matthew j. dovey oxford university computing service longhorn brief overview

Matthew J. DoveyOxford University Computing Service

Longhorn

Brief overview

2

LonghornLonghorn

Codename for the next major version of WindowsMajor release (although most technologies have been seen before)Currently in alpha technical previewsDue for release 2005-2006? (when ready!)Interim updates

e.g. Windows XP Service Pack 2Windows 2003 Server “SE”

Codename for the next major version of WindowsMajor release (although most technologies have been seen before)Currently in alpha technical previewsDue for release 2005-2006? (when ready!)Interim updates

e.g. Windows XP Service Pack 2Windows 2003 Server “SE”

3

Longhorn ArchitectureLonghorn Architecture

Hardware Abstraction LayerHardware Abstraction Layer

Fram

ew

ork

Models

Kern

el M

ode

Desktop ServicesDesktop Services Desktop WindowManagerDesktop WindowManager

Presentation Object ManagerPresentation Object Manager

Desktop CompositionEngineDesktop CompositionEngine

Animation andCompositionAnimation andComposition

Media Services

DocumentDocument UIUI MediaMedia

Hardware RenderingHardware Rendering

MediaProcessingMediaProcessing

Capture and SourcingCapture and Sourcing

Software Renderingand SinksSoftware Renderingand Sinks W

indow

s Fo

rms

Adaptive UIEngineAdaptive UIEngine

Page/SiteCompositionPage/SiteComposition

Personalization &Profiling ServicesPersonalization &Profiling Services

Membership and Security ServicesMembership and Security Services

ASP.NET

Health Monitoring/Recovery EngineHealth Monitoring/Recovery Engine

CLR

Transactions Storage

Protocols

Networking

Network Services

Base Class LibrariesBase Class Libraries

Memory ManagerMemory Manager

Hosting LayerHosting Layer

Code ExecutionCode Execution LoaderLoader SecuritySecurity SerializationSerialization

LightweightTransaction ManagerLightweightTransaction Manager

TransactionCoordinatorTransactionCoordinator

KernelTransactionManager

KernelTransactionManager

CommonLoggingFile System

CommonLoggingFile System

TransactedFile SystemTransactedFile System

ProcessManagerProcessManager

SecurityReference Monitor

SecurityReference Monitor

LPCFacilityLPCFacility

MemoryManagerMemoryManager

PowerManagerPowerManager

Config.ManagerConfig.Manager

Plug andPlayPlug andPlay

KernelKernel

File System CacheFile System Cache IO ManagerIO Manager

NTFSNTFS FAT 16/32FAT 16/32FilterEngineFilterEngine

TPC, UDPIPV4, IPV6TPC, UDPIPV4, IPV6 IPSECIPSEC QOSQOS HTTP

ListenerHTTPListener

Internet Connection FirewallInternet Connection Firewall

Demand Activation and Protocol HealthDemand Activation and Protocol Health

PNRPPNRP NativeWIRNativeWIR SIPSIP TCP ListenerTCP Listener UDP ListenerUDP Listener IPC ListenerIPC Listener

Network Class LibraryNetwork Class Library

GDI/GDI+GDI/GDI+ WindowManagerWindowManager

GlobalAudio Engine

GlobalAudio Engine

DirectXGraphicsDirectXGraphicsGraphics driversGraphics drivers

DDIDDI InputManagerInputManager

AudioDriversAudioDrivers

DirectX GraphicsMini port

DirectX GraphicsMini port

RedirectionsRedirections

.... WIRWIR NDISNDIS ....Device and File SystemDrivers

Services Schemas

Data Model

ADO.NET

Synchronization(WinFS, Win32..)Synchronization(WinFS, Win32..)

InfoAgent(PreferenceRules..)InfoAgent(PreferenceRules..)

FileSystem Services(MetaDataHandlers..)FileSystem Services(MetaDataHandlers..)

ContactsContacts MediaMedia

DocumentsDocuments ....

ItemsItems

RelationshipsRelationships

ExtensionsExtensions

ObjectSpacesObjectSpaces

DataSetDataSet

SQL XMLSQL XML

ProvidersProviders

ObjectsObjects T/SQLT/SQL XMLXML

Collaboration

Connector

Communications Manager (Port)Communications Manager (Port)

Transport Channels (IPC, HTTP, TCP…)Transport Channels (IPC, HTTP, TCP…)

Message Exchange Channels (Stream, Reliable…)Message Exchange Channels (Stream, Reliable…)

Common Services (Router, Queue, Topic…)Common Services (Router, Queue, Topic…) Policy EnginePolicy Engine

ChannelSecurity Provider

ChannelSecurity Provider

People People GroupsGroups ControlsControls SignalingSignaling

RemotingRemoting PeerStorePeerStore SchedulesSchedules

Presentation Storage Communication

Base Operating System Services

Avalon WinFS Indigo

Location Service

4

WinFXWinFXClient Application Model

Avalon Windows Forms

Web & Service Application Model

ASP.NET / Indigo Win FSCompact

FrameworkYukon Mobile PC Optimized

System.HelpSystem.Help

System.DrawingSystem.Drawing

System.NaturalLanguageServicesSystem.NaturalLanguageServices

Data Systems Application Model

Presentation Data

Mobile PC & Devices Application Model

Communication

Command Line

NT Service

DataSetDataSet

MappingMapping

ObjectSpacesObjectSpaces

ObjectSpaceObjectSpace

QueryQuery

SchemaSchema

ItemItem

RelationshipRelationship

MediaMedia

AudioAudio

VideoVideo

ImagesImages

System.MessagingSystem.Messaging System.DiscoverySystem.Discovery

System.DirectoryServicesSystem.DirectoryServices

System.RemotingSystem.Remoting

System.Runtime.RemotingSystem.Runtime.Remoting

ActiveDirectoryActiveDirectory

UddiUddi

System.Web.ServicesSystem.Web.Services

Web.ServiceWeb.Service

DescriptionDescription

DiscoveryDiscovery

ProtocolsProtocols

System.MessageBusSystem.MessageBus

TransportTransport

PortPort

ChannelChannel

ServiceService

QueueQueue

PubSubPubSub

RouterRouter

System.TimersSystem.Timers

System.GlobalizationSystem.Globalization

System.SerializationSystem.Serialization

System.ThreadingSystem.Threading

System.TextSystem.Text

Base & Application Services

Fundamentals

System.ComponentModelSystem.ComponentModel

System.CodeDomSystem.CodeDom

System.ReflectionSystem.Reflection

System.EnterpriseServicesSystem.EnterpriseServices

System.TransactionsSystem.Transactions

Security

System.Windows.TrustManagementSystem.Windows.TrustManagement

System.Web.SecuritySystem.Web.Security

System.MessageBus.SecuritySystem.MessageBus.Security

AuthorizationAuthorization

AccessControlAccessControl

CredentialsCredentials

CryptographyCryptography

System.Web.ConfigurationSystem.Web.Configuration

System.MessageBus.ConfigurationSystem.MessageBus.Configuration

System.ConfigurationSystem.Configuration

System.ResourcesSystem.ResourcesSystem.ManagementSystem.Management

System.DeploymentSystem.Deployment

System.DiagnosticsSystem.Diagnostics

Configuration Deployment/Management

System.WindowsSystem.Windows System.WindowsSystem.WindowsSystem.Windows.FormsSystem.Windows.Forms

