matthew j. dovey oxford university computing service longhorn brief overview
Post on 22-Dec-2015
214 Views
Preview:
TRANSCRIPT
Matthew J. DoveyOxford University Computing Service
Longhorn
Brief overview
2
LonghornLonghorn
Codename for the next major version of WindowsMajor release (although most technologies have been seen before)Currently in alpha technical previewsDue for release 2005-2006? (when ready!)Interim updates
e.g. Windows XP Service Pack 2Windows 2003 Server “SE”
Codename for the next major version of WindowsMajor release (although most technologies have been seen before)Currently in alpha technical previewsDue for release 2005-2006? (when ready!)Interim updates
e.g. Windows XP Service Pack 2Windows 2003 Server “SE”
3
Longhorn ArchitectureLonghorn Architecture
Hardware Abstraction LayerHardware Abstraction Layer
Fram
ew
ork
Models
Kern
el M
ode
Desktop ServicesDesktop Services Desktop WindowManagerDesktop WindowManager
Presentation Object ManagerPresentation Object Manager
Desktop CompositionEngineDesktop CompositionEngine
Animation andCompositionAnimation andComposition
Media Services
DocumentDocument UIUI MediaMedia
Hardware RenderingHardware Rendering
MediaProcessingMediaProcessing
Capture and SourcingCapture and Sourcing
Software Renderingand SinksSoftware Renderingand Sinks W
indow
s Fo
rms
Adaptive UIEngineAdaptive UIEngine
Page/SiteCompositionPage/SiteComposition
Personalization &Profiling ServicesPersonalization &Profiling Services
Membership and Security ServicesMembership and Security Services
ASP.NET
Health Monitoring/Recovery EngineHealth Monitoring/Recovery Engine
CLR
Transactions Storage
Protocols
Networking
Network Services
Base Class LibrariesBase Class Libraries
Memory ManagerMemory Manager
Hosting LayerHosting Layer
Code ExecutionCode Execution LoaderLoader SecuritySecurity SerializationSerialization
LightweightTransaction ManagerLightweightTransaction Manager
TransactionCoordinatorTransactionCoordinator
KernelTransactionManager
KernelTransactionManager
CommonLoggingFile System
CommonLoggingFile System
TransactedFile SystemTransactedFile System
ProcessManagerProcessManager
SecurityReference Monitor
SecurityReference Monitor
LPCFacilityLPCFacility
MemoryManagerMemoryManager
PowerManagerPowerManager
Config.ManagerConfig.Manager
Plug andPlayPlug andPlay
KernelKernel
File System CacheFile System Cache IO ManagerIO Manager
NTFSNTFS FAT 16/32FAT 16/32FilterEngineFilterEngine
TPC, UDPIPV4, IPV6TPC, UDPIPV4, IPV6 IPSECIPSEC QOSQOS HTTP
ListenerHTTPListener
Internet Connection FirewallInternet Connection Firewall
Demand Activation and Protocol HealthDemand Activation and Protocol Health
PNRPPNRP NativeWIRNativeWIR SIPSIP TCP ListenerTCP Listener UDP ListenerUDP Listener IPC ListenerIPC Listener
Network Class LibraryNetwork Class Library
GDI/GDI+GDI/GDI+ WindowManagerWindowManager
GlobalAudio Engine
GlobalAudio Engine
DirectXGraphicsDirectXGraphicsGraphics driversGraphics drivers
DDIDDI InputManagerInputManager
AudioDriversAudioDrivers
DirectX GraphicsMini port
DirectX GraphicsMini port
RedirectionsRedirections
.... WIRWIR NDISNDIS ....Device and File SystemDrivers
Services Schemas
Data Model
ADO.NET
Synchronization(WinFS, Win32..)Synchronization(WinFS, Win32..)
InfoAgent(PreferenceRules..)InfoAgent(PreferenceRules..)
FileSystem Services(MetaDataHandlers..)FileSystem Services(MetaDataHandlers..)
ContactsContacts MediaMedia
DocumentsDocuments ....
