Advanced Desktop Application Sandboxing via AppContainer
Source: malwaretech.com
AppContainer was introduced fairly quietly in Windows 8, which is a shame, as it provides some great features that can be used for desktop application security too (few people are aware that it's not just used for Apps, as the name might suggest). I'll go over some of the features which stood out to me.
Network Restrictions
A feature previously lacking in the Windows integrity mechanism was proper network restrictions. Low integrity processes could still freely create sockets, which would allow malicious code to escape a sandbox by exploiting a vulnerable higher integrity process listening on the host.
AppContainer introduces some new network restrictions such as:
- WinCapabilityInternetClientSid - Application can make outbound connections but not listen on sockets.
- WinCapabilityInternetClientServerSid - Application can create listening sockets but not make outbound connections.
- WinCapabilityPrivateNetworkClientServerSid - Application can listen or make outbound connections to IPs within the host's local network (not to external networks, i.e. the internet), but only if the network is set to Work or Private.
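
As an added example (not code from the original post), the sketch below audits a sandboxed process's capability list for the three network capabilities above and reports whether any of them permits listening sockets. It assumes the capabilities are available as binary SIDs, as they appear in a token's capability list; the helper names and sample SIDs are constructed for illustration.

```python
import struct

# Well-known capability SIDs have the form S-1-15-3-<RID>
# (app package authority 15, capability base RID 3).
NETWORK_CAPS = {
    "S-1-15-3-1": "WinCapabilityInternetClientSid",
    "S-1-15-3-2": "WinCapabilityInternetClientServerSid",
    "S-1-15-3-3": "WinCapabilityPrivateNetworkClientServerSid",
}
# Capabilities the list above describes as permitting listening sockets.
LISTEN_CAPS = {"WinCapabilityInternetClientServerSid",
               "WinCapabilityPrivateNetworkClientServerSid"}


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def audit_capabilities(blobs):
    """Return (network capability names, can_listen) for one token."""
    names = []
    for blob in blobs:
        name = NETWORK_CAPS.get(sid_to_string(blob))
        if name:
            names.append(name)
    return names, any(n in LISTEN_CAPS for n in names)


def make_sid(authority, *subs):
    """Build a constructed sample SID for the demo below."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(
        f"<{len(subs)}I", *subs)


if __name__ == "__main__":
    # Constructed sample: internetClient plus an unrelated capability (RID 4).
    browser = [make_sid(15, 3, 1), make_sid(15, 3, 4)]
    print(audit_capabilities(browser))
```

A token that reports `can_listen` as true is the case worth reviewing when the sandbox is only meant to make outbound connections.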