System.ConsoleSystem.Console

System.ServiceProcessSystem.ServiceProcess

System.Windows.FormsSystem.Windows.Forms System.WebSystem.Web System.StorageSystem.Storage System.Data.SqlServ

erSystem.Data.SqlServer

AnimationAnimation

ControlsControls

ControlControl

DesignDesign

PanelPanel

ControlsControls

DialogsDialogs

SideBarSideBar

NotificationNotification

System.WindowsSystem.Windows

DocumentsDocuments

Text ElementText Element

ShapesShapes

ShapeShape

InkInk

UI ElementUI Element ExplorerExplorer MediaMedia

System.Windows.FormsSystem.Windows.Forms

FormsForms

ControlControl

Print DialogPrint Dialog

DesignDesign

System.Web.UISystem.Web.UI

PagePage

ControlControl

HtmlControlsHtmlControls

MobileControlsMobileControls

WebControlsWebControls

AdaptorsAdaptors

DesignDesign

ExtensionExtension

InteropServicesInteropServices

System.RuntimeSystem.Runtime

System.LocationSystem.Location

System.CollectionsSystem.Collections

GenericGeneric

System.SearchSystem.Search

AnnotationsAnnotations

MonitoringMonitoring

LoggingLogging

RelevanceRelevance

System.DataSystem.Data

SqlClientSqlClient

SqlTypesSqlTypes

SqlXMLSqlXML

OdbcClientOdbcClient

OleDbClientOleDbClient

OracleClientOracleClient

CoreCore

ContactContact

LocationLocation

MessageMessage

DocumentDocument

EventEvent

System.StorageSystem.Storage

System.WebSystem.Web

PersonalizationPersonalization

CachingCaching

SessionStateSessionState

System.XmlSystem.Xml

SchemaSchema

SerializationSerialization

XpathXpath

QueryQuery

PermissionsPermissions

PolicyPolicy

PrincipalPrincipal

TokenToken

System.SecuritySystem.Security

System.CollaborationSystem.Collaboration

RealTimeEndpointRealTimeEndpoint

TransientDataSessionTransientDataSession

SignalingSessionSignalingSession

MediaMedia

ActivitiesActivities

HttpWebRequestHttpWebRequest

FtpWebListenerFtpWebListener

SslClientStreamSslClientStream

WebClientWebClient

System.NetSystem.Net

NetworkInformationNetworkInformation

SocketsSockets

CacheCache

System.WebSystem.Web

AdministrationAdministration

ManagementManagement

NavigationNavigation

Peer GroupPeer Group

PolicyPolicy

SerializationSerialization

CompilerServicesCompilerServices

RecognitionRecognition

System.SpeechSystem.Speech

SynthesisSynthesis

ManagementManagement


Longhorn

Aero


Longhorn

Avalon

10

The Avalon ApproachThe Avalon Approach

Unified approach to UI, Documents, and Media

Integration as part of development and experience

Integrated, vector-based composition engine

Utilizing the power of the PC throughout the graphics stack

Declarative programmingBringing designers directly into application development

Unified approach to UI, Documents, and Media

Integration as part of development and experience

Integrated, vector-based composition engine

Utilizing the power of the PC throughout the graphics stack

Declarative programmingBringing designers directly into application development

11

Integration – The Guiding VisionAvalon - the integrated platform for UI, Media, and Documents

UI, Media, and Documents share the benefits of a new stack built from the bottom upAnchored on the .NET Framework and Direct3DParallel procedural and declarative models

UIFlexible component architectureLayout servicesTwo-way transformable data binding

MediaGraphicsAudio, video, animation

DocumentsFixed, flow, and adaptive layoutsPagination/printingRights management

12

Developer ExperienceBest of Web, Best of Windows

Webseamless deployment, update, and administrationflowable layoutprogressive download and renderingdeclarative model (text-based markup)

Windowsunrestricted functionalityintegration with Windows desktopgood offline supportscalability/performancebroad developer language and tools support

Bringing together the advantages from both worlds

13

Developer ExperienceDeclarative ProgrammingDeveloper ExperienceDeclarative Programming

Extensible Application Markup – codenamed XAML

One-to-one correspondence with object modelKey role in enabling interoperation between UI authoring tools and developer tools

Fundamental XAML concepts:Markup can contain codeMarkup can be compiled for executionMarkup and procedural code are peers in functionality and performance

Extensible Application Markup – codenamed XAML

One-to-one correspondence with object modelKey role in enabling interoperation between UI authoring tools and developer tools

Fundamental XAML concepts:Markup can contain codeMarkup can be compiled for executionMarkup and procedural code are peers in functionality and performance

14

XAMLXAML

<Canvas xmlns="http://schemas.microsoft.com/2003/xaml" Background="LightCyan" Width="100%" Height="100%">

<Image Source="lh.bmp" Canvas.Left="5" Canvas.Top="5" />

<Text Canvas.Left="90" Canvas.Top="20" FontSize="36">Hello, Longhorn! </Text>

</Canvas>

<Canvas xmlns="http://schemas.microsoft.com/2003/xaml" Background="LightCyan" Width="100%" Height="100%">

<Image Source="lh.bmp" Canvas.Left="5" Canvas.Top="5" />

<Text Canvas.Left="90" Canvas.Top="20" FontSize="36">Hello, Longhorn! </Text>

</Canvas>


Longhorn

Indigo

16

Indigo ArchitectureIndigo Architecture

Connector

Communications Manager (Port)Communications Manager (Port)

Transport Channels(IPC, HTTP, TCP…)Transport Channels(IPC, HTTP, TCP…)

Channels (Datagram, Reliable, Peer, …)Channels (Datagram, Reliable, Peer, …)

Policy EnginePolicy Engine

MessageEncoderMessageEncoder

ChannelSecurityChannelSecurity

Service Model

Hosting Environments

Instance ManagerInstance Manager

Context ManagerContext Manager

TypeIntegrationTypeIntegration

ServiceMethodsServiceMethods

DeclarativeBehaviorsDeclarativeBehaviors

TransactedMethodsTransactedMethods

ASP.NETASP.NET .container.container .exe.exe NT ServiceNT Service DllHostDllHost

Messaging Services

System Services

QueuingQueuing

RoutingRouting

EventingEventing

……

Transaction Transaction

Federation Federation

……

17

“Indigo” Security Goals“Indigo” Security Goals

Provide message-based security leveraging Web Service Security standardsProvide simple, constrained, out-of-box security solutions that meet most application security requirementsProvide adequate flexibility for customizing security solutionsProvide extensibility for authentication, authorization, token types, security providers

Provide message-based security leveraging Web Service Security standardsProvide simple, constrained, out-of-box security solutions that meet most application security requirementsProvide adequate flexibility for customizing security solutionsProvide extensibility for authentication, authorization, token types, security providers

18

Turn-Key DeploymentConfiguration and ProfilesTurn-Key DeploymentConfiguration and Profiles

Define security profiles which indicate how security requirements are to be satisfiedDeveloper or deployer may define their own security profilesCommon security profiles are predefined in machine.configA scope of messages are bound to a security profile

Define security profiles which indicate how security requirements are to be satisfiedDeveloper or deployer may define their own security profilesCommon security profiles are predefined in machine.configA scope of messages are bound to a security profile


Longhorn

WinFS

20

WinFS IsWinFS Is

All end-user data lives in LonghornNew user experience in Longhorn ShellA trustworthy place to store dataData model built on relational database technology Filesystem capabilities built on NTFS Everyday Information - domain-specific schemasServices that make data active

All end-user data lives in LonghornNew user experience in Longhorn ShellA trustworthy place to store dataData model built on relational database technology Filesystem capabilities built on NTFS Everyday Information - domain-specific schemasServices that make data active

21

WinFS Data Model WinFS Data Model Items

The new atomic unit of dataItems have subsumed FilesCopy, put in Folders, etc.

A group of simple and complex types that represent data

Defined in a schema, arranged in types

Structured, Semi-Structured, and, OpaquePersisted

RelationshipsExplicitly relate Items together

E.g.; Author binds Document to ContactSchema can model complex itemsContainment, reference, embedding, categories, etc.

ExtensionsProvide ability to add new data to existing Item types

ItemsThe new atomic unit of data

Items have subsumed FilesCopy, put in Folders, etc.