ItemsItems
RelationshipsRelationships
ExtensionsExtensions
ObjectSpacesObjectSpaces
DataSetDataSet
SQL XMLSQL XML
ProvidersProviders
ObjectsObjects T/SQLT/SQL XMLXML
Collaboration
Connector
Communications Manager (Port)Communications Manager (Port)
Transport Channels (IPC, HTTP, TCP…)Transport Channels (IPC, HTTP, TCP…)
Message Exchange Channels (Stream, Reliable…)Message Exchange Channels (Stream, Reliable…)
Common Services (Router, Queue, Topic…)Common Services (Router, Queue, Topic…) Policy EnginePolicy Engine
ChannelSecurity Provider
ChannelSecurity Provider
People People GroupsGroups ControlsControls SignalingSignaling
RemotingRemoting PeerStorePeerStore SchedulesSchedules
Presentation Storage Communication
Base Operating System Services
Avalon WinFS Indigo
Location Service
4
WinFXWinFXClient Application Model
Avalon Windows Forms
Web & Service Application Model
ASP.NET / Indigo Win FSCompact
FrameworkYukon Mobile PC Optimized
System.HelpSystem.Help
System.DrawingSystem.Drawing
System.NaturalLanguageServicesSystem.NaturalLanguageServices
Data Systems Application Model
Presentation Data
Mobile PC & Devices Application Model
Communication
Command Line
NT Service
DataSetDataSet
MappingMapping
ObjectSpacesObjectSpaces
ObjectSpaceObjectSpace
QueryQuery
SchemaSchema
ItemItem
RelationshipRelationship
MediaMedia
AudioAudio
VideoVideo
ImagesImages
System.MessagingSystem.Messaging System.DiscoverySystem.Discovery
System.DirectoryServicesSystem.DirectoryServices
System.RemotingSystem.Remoting
System.Runtime.RemotingSystem.Runtime.Remoting
ActiveDirectoryActiveDirectory
UddiUddi
System.Web.ServicesSystem.Web.Services
Web.ServiceWeb.Service
DescriptionDescription
DiscoveryDiscovery
ProtocolsProtocols
System.MessageBusSystem.MessageBus
TransportTransport
PortPort
ChannelChannel
ServiceService
QueueQueue
PubSubPubSub
RouterRouter
System.TimersSystem.Timers
System.GlobalizationSystem.Globalization
System.SerializationSystem.Serialization
System.ThreadingSystem.Threading
System.TextSystem.Text
Base & Application Services
Fundamentals
System.ComponentModelSystem.ComponentModel
System.CodeDomSystem.CodeDom
System.ReflectionSystem.Reflection
System.EnterpriseServicesSystem.EnterpriseServices
System.TransactionsSystem.Transactions
Security
System.Windows.TrustManagementSystem.Windows.TrustManagement
System.Web.SecuritySystem.Web.Security
System.MessageBus.SecuritySystem.MessageBus.Security
AuthorizationAuthorization
AccessControlAccessControl
CredentialsCredentials
CryptographyCryptography
System.Web.ConfigurationSystem.Web.Configuration
System.MessageBus.ConfigurationSystem.MessageBus.Configuration
System.ConfigurationSystem.Configuration
System.ResourcesSystem.ResourcesSystem.ManagementSystem.Management
System.DeploymentSystem.Deployment
System.DiagnosticsSystem.Diagnostics
Configuration Deployment/Management
System.WindowsSystem.Windows System.WindowsSystem.WindowsSystem.Windows.FormsSystem.Windows.Forms
System.ConsoleSystem.Console
System.ServiceProcessSystem.ServiceProcess
System.Windows.FormsSystem.Windows.Forms System.WebSystem.Web System.StorageSystem.Storage System.Data.SqlServ
erSystem.Data.SqlServer
AnimationAnimation
ControlsControls
ControlControl
DesignDesign
PanelPanel
ControlsControls
DialogsDialogs
SideBarSideBar
NotificationNotification
System.WindowsSystem.Windows
DocumentsDocuments
Text ElementText Element
ShapesShapes
ShapeShape
InkInk
UI ElementUI Element ExplorerExplorer MediaMedia
System.Windows.FormsSystem.Windows.Forms
FormsForms
ControlControl
Print DialogPrint Dialog
DesignDesign
System.Web.UISystem.Web.UI
PagePage
ControlControl
HtmlControlsHtmlControls
MobileControlsMobileControls
WebControlsWebControls
AdaptorsAdaptors
DesignDesign
ExtensionExtension
InteropServicesInteropServices
System.RuntimeSystem.Runtime
System.LocationSystem.Location
System.CollectionsSystem.Collections
GenericGeneric
System.SearchSystem.Search
AnnotationsAnnotations
MonitoringMonitoring
LoggingLogging
RelevanceRelevance
System.DataSystem.Data
SqlClientSqlClient
SqlTypesSqlTypes
SqlXMLSqlXML
OdbcClientOdbcClient
OleDbClientOleDbClient
OracleClientOracleClient
CoreCore
ContactContact
LocationLocation
MessageMessage
DocumentDocument
EventEvent
System.StorageSystem.Storage
System.WebSystem.Web
PersonalizationPersonalization
CachingCaching
SessionStateSessionState
System.XmlSystem.Xml
SchemaSchema
SerializationSerialization
XpathXpath
QueryQuery
PermissionsPermissions
PolicyPolicy
PrincipalPrincipal
TokenToken
System.SecuritySystem.Security
System.CollaborationSystem.Collaboration
RealTimeEndpointRealTimeEndpoint
TransientDataSessionTransientDataSession
SignalingSessionSignalingSession
MediaMedia
ActivitiesActivities
HttpWebRequestHttpWebRequest
FtpWebListenerFtpWebListener
SslClientStreamSslClientStream
WebClientWebClient
System.NetSystem.Net
NetworkInformationNetworkInformation
SocketsSockets
CacheCache
System.WebSystem.Web
AdministrationAdministration
ManagementManagement
NavigationNavigation
Peer GroupPeer Group
PolicyPolicy
SerializationSerialization
CompilerServicesCompilerServices
RecognitionRecognition
System.SpeechSystem.Speech
SynthesisSynthesis
ManagementManagement
Matthew J. DoveyOxford University Computing Service
Longhorn
Aero
6
7
8
Matthew J. DoveyOxford University Computing Service
Longhorn
Avalon
10
The Avalon ApproachThe Avalon Approach
Unified approach to UI, Documents, and Media
Integration as part of development and experience
Integrated, vector-based composition engine
Utilizing the power of the PC throughout the graphics stack
Declarative programmingBringing designers directly into application development
