Demystifying AppContainers (Part II)

In my previous post I explained how Windows 8 uses AppContainers to create a sandbox for Modern UI Apps. Capabilities define what an App can do outside of the sandbox. An app is required to use specific API calls and broker processes for its actions outside of the sandbox.

Anyone who creates a Modern UI App for the Windows Store has to obey Microsoft's rules for app development. Rule #1 is that the app runs in an AppContainer and must declare only the minimum list of capabilities it needs for its core functionality. Some capabilities are more special than others: if your Modern UI App requires capabilities like enterpriseAuthentication, sharedUserCertificates, or documentsLibrary, you are subject to even stricter rules and additional review and testing.

Internet Explorer appears to be a special case when you look at its capabilities. Internet Explorer is Trusted and allowed to use all System capabilities. At least, that is what the UI says…

Being trusted and able to use all system capabilities doesn’t sound like the minimum list of capabilities for Internet Explorer. Is this true?

Internet Explorer Architecture before Windows 8

Let's first look at a little history of Internet Explorer before Windows 8.
Internet Explorer has had its own sandbox infrastructure since Windows Vista. It runs in Protected Mode while you are surfing the Internet. When you start Internet Explorer, two kinds of processes are created:

  1. The frame process that contains the address bar and manages the content processes
  2. The content process that shows the web content to the end user

The frame process runs at the same security level as your other processes. It can access every resource just like any other application. The content process on the other hand is started in Protected Mode and runs at the Low integrity level. Processes running at the Low integrity level have limited write access to the system: a Low integrity process can only modify objects (for instance files or registry keys) whose mandatory label is Low. This is one of the reasons that you will find the LocalLow folder in the user profile under %userprofile%\AppData: the folder carries the Low integrity label, so it is one of the specific locations where Internet Explorer in Protected Mode can write data.

Internet Explorer in Protected Mode also has limited options to communicate with higher integrity processes. User Interface Privilege Isolation (UIPI) blocks window messages from the Low integrity content process to windows of higher integrity processes, so only specific information can be passed to specific other processes, and that goes through a broker. This is what still allows you to download data from the Internet to a folder that does not have the Low integrity level: when you download a file, iexplore.exe asks a broker process, IEUser.exe, that runs at the Medium integrity level to save the file in the correct location.

Enhanced Protected Mode

Windows 8 introduces Enhanced Protected Mode. This is the default for Internet Explorer in its Modern UI appearance on Windows 8. Enhanced Protected Mode means that iexplore.exe not only runs at the Low integrity level but also runs in an AppContainer. Internet Explorer on the Desktop by default runs in Protected Mode at the Low integrity level, like in previous Windows versions.

Enhanced Protected Mode is more secure because it removes the unrestricted read access to the system that a Low integrity process still has. In the hypothetical case that some malware injects code into the Internet Explorer process, a Low integrity level process can read virtually all the data on your system and get away with it. With Enhanced Protected Mode, such a malicious piece of code cannot access resources outside of the AppContainer.

On 64-bit systems, Internet Explorer in Protected Mode always runs as a 32-bit process. This allows for better compatibility with add-ons and plug-ins. On 64-bit Windows, Internet Explorer with Enhanced Protected Mode always runs as a 64-bit process.

Enhanced Protected Mode can also be enabled for Internet Explorer on the Desktop (Internet Options, Advanced tab). When Enhanced Protected Mode is enabled, Internet Explorer runs in an AppContainer.

IE 10 in Windows 8 Pre-RTM

In his blog post on Enhanced Protected Mode in Internet Explorer, Eric Law [ex-MSFT] describes how Internet Explorer in Enhanced Protected Mode on the Windows 8 Release Preview runs in an AppContainer that lacks the following capabilities:

  • privateNetworkClientServer
  • enterpriseAuthentication
  • Music Library (musicLibrary)
  • Pictures Library (picturesLibrary)
  • Video Library (videosLibrary)

These missing capabilities seriously limited the use of Internet Explorer in Enhanced Protected Mode. As Enhanced Protected Mode is the default for Internet Explorer in the Modern UI, it made the Modern UI browser unusable on corporate networks where integrated authentication is common practice. Eric also describes how Enhanced Protected Mode blocks access to private networks, for instance when trying to reach the management site of an internal router on a home network.

IE 10 in Windows 8 RTM

Microsoft made some interesting changes to Internet Explorer for RTM. Enhanced Protected Mode is still there, but the Modern UI Internet Explorer behaves much more like its Desktop counterpart.

When a user starts Internet Explorer in the Modern UI, it creates a minimum of two processes: the frame process and one or more content processes. The frame process manages starting and stopping content processes as required. The Internet Explorer frame process runs at the Medium integrity level. This is default behavior for processes on the Desktop, but absolutely not done for Modern UI apps. So when you start Internet Explorer in the Modern UI, you get:

  1. The frame process, running at the Medium integrity level
  2. A content process running in an AppContainer (Enhanced Protected Mode) when browsing the Internet

The question now is: What capabilities are there for Internet Explorer in Enhanced Protected Mode?

Process Explorer provides the answer.

The following capabilities are listed for the content process (Process Explorer shows the friendly name in both columns for the capabilities it can resolve; the others are listed as raw SIDs):

Capability                                            Friendly name
Your Internet connection                              Your Internet connection
S-1-15-3-3215430884-1339816292-89257616-1145831019    Your location
S-1-15-3-3845273463-1331427702-1186551195-1148109977  Show status on your lock screen and/or Show notifications
S-1-15-3-4096                                         <no friendly name available>
S-1-15-3-787448254-1207972858-3558633622-1059886964   Your webcam and/or your microphone
Software and hardware certificates or a smart card    Software and hardware certificates or a smart card

This is nowhere near the complete list of capabilities available on the system. It seems as if Internet Explorer in Enhanced Protected Mode has the same restrictions as described for the Windows 8 Release Preview.

But wait a second. Can't we use Internet Explorer in Enhanced Protected Mode to browse the internal network at home?

Let’s give that one a try and watch the result.

Internet Explorer in Enhanced Protected Mode does not have the privateNetworkClientServer capability, so it asks before it connects. When you select "Turn on access", Internet Explorer starts a new content process with added capabilities.

In the new process the following capabilities are added:

  • Your home or work networks (privateNetworkClientServer)
  • Your Windows credentials (enterpriseAuthentication)

This is still not quite the complete list of capabilities.
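The two kinds of SIDs in the Process Explorer table above are easy to tell apart once you know how they are built: S-1-15-3-<n> with a single small sub-authority is a well-known capability (internetClient, privateNetworkClientServer, and so on), while S-1-15-3- followed by four sub-authorities is a device capability whose four DWORDs are the little-endian in-memory layout of a device-interface GUID. The following Python script is an added example, not part of the original post and not code from Process Explorer; it decodes the SIDs from the table back into GUIDs, round-trips a GUID to a SID, and diffs the capability set of the original content process against the one started after "Turn on access". The number-to-name table for well-known capabilities is taken from Microsoft's well-known SID list, the webcam and microphone GUID identities from the Windows SDK device-interface classes, and the mapping of the two friendly-name-only rows to S-1-15-3-1 and S-1-15-3-9 is my assumption, not something the post states.

```python
"""Decode AppContainer capability SIDs as Process Explorer lists them.

Two layouts occur:
  S-1-15-3-<n>                    well-known capability, n is a small number
  S-1-15-3-<d1>-<d2>-<d3>-<d4>    device capability: the four sub-authorities are
                                  the little-endian DWORDs of a device-interface
                                  GUID's in-memory layout
"""
import struct
import uuid

CAPABILITY_PREFIX = "S-1-15-3-"

# Well-known capability sub-authorities (assumption: from Microsoft's
# well-known SID list, not from the blog post).
WELL_KNOWN = {
    1: "internetClient",
    2: "internetClientServer",
    3: "privateNetworkClientServer",
    4: "picturesLibrary",
    5: "videosLibrary",
    6: "musicLibrary",
    7: "documentsLibrary",
    8: "enterpriseAuthentication",
    9: "sharedUserCertificates",
    10: "removableStorage",
    4096: "internetExplorer",
}

# Device-interface GUIDs behind device capabilities (assumption: webcam and
# microphone from the Windows SDK; "location" is the label the post shows).
DEVICE_GUIDS = {
    "bfa794e4-f964-4fdb-90f6-51056bfe4b44": "location",
    "e5323777-f976-4f5b-9b55-b94699c46e44": "webcam",      # KSCATEGORY_VIDEO_CAMERA
    "2eef81be-33fa-4800-9670-1cd474972c3f": "microphone",  # DEVINTERFACE_AUDIO_CAPTURE
}


def parse_capability_sid(sid):
    """Return the sub-authorities after S-1-15-3- as ints; reject other SIDs."""
    if not sid.startswith(CAPABILITY_PREFIX):
        raise ValueError("not an AppContainer capability SID: " + sid)
    return [int(part) for part in sid[len(CAPABILITY_PREFIX):].split("-")]


def guid_from_device_capability_sid(sid):
    """Rebuild the GUID whose little-endian DWORDs form a 4-sub-authority SID."""
    subs = parse_capability_sid(sid)
    if len(subs) != 4:
        raise ValueError("device capability SIDs have exactly four sub-authorities")
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *subs)))


def device_capability_sid_from_guid(guid):
    """Inverse of guid_from_device_capability_sid."""
    words = struct.unpack("<4I", uuid.UUID(guid).bytes_le)
    return CAPABILITY_PREFIX + "-".join(str(w) for w in words)


def describe(sid):
    """Readable capability name for a well-known or device capability SID."""
    subs = parse_capability_sid(sid)
    if len(subs) == 1:
        return WELL_KNOWN.get(subs[0], "unknown well-known capability %d" % subs[0])
    if len(subs) == 4:
        guid = guid_from_device_capability_sid(sid)
        return DEVICE_GUIDS.get(guid, "device capability {%s}" % guid)
    return "unrecognised capability SID layout: " + sid


def added_capabilities(before, after):
    """Names of capabilities in `after` that were absent from `before`."""
    seen = set(before)
    return [describe(sid) for sid in after if sid not in seen]


# Constructed from the Process Explorer table in the post. The two rows shown
# only by friendly name are assumed to be internetClient (S-1-15-3-1) and
# sharedUserCertificates (S-1-15-3-9).
EPM_CONTENT_PROCESS = [
    "S-1-15-3-1",
    "S-1-15-3-3215430884-1339816292-89257616-1145831019",
    "S-1-15-3-3845273463-1331427702-1186551195-1148109977",
    "S-1-15-3-4096",
    "S-1-15-3-787448254-1207972858-3558633622-1059886964",
    "S-1-15-3-9",
]

# The process started after "Turn on access" gains two well-known capabilities.
AFTER_TURN_ON_ACCESS = EPM_CONTENT_PROCESS + ["S-1-15-3-3", "S-1-15-3-8"]

if __name__ == "__main__":
    for sid in EPM_CONTENT_PROCESS:
        print("%-55s %s" % (sid, describe(sid)))
    print("added by Turn on access:",
          added_capabilities(EPM_CONTENT_PROCESS, AFTER_TURN_ON_ACCESS))
```

Decoding the four-sub-authority rows is more reliable than the friendly-name column: the third row of the table decodes to {E5323777-F976-4F5B-9B55-B94699C46E44}, the video-capture device-interface class, and the fifth row to {2EEF81BE-33FA-4800-9670-1CD474972C3F}, the audio-capture class, so those two rows are the webcam and the microphone regardless of what label Process Explorer attached to them. The diff returns privateNetworkClientServer and enterpriseAuthentication, exactly the two entries the "Turn on access" prompt adds.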

Jumping out of the AppContainer

Things get freaky when you run the Modern UI Internet Explorer on a system that is a domain member. When you browse to a site on the internal network, no questions are asked and you get a new content process that does not run in an AppContainer at all.

Yes, it is true. You will get a Modern UI Internet Explorer session running at Medium integrity level without an AppContainer! This is when Internet Explorer is trusted and able to use all system capabilities…

This is the same behavior we know from Internet Explorer on the Desktop: when browsing the Local intranet zone, Internet Explorer does not run in Protected Mode. Protected Mode is off by default for the Intranet zone.

The frame process running at the Medium integrity level is already a curiosity on Windows 8, as every other Modern UI app always starts in an AppContainer at the Low integrity level. With a content process running at the Medium integrity level as well, Internet Explorer crosses the borders that Microsoft created for Modern UI apps.

Internet Explorer requires the Medium integrity level on the intranet when, for instance, you use it to open Office documents from SharePoint. Running at the Medium integrity level allows IE to do all sorts of things you do in a trusted environment, such as starting a new process for about any application at the Medium integrity level. That cannot be done from a Low integrity level process, and processes in an AppContainer run at the Low integrity level.

The behavior of Internet Explorer drove the people at Mozilla crazy when they tried to create a Modern UI version of their browser. Mozilla wants to be able to browse the Internet from a browser at the Medium integrity level, something Microsoft considers an unsafe practice, and Microsoft is not willing to change the rules for Modern UI apps. The people at Mozilla state that they require the Medium integrity level to load their large range of browser plugins, and that those plugins cannot run at the Low integrity level.

I think Microsoft has a case. Especially when you know that Google Chrome runs perfectly at the Low integrity level with even fewer privileges than Internet Explorer. Unfortunately Google has not yet announced a Modern UI version of its browser.

This entry was posted in Internet Explorer, Security, Windows 8.