Does Windows Subsystem for Linux provide additional security (VM-like isolation) over running native Windows programs?

In a nutshell, WSL is just a Linux ABI compatibility layer, i.e. a set of libraries that translate a Linux system call into something the Windows kernel is able to do.

The general idea is to have this compatibility layer as thin as possible to ensure Linux binaries run under Windows almost as fast as natively. Thus it's nowhere near a virtual machine. E.g. all Windows filesystems get mounted in WSL under /mnt for your convenience, and so on. Except for limiting the attack surface somewhat (as you've pointed out already), WSL doesn't provide any secure isolation.
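
The point above about Windows filesystems being mounted under /mnt can be checked from inside a distribution. The script below is an added example, not part of the original answer: it assumes DrvFs volumes appear with filesystem type `drvfs`, or as `9p` with `aname=drvfs` in the mount options, and its sample mount table is constructed.

```bash
#!/usr/bin/env bash
# Added example: list the Windows volumes a WSL distribution can reach.
# Assumption: DrvFs volumes show up with filesystem type "drvfs" (WSL 1)
# or as type "9p" with "aname=drvfs" among the mount options (WSL 2).

# Print "<mountpoint> <rw|ro>" for every Windows volume in a mount table.
# $1: file in /proc/mounts format, or "-" for stdin (default: /proc/mounts)
wsl_windows_mounts() {
    awk '
        # Fields: device mountpoint fstype options dump pass
        $3 == "drvfs" || ($3 == "9p" && $4 ~ /aname=drvfs/) {
            # Pad with commas so "rw" only matches as a whole option.
            mode = (("," $4 ",") ~ /,rw,/) ? "rw" : "ro"
            print $2, mode
        }
    ' "${1:-/proc/mounts}"
}

# Print only the Windows mount points that are mounted read-write.
wsl_writable_windows_mounts() {
    wsl_windows_mounts "${1:-/proc/mounts}" | awk '$2 == "rw" { print $1 }'
}

# Constructed sample mount table (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
rootfs / lxfs rw,noatime 0 0
C: /mnt/c drvfs rw,noatime,uid=1000,gid=1000,case=off 0 0
D: /mnt/d drvfs ro,noatime,uid=1000,gid=1000,case=off 0 0
E:\134 /mnt/e 9p rw,noatime,dirsync,aname=drvfs;path=E:\134;uid=1000;gid=1000 0 0
proc /proc proc rw,nosuid,nodev,noexec,noatime 0 0
EOF
}

# Demo on the sample; inside WSL, call wsl_windows_mounts with no argument.
sample_mounts | wsl_windows_mounts -
```

Every read-write entry it reports is a Windows volume that a process inside the distribution can modify, subject to the permissions of the Windows user who launched it.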


It's actually bad as far as current security tools are concerned, according to this research.

Any Linux binary directly interacts with a kernel driver without going through the normal Win32 or NT APIs which security software normally intercepts. They also don't show up in Win32 process tables so less visibility...