Unified approach to UI, Documents, and Media
Integration as part of development and experience
Integrated, vector-based composition engine
Utilizing the power of the PC throughout the graphics stack
Declarative programmingBringing designers directly into application development
11
Integration – The Guiding VisionAvalon - the integrated platform for UI, Media, and Documents
UI, Media, and Documents share the benefits of a new stack built from the bottom upAnchored on the .NET Framework and Direct3DParallel procedural and declarative models
UIFlexible component architectureLayout servicesTwo-way transformable data binding
MediaGraphicsAudio, video, animation
DocumentsFixed, flow, and adaptive layoutsPagination/printingRights management
12
Developer ExperienceBest of Web, Best of Windows
Webseamless deployment, update, and administrationflowable layoutprogressive download and renderingdeclarative model (text-based markup)
Windowsunrestricted functionalityintegration with Windows desktopgood offline supportscalability/performancebroad developer language and tools support
Bringing together the advantages from both worlds
13
Developer ExperienceDeclarative ProgrammingDeveloper ExperienceDeclarative Programming
Extensible Application Markup – codenamed XAML
One-to-one correspondence with object modelKey role in enabling interoperation between UI authoring tools and developer tools
Fundamental XAML concepts:Markup can contain codeMarkup can be compiled for executionMarkup and procedural code are peers in functionality and performance
Extensible Application Markup – codenamed XAML
One-to-one correspondence with object modelKey role in enabling interoperation between UI authoring tools and developer tools
Fundamental XAML concepts:Markup can contain codeMarkup can be compiled for executionMarkup and procedural code are peers in functionality and performance
14
XAMLXAML
<Canvas xmlns="http://schemas.microsoft.com/2003/xaml" Background="LightCyan" Width="100%" Height="100%">
<Image Source="lh.bmp" Canvas.Left="5" Canvas.Top="5" />
<Text Canvas.Left="90" Canvas.Top="20" FontSize="36">Hello, Longhorn! </Text>
</Canvas>
<Canvas xmlns="http://schemas.microsoft.com/2003/xaml" Background="LightCyan" Width="100%" Height="100%">
<Image Source="lh.bmp" Canvas.Left="5" Canvas.Top="5" />
<Text Canvas.Left="90" Canvas.Top="20" FontSize="36">Hello, Longhorn! </Text>
</Canvas>
Matthew J. DoveyOxford University Computing Service
Longhorn
Indigo
16
Indigo ArchitectureIndigo Architecture
Connector
Communications Manager (Port)Communications Manager (Port)
Transport Channels(IPC, HTTP, TCP…)Transport Channels(IPC, HTTP, TCP…)
Channels (Datagram, Reliable, Peer, …)Channels (Datagram, Reliable, Peer, …)
Policy EnginePolicy Engine
MessageEncoderMessageEncoder
ChannelSecurityChannelSecurity
Service Model
Hosting Environments
Instance ManagerInstance Manager
Context ManagerContext Manager
TypeIntegrationTypeIntegration
ServiceMethodsServiceMethods
DeclarativeBehaviorsDeclarativeBehaviors
TransactedMethodsTransactedMethods
ASP.NETASP.NET .container.container .exe.exe NT ServiceNT Service DllHostDllHost
Messaging Services
System Services
QueuingQueuing
RoutingRouting
EventingEventing
……
Transaction Transaction
Federation Federation
……
17
“Indigo” Security Goals“Indigo” Security Goals
Provide message-based security leveraging Web Service Security standardsProvide simple, constrained, out-of-box security solutions that meet most application security requirementsProvide adequate flexibility for customizing security solutionsProvide extensibility for authentication, authorization, token types, security providers
Provide message-based security leveraging Web Service Security standardsProvide simple, constrained, out-of-box security solutions that meet most application security requirementsProvide adequate flexibility for customizing security solutionsProvide extensibility for authentication, authorization, token types, security providers
18
Turn-Key DeploymentConfiguration and ProfilesTurn-Key DeploymentConfiguration and Profiles
Define security profiles which indicate how security requirements are to be satisfiedDeveloper or deployer may define their own security profilesCommon security profiles are predefined in machine.configA scope of messages are bound to a security profile
Define security profiles which indicate how security requirements are to be satisfiedDeveloper or deployer may define their own security profilesCommon security profiles are predefined in machine.configA scope of messages are bound to a security profile
Matthew J. DoveyOxford University Computing Service
Longhorn
WinFS
20
WinFS IsWinFS Is
All end-user data lives in LonghornNew user experience in Longhorn ShellA trustworthy place to store dataData model built on relational database technology Filesystem capabilities built on NTFS Everyday Information - domain-specific schemasServices that make data active
All end-user data lives in LonghornNew user experience in Longhorn ShellA trustworthy place to store dataData model built on relational database technology Filesystem capabilities built on NTFS Everyday Information - domain-specific schemasServices that make data active
21
WinFS Data Model WinFS Data Model Items
The new atomic unit of dataItems have subsumed FilesCopy, put in Folders, etc.
A group of simple and complex types that represent data
Defined in a schema, arranged in types
Structured, Semi-Structured, and, OpaquePersisted
RelationshipsExplicitly relate Items together
E.g.; Author binds Document to ContactSchema can model complex itemsContainment, reference, embedding, categories, etc.
