Am I reading correctly: WDAGfME (for lack of a better acronum) is essentially starting a VM with a fresh copy of Windows <i>for every site that it is protecting</i>? Does this happen for every open & protected tab/window? What kind of overhead does it have?<p>The idea sounds similar to Qubes OS, with the exception that it's transparent to the user and doesn't have to be configured by the end-user.<p>I presume this kills any of the offline-storage approaches?
Fewest vulnerabilities: I suspect that Chrome and Firefox being open source is a factor here. Thus it seems possible to me that they actually have <i>fewer</i> vulnerabilities than Edge—Edge’s just haven’t been found yet.<p>This is pure speculation on my part; I have no evidence nor any investigation, deep or otherwise.
Two related projects, both with copy-on-write "forks" of disk storage and OS memory, creating disposable VMs with hardware-enforced memory isolation.<p>Cappsule (open-source for Linux), <a href="https://cappsule.github.io" rel="nofollow">https://cappsule.github.io</a><p><pre><code> virtualize any software on the fly (e.g. web browser,
office suite, media player) into lightweight VMs called
cappsules. Attacks are confined inside cappsules and
therefore don’t have any impact on the host OS.
Applications don’t need to be repackaged, and their usage
remain the same for the end user: it’s completely
transparent. Moreover, the OS doesn’t need to be
reinstalled nor modified.
</code></pre>
Bromium (proprietary for Windows, based on open-source Xen), <a href="https://blogs.bromium.com/2016/09/26/introducing-virtualization-based-security-next/" rel="nofollow">https://blogs.bromium.com/2016/09/26/introducing-virtualizat...</a><p><pre><code> Bromium and Microsoft partnered in 2015
.. extends VBS – isolating the execution of targeted
applications such as the browser, documents, executables,
downloads, attachments and media files .. to all
vulnerable applications on all Windows 7, 8 and 10
endpoints</code></pre>
"We’re determined to make Microsoft Edge the safest and most secure browser."<p>Then open source the whole thing, not just little parts of it. It has the lowest number of vulnerabilities in the National Vulnerability Database because it has the least number of eyes able to look for them.
I sense this is the same feature that is used to implement Docker containers. Possibly browser isolation was the primary driver and it got co-opted for the server.
The one good thing about this is that they're relying on Hyper-V. It <i>may</i> end up much more secure than solutions like Xen simply because Microsoft is investing in so much verification. That started with Verisoft project where they started using their VCC tool to verify the C-level source against specifications. They later extended the tool for assembly. The first report I saw indicated 20% was verified against its spec. So, it should get more robust overtime.<p>People interested in Microsoft Research's work on secure browsers should look at Gazelle browser and Xax plugin architecture:<p><a href="https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/gazelle.pdf" rel="nofollow">https://www.microsoft.com/en-us/research/wp-content/uploads/...</a><p><a href="https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/xax-osdi08.pdf" rel="nofollow">https://www.microsoft.com/en-us/research/wp-content/uploads/...</a>
Why is this an enterprise-only feature? Do regular user not deserve the same level of security for their browsers? Will this tech even be available to non-Microsoft apps in the future?
So just to be clear, this is basically another sandbox, which starts a private browsing session implicitly for each site and disables the entire password manager?
> We’re determined to make Microsoft Edge the safest and most secure browser.<p>You should enable Ad/tracker-block by default and across the board.