A group of simple and complex types that represent data

Defined in a schema, arranged in types

Structured, Semi-Structured, and, OpaquePersisted

RelationshipsExplicitly relate Items together

E.g.; Author binds Document to ContactSchema can model complex itemsContainment, reference, embedding, categories, etc.

ExtensionsProvide ability to add new data to existing Item types

Fram

ework

Models

Core WinFS ItemsItems


ExtensionsExtensionsFilesystem Srvcs (Handlers, …)Filesystem Srvcs (Handlers, …)

OperationsOperations

Data Model

NTFSNTFS

Relational EngineRelational Engine

ServicesPeoplePeople

DocumentsDocuments

……InfoAgent (Rules, …)InfoAgent (Rules, …)

Synchronization(WinFS, …)Synchronization(WinFS, …)

Schemas

XMLXMLAPIs

T/SQLT/SQLObjectsObjects

22

WinFS Schemas WinFS Schemas

Windows Everyday Information

Documents, Messages, Annotations, NotesMedia, Audio, Video, ImagesEvents, Appointments, Locations, UserTask

Windows SystemSystemTasks, Config, ProgramsExplorer, Help, Security

New SchemasDevelopers can define own data shapeComprised of

ScalarsComplex TypesXMLBinary/Filestream

Windows Everyday Information

Documents, Messages, Annotations, NotesMedia, Audio, Video, ImagesEvents, Appointments, Locations, UserTask

Windows SystemSystemTasks, Config, ProgramsExplorer, Help, Security

New SchemasDevelopers can define own data shapeComprised of

ScalarsComplex TypesXMLBinary/Filestream

Fram

ework

Models





Data Model

NTFSNTFS



DocumentsDocuments



Schemas

XMLXMLAPIs


23

<ItemType Name="Person” BaseType="Core.Contact" ... > <Property Name="PersonalNames” Type="MultiSet“ MultiSetOfType="FullName“ Nullable="true"> <Property Name="AddressLine“ Type="WinFS.String" Nullable="true"> <RelationshipType Name="Employment“ BaseType="WinFS.Relationship“ AllowsHolding="true“ AllowsEmbedding="false“ AllowsReference="true"> <Property Name=“IrisScan” Type=“WinFS.FileStream” …/></ItemType>

WinFS Schema

ItemId Name Addresses

Street City State Zip



IrisScan

FirstName LastName

Table View of Person

NTFS stream

ExampleExample

ItemId Name Addresses




IrisScan

FirstName LastName

Table View of Person

NTFS stream

ExampleExample

24

Longhorn And FilesystemsLonghorn And Filesystems

Files can live solely in an NTFS volumeAvailable for boot

E.g., C:\Windows is in NTFS

Volume can be mounted on down level machine

E.g., Firewire drive on both XP and Longhorn

Items can live solely in WinFSFile-backed Items

Accessible through standard Win32 APIsMetadata Handlers get data in and out of file streams

User data moved into WinFSI.e., C:\Documents and Settings

Has Import/Export utilities

Files can live solely in an NTFS volumeAvailable for boot

E.g., C:\Windows is in NTFS

Volume can be mounted on down level machine

E.g., Firewire drive on both XP and Longhorn

Items can live solely in WinFSFile-backed Items

Accessible through standard Win32 APIsMetadata Handlers get data in and out of file streams

User data moved into WinFSI.e., C:\Documents and Settings

Has Import/Export utilities

25

WinFS ServicesSynchronizationWinFS ServicesSynchronization

Synchronize one WinFS with another

Keep My Contacts and My Files in sync across my home machinesPeer to Peer sharing

Synchronize WinFS with other data sources

Keep My Contacts in sync with online email contacts, enterprise CRM, etc.

Synchronize one WinFS with another

Keep My Contacts and My Files in sync across my home machinesPeer to Peer sharing

Synchronize WinFS with other data sources

Keep My Contacts in sync with online email contacts, enterprise CRM, etc.

Fram

ework

Models





Data Model

NTFSNTFS



DocumentsDocuments



Schemas

XMLXMLAPIs


26

Synchronization OverviewSynchronization Overview

ApproachMulti-master replication

Replicas make changes independently

Net-change synchronizationLooking at cumulative changes, not logs

A set of common services for all data sources and all schemas

Change tracking, change enumeration, conflict handling, etc.

ExtendingSchema design

Granularity of change units is declared in the WinFS schemas

Custom conflict resolution handlersExtend the system conflict policies with code

Synchronization AdaptorsOutside datasources for one way or bidirectional synchronization

ApproachMulti-master replication

Replicas make changes independently

Net-change synchronizationLooking at cumulative changes, not logs

A set of common services for all data sources and all schemas

Change tracking, change enumeration, conflict handling, etc.

ExtendingSchema design

Granularity of change units is declared in the WinFS schemas

Custom conflict resolution handlersExtend the system conflict policies with code

Synchronization AdaptorsOutside datasources for one way or bidirectional synchronization

27

Synchronization ManagerSynchronization Manager

28

WinFS ServicesInfoAgent WinFS ServicesInfoAgent

Users want to control how their PCs behave

It’s called a personal computer after allEvery aspect of the system can be personalized

InfoAgent enables rich, flexible customization

“When I receive a high priority email from a customer, show me a popup message if I’m at my desk, otherwise forward it to my cell phone”“When I download new photos from my camera, relates them to the events on my calendar”

Users want to control how their PCs behave

It’s called a personal computer after allEvery aspect of the system can be personalized

InfoAgent enables rich, flexible customization

“When I receive a high priority email from a customer, show me a popup message if I’m at my desk, otherwise forward it to my cell phone”“When I download new photos from my camera, relates them to the events on my calendar”

Fram

ework

Models





Data Model

NTFSNTFS



DocumentsDocuments



Schemas

XMLXMLAPIs


29

Notifications And InfoAgentNotifications And InfoAgent‘Active Data’ – Subscribe to WinFS

changesItem change subscriptions Item Domain containment/query subscriptions

InfoAgent IntegrationInclusive set of events, contexts, and actionsPreferences stored as WinFS itemsUnified management of notification rules

‘Active Data’ – Subscribe to WinFS changesItem change subscriptions Item Domain containment/query subscriptions

InfoAgent IntegrationInclusive set of events, contexts, and actionsPreferences stored as WinFS itemsUnified management of notification rules

ActionsActionsPreferencesPreferences

EventsEvents

ContextsContexts


Longhorn

Microsoft Shell

31

Microsoft ShellMicrosoft Shell

Weak cmd shellWeak languagespotty coverage

GUI focusHard to automate

SDK FocusProgrammers

Weak cmd shellWeak languagespotty coverage

GUI focusHard to automate

SDK FocusProgrammers

Foundation for task-based managementFocused on power users and adminsProvides:

Interactive shellCmdletsUtilitiesScripting language Remote scripting

Foundation for task-based managementFocused on power users and adminsProvides:

Interactive shellCmdletsUtilitiesScripting language Remote scripting

Solution: MSHProblem

32

Core ConceptsCore Concepts

Command line scripting languageBest of sh/ksh, Perl/Ruby, DCL/CL

Commands are classes (Cmdlets)Hosting model

Command line scripting languageBest of sh/ksh, Perl/Ruby, DCL/CL

Commands are classes (Cmdlets)Hosting model

33

How It WorksHow It Works

MSH Engine

Core Command Base Classes

Core Commands(get, set, rename, move, push, pop, …)

FileSysProvider

Cmdlet Cmdlet Cmdlet …

RegistryProvider

ADProvider

34

Parameters And ConfirmationParameters And Confirmation[CommandDeclaration("stop", "ps")]public class StopPs: Cmdlet{

public string ProcessName; public override void ProcessRecord() { Process [ ]ps; ps = Process.GetProcessesByName(ProcessName); foreach (Process p in ps) {

