Alex is right, I promise you if it made sense to do seccomp-bpf like things for Windows we would have done it by now. Windows is a different beast entirely. Hyper-V/WDAG containers are the best way we currently have to abstract away kernel attack surface. https://twitter.com/aionescu/status/1092263015699730437
Not significantly, minuscule load time overhead and then minuscule syscall overhead. The alternative being pitched here is spinning up a HV container... now that's overhead
Doesn't that depend on whether it's a full HV VM for the container or a minimal process with no HV services like LSASS or shared memory and scheduling like the new Sandbox (where the overhead is *installing the whole damn app* every time)?
I'd really like a version of the Sandbox that completely isolates an app from Windows so it can't dig its tentacles in, but also doesn't have to be installed from scratch every time.