ExtensionsProvide ability to add new data to existing Item types
ItemsThe new atomic unit of data
Items have subsumed FilesCopy, put in Folders, etc.
A group of simple and complex types that represent data
Defined in a schema, arranged in types
Structured, Semi-Structured, and, OpaquePersisted
RelationshipsExplicitly relate Items together
E.g.; Author binds Document to ContactSchema can model complex itemsContainment, reference, embedding, categories, etc.
ExtensionsProvide ability to add new data to existing Item types
Fram
ework
Models
Core WinFS ItemsItems
RelationshipsRelationships
ExtensionsExtensionsFilesystem Srvcs (Handlers, …)Filesystem Srvcs (Handlers, …)
OperationsOperations
Data Model
NTFSNTFS
Relational EngineRelational Engine
ServicesPeoplePeople
DocumentsDocuments
……InfoAgent (Rules, …)InfoAgent (Rules, …)
Synchronization(WinFS, …)Synchronization(WinFS, …)
Schemas
XMLXMLAPIs
T/SQLT/SQLObjectsObjects
22
WinFS Schemas WinFS Schemas
Windows Everyday Information
Documents, Messages, Annotations, NotesMedia, Audio, Video, ImagesEvents, Appointments, Locations, UserTask
Windows SystemSystemTasks, Config, ProgramsExplorer, Help, Security
New SchemasDevelopers can define own data shapeComprised of
ScalarsComplex TypesXMLBinary/Filestream
Windows Everyday Information
Documents, Messages, Annotations, NotesMedia, Audio, Video, ImagesEvents, Appointments, Locations, UserTask
Windows SystemSystemTasks, Config, ProgramsExplorer, Help, Security
New SchemasDevelopers can define own data shapeComprised of
ScalarsComplex TypesXMLBinary/Filestream
Fram
ework
Models
Core WinFS ItemsItems
RelationshipsRelationships
ExtensionsExtensionsFilesystem Srvcs (Handlers, …)Filesystem Srvcs (Handlers, …)
OperationsOperations
Data Model
NTFSNTFS
Relational EngineRelational Engine
ServicesPeoplePeople
DocumentsDocuments
……InfoAgent (Rules, …)InfoAgent (Rules, …)
Synchronization(WinFS, …)Synchronization(WinFS, …)
Schemas
XMLXMLAPIs
T/SQLT/SQLObjectsObjects
23
<ItemType Name="Person” BaseType="Core.Contact" ... > <Property Name="PersonalNames” Type="MultiSet“ MultiSetOfType="FullName“ Nullable="true"> <Property Name="AddressLine“ Type="WinFS.String" Nullable="true"> <RelationshipType Name="Employment“ BaseType="WinFS.Relationship“ AllowsHolding="true“ AllowsEmbedding="false“ AllowsReference="true"> <Property Name=“IrisScan” Type=“WinFS.FileStream” …/></ItemType>
WinFS Schema
ItemId Name Addresses
Street City State Zip
Street City State Zip
Street City State Zip
IrisScan
FirstName LastName
Table View of Person
NTFS stream
ExampleExample
ItemId Name Addresses
Street City State Zip
Street City State Zip
Street City State Zip
IrisScan
FirstName LastName
Table View of Person
NTFS stream
ExampleExample
24
Longhorn And FilesystemsLonghorn And Filesystems
Files can live solely in an NTFS volumeAvailable for boot
E.g., C:\Windows is in NTFS
Volume can be mounted on down level machine
E.g., Firewire drive on both XP and Longhorn
Items can live solely in WinFSFile-backed Items
Accessible through standard Win32 APIsMetadata Handlers get data in and out of file streams
User data moved into WinFSI.e., C:\Documents and Settings
Has Import/Export utilities
Files can live solely in an NTFS volumeAvailable for boot
E.g., C:\Windows is in NTFS
Volume can be mounted on down level machine
E.g., Firewire drive on both XP and Longhorn
Items can live solely in WinFSFile-backed Items
Accessible through standard Win32 APIsMetadata Handlers get data in and out of file streams
User data moved into WinFSI.e., C:\Documents and Settings
Has Import/Export utilities
25
WinFS ServicesSynchronizationWinFS ServicesSynchronization
Synchronize one WinFS with another
Keep My Contacts and My Files in sync across my home machinesPeer to Peer sharing
Synchronize WinFS with other data sources
Keep My Contacts in sync with online email contacts, enterprise CRM, etc.
Synchronize one WinFS with another
Keep My Contacts and My Files in sync across my home machinesPeer to Peer sharing
Synchronize WinFS with other data sources
Keep My Contacts in sync with online email contacts, enterprise CRM, etc.
Fram
ework
Models
Core WinFS ItemsItems
RelationshipsRelationships
ExtensionsExtensionsFilesystem Srvcs (Handlers, …)Filesystem Srvcs (Handlers, …)
OperationsOperations
Data Model
NTFSNTFS
Relational EngineRelational Engine
ServicesPeoplePeople
DocumentsDocuments
……InfoAgent (Rules, …)InfoAgent (Rules, …)
Synchronization(WinFS, …)Synchronization(WinFS, …)
Schemas
XMLXMLAPIs
T/SQLT/SQLObjectsObjects
26
Synchronization OverviewSynchronization Overview
ApproachMulti-master replication
Replicas make changes independently
Net-change synchronizationLooking at cumulative changes, not logs
A set of common services for all data sources and all schemas
Change tracking, change enumeration, conflict handling, etc.