{ p.Kill(); } } }}

[CommandDeclaration("stop", "ps")]public class StopPs: Cmdlet{

public string ProcessName; public override void ProcessRecord() { Process [ ]ps; ps = Process.GetProcessesByName(ProcessName); foreach (Process p in ps) {

{ p.Kill(); } } }}

[ParsingMandatoryParameter][ParsingPromptString(“Name of the process")]

if (ConfirmProcessing(p.ProcessName))

35

Navigation ProviderNavigation Provider

[ProviderDeclaration("REG", "Registry",ProviderCapabilityFlags.None)]public class RegistryProvider : NavigationCmdletBase{ protected override void GetItem(string path) { RegistryKey key = GetRegkeyForPath(path, false);

if (key == null) { WriteErrorObject(path,

new ArgumentException("does not exist")); } WriteObject(key); } ....}

[ProviderDeclaration("REG", "Registry",ProviderCapabilityFlags.None)]public class RegistryProvider : NavigationCmdletBase{ protected override void GetItem(string path) { RegistryKey key = GetRegkeyForPath(path, false);

if (key == null) { WriteErrorObject(path,

new ArgumentException("does not exist")); } WriteObject(key); } ....}


Longhorn

Application Automation

37

“UI Automation” defined“UI Automation” defined

Gather information about the UIDynamically discover UI structureExtract property information Receive event notifications when UI changesQuery an element for its behavior

Interact with UI elementsClick a button, scroll a list, move a window, etc.Inject keystrokes and mouse input

Gather information about the UIDynamically discover UI structureExtract property information Receive event notifications when UI changesQuery an element for its behavior

Interact with UI elementsClick a button, scroll a list, move a window, etc.Inject keystrokes and mouse input

– code that programmatically drives another application’s UI to yield a desired

result

38

UI Automation ClientsUI Automation Clients

UI Automation Providers

Windows UI Automation Core

Longhorn Model: UI AutomationLonghorn Model: UI Automation

Assistive TechnologyProducts

ScriptingUtilities

TestingFramework

“Avalon”Implementation

Control Proxy CustomImplementation

…InteropProvider…Provider

MSAvalon.Windows.Automation

Leg

acy C

on

trol

ISV

Ob

ject

Mod

el

Atu

om

ate

d T

est

…InteropProvider

39

Windows UI AutomationWindows UI AutomationAutomation framework built into Longhorn

Platform-level support for automating all UI elements

Avalon, WinForms, Win32, Visual Basic, etc.

Exposes a consistent object model for all controls

3rd party controls easily integrate into model

Security Model – client must be trustedLocale, machine, and resolution independent

Creates new opportunities for innovation in:

Automated UI TestingAssistive Technology ProductsCommand-and-Control Utilities

Automation framework built into Longhorn

Platform-level support for automating all UI elements

Avalon, WinForms, Win32, Visual Basic, etc.

Exposes a consistent object model for all controls

3rd party controls easily integrate into model

Security Model – client must be trustedLocale, machine, and resolution independent

Creates new opportunities for innovation in:

Automated UI TestingAssistive Technology ProductsCommand-and-Control Utilities

40

UI Automation OverviewUI Automation OverviewLogical Tree – structure of the UI

Stitches all UI trees into one coherent structureEliminates unnecessary elementsResembles the structure perceived by an end user

Properties – important UI informationName, Bounding Rectangle, Persistent ID, etc.

Events – notification of UI changes Window creation, change in focus or selection, etc

Control Patterns – control behavior Scroll, Selection, Window, ExpandCollapse, etc.

Input – simple mouse and keyboard input

Logical Tree – structure of the UI Stitches all UI trees into one coherent structureEliminates unnecessary elementsResembles the structure perceived by an end user

Properties – important UI informationName, Bounding Rectangle, Persistent ID, etc.

Events – notification of UI changes Window creation, change in focus or selection, etc

Control Patterns – control behavior Scroll, Selection, Window, ExpandCollapse, etc.

Input – simple mouse and keyboard input

41

UI Automation Control PatternsUI Automation Control Patterns

Mutually exclusive classes of control behaviorControl developers (providers) expose these patterns for new or existing controlsAutomation developers (clients) use patterns to

Discover what functionality a control offersGather pattern-specific property informationReceive pattern-specific eventsProgrammatically manipulate the control

Examples: Button: InvokeListBox: Scroll, SelectionComboBox: Scroll, Selection, ExpandCollapse

Mutually exclusive classes of control behaviorControl developers (providers) expose these patterns for new or existing controlsAutomation developers (clients) use patterns to

Discover what functionality a control offersGather pattern-specific property informationReceive pattern-specific eventsProgrammatically manipulate the control

Examples: Button: InvokeListBox: Scroll, SelectionComboBox: Scroll, Selection, ExpandCollapse

42

Security ModelSecurity Model

No default automation permissions UI Automation functionality is protected according to the following permissions:

Read – Navigate tree, get properties, receive eventsWrite – Call control pattern methodsInput – Call methods in the Input class

Access to Rights Managed requires additional permissions

No default automation permissions UI Automation functionality is protected according to the following permissions:

Read – Navigate tree, get properties, receive eventsWrite – Call control pattern methodsInput – Call methods in the Input class

Access to Rights Managed requires additional permissions


Longhorn

Deployment

44

ClickOnce VisionClickOnce Vision

Bring the ease & reliability of web application deployment to client applications.

Bring the ease & reliability of web application deployment to client applications.

45

The Best of the Client & WebThe Best of the Client & Web

Web ClickOnce

MSI Client

Reach Y

No Touch Deployment Y Y

Low System Impact Y Y

Install/Run Per-User Y Y

Rich / Interactive Y Y

Offline Y Y

Windows Shell Integration Y Y

Per-Machine/Shared Components

Y

Unrestricted Install Y

46

Install GoalsInstall GoalsReduce install fragility

Allow what’s low impactEx. App file copy, start menu integration, etc…

Can always undo what was installed

Disallow what’s not low impactApps never run with admin rights (LUA)

Driver registration, COM objects, etc..

Custom actions; large source of install uncertainty

Expand the definition of “low impact”

Requires OS Changes. Starts with Longhorn

Reduce install fragility

Allow what’s low impactEx. App file copy, start menu integration, etc…

Can always undo what was installed

Disallow what’s not low impactApps never run with admin rights (LUA)

Driver registration, COM objects, etc..

Custom actions; large source of install uncertainty

Expand the definition of “low impact”

Requires OS Changes. Starts with Longhorn

47

Declarative InstallDeclarative Install

Application ManifestDescribes the applicationEx.. What assemblies constitute the appAuthored by the developer

Deployment ManifestDescribes the application deploymentEx.. What version clients should runAuthored by the administrator

Application ManifestDescribes the applicationEx.. What assemblies constitute the appAuthored by the developer

Deployment ManifestDescribes the application deploymentEx.. What version clients should runAuthored by the administrator

48

Deployment ManifestDeployment Manifest

Identity

<assemblyIdentity name="TaskVision.deploy" version="1.0.0.0" publicKeyToken=“…" processorArchitecture="x86" asmv2:culture="en-US" />

<description asmv2:publisher="Microsoft" asmv2:product="TaskVision"> </description>

MyApp.Deploy

49


Identity

Deployment

<deployment isRequiredUpdate="false" >

<install shellVisible="true" />

<subscription> <update> <beforeApplicationStartup /> <periodic> <minElapsedTimeAllowed time="0" unit="hours" /> </periodic> </update> </subscription>

</deployment>

MyApp.Deploy

50


Identity

Deployment

App Ref

<dependency>

<dependentAssembly> <assemblyIdentity name="TaskVision.manifest"

version="1.0.0.0" publicKeyToken=“…" processorArchitecture="x86" asmv2:culture="en-US" /> </dependentAssembly>

<asmv2:installFrom codebase="1.0.0.0/TV.manifest" />

</dependency>

MyApp.Deploy

51


Identity

Deployment

App Ref

Signature

MyApp.Deploy <Signature > <SignedInfo> <Reference URI=""> <DigestMethod Algorithm=“http://…" /> <DigestValue>2xKk…</DigestValue> </Reference> </SignedInfo>

