7

On a Windows 10 machine, is it safer to run the Linux version of a browser using Windows Subsystem for Linux instead of running the Windows version?

I'm asking because I've read the Wikipedia article on Windows Subsystem for Linux (WSL), and I'm not sure of how it works security-wise. It says that

WSL provides a Linux-compatible kernel interface developed by Microsoft (containing no Linux kernel code), which can then run a Linux userland on top of it

and

WSL uses fewer resources than a fully virtualized machine

Is this Linux userland well separated from the Windows one? That is, is the WSL a sort of virtual machine, isolated from the rest of the system? Assuming I use the Linux version of Firefox to visit a malicious website which fully compromises it, would the malware's effectiveness be reduced by being confined in this WSL, or would the result be the same as having the native Firefox for Windows compromised?
Or, to put it differently: if I want an isolated system that I can use to visit potentially insecure sites, is it enough to use WSL, or do I need a full-fledged virtual machine?

I've found a similar question, but it is about the attack surface, that is, before the system is compromised. Instead, I'm asking whether WSL implies any mitigations after the system has been compromised. Moreover, that question was asked before WSL was released, and some details weren't clear back then.

  • For the question, "Or, to put it differently: if I want an isolated system that I can use to visit potentially insecure sites, is it enough to use WSL, or do I need a full-fledged virtual machine?", I recommend you to use https://www.robolinux.org/ when visiting potentially insecure websites. – JackSparrow Jan 22 '18 at 12:24

2 Answers2

4

In a nutshell, WSL is just a Linux ABI compatibility layer, i.e. a set of libraries that translate a Linux system call into something Windows kernel is able to do.

The general idea is to have this compatibility layer as thin as possible to ensure Linux binaries run under Windows almost as fast as natively. Thus it's nowhere near a virtual machine. E.g. all Windows filesystems get mounted in WSL under /mnt for your convenience, and so on. Except for limiting the attack surface somewhat (as you've pointed out already), WSL doesn't provide any secure isolation.

ximaera
  • 3,395
  • 8
  • 23
  • 2
    I believe it actually increases attack surface in many areas due to the extra complexity. – forest Jan 23 '18 at 02:45
2

It's actually bad as far as current security tools are concerned according to this research.

Any Linux binary directly interacts with a kernel driver without going through the normal Win32 or NT APIs which security software normally intercepts. They also don't show up in Win32 process tables so less visibility...

billc.cn
  • 3,852
  • 1
  • 16
  • 24