ExtendingSchema design
Granularity of change units is declared in the WinFS schemas
Custom conflict resolution handlersExtend the system conflict policies with code
Synchronization AdaptorsOutside datasources for one way or bidirectional synchronization
ApproachMulti-master replication
Replicas make changes independently
Net-change synchronizationLooking at cumulative changes, not logs
A set of common services for all data sources and all schemas
Change tracking, change enumeration, conflict handling, etc.
ExtendingSchema design
Granularity of change units is declared in the WinFS schemas
Custom conflict resolution handlersExtend the system conflict policies with code
Synchronization AdaptorsOutside datasources for one way or bidirectional synchronization
27
Synchronization ManagerSynchronization Manager
28
WinFS ServicesInfoAgent WinFS ServicesInfoAgent
Users want to control how their PCs behave
It’s called a personal computer after allEvery aspect of the system can be personalized
InfoAgent enables rich, flexible customization
“When I receive a high priority email from a customer, show me a popup message if I’m at my desk, otherwise forward it to my cell phone”“When I download new photos from my camera, relates them to the events on my calendar”
Users want to control how their PCs behave
It’s called a personal computer after allEvery aspect of the system can be personalized
InfoAgent enables rich, flexible customization
“When I receive a high priority email from a customer, show me a popup message if I’m at my desk, otherwise forward it to my cell phone”“When I download new photos from my camera, relates them to the events on my calendar”
Fram
ework
Models
Core WinFS ItemsItems
RelationshipsRelationships
ExtensionsExtensionsFilesystem Srvcs (Handlers, …)Filesystem Srvcs (Handlers, …)
OperationsOperations
Data Model
NTFSNTFS
Relational EngineRelational Engine
ServicesPeoplePeople
DocumentsDocuments
……InfoAgent (Rules, …)InfoAgent (Rules, …)
Synchronization(WinFS, …)Synchronization(WinFS, …)
Schemas
XMLXMLAPIs
T/SQLT/SQLObjectsObjects
29
Notifications And InfoAgentNotifications And InfoAgent‘Active Data’ – Subscribe to WinFS
changesItem change subscriptions Item Domain containment/query subscriptions
InfoAgent IntegrationInclusive set of events, contexts, and actionsPreferences stored as WinFS itemsUnified management of notification rules
‘Active Data’ – Subscribe to WinFS changesItem change subscriptions Item Domain containment/query subscriptions
InfoAgent IntegrationInclusive set of events, contexts, and actionsPreferences stored as WinFS itemsUnified management of notification rules
ActionsActionsPreferencesPreferences
EventsEvents
ContextsContexts
Matthew J. DoveyOxford University Computing Service
Longhorn
Microsoft Shell
31
Microsoft ShellMicrosoft Shell
Weak cmd shellWeak languagespotty coverage
GUI focusHard to automate
SDK FocusProgrammers
Weak cmd shellWeak languagespotty coverage
GUI focusHard to automate
SDK FocusProgrammers
Foundation for task-based managementFocused on power users and adminsProvides:
Interactive shellCmdletsUtilitiesScripting language Remote scripting
Foundation for task-based managementFocused on power users and adminsProvides:
Interactive shellCmdletsUtilitiesScripting language Remote scripting
Solution: MSHProblem
32
Core ConceptsCore Concepts
Command line scripting languageBest of sh/ksh, Perl/Ruby, DCL/CL
Commands are classes (Cmdlets)Hosting model
Command line scripting languageBest of sh/ksh, Perl/Ruby, DCL/CL
Commands are classes (Cmdlets)Hosting model
33
How It WorksHow It Works
MSH Engine
Core Command Base Classes
Core Commands(get, set, rename, move, push, pop, …)
FileSysProvider
Cmdlet Cmdlet Cmdlet …
RegistryProvider
ADProvider
34
Parameters And ConfirmationParameters And Confirmation[CommandDeclaration("stop", "ps")]public class StopPs: Cmdlet{
public string ProcessName; public override void ProcessRecord() { Process [ ]ps; ps = Process.GetProcessesByName(ProcessName); foreach (Process p in ps) {
{ p.Kill(); } } }}
[CommandDeclaration("stop", "ps")]public class StopPs: Cmdlet{
public string ProcessName; public override void ProcessRecord() { Process [ ]ps; ps = Process.GetProcessesByName(ProcessName); foreach (Process p in ps) {
{ p.Kill(); } } }}
[ParsingMandatoryParameter][ParsingPromptString(“Name of the process")]
if (ConfirmProcessing(p.ProcessName))
35
Navigation ProviderNavigation Provider
[ProviderDeclaration("REG", "Registry",ProviderCapabilityFlags.None)]public class RegistryProvider : NavigationCmdletBase{ protected override void GetItem(string path) { RegistryKey key = GetRegkeyForPath(path, false);
if (key == null) { WriteErrorObject(path,
new ArgumentException("does not exist")); } WriteObject(key); } ....}
[ProviderDeclaration("REG", "Registry",ProviderCapabilityFlags.None)]public class RegistryProvider : NavigationCmdletBase{ protected override void GetItem(string path) { RegistryKey key = GetRegkeyForPath(path, false);
if (key == null) { WriteErrorObject(path,
new ArgumentException("does not exist")); } WriteObject(key); } ....}
Matthew J. DoveyOxford University Computing Service
Longhorn
Application Automation
37
“UI Automation” defined“UI Automation” defined
Gather information about the UIDynamically discover UI structureExtract property information Receive event notifications when UI changesQuery an element for its behavior
Interact with UI elementsClick a button, scroll a list, move a window, etc.Inject keystrokes and mouse input
Gather information about the UIDynamically discover UI structureExtract property information Receive event notifications when UI changesQuery an element for its behavior
Interact with UI elementsClick a button, scroll a list, move a window, etc.Inject keystrokes and mouse input
– code that programmatically drives another application’s UI to yield a desired
result
38
UI Automation ClientsUI Automation Clients
UI Automation Providers
Windows UI Automation Core
Longhorn Model: UI AutomationLonghorn Model: UI Automation
Assistive TechnologyProducts
ScriptingUtilities
TestingFramework
“Avalon”Implementation
Control Proxy CustomImplementation
…InteropProvider…Provider
MSAvalon.Windows.Automation
Leg
acy C
on
trol
ISV
Ob
ject
Mod
el
Atu
om
ate
d T
est
…InteropProvider
39
Windows UI AutomationWindows UI AutomationAutomation framework built into Longhorn
Platform-level support for automating all UI elements
Avalon, WinForms, Win32, Visual Basic, etc.
