hacking tools, so that even if the base operating system is compromised, these critical secrets may be kept safe.

In the other direction, Microsoft added the ability to run Edge tabs within a virtual machine to reduce the risk of compromise when visiting a hostile website. The goal is the opposite of the LSASS virtual machine: it is designed to stop anything nasty from breaking out of the virtual machine and contaminating the main operating system, rather than to prevent an already contaminated main operating system from breaking into the virtual machine.

Windows Sandbox is similar to the Edge virtual machine but designed for arbitrary applications. VMware has done this on Windows for two decades now, but Windows Sandbox uses a number of techniques to reduce the overhead of the virtual machine while also integrating it with the main operating system and maximizing the performance of software running within the VM, without compromising the isolation it offers.

The sandbox depends on operating system files resident in the host.

Traditional virtual machines have their own operating system installation stored on a virtual disk image, and that operating system must be updated and maintained separately from the host system. The disk image used by Windows Sandbox, by contrast, shares the majority of its files with the host operating system; it contains a small amount of mutable data, the rest being immutable references to host OS files. This means that it always runs the same version of Windows as the host, and when the host is updated and patched, the sandbox OS is also updated and patched.

Sharing is also used for memory: operating system executables and libraries loaded within the VM use the same physical memory as those same executables and libraries loaded into the host OS.

That sharing of the host's operating system files even occurs when

Standard virtual machines running a complete operating system include their own process scheduler that divides up processor time between all the running threads and processes. For regular VMs, this scheduler is opaque: the host only knows that the guest OS is running and has no insight into the processes and threads within that guest. The sandbox virtual machine is different; its processes and threads are directly exposed to the host OS's scheduler, and they are scheduled just like any other threads on the machine. This means that if the sandbox has a low-priority thread, it can be preempted by a higher-priority thread from the host. The result is that the host is generally more responsive, and the sandbox behaves like a regular application, not a black-box virtual machine.

On top of this, video cards with WDDM 2.5 drivers can offer hardware-accelerated graphics to software running within the sandbox. With older drivers, the sandbox will run with the kind of software-emulated graphics typical of virtual machines.

Together, Windows Sandbox combines elements of virtual machines and containers. The security boundary between the sandbox and the host operating system is a hardware-enforced boundary, as is the case with virtual machines, and the sandbox has virtualized hardware much like a VM. At the same time, other aspects, such as sharing executables both on disk and in memory with the host, as well as running an identical operating system version to the host, use technology from Windows Containers.

At least for now, the Sandbox appears to be entirely ephemeral. It is destroyed and reset when it is closed, so no changes can persist between runs. The Edge virtual machines worked similarly in their first incarnation; in subsequent releases, Microsoft added support for transferring files from the virtual machine to the host so that they can be stored persistently. We would expect a similar kind of evolution for the Sandbox.

Windows Sandbox will be available in Insider builds of Windows 10 Pro and Enterprise starting with build 18305. At the time of writing, that build has not been shipped to Insiders, but we expect it to come soon.

Published by Faela