<SignatureValue>vNTBod96H7k…</SignatureValue>

<KeyInfo> <KeyValue> <RSAKeyValue> <Modulus>+Wnh5RN9…</Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue> </KeyValue> </KeyInfo> </Signature>

52

Application ManifestApplication Manifest

Identity

Entry Point

Security

File List

Assembly List

MyApp.Manifest

Signature

<assemblyIdentity name="TaskVision.deploy" version="1.0.0.0" publicKeyToken=“…" processorArchitecture="x86" asmv2:culture="en-US" />

53

Deployment OptionsDeployment Options

‘Installed’ ApplicationsFrom Web, UNC or CDStart Menu, Add/Remove ProgramsVaried update options

‘Launched' ApplicationsApp launches but doesn’t “install”No Start Menu, Add/Remove ProgramsAlways update on launch

‘Installed’ ApplicationsFrom Web, UNC or CDStart Menu, Add/Remove ProgramsVaried update options

‘Launched' ApplicationsApp launches but doesn’t “install”No Start Menu, Add/Remove ProgramsAlways update on launch

54

Update OptionsUpdate OptionsOn App Startup

If found, ask user to update app

After App StartupIf found, ask user to update on next run

ProgrammaticIntegrate update experience into app

Required Update can specify minimum version required

Background UpdatesUpdates drizzle in silently – like Windows Updates“Longhorn” only

On App StartupIf found, ask user to update app

After App StartupIf found, ask user to update on next run

ProgrammaticIntegrate update experience into app

Required Update can specify minimum version required

Background UpdatesUpdates drizzle in silently – like Windows Updates“Longhorn” only

55

Secure UpdatesSecure Updates

Only the original deployer can updateNo auto-deployment of viruses

Manifests are signedXMLDSIGDeployer key needed to publish updates

Only the original deployer can updateNo auto-deployment of viruses

Manifests are signedXMLDSIGDeployer key needed to publish updates

56

“Longhorn Web” Apps“Longhorn Web” Apps

Integrated with BrowserInstall UI built into browser Best possible user experienceLeverages Avalon app/navigation modelNo shell presence (ex. Start Menu shortcut)Runs in semi-trust

Progressive InstallApp automatically installs as it’s usedFile level install

Integrated with BrowserInstall UI built into browser Best possible user experienceLeverages Avalon app/navigation modelNo shell presence (ex. Start Menu shortcut)Runs in semi-trust

Progressive InstallApp automatically installs as it’s usedFile level install

57

When Should I Use The Windows Installer (MSI) ?When Should I Use The Windows Installer (MSI) ?

ClickOnce is the solution for new self-contained applications

Low System ImpactNo Touch DeploymentInstall / Run Per-UserRich Interactive applications

Use Windows Installer if you need toInstall Shared ResourcesInstall Win32 Applications Perform custom actions during installation

ClickOnce is the solution for new self-contained applications

Low System ImpactNo Touch DeploymentInstall / Run Per-UserRich Interactive applications

Use Windows Installer if you need toInstall Shared ResourcesInstall Win32 Applications Perform custom actions during installation

58

ClickOnce And Windows Installer (MSI)ClickOnce And Windows Installer (MSI)

ClickOnce

MSI Client

No Touch Deployment Y

Low System Impact Y Y*Install/Run Per-User Y YRich / Interactive Y YOffline Y YWindows Shell Integration Y YPer-Machine/Shared Components

Y

Unrestricted Install Y

* MSI applications can be authored for “low system impact”

59

Windows Installer Basics.MSI Windows Installer Basics.MSI

Features

Components

Shortcuts

Action

Files

Optional Internal CAB

Summary Information Assemblies

Pointers to source files

MSI databasePopulated by setup developer.MSI file extensionOne per productDescribed in relational tables

Products haveFeaturesComponentsInstallable resourcesEntry points

Other Tables...

60

Windows Installer Basics.MSP Windows Installer Basics.MSP

MSP is a Windows Installer patch packagePatches make changes to the configuration information database and resources (files, registry)Patch package (MSP) contains

Summary Information StreamTransformsCabinet file

MSP is a Windows Installer patch packagePatches make changes to the configuration information database and resources (files, registry)Patch package (MSP) contains

Summary Information StreamTransformsCabinet file

61

Windows Installer v4.0MSI 40Windows Installer v4.0MSI 40

Longhorn extensionsMSI will support new Longhorn shell extension manifest

No-Reboot support for setup / updates

MSI detects processes holding files in useSends notification to processesDesign your applications to save state, shutdown and resume

Longhorn extensionsMSI will support new Longhorn shell extension manifest

No-Reboot support for setup / updates

MSI detects processes holding files in useSends notification to processesDesign your applications to save state, shutdown and resume

62

Windows Installer v4.0Image Based SetupWindows Installer v4.0Image Based Setup

Longhorn uses a new Image Based Setup model

Minimizes number of imagesDeployment of Windows + Applications is fasterImages can be maintained, serviced &modified offline/online

MSI applications can be deployed with Images

FASTOEM property is used by major OEMs to speed up factory floor setupFiles copied with the OS image Installation and configuration are done on first boot

Longhorn uses a new Image Based Setup model

Minimizes number of imagesDeployment of Windows + Applications is fasterImages can be maintained, serviced &modified offline/online

MSI applications can be deployed with Images

FASTOEM property is used by major OEMs to speed up factory floor setupFiles copied with the OS image Installation and configuration are done on first boot


Longhorn

Identity

64

The Identity SystemThe Identity System

Ubiquitous store, development platform for applications that consume identity

Built on “WinFS” storage subsystem (CLI201)Schema for unified representation of identityAPI with specialized types, methods for principals

Provides recognition between principalsBootstrap and manage recognition between people, computers, groups, organizationsExtends Windows security services, can be used by existing applications

Principals can be serialized, exchanged using document we call an”Information Card”

Ubiquitous store, development platform for applications that consume identity

Built on “WinFS” storage subsystem (CLI201)Schema for unified representation of identityAPI with specialized types, methods for principals

Provides recognition between principalsBootstrap and manage recognition between people, computers, groups, organizationsExtends Windows security services, can be used by existing applications

Principals can be serialized, exchanged using document we call an”Information Card”

65

What is an Information Card?What is an Information Card?

Exchangeable identity statement allowing verification of signatureExchangeable identity statement allowing verification of signature

Display name

Identity claims

Disclosed information

Certificate

Use p

olicy

Unique identifier(s)For a person: email addressFor organization: web site

Unique identifier(s)For a person: email addressFor organization: web siteData I choose to discloseHome addressPhone number

Data I choose to discloseHome addressPhone number

Public key certificateLocal account: self-signedDomain account: signed by CA in Active Directory

Public key certificateLocal account: self-signedDomain account: signed by CA in Active Directory

66

How Are Information Cards Used?How Are Information Cards Used?

