Demystifying AppContainers in Windows 8 (Part I)

The introduction of Modern UI apps in Windows 8 has added a whole new layer of security in the operating system. Modern UI apps can be installed by standard users. In order to keep the system secure with all this added functionality, Microsoft created a sandbox architecture that is primarily used for Modern UI apps. Modern UI Apps live in an AppContainer. The AppContainer defines the sandbox and the identity of the App.

Microsoft published very little information about AppContainers. One of the most detailed articles on the Microsoft site is a blog on Enhanced Protected Mode in Internet Explorer by Eric Law [ex-MSFT]. The article was written in the Windows 8 Release Preview time frame and partly contains outdated information about IE10. Eric Law mentions the following on AppContainers: “Windows 8 introduces a new process isolation mechanism, called AppContainer, that offers more fine-grained security permissions and which blocks Write and Read Access to most of the system. There’s not a lot of documentation specifically about AppContainer because all Metro-style applications run in AppContainers, so most of the documentation is written from that point of view.”

Running in an AppContainer means that a process can by default only access its install folder and subfolders without user interaction. Other areas of the system can only be accessed after explicit user interaction or when this is defined during install with specific capabilities. This means that a Modern UI app like Adobe Reader requires no system capabilities to let you browse to a PDF. The Music app for instance requires a capability to access the Music Library and create an index of your music. Capabilities are also required for Modern UI apps to make use of specific hardware like the camera or microphone on the system.

A new SID on the block

The AppContainer in Windows 8 is defined as a Security Identifier (SID). Before Windows Vista, only users and groups on Windows systems had a SID. Group and user SIDs are found in the process token of each process that runs in the context of the user. SIDs are then used in Access Control Lists (ACLs) to evaluate what level of access a user gets to a resource in Windows. In Windows Vista, Microsoft introduced the notion of a Services SID. Specifying a SID for a service provided new possibilities to give a service exclusive access to certain resources. Windows Vista and later actively use the Services SID for the Windows Installer service. Due to the ACLs defined on Windows system files, this is the only SID that is able to make changes to the operating system. When a hotfix or Service Pack is installed in Windows Vista and later, this is done by the Windows Installer service. No other entity in Windows, not even SYSTEM or Administrator, is able to do this without changing the ACLs of the OS system files. This makes it harder for malware to take over the system.
Windows Vista also introduced Integrity Levels. Integrity levels introduce mandatory access control for write access. With integrity levels it is no longer just the user and group membership that determine whether a process can make changes to an object. The process must also have an integrity level at least as high as the object's in order to write a file or change a registry key. Windows uses the following five integrity levels:

  • System
  • High
  • Medium
  • Low
  • Untrusted

The Medium integrity level is the default for standard user processes and for objects created by the user. Elevated Administrator processes run with the High integrity level. System processes can run with the System integrity level. The Low integrity level is used for Internet Explorer when browsing the Internet, and Untrusted is used by Google Chrome.

Windows 8 complements the integrity levels with a new concept that blocks processes from both writing and reading outside their boundaries: the AppContainer. The AppContainer is primarily used by Modern UI apps. This ensures that these apps can do nothing outside their AppContainer unless they are explicitly allowed to. The AppContainer is not just there for Modern UI apps, but can also be used for desktop applications. Currently only Internet Explorer 10 uses the AppContainer on the desktop, when Enhanced Protected Mode is enabled.

Every Modern UI app gets its own AppContainer. Just like users, each AppContainer gets a unique SID. Analogous to users, apps can be members of built-in groups that enable the app to access certain resources on a system. For AppContainers these built-in groups are called Capabilities.
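To make the model concrete, here is an added example (not code from the article) that simulates the checks described above: SIDs evaluated against ACLs, integrity levels gating writes only, and an AppContainer's package and capability SIDs forming a second pass that must also grant. The two-pass rule is a simplified assumption about Windows behaviour, and every SID containing "X" is a constructed placeholder.

```python
from dataclasses import dataclass, field

# Integrity levels from the article, lowest to highest (ranks constructed, not label RIDs).
INTEGRITY = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}
ALL_APPLICATION_PACKAGES = "S-1-15-2-1"   # well-known SID that matches every AppContainer

@dataclass
class Token:
    user: str
    groups: set
    integrity: str
    package_sid: str = ""                           # only AppContainer processes carry one
    capabilities: set = field(default_factory=set)  # capability SIDs act like group SIDs
@dataclass
class Resource:
    read_sids: set    # SIDs the DACL grants read access to
    write_sids: set   # SIDs the DACL grants write access to
    label: str        # mandatory integrity label
def check_access(token: Token, res: Resource, write: bool = False) -> bool:
    """Simplified model (assumption, not Windows source): pass 1 checks the DACL against
    user and group SIDs; an AppContainer token also needs pass 2 against its package,
    ALL APPLICATION PACKAGES and capability SIDs; a write also needs integrity >= label."""
    granted = res.write_sids if write else res.read_sids
    if not ({token.user} | token.groups) & granted:
        return False
    if token.package_sid:
        container = {token.package_sid, ALL_APPLICATION_PACKAGES} | token.capabilities
        if not container & granted:
            return False
    return not write or INTEGRITY[token.integrity] >= INTEGRITY[res.label]
# Sample principals and objects; SIDs containing "X" are constructed placeholders.
USER, USERS, ADMINS, INSTALLER = "S-1-5-21-X-1001", "S-1-5-32-545", "S-1-5-32-544", "S-1-5-80-X"
MUSIC_CAP, MUSIC_PKG, READER_PKG = "S-1-15-3-X-MUSIC", "S-1-15-2-X-MUSIC", "S-1-15-2-X-READER"
music_app = Token(USER, {USERS}, "Low", MUSIC_PKG, {MUSIC_CAP})  # AppContainer apps run at Low
reader_app = Token(USER, {USERS}, "Low", READER_PKG)             # declares no capabilities
ie_protected = Token(USER, {USERS}, "Low")                       # Low IL without an AppContainer
admin = Token(USER, {USERS, ADMINS}, "High")                     # elevated desktop process
music_library = Resource({USER, MUSIC_CAP}, {USER, MUSIC_CAP}, "Medium")
documents = Resource({USER}, {USER}, "Medium")
os_file = Resource({USERS, ADMINS, INSTALLER}, {INSTALLER}, "System")  # only installer may write

def scenarios() -> dict:
    return {
        "music app reads library": check_access(music_app, music_library),              # True
        "reader app reads Documents": check_access(reader_app, documents),              # False: broker
        "low-IL browser reads Documents": check_access(ie_protected, documents),        # True
        "low-IL browser writes Documents": check_access(ie_protected, documents, True), # False: IL
        "admin writes OS file": check_access(admin, os_file, True),                     # False: DACL
    }
```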

An App shows its capabilities in the Permissions section of the settings pane.

Capabilities exist in the following categories:

  • Library Capabilities

    These capabilities allow an application autonomous access to a specific library. The Music app, for example, requires the capability to access the Music library to create its index.

  • Device Capabilities

    Device Capabilities provide access to the microphone, camera, GPS and removable storage. Device capabilities can be interactively switched by the end user.

  • Network Capabilities

    Network capabilities allow the app access to the internal network or the Internet for outgoing or both outgoing and incoming traffic.

  • Identity Capabilities

    Identity capabilities allow an app to use the user's credentials.

  • System Capabilities

    System capabilities allow an app to show notifications, show status in the background and run in the background when the system is locked.

While investigating AppContainers in Windows 8 I was able to identify the following Capabilities:

  • Library Capabilities:
    • Your pictures library
    • Your music library
    • Your videos library
  • Device Capabilities:
    • Removable Storage
    • Your Webcam and/or Microphone
    • Your Location
  • Network Capabilities:
    • Your home or work networks
    • Your Internet Connection, including incoming connections from the Internet
    • Your Internet connection
  • Identity Capabilities:
    • Your Windows credentials
    • Software and hardware certificates or smartcard
  • System Capabilities:
    • Run in the background and show status on lock screen and notifications
  • Trusted (only in IE10)

Observations of app capabilities on Windows 8

The previous screenshot shows the capabilities of the built-in messaging app of Windows 8. The app has the following capabilities:

  • Software and hardware certificates or smartcard
  • Run in the background and show status on lock screen and notifications
  • Your Webcam and/or Microphone
  • Your home or work networks
  • Your Internet connection

Most capabilities seem very logical for this app, though I have no idea why the app requires access to the local network.

Now, let’s have a look at the capabilities of the Adobe Reader app.

Even without any capabilities this app is able to open your PDF documents. In order to do so, the app calls a broker process, PickerHost.exe, to show the files outside of the AppContainer to the end user and let them select a file. It is NOT Adobe Reader that loads your documents; a trusted broker that is part of the operating system does so.

A Windows app in an AppContainer has access to a selection of broker processes to execute certain operations outside of the AppContainer's boundaries.

The dark horse among Windows 8 Modern UI Apps is Internet Explorer 10. Its capabilities look like this.

Now that is a special capability! Internet Explorer is trusted and can use all system capabilities? This calls for some extra investigation.

In my next article I will write about Internet Explorer 10 in Windows 8: how I analyzed parts of its behavior, and why Mozilla is angry with Microsoft.

This entry was posted in Security, Windows 8.

5 Responses to Demystifying AppContainers in Windows 8 (Part I)

  1. Pingback: Windows 8–WinRT StorageFolder, Hidden Files, .NET, C++, AppContainers, Brokering - Mike Taulty's Blog - Mike Taulty's Blog

  2. Pingback: Demystifying AppContainers in Windows 8 | theMSgeek

  3. BSODM says:

    The app container option for a COFF executable or library is defined by setting the 0x1000 flag in IMAGE_OPTIONAL_HEADER::DllCharacteristics.

  4. Pingback: 软件沙箱技术4 – Windows AppContainer | 凯文叔叔的网志

  5. Paul B. says:

    Excellent article. Didn’t know about appcontainers. Thanks.
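The DllCharacteristics bit named in comment 3 can be checked statically, before a binary is ever run. The following is an added example, not code from the article or from the commenter; the header-only image it builds is a constructed placeholder for offline testing and is not a loadable executable.

```python
import struct

IMAGE_DLLCHARACTERISTICS_APPCONTAINER = 0x1000  # the bit named in comment 3
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20   # IMAGE_FILE_HEADER
DLLCHARS_OFFSET = 70    # offset inside the optional header, identical for PE32 and PE32+

def dll_characteristics(image: bytes) -> int:
    """Return IMAGE_OPTIONAL_HEADER.DllCharacteristics, rejecting malformed input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # Bounds-check before trusting the header offset: a crafted file can point it anywhere.
    end = e_lfanew + 4 + FILE_HEADER_SIZE + DLLCHARS_OFFSET + 2
    if e_lfanew < 0x40 or end > len(image):
        raise ValueError("e_lfanew points outside the file")
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + FILE_HEADER_SIZE          # skip signature and file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLLCHARS_OFFSET)
    return dll_chars

def requests_appcontainer(image: bytes) -> bool:
    """True if the image is marked to run inside an AppContainer."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_APPCONTAINER)

def make_test_image(dll_chars: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only image (no sections, not loadable) with the given flags."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics: placeholder values for a 64-bit DLL
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x2022)
    opt = struct.pack("<H", magic).ljust(DLLCHARS_OFFSET, b"\0") + struct.pack("<H", dll_chars)
    return dos + PE_SIGNATURE + file_hdr + opt

if __name__ == "__main__":
    for flags in (0x1160, 0x0160):
        print(f"DllCharacteristics={flags:#06x} -> AppContainer={requests_appcontainer(make_test_image(flags))}")
```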
