[FAQ] ReHIPS isolation and AppContainer

Started by fixer, July 29, 2017, 01:26:13 PM

Previous topic - Next topic


I often get questions like what's better, ReHIPS isolation or AppContainer? Does ReHIPS use this feature? Should I isolate Chrome, if it's already in AppContainer? Let's figure it out.

AppContainer is a Windows sandbox introduced in Windows 8. In low-level details it's some security add-on on top of existing tokens and access rights.

So what's more secure, ReHIPS isolation or AppContainer? Short answer is AppContainer. Why? Because it appeared later (Windows Vista SP 1 for ReHIPS vs Windows 8 for AppContainer), it roots deep in Windows core with more capabilities than any 3rd party software and it's more specific while ReHIPS is more wide-oriented. Though the basics they're both based on are the same. But that specificness (is there such a word?) is also a disadvantage of AppContainer. You can't just take some random program, put it into AppContainer and expect it to work. The program should be AppContainer-aware from the very beginning on the development stage. That's why ReHIPS doesn't use AppContainer feature. But as they're more secure, ReHIPS doesn't isolate AppContainer programs. But make no mistake, I don't mean Chrome or Internet Explorer here as they have some AppContainer processes, but some processes are still without isolation. I mean purely AppContainer immersive programs here.

So what about Chrome and other AppContainer-using programs? That's a different story. To exploit them, you don't necessarily have to bypass AppContainer, sometimes it's enough to attack their communication protocol with another non-isolated process. And that's the catch. If this exploit is successful, some code with non-isolated process privileges can be executed. But if this process is ReHIPS isolated, malicious code will remain in isolation. So yes, it's a good idea to ReHIPS isolate programs that already implement AppContainer feature, but have some processes non-isolated.