Exposes a consistent object model for all controls
3rd party controls easily integrate into model
Security Model – client must be trustedLocale, machine, and resolution independent
Creates new opportunities for innovation in:
Automated UI TestingAssistive Technology ProductsCommand-and-Control Utilities
Automation framework built into Longhorn
Platform-level support for automating all UI elements
Avalon, WinForms, Win32, Visual Basic, etc.
Exposes a consistent object model for all controls
3rd party controls easily integrate into model
Security Model – client must be trustedLocale, machine, and resolution independent
Creates new opportunities for innovation in:
Automated UI TestingAssistive Technology ProductsCommand-and-Control Utilities
40
UI Automation OverviewUI Automation OverviewLogical Tree – structure of the UI
Stitches all UI trees into one coherent structureEliminates unnecessary elementsResembles the structure perceived by an end user
Properties – important UI informationName, Bounding Rectangle, Persistent ID, etc.
Events – notification of UI changes Window creation, change in focus or selection, etc
Control Patterns – control behavior Scroll, Selection, Window, ExpandCollapse, etc.
Input – simple mouse and keyboard input
Logical Tree – structure of the UI Stitches all UI trees into one coherent structureEliminates unnecessary elementsResembles the structure perceived by an end user
Properties – important UI informationName, Bounding Rectangle, Persistent ID, etc.
Events – notification of UI changes Window creation, change in focus or selection, etc
Control Patterns – control behavior Scroll, Selection, Window, ExpandCollapse, etc.
Input – simple mouse and keyboard input
41
UI Automation Control PatternsUI Automation Control Patterns
Mutually exclusive classes of control behaviorControl developers (providers) expose these patterns for new or existing controlsAutomation developers (clients) use patterns to
Discover what functionality a control offersGather pattern-specific property informationReceive pattern-specific eventsProgrammatically manipulate the control
Examples: Button: InvokeListBox: Scroll, SelectionComboBox: Scroll, Selection, ExpandCollapse
Mutually exclusive classes of control behaviorControl developers (providers) expose these patterns for new or existing controlsAutomation developers (clients) use patterns to
Discover what functionality a control offersGather pattern-specific property informationReceive pattern-specific eventsProgrammatically manipulate the control
Examples: Button: InvokeListBox: Scroll, SelectionComboBox: Scroll, Selection, ExpandCollapse
42
Security ModelSecurity Model
No default automation permissions UI Automation functionality is protected according to the following permissions:
Read – Navigate tree, get properties, receive eventsWrite – Call control pattern methodsInput – Call methods in the Input class
Access to Rights Managed requires additional permissions
No default automation permissions UI Automation functionality is protected according to the following permissions:
Read – Navigate tree, get properties, receive eventsWrite – Call control pattern methodsInput – Call methods in the Input class
Access to Rights Managed requires additional permissions
Matthew J. DoveyOxford University Computing Service
Longhorn
Deployment
44
ClickOnce VisionClickOnce Vision
Bring the ease & reliability of web application deployment to client applications.
Bring the ease & reliability of web application deployment to client applications.
45
The Best of the Client & WebThe Best of the Client & Web
Web ClickOnce
MSI Client
Reach Y
No Touch Deployment Y Y
Low System Impact Y Y
Install/Run Per-User Y Y
Rich / Interactive Y Y
Offline Y Y
Windows Shell Integration Y Y
Per-Machine/Shared Components
Y
Unrestricted Install Y
46
Install GoalsInstall GoalsReduce install fragility
Allow what’s low impactEx. App file copy, start menu integration, etc…
Can always undo what was installed
Disallow what’s not low impactApps never run with admin rights (LUA)
Driver registration, COM objects, etc..