Information Cards are used to manage secure digital relationships with people and organizationsWhen an Information Card is imported, it becomes a contact in the contact explorer

Can be recognized using Windows security services (SSPI)Can be granted access to shared spaces

Will seek broad adoption of Information Card, encourage others to implement

Information Cards are used to manage secure digital relationships with people and organizationsWhen an Information Card is imported, it becomes a contact in the contact explorer

Can be recognized using Windows security services (SSPI)Can be granted access to shared spaces

Will seek broad adoption of Information Card, encourage others to implement

68

Identity-Based Host FirewallIdentity-Based Host Firewall

Only people you recognize and to whom granted access can make inbound connections to your computerOther callers see IPSEC negotiation port, nothing elseGreatly reduces exposed attack surface of a Windows computer on a network

Only people you recognize and to whom granted access can make inbound connections to your computerOther callers see IPSEC negotiation port, nothing elseGreatly reduces exposed attack surface of a Windows computer on a network

69

Authentication Versus AuthorizationAuthentication Versus Authorization

Accepting an Information Card does not grant a contact access to the computer

Recognition only – clear separation of authentication, authorizationA contact must have no implicit access

To revoke someone’s access to computerRemove from access policies on resourcesOptionally, delete contact object, no longer recognize that person

E.g. Person to Person - WinFS Sync with “Castle”sPerson to OrganisationOrganisation to Organisation

Accepting an Information Card does not grant a contact access to the computer

Recognition only – clear separation of authentication, authorizationA contact must have no implicit access

To revoke someone’s access to computerRemove from access policies on resourcesOptionally, delete contact object, no longer recognize that person

E.g. Person to Person - WinFS Sync with “Castle”sPerson to OrganisationOrganisation to Organisation

70

Tracking Disclosed InformationTracking Disclosed Information

Identity system tracks Information Card disclosure

To whom Information Cards were sentWhat information was sent

If information changes, can selectively or automatically send updates

Updates signed thus known to be from you, can process automatically at destinationFor example: your mailing address changes – automatically update magazine subscriptions

Identity system tracks Information Card disclosure

To whom Information Cards were sentWhat information was sent

If information changes, can selectively or automatically send updates

Updates signed thus known to be from you, can process automatically at destinationFor example: your mailing address changes – automatically update magazine subscriptions

71

RoamingRoaming

Within home: “Castle” replicates dataWithin organization

Credentials, data stored in Active DirectoryDownload to Identity System on clients

To arbitrary other computersIdentity system data can be backed up, encrypted, and stored in vault in “cloud”

Can also use combination smartcard storage “dongle” for any of the above

Within home: “Castle” replicates dataWithin organization

Credentials, data stored in Active DirectoryDownload to Identity System on clients

To arbitrary other computersIdentity system data can be backed up, encrypted, and stored in vault in “cloud”

Can also use combination smartcard storage “dongle” for any of the above

72

Identity Loss and RecoveryIdentity Loss and Recovery

What happens if your computer dies?If a “Castle”, data is on other computer(s)Or, restore from system backup

Mechanisms used for roaming can also apply to recovery

Upload from smart dongleDownload from vault in cloud or from Active Directory

What happens if your computer dies?If a “Castle”, data is on other computer(s)Or, restore from system backup

Mechanisms used for roaming can also apply to recovery

Upload from smart dongleDownload from vault in cloud or from Active Directory

73

Identity TheftIdentity Theft

What if computer, smart dongle is stolen?

Send signed revocation message to people you have sent an Information CardIf backup in cloud vault, service could send revocation for you, like canceling credit cardBootstrap replacement identity using disclosure information from backup

How know if identity has been stolen?How discover this today? For example, by checking credit card statementMay need similar mechanisms online

What if computer, smart dongle is stolen?

Send signed revocation message to people you have sent an Information CardIf backup in cloud vault, service could send revocation for you, like canceling credit cardBootstrap replacement identity using disclosure information from backup

How know if identity has been stolen?How discover this today? For example, by checking credit card statementMay need similar mechanisms online


Longhorn

Trustworthiness and Security

75

Trustworthy CommitmentTrustworthy Commitment

Microsoft Cultural ShiftThousands of hours spent in security reviews on .NET Framework to dateFoundstone, @Stake security reviews

“Hardening” the .NET FrameworkMaking Security Easier for Customers

Prescriptive Architectural GuidanceFeature changes in .NET Framework

Microsoft Cultural ShiftThousands of hours spent in security reviews on .NET Framework to dateFoundstone, @Stake security reviews

“Hardening” the .NET FrameworkMaking Security Easier for Customers

Prescriptive Architectural GuidanceFeature changes in .NET Framework

SECSYM: Security SymposiumARC340: CLR Under the Covers: .Net Framework Application Security

76

Right Privilege At The Right TimeRight Privilege At The Right Time

User accounts (Only two account types)

Normal users runs with least-privilegedAdmin users runs with least-privileged

Admin applications need privilege elevationOnly trusted applications get to run with elevated privilege

User accounts (Only two account types)

Normal users runs with least-privilegedAdmin users runs with least-privileged

Admin applications need privilege elevationOnly trusted applications get to run with elevated privilege

77

Trust Application Execution OverviewTrust Application Execution Overview

<trustInfo>..

</trustInfo>

Author manifest with a trustInfo section

Make a strong name and sign the manifest

Validate Certificate and Signature

Developer/Administrator

Manifest

System

Enterprise Certificate

StoreSystem

Certificate Store

Make a trust action based on the Manifest data and Policies

Strong name/signature secured

Local Certificate

Store

Signing authority

78

Trust Evaluation ProcessTrust Evaluation Process

Code validation is a human decisionAuthenticode signed manifests

Certificate in the store

Domain administrators signed Deployment manifest

Local administrators blessed All machine have a signing key

Default behavior changed by policy

Code validation is a human decisionAuthenticode signed manifests

Certificate in the store

Domain administrators signed Deployment manifest

Local administrators blessed All machine have a signing key

Default behavior changed by policy

79

Security: The Sandbox (SEE)Security: The Sandbox (SEE)

Apps run in secure sandbox by default

Similar to IE javascriptEnsures applications are safe to run

Increased sandbox size“Longhorn” > “Whidbey” > .NET V1.1

VS helps author for the sandboxDebug in ZonePermissionCalcSecurity Exception helper

Apps run in secure sandbox by default

Similar to IE javascriptEnsures applications are safe to run

Increased sandbox size“Longhorn” > “Whidbey” > .NET V1.1

VS helps author for the sandboxDebug in ZonePermissionCalcSecurity Exception helper

80

Security: Sandbox Restrictions Security: Sandbox Restrictions

Some apps need more permissionUn-managed code access

Export to Excel or any MS Office integration

Un-restricted file accessUn-restricted network access

Some apps need more permissionUn-managed code access

Export to Excel or any MS Office integration

Un-restricted file accessUn-restricted network access

81

Security: Policy DeploymentSecurity: Policy Deployment

Application level policy“Trust this app”“App” defined by it’s app manifestBaked into core CLR security

Trust LicensesLicense issued by admin, deployed with appLicense indicates admin says app is trustedRequires only one-time (ever) client touch

To configure trusted license issuer

Application level policy“Trust this app”“App” defined by it’s app manifestBaked into core CLR security

Trust LicensesLicense issued by admin, deployed with appLicense indicates admin says app is trustedRequires only one-time (ever) client touch

To configure trusted license issuer

82

TrustManagerTrustManager

Decides if app needs additional trustRequested permissions beyond defaultNo previous trusted versionNo admin policy

Display user prompt if necessaryITrustManagerConfig

Control when / how prompting happens

Decides if app needs additional trustRequested permissions beyond defaultNo previous trusted versionNo admin policy

Display user prompt if necessaryITrustManagerConfig

Control when / how prompting happens

83

User ConsentUser Consent

Admins should make trust decisions, but…

Not always possibleHome users are their own admin

Users make trust decisions all the time

Putting a CD in their computerInstalling softwareSubmitting a Credit card to a web page

Admins should make trust decisions, but…

Not always possibleHome users are their own admin

Users make trust decisions all the time

Putting a CD in their computerInstalling softwareSubmitting a Credit card to a web page

84

User Consent DesignUser Consent Design

App request permissions neededRequests specified in app manifestVS helps identify needed permissions

Prompt is simple & binaryHappens at install / 1st launchCombined Install & Trust Prompt

User prompted if:App needs permissions above the sandboxAdmin has configured to allow prompting

App request permissions neededRequests specified in app manifestVS helps identify needed permissions

Prompt is simple & binaryHappens at install / 1st launchCombined Install & Trust Prompt

User prompted if:App needs permissions above the sandboxAdmin has configured to allow prompting

