AS OF 8/20/2008 9:17AM EST
Microsoft's Midori to Sandbox Apps for Increased Security
By David Worthington, special to Systems Management News

August 5, 2008 — Security is a watchword for Midori, the operating system that Microsoft is incubating in hopes of freeing itself from its legacy Windows software architecture.

SD Times has viewed internal Microsoft documents that detail Midori’s security proposition. The highlights include memory safety and type safety, and a least-privileged mode. Hardware support may also enable a secure boot mechanism and, on top of secure booting, a remote chain of trust.


Midori’s memory safety and type safety features will eliminate the potential for buffer overruns, perform heap deletes more frequently to avoid stack and heap corruption, and possibly offer some guarantees around fine-grained locking to prevent data race conditions, the documents indicate.

Applications and system services in Midori will run with the least authority necessary for their purposes. A standard declarative policy will be used for configuring component isolation, elevating code privileges, evaluating code identity and managing system state.

“From a software architecture standpoint,” wrote Yankee Group program manager Andrew Jaquith in an e-mail, Midori’s approach “is a very good one. The big idea here is to enumerate, and then enshrine in policy, all of the things a program can and cannot do. By combining declarative security policies with runtime enforcement mechanisms, Midori should be able to effectively ‘sandbox’ applications in a fairly bulletproof way.”

Jaquith noted that what Microsoft is doing is a form of mandatory access control, a concept that intelligence agencies adopted many years ago.

Microsoft is trying to keep up with the Joneses, Jaquith noted, pointing out that Apple’s Mac OS X Leopard, Novell’s AppArmor (which ships with Ubuntu) and SELinux (which ships with Red Hat Enterprise Linux) all provide implementations of mandatory access control.

Another Midori design objective is to reduce the risk of cross-process elevation attacks by using application manifests and eliminating dynamic code loading, in order to regulate what execution is possible in a process.

With those protections in place, if a process is compromised, malicious code will be restricted to the appropriate process subsets.

But in this model, policies need to be easily updateable by trusted sources, wrote Jaquith. He explained that it is difficult for a developer to foresee all of the potential privileges that a program would require, and that the application manifests would have to change as programs are added and updated.
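The policy model described above, a manifest that enumerates what a program may do, runtime checks that deny everything else, no dynamic code loading, and policy updates accepted only from a trusted source, can be sketched in a few dozen lines. The following is an added illustration written for this article, not Midori code and not anything taken from the documents SD Times viewed; the capability names, the `*` wildcard, the sample manifest, and the HMAC-based update check (standing in for whatever code-identity and chain-of-trust mechanism a real system would use) are all constructed for the demonstration.

```python
"""Manifest-driven sandbox sketch: declarative policy plus runtime enforcement.

Hypothetical illustration only. A manifest enumerates what a component may do;
anything not enumerated is denied; dynamic code loading is refused
unconditionally; a policy update is applied only if it authenticates.
"""
import hashlib
import hmac
import json


class PolicyViolation(Exception):
    """Raised when a component requests an action its manifest does not grant."""


# Constructed sample manifest for a hypothetical image viewer.
# Capability names and the "*" wildcard are this example's own convention.
SAMPLE_MANIFEST = {
    "component": "image-viewer",
    "capabilities": {
        "fs.read": ["/home/alice/Pictures/"],  # read only under this prefix
        "ui.render": ["*"],                     # any target
    },
}

# Key held by the trusted policy source (constructed). A real system would
# bind updates to code identity with asymmetric signatures, not a shared key.
TRUSTED_POLICY_KEY = b"constructed-demo-key"


def sign_manifest(manifest, key=TRUSTED_POLICY_KEY):
    """Return canonical manifest bytes and an HMAC-SHA256 tag over them."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class Sandbox:
    FORBIDDEN = {"code.load"}  # never grantable, even if a manifest lists it

    def __init__(self, manifest):
        self.manifest = manifest
        self.audit = []  # denial records a defender would forward to a SIEM

    def allows(self, capability, target="*"):
        """Deny-by-default check: grant only what the manifest enumerates."""
        if capability in self.FORBIDDEN:
            return self._deny(capability, target, "dynamic code loading disabled")
        allowed = self.manifest["capabilities"].get(capability)
        if allowed is None:
            return self._deny(capability, target, "capability not declared")
        if "*" in allowed or any(target.startswith(p) for p in allowed):
            return True
        return self._deny(capability, target, "target outside declared scope")

    def _deny(self, capability, target, reason):
        self.audit.append({"component": self.manifest["component"],
                           "capability": capability, "target": target,
                           "reason": reason})
        return False

    def require(self, capability, target="*"):
        """Enforcement hook a runtime would call before performing the action."""
        if not self.allows(capability, target):
            raise PolicyViolation(f"{capability} on {target!r} denied")

    def update_manifest(self, body, tag, key=TRUSTED_POLICY_KEY):
        """Replace the policy only if the update authenticates to the trusted key."""
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return self._deny("policy.update", "-", "bad signature")
        self.manifest = json.loads(body)
        return True


if __name__ == "__main__":
    sb = Sandbox(SAMPLE_MANIFEST)
    print(sb.allows("fs.read", "/home/alice/Pictures/cat.jpg"))  # in scope
    print(sb.allows("fs.read", "/etc/passwd"))                   # out of scope
    print(sb.allows("net.connect", "203.0.113.5:443"))           # not declared
    for record in sb.audit:
        print("DENIED", record)
```

The update path is the part Jaquith's concern points at: the manifest has to change as programs are added and updated, so the enforcement layer needs a way to accept a revised policy from a trusted source while rejecting anything else, and every denial should be recorded so that an incomplete manifest shows up as a stream of auditable denials rather than silent breakage.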

“It's a great idea in theory, but in practice, application sandboxing (which is the generic term for what they are doing) has some practical problems that lead deployers to scale back their ambitions.” But his concerns are far outweighed by the benefit of having sandboxing built into the operating system.

There may be one weak point at the core of Midori’s scheme: defects in the Microsoft code that enforces security policies at the kernel and runtime level would undermine the effectiveness of Midori's security, Jaquith said.

Good security is crucial to run the type of distributed applications that Microsoft is designing Midori for, experts agree. “Security is really important in distributed applications … you have to be very careful,” noted John Manferdelli, a distinguished engineer at Microsoft and the general manager of the incubation team led by Craig Mundie, chief research and strategy officer.

The Midori documents indicate that the OS will also have hardware support for secure boot mechanisms as specified in the company’s Next-Generation Secure Computing Base, formerly known as “Palladium.”