Custom actions; large source of install uncertainty
Expand the definition of “low impact”
Requires OS Changes. Starts with Longhorn
Reduce install fragility
Allow what’s low impactEx. App file copy, start menu integration, etc…
Can always undo what was installed
Disallow what’s not low impactApps never run with admin rights (LUA)
Driver registration, COM objects, etc..
Custom actions; large source of install uncertainty
Expand the definition of “low impact”
Requires OS Changes. Starts with Longhorn
47
Declarative InstallDeclarative Install
Application ManifestDescribes the applicationEx.. What assemblies constitute the appAuthored by the developer
Deployment ManifestDescribes the application deploymentEx.. What version clients should runAuthored by the administrator
Application ManifestDescribes the applicationEx.. What assemblies constitute the appAuthored by the developer
Deployment ManifestDescribes the application deploymentEx.. What version clients should runAuthored by the administrator
48
Deployment ManifestDeployment Manifest
Identity
<assemblyIdentity name="TaskVision.deploy" version="1.0.0.0" publicKeyToken=“…" processorArchitecture="x86" asmv2:culture="en-US" />
<description asmv2:publisher="Microsoft" asmv2:product="TaskVision"> </description>
MyApp.Deploy
49
Deployment ManifestDeployment Manifest
Identity
Deployment
<deployment isRequiredUpdate="false" >
<install shellVisible="true" />
<subscription> <update> <beforeApplicationStartup /> <periodic> <minElapsedTimeAllowed time="0" unit="hours" /> </periodic> </update> </subscription>
</deployment>
MyApp.Deploy
50
Deployment ManifestDeployment Manifest
Identity
Deployment
App Ref
<dependency>
<dependentAssembly> <assemblyIdentity name="TaskVision.manifest"
version="1.0.0.0" publicKeyToken=“…" processorArchitecture="x86" asmv2:culture="en-US" /> </dependentAssembly>
<asmv2:installFrom codebase="1.0.0.0/TV.manifest" />
</dependency>
MyApp.Deploy
51
Deployment ManifestDeployment Manifest
Identity
Deployment
App Ref
Signature
MyApp.Deploy <Signature > <SignedInfo> <Reference URI=""> <DigestMethod Algorithm=“http://…" /> <DigestValue>2xKk…</DigestValue> </Reference> </SignedInfo>
<SignatureValue>vNTBod96H7k…</SignatureValue>
<KeyInfo> <KeyValue> <RSAKeyValue> <Modulus>+Wnh5RN9…</Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue> </KeyValue> </KeyInfo> </Signature>
52
Application ManifestApplication Manifest
Identity
Entry Point
Security
File List
Assembly List
MyApp.Manifest
Signature
<assemblyIdentity name="TaskVision.deploy" version="1.0.0.0" publicKeyToken=“…" processorArchitecture="x86" asmv2:culture="en-US" />
53
Deployment OptionsDeployment Options
‘Installed’ ApplicationsFrom Web, UNC or CDStart Menu, Add/Remove ProgramsVaried update options
‘Launched' ApplicationsApp launches but doesn’t “install”No Start Menu, Add/Remove ProgramsAlways update on launch
‘Installed’ ApplicationsFrom Web, UNC or CDStart Menu, Add/Remove ProgramsVaried update options
‘Launched' ApplicationsApp launches but doesn’t “install”No Start Menu, Add/Remove ProgramsAlways update on launch
54
Update OptionsUpdate OptionsOn App Startup
If found, ask user to update app
After App StartupIf found, ask user to update on next run
ProgrammaticIntegrate update experience into app
Required Update can specify minimum version required
Background UpdatesUpdates drizzle in silently – like Windows Updates“Longhorn” only
On App StartupIf found, ask user to update app
After App StartupIf found, ask user to update on next run
ProgrammaticIntegrate update experience into app
Required Update can specify minimum version required
Background UpdatesUpdates drizzle in silently – like Windows Updates“Longhorn” only
55
Secure UpdatesSecure Updates
Only the original deployer can updateNo auto-deployment of viruses
Manifests are signedXMLDSIGDeployer key needed to publish updates
Only the original deployer can updateNo auto-deployment of viruses
Manifests are signedXMLDSIGDeployer key needed to publish updates
56
“Longhorn Web” Apps“Longhorn Web” Apps
Integrated with BrowserInstall UI built into browser Best possible user experienceLeverages Avalon app/navigation modelNo shell presence (ex. Start Menu shortcut)Runs in semi-trust
Progressive InstallApp automatically installs as it’s usedFile level install
Integrated with BrowserInstall UI built into browser Best possible user experienceLeverages Avalon app/navigation modelNo shell presence (ex. Start Menu shortcut)Runs in semi-trust
Progressive InstallApp automatically installs as it’s usedFile level install
57
When Should I Use The Windows Installer (MSI) ?When Should I Use The Windows Installer (MSI) ?