85

Code Access Security (CAS)Code Access Security (CAS)

Based on trust of codeRecognizes that trusted users (e.g. admin) run less trusted code (e.g. browsing the web)System intersects rights of code with rights of user = 2 levels of defense

Key featuresEvidence (location, signature, etc.) is combined with policy to grant permissions to codeProtected operations require permissionsAll callers must have permissions so bad code cannot “trick” good code and be exploited

Based on trust of codeRecognizes that trusted users (e.g. admin) run less trusted code (e.g. browsing the web)System intersects rights of code with rights of user = 2 levels of defense

Key featuresEvidence (location, signature, etc.) is combined with policy to grant permissions to codeProtected operations require permissionsAll callers must have permissions so bad code cannot “trick” good code and be exploited

86

CAS: How It WorksCAS: How It Works

Managed code verifiably robustNo buffer overruns! No unsafe casting!Only well-defined interactions (no ptrs)Components can protect their interfaces

Trusted libraries as security gate keepers

Before doing a protected operations, library demands permission of its callersStack walk – all callers must have permission to proceed; otherwise exception prevents itWhen demand succeeds the library can override (Assert) and do the operation safely

Managed code verifiably robustNo buffer overruns! No unsafe casting!Only well-defined interactions (no ptrs)Components can protect their interfaces

Trusted libraries as security gate keepers

Before doing a protected operations, library demands permission of its callersStack walk – all callers must have permission to proceed; otherwise exception prevents itWhen demand succeeds the library can override (Assert) and do the operation safely

87

Code Access Security (CAS)Code Access Security (CAS)

Demand must be satisfied by all callers

Ensures all code in causal chain is authorizedCannot exploit other code with more privilege

Demand must be satisfied by all callers

Ensures all code in causal chain is authorizedCannot exploit other code with more privilege

calls

Code B

Code C

B has P?

A has P?

calls

Code A

demand

88

What Is The Secure Execution Environment?What Is The Secure Execution Environment?

A new platform for secure applicationsCode written to the SEE is inherently more secure because only safe operations are possible within itSecurity restrictions are enforced by CLRPermission Elevation is possible in a declarative and predictable way, and there is a user experience.

The SEE is simply a default grant set of Code Access Security permissions

A new platform for secure applicationsCode written to the SEE is inherently more secure because only safe operations are possible within itSecurity restrictions are enforced by CLRPermission Elevation is possible in a declarative and predictable way, and there is a user experience.

The SEE is simply a default grant set of Code Access Security permissions

89

Why Code To The SEE?Why Code To The SEE?

Deploy without Trust Dialogs!Reduce test surfaceYou know that your code cannot harm users machineReduce TCO

Business: admin doesn’t have to worry about what the code might do.Home: SEE app cannot harm your machine

Deploy without Trust Dialogs!Reduce test surfaceYou know that your code cannot harm users machineReduce TCO

Business: admin doesn’t have to worry about what the code might do.Home: SEE app cannot harm your machine

90

Why The SEE Is SafeWhy The SEE Is Safe

SEE applicationsAll code has only limited safe permissionsCan only use SEE-approved trusted libraries

Security principlesCode can further restrict self to least privilegeApplication isolationLibrary code is limited to a known safe set

SEE applicationsAll code has only limited safe permissionsCan only use SEE-approved trusted libraries

Security principlesCode can further restrict self to least privilegeApplication isolationLibrary code is limited to a known safe set

91

Limited User Account(LUA)

Protected Admin (PA)

Application Impact Management

Limited User Account(LUA)

Protected Admin (PA)

Application Impact Management

92

LUA Problem StatementLUA Problem StatementRunning with elevated privilege leads to disasters

One reason why viruses can cause damaged is because too many people run with full privilegeWash Post even is telling us to run without privilegeEvery Admin tells us they want to limit users, but…

Most people demand to run as admin because:Rich web experience, dependant on ActiveX installation, currently requires admin privilege“If we don’t run as admin, stuff breaks”Testing is really easy when everyone’s an admin!Everything works including malicious code!

Customers want tools and help “Please help us to get applications that run with Least Privilege”Win98 & XP users are admin, so apps are built for adminThis is the vicious circle that we must break

Running with elevated privilege leads to disastersOne reason why viruses can cause damaged is because too many people run with full privilegeWash Post even is telling us to run without privilegeEvery Admin tells us they want to limit users, but…

Most people demand to run as admin because:Rich web experience, dependant on ActiveX installation, currently requires admin privilege“If we don’t run as admin, stuff breaks”Testing is really easy when everyone’s an admin!Everything works including malicious code!

Customers want tools and help “Please help us to get applications that run with Least Privilege”Win98 & XP users are admin, so apps are built for adminThis is the vicious circle that we must break

93

LUA – The Good And The BadLUA – The Good And The Bad

Long term: we will greatly improve the TCO and “Secure by Deployment” story with Limited UserLUA apps have no legitimate reason to ask for admin privilegeGood LUA apps do not try to change system or domain state – they work on XP today as LUABad LUA apps (the majority) inadvertently change system stateShort term: some LUA apps will not be fixable by Application Impact Management

The target is to have only 20% of apps in this categoryThe expected behavior is that these apps will fail for Longhorn

Long term: we will greatly improve the TCO and “Secure by Deployment” story with Limited UserLUA apps have no legitimate reason to ask for admin privilegeGood LUA apps do not try to change system or domain state – they work on XP today as LUABad LUA apps (the majority) inadvertently change system stateShort term: some LUA apps will not be fixable by Application Impact Management

The target is to have only 20% of apps in this categoryThe expected behavior is that these apps will fail for Longhorn

94

Three Customers For LUAThree Customers For LUA

Fully locked down corporationsLots of research shows that the enterprise admin wants this featureReduce security threatsReduce number of apps loadedReduce TCO

Admins that need a safe place to run appsShould have the least privilege needed by app

At Home where the admin wants to increase security

Parental controls, so that the child uses only age-appropriate appsUser self lockdown to protect PC from security problems

Fully locked down corporationsLots of research shows that the enterprise admin wants this featureReduce security threatsReduce number of apps loadedReduce TCO

Admins that need a safe place to run appsShould have the least privilege needed by app

At Home where the admin wants to increase security

Parental controls, so that the child uses only age-appropriate appsUser self lockdown to protect PC from security problems

95

LUA In LonghornLUA In Longhorn

All applications will have a manifest listing the application parts

Enabling Windows to provide a safe environment for the application to run.All applications will undergo a Trust Evaluation

Contain applications to limit potential damageCreate Compartments where code can run

Least-privileged User Account (LUA)Most apps can run with user privileges in user spaceApps run in LUA space by default in LH

Admin Privilege (Protected Admin)Only trusted applications will run with admin privilege in admin spaceAdmins will not enable PA if LUA is not useful

All applications will have a manifest listing the application parts

Enabling Windows to provide a safe environment for the application to run.All applications will undergo a Trust Evaluation

Contain applications to limit potential damageCreate Compartments where code can run

Least-privileged User Account (LUA)Most apps can run with user privileges in user spaceApps run in LUA space by default in LH

Admin Privilege (Protected Admin)Only trusted applications will run with admin privilege in admin spaceAdmins will not enable PA if LUA is not useful

96

App OperationsApp Operations

Full Admin Full Admin AppsApps

SEE SEE AppsApps

Built for Built for LUA AppsLUA Apps

Fixable Admin Fixable Admin LUA Apps LUA Apps(AIM)(AIM)

97

Code Validation ProcessCode Validation Process

All code validation is a human decisionPublishers can get signed app manifest (need to be in cert store)Domain admins can sign deployment manifest (enterprise store)Local admins can “bless” appsBy policy user can decide to change default behavior

All local validation decisions are preserved in App ContextCode Integrity is assured by checking every .EXE and .DLL for validityApplication trust is assured at Runtime

