Abstract

Yunhai Zhang is a security researcher on the NSFOCUS security team. He has worked in information security for more than a decade and has spoken at BlackHat, DefCon, BlueHat, POC, CSS and XCon. He has won the Microsoft Mitigation Bypass Bounty 5 years in a row since 2014.

[Abstract]
==========
With the release of Windows 10 RS3, a unique hardware-based isolation technique called Windows Defender Application Guard (WDAG) was introduced. Using the native Windows Hypervisor, WDAG aims to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the host operating system, keeping the desktop PC protected.
In this presentation, we will delve deep into the internals of WDAG. The first part will focus on the inner workings of WDAG: how the container is created, how an app is launched inside the container, the security mechanisms of the container, and more. The second part will show how to modify the container to build a debugging environment inside it. Finally, the last part will discuss the attack surface of WDAG.

Slides