I have to salute the Baseshields for their imagination. Originally the virtualization sw was going to be the product. Might still be. But then they realized that, having built it, they could basically take over the delivery of software on Windows. I was blown away when Patrick came by YC to give me a demo. I thought I was going to be seeing a demo of virtualization sw, which, frankly, is not that interesting, and instead they'd built the Windows App Store.
They could turn it into even more than delivering software on Windows. I'd pay to have a virtualization layer that transports settings/environments across my computers. For example, I like to set up custom keyboard shortcuts in my text editor, but every time I set up a new computer I have to reconfigure all of those settings. That shouldn't be necessary.
BTW I feel like the TC article didn't communicate the key point very well. They didn't mention virtualization until eight sentences in.
Hmm, combine BaseShield with DropBox and you might have a winner...
You should also add a way for developers to bundle their software directly with the BaseShield so they can distribute the bundle as a single package on their website. This will save small developers a ton of effort in writing an automatic software updater; they'll be able to simply rely on your mechanism.
This would be a lot easier if EVERYTHING that you've ever done is stored in your home directory because you can't write anywhere else (and neither can apps you're running) as your own user. On Windows this is a problem because sometimes apps write to the application folder in Program Files, then there are registry changes, sometimes stuff is stored in Application Data, and some stuff is stored in hidden directories that are, by default, invisible.
I've moved the entire home directory between installs of different versions of Linux distributions and between entirely different distributions with only minor issues (related mostly to an old format of a config file not being recognized by the newer application). I've had the same .opera directory for years.
Running applications in their own VM is a good idea for security. It's a good idea to work around system and file management deficiencies in the operating system and the application itself also.
> I don't understand the purpose of a virtualization layer on top of Windows.
To maintain the integrity of your computer in the face of potentially untrustworthy third party applications. You could compare BaseShield to a dating service (app store) that enforces the use of condoms (virtualization). Not that I'm recommending the BS'ers use that analogy though.
Why would anyone need or want this? Running Windows as a standard user and/or Vista's UAC mechanism seems to provide the same functionality.
I can see that the virtualization layer is more beneficial if you were trying to make it so applications behaved the same when running on Windows, Mac, or Linux. In this case, you'd be expanding on existing things like Apache's Portable Runtime, Wine or Parallels. However, the business case for your Windows sandboxing system is not something that makes sense to me.
> Running Windows as a standard user and/or Vista's UAC mechanism seems to provide the same functionality.
This isn't true under Windows. It's not true under Linux or OSX either.
Think of your software security boundaries as an onion. In the middle you have kernel mode, then system services, then the administrator user land, followed by a common user. Application virtualization adds one more layer to the onion. Not only are applications insulated from your system, but they are also insulated from other applications.
The ultimate model is much closer to that of a web browser with domain restrictions on cookies and the like. This is the next logical step in fighting malware.
There are a number of companies offering this Windows app virtualization layer today in different ways (they actually have a lot of patents on this). Softricity did this and was acquired by Microsoft. Citrix also has their own app virtualization technologies. Symantec acquired AppStream which does this, too. There are some large existing markets for this, though it's vastly enterprise-based.
Streaming apps to your company desktops instead of worrying about what they have installed and how it might conflict is extremely compelling to large corporations, governments, etc.
Baseshield is aiming at the consumer side, probably, but the technology seems very similar to what these other companies provide for the enterprise.
Installing an app on Vista/XP almost always requires administrative privileges even if the only need stems from writing into the C:\program files\ directory.
And frankly, once you give an application Admin privileges once, it doesn't matter anymore; it can do whatever the hell it wants. Sandboxing is a much better mechanism from a security perspective.
Plus, uninstalling a program is always problematic under the existing Windows mechanisms. Basically it is every programmer's duty to write an uninstaller for his own software, many of which are buggy, leave trash on the computer and so on. Sandboxing an installation makes the uninstall automatically easy & foolproof.
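The mechanism the last few comments (and the earlier one about apps scattering writes across Program Files, the registry and Application Data) are describing is a per-application copy-on-write layer: the base system is treated as read-only, each app's writes land in its own private layer, reads check the layer first and fall through to the base, and "uninstall" is just deleting the layer. The toy below is an added illustration of that model, written for this page; it is not BaseShield's code (or Softricity's, Citrix's or Symantec's), and it models the idea in user-space Python rather than the filter drivers or API hooks a real product would use. All paths, registry keys and file contents in `demo()` are constructed sample data.

```python
# Added example (not from the thread): a toy application-virtualization layer.
# Base tree is read-only; each app writes into its own layer; reads fall
# through to the base; uninstall removes the layer. Registry is modelled as
# a dict overlay in the same way.
import shutil
import tempfile
from pathlib import Path, PurePosixPath


class AppSandbox:
    """Per-application copy-on-write overlay for files plus a toy registry."""

    def __init__(self, base: Path, layers_root: Path, app_name: str, base_registry: dict):
        self.base = base
        self.layer = layers_root / app_name
        self.layer.mkdir(parents=True, exist_ok=True)
        self.whiteouts = set()          # base paths this app "deleted" in its own view
        self.base_registry = base_registry
        self.registry_layer = {}        # app-private registry writes

    @staticmethod
    def _safe(rel: str) -> str:
        # Reject absolute paths and ".." so the app cannot write outside its layer.
        p = PurePosixPath(rel)
        if p.is_absolute() or ".." in p.parts:
            raise ValueError(f"path escapes sandbox: {rel}")
        return rel

    def write(self, rel: str, data: bytes) -> None:
        rel = self._safe(rel)
        target = self.layer / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)        # never touches the base tree
        self.whiteouts.discard(rel)

    def read(self, rel: str):
        rel = self._safe(rel)
        if rel in self.whiteouts:
            return None
        for root in (self.layer, self.base):   # layer wins over base
            p = root / rel
            if p.is_file():
                return p.read_bytes()
        return None

    def delete(self, rel: str) -> None:
        rel = self._safe(rel)
        p = self.layer / rel
        if p.is_file():
            p.unlink()
        if (self.base / rel).is_file():
            self.whiteouts.add(rel)     # hide the base copy from this app only

    def reg_set(self, key: str, value: str) -> None:
        self.registry_layer[key] = value

    def reg_get(self, key: str):
        return self.registry_layer.get(key, self.base_registry.get(key))

    def uninstall(self) -> None:
        # Everything the app ever wrote lives under its layer: one rmtree and it is gone.
        shutil.rmtree(self.layer)
        self.registry_layer.clear()
        self.whiteouts.clear()


def demo() -> dict:
    """Run the scenario from the thread on constructed sample data; returns check results."""
    root = Path(tempfile.mkdtemp())
    base = root / "base"
    (base / "Windows").mkdir(parents=True)
    (base / "Windows" / "system.ini").write_bytes(b"[boot]\n")
    base_registry = {"HKLM/Software/Shared": "1"}   # constructed sample key
    results = {}

    app1 = AppSandbox(base, root / "layers", "app1", base_registry)
    app1.write("Program Files/App1/app.exe", b"MZ...")        # would need admin on a real install
    app1.write("Windows/system.ini", b"[boot]\ntimeout=30\n")  # "modifies" a system file
    app1.reg_set("HKLM/Software/App1", "installed")
    results["app1_sees_own_ini"] = app1.read("Windows/system.ini") == b"[boot]\ntimeout=30\n"
    results["base_ini_untouched"] = (base / "Windows" / "system.ini").read_bytes() == b"[boot]\n"
    results["base_has_no_app1_exe"] = not (base / "Program Files" / "App1" / "app.exe").exists()
    results["app1_reg_merged"] = (app1.reg_get("HKLM/Software/App1"),
                                  app1.reg_get("HKLM/Software/Shared")) == ("installed", "1")

    # A second app gets its own layer: it sees the base, not app1's writes.
    app2 = AppSandbox(base, root / "layers", "app2", base_registry)
    results["app2_isolated"] = (app2.read("Program Files/App1/app.exe") is None
                                and app2.read("Windows/system.ini") == b"[boot]\n"
                                and app2.reg_get("HKLM/Software/App1") is None)

    try:
        app1.write("../escape.txt", b"x")
        results["escape_blocked"] = False
    except ValueError:
        results["escape_blocked"] = True

    app1.uninstall()
    results["uninstall_clean"] = (not (root / "layers" / "app1").exists()
                                  and (base / "Windows" / "system.ini").read_bytes() == b"[boot]\n")
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The two properties the thread cares about fall out of the structure rather than from any installer's good behaviour: the base tree is never written, so a second app cannot see or clobber the first one's files or keys (the extra onion layer between applications), and uninstall is a single directory removal with nothing left behind. The `_safe` check is the one piece of real enforcement here; without it an app could write `../` out of its layer and the isolation would be cosmetic.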