All code validation is a human decisionPublishers can get signed app manifest (need to be in cert store)Domain admins can sign deployment manifest (enterprise store)Local admins can “bless” appsBy policy user can decide to change default behavior

All local validation decisions are preserved in App ContextCode Integrity is assured by checking every .EXE and .DLL for validityApplication trust is assured at Runtime

98

Application Impact Management And LUA/PAApplication Impact Management And LUA/PA

All system impact changes are logged for potential rollback on uninstallLUA & Admin apps will have their impactful registry writes monitored as wellApps are given their own view of certain files & regkeys

All system impact changes are logged for potential rollback on uninstallLUA & Admin apps will have their impactful registry writes monitored as wellApps are given their own view of certain files & regkeys

99

User Experience GoalsUser Experience Goals

Longhorn is Secure by Default yet the system is as flexible and easy to use as Windows XPUsers know when they are about to do something potentially unsafe and are able to make an informed decision

Longhorn always gives strong Security recommendationsUsers can undo damaging changes

Users feel confident they can install or run any program without compromising their data or their PCs

They feel that, compared to previous versions of Windows, Longhorn is much safer. They trust Longhorn more than any other OS

Users do not need to learn any major new concepts or procedures to be protected

Longhorn is Secure by Default yet the system is as flexible and easy to use as Windows XPUsers know when they are about to do something potentially unsafe and are able to make an informed decision

Longhorn always gives strong Security recommendationsUsers can undo damaging changes

Users feel confident they can install or run any program without compromising their data or their PCs

They feel that, compared to previous versions of Windows, Longhorn is much safer. They trust Longhorn more than any other OS

Users do not need to learn any major new concepts or procedures to be protected

100

Other Big ChangesOther Big Changes

Winlogon is being rewritten for Longhorn

Addressing reliability issues - too many unnecessary processes in WinlogonAddressing performance issues - too many unnecessary components loaded in Winlogon

Winlogon in Longhorn will no longer support replaceable GINAs, new mechanisms provide existing functionality

New, simpler Credential Provider modelEventing mechanismStacking/chaining

Winlogon is being rewritten for Longhorn

Addressing reliability issues - too many unnecessary processes in WinlogonAddressing performance issues - too many unnecessary components loaded in Winlogon

Winlogon in Longhorn will no longer support replaceable GINAs, new mechanisms provide existing functionality

New, simpler Credential Provider modelEventing mechanismStacking/chaining


Longhorn

Next Generation Secure Computing Base

102

Next Generation Secure Computing Base DefinedNext Generation Secure Computing Base Defined

Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform

Uses both hardware and software to protect dataOffers new kinds of security and privacy protections in an interconnected world

Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform

Uses both hardware and software to protect dataOffers new kinds of security and privacy protections in an interconnected world

103

Threats Mitigated in V1Threats Mitigated in V1

Tampering with DataStrong process isolation prevents rogue applications from changing our data or code while it is runningSealed storage verifies the integrity of data when unsealing it

Information DisclosureSealed storage prevents rogue applications from getting at your encrypted data

RepudiationAttestation enables you to verify that you are dealing with an application and machine configuration you trust

Spoofing IdentitySecure path enables you to be sure that you’re dealing with the real user, not an application spoofing the user

Tampering with DataStrong process isolation prevents rogue applications from changing our data or code while it is runningSealed storage verifies the integrity of data when unsealing it

Information DisclosureSealed storage prevents rogue applications from getting at your encrypted data

RepudiationAttestation enables you to verify that you are dealing with an application and machine configuration you trust

Spoofing IdentitySecure path enables you to be sure that you’re dealing with the real user, not an application spoofing the user

104

Version 1 DetailsVersion 1 Details

Fully aligned with LonghornShips as part of LonghornBetas and other releases in synch with and delivered with Longhorn’s

Focused on enterprise applicationsExample opportunities:

Document signingSecure IMInternal applications for viewing secure dataSecure email plug-in

Hardware based onTrusted Computer Group (https://www.trustedcomputinggroup.org/home)Memory protection (AMD and Intel Prescott CPUs)

Fully aligned with LonghornShips as part of LonghornBetas and other releases in synch with and delivered with Longhorn’s

Focused on enterprise applicationsExample opportunities:

Document signingSecure IMInternal applications for viewing secure dataSecure email plug-in

Hardware based onTrusted Computer Group (https://www.trustedcomputinggroup.org/home)Memory protection (AMD and Intel Prescott CPUs)

105

TPM 1.2TPM 1.2

Nexus-ModeNexus-Mode

NexusNexus

NALNAL

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UITrusted UIEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

UserUser

KernelKernel

HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

NGSCB

Main OSMain OS

USBUSBDriverDriver

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NexusMgr.sysNexusMgr.sys

HALHAL

NALNAL

User Apps.User Apps.

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UITrusted UIEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)

106

Nexus Mode EnvironmentNexus Mode Environment

Basic Operating System FunctionsProcess and Thread Loader/ManagerMemory ManagerI/O ManagerSecurity Reference MonitorInterrupt handling/Hardware abstraction

But not a complete Operating SystemNo File SystemNo NetworkingNo Kernel Mode/Privileged Device DriversNo Direct XNo SchedulingNo…

Kernel mode has no pluggablesAll of the kernel loaded at boot and in the PCR

Basic Operating System FunctionsProcess and Thread Loader/ManagerMemory ManagerI/O ManagerSecurity Reference MonitorInterrupt handling/Hardware abstraction

But not a complete Operating SystemNo File SystemNo NetworkingNo Kernel Mode/Privileged Device DriversNo Direct XNo SchedulingNo…

Kernel mode has no pluggablesAll of the kernel loaded at boot and in the PCR

107

NGSCB FeaturesNGSCB Features

All NGSCB-enabled application capabilities build off of four key features

Strong process isolationSealed storageSecure pathAttestation

The first three are needed to protect against malicious code Attestation breaks new ground in distributed computing

“Subjects” (software, machines, services) can be securely authenticatedThis is separate from user authentication

All NGSCB-enabled application capabilities build off of four key features

Strong process isolationSealed storageSecure pathAttestation

The first three are needed to protect against malicious code Attestation breaks new ground in distributed computing

“Subjects” (software, machines, services) can be securely authenticatedThis is separate from user authentication

108

SummarySummary

NGSCB ships as part of LonghornNGSCB is a combination of

New hardware which creates a secure environment for……A new kernel, called the Nexus, which……Will run agents in a secure memory partition, and which……Will provide these agents with security services so that they can……Provide users with trustworthy computing

Remember that:When the Nexus is turned off, literally everything runs just like beforeWhen the Nexus is on, the LHS runs very close to everything that ever ranThe Nexus makes no claims about what runs on the LHSThe hardware should run any Nexus, and give full function to any Nexus (with, at most, an admin step by the user)The Nexus will run any software the user tells it to

NGSCB ships as part of LonghornNGSCB is a combination of

New hardware which creates a secure environment for……A new kernel, called the Nexus, which……Will run agents in a secure memory partition, and which……Will provide these agents with security services so that they can……Provide users with trustworthy computing

Remember that:When the Nexus is turned off, literally everything runs just like beforeWhen the Nexus is on, the LHS runs very close to everything that ever ranThe Nexus makes no claims about what runs on the LHSThe hardware should run any Nexus, and give full function to any Nexus (with, at most, an admin step by the user)The Nexus will run any software the user tells it to


Longhorn

Questions

110

SourcesSources

Longhorn Development Centrehttp://msdn.microsoft.com/longhorn/

Trusted Computer Grouphttps://www.trustedcomputinggroup.org/home

Longhorn Development Centrehttp://msdn.microsoft.com/longhorn/

Trusted Computer Grouphttps://www.trustedcomputinggroup.org/home

http://msdn.microsoft.com/longhorn/

https://www.trustedcomputinggroup.org/home


http://msdn.microsoft.com/longhorn/