ClickOnce is the solution for new self-contained applications
Low System ImpactNo Touch DeploymentInstall / Run Per-UserRich Interactive applications
Use Windows Installer if you need toInstall Shared ResourcesInstall Win32 Applications Perform custom actions during installation
ClickOnce is the solution for new self-contained applications
Low System ImpactNo Touch DeploymentInstall / Run Per-UserRich Interactive applications
Use Windows Installer if you need toInstall Shared ResourcesInstall Win32 Applications Perform custom actions during installation
58
ClickOnce And Windows Installer (MSI)ClickOnce And Windows Installer (MSI)
ClickOnce
MSI Client
No Touch Deployment Y
Low System Impact Y Y*Install/Run Per-User Y YRich / Interactive Y YOffline Y YWindows Shell Integration Y YPer-Machine/Shared Components
Y
Unrestricted Install Y
* MSI applications can be authored for “low system impact”
59
Windows Installer Basics.MSI Windows Installer Basics.MSI
Features
Components
Shortcuts
Action
Files
Optional Internal CAB
Summary Information Assemblies
Pointers to source files
MSI databasePopulated by setup developer.MSI file extensionOne per productDescribed in relational tables
Products haveFeaturesComponentsInstallable resourcesEntry points
Other Tables...
60
Windows Installer Basics.MSP Windows Installer Basics.MSP
MSP is a Windows Installer patch packagePatches make changes to the configuration information database and resources (files, registry)Patch package (MSP) contains
Summary Information StreamTransformsCabinet file
MSP is a Windows Installer patch packagePatches make changes to the configuration information database and resources (files, registry)Patch package (MSP) contains
Summary Information StreamTransformsCabinet file
61
Windows Installer v4.0MSI 40Windows Installer v4.0MSI 40
Longhorn extensionsMSI will support new Longhorn shell extension manifest
No-Reboot support for setup / updates
MSI detects processes holding files in useSends notification to processesDesign your applications to save state, shutdown and resume
Longhorn extensionsMSI will support new Longhorn shell extension manifest
No-Reboot support for setup / updates
MSI detects processes holding files in useSends notification to processesDesign your applications to save state, shutdown and resume
62
Windows Installer v4.0Image Based SetupWindows Installer v4.0Image Based Setup
Longhorn uses a new Image Based Setup model
Minimizes number of imagesDeployment of Windows + Applications is fasterImages can be maintained, serviced &modified offline/online
MSI applications can be deployed with Images
FASTOEM property is used by major OEMs to speed up factory floor setupFiles copied with the OS image Installation and configuration are done on first boot
Longhorn uses a new Image Based Setup model
Minimizes number of imagesDeployment of Windows + Applications is fasterImages can be maintained, serviced &modified offline/online
MSI applications can be deployed with Images
FASTOEM property is used by major OEMs to speed up factory floor setupFiles copied with the OS image Installation and configuration are done on first boot
Matthew J. DoveyOxford University Computing Service
Longhorn
Identity
64
The Identity SystemThe Identity System
Ubiquitous store, development platform for applications that consume identity
Built on “WinFS” storage subsystem (CLI201)Schema for unified representation of identityAPI with specialized types, methods for principals
Provides recognition between principalsBootstrap and manage recognition between people, computers, groups, organizationsExtends Windows security services, can be used by existing applications
Principals can be serialized, exchanged using document we call an”Information Card”
Ubiquitous store, development platform for applications that consume identity
Built on “WinFS” storage subsystem (CLI201)Schema for unified representation of identityAPI with specialized types, methods for principals
Provides recognition between principalsBootstrap and manage recognition between people, computers, groups, organizationsExtends Windows security services, can be used by existing applications
Principals can be serialized, exchanged using document we call an”Information Card”
65
What is an Information Card?What is an Information Card?
Exchangeable identity statement allowing verification of signatureExchangeable identity statement allowing verification of signature
Display name
Identity claims
Disclosed information
Certificate
Use p
olicy
Unique identifier(s)For a person: email addressFor organization: web site
Unique identifier(s)For a person: email addressFor organization: web siteData I choose to discloseHome addressPhone number
Data I choose to discloseHome addressPhone number
Public key certificateLocal account: self-signedDomain account: signed by CA in Active Directory
Public key certificateLocal account: self-signedDomain account: signed by CA in Active Directory
66
How Are Information Cards Used?How Are Information Cards Used?
Information Cards are used to manage secure digital relationships with people and organizationsWhen an Information Card is imported, it becomes a contact in the contact explorer
Can be recognized using Windows security services (SSPI)Can be granted access to shared spaces
Will seek broad adoption of Information Card, encourage others to implement
Information Cards are used to manage secure digital relationships with people and organizationsWhen an Information Card is imported, it becomes a contact in the contact explorer
Can be recognized using Windows security services (SSPI)Can be granted access to shared spaces
Will seek broad adoption of Information Card, encourage others to implement
67
68
Identity-Based Host FirewallIdentity-Based Host Firewall
Only people you recognize and to whom granted access can make inbound connections to your computerOther callers see IPSEC negotiation port, nothing elseGreatly reduces exposed attack surface of a Windows computer on a network
Only people you recognize and to whom granted access can make inbound connections to your computerOther callers see IPSEC negotiation port, nothing elseGreatly reduces exposed attack surface of a Windows computer on a network
69
Authentication Versus AuthorizationAuthentication Versus Authorization
Accepting an Information Card does not grant a contact access to the computer
Recognition only – clear separation of authentication, authorizationA contact must have no implicit access
To revoke someone’s access to computerRemove from access policies on resourcesOptionally, delete contact object, no longer recognize that person
E.g. Person to Person - WinFS Sync with “Castle”sPerson to OrganisationOrganisation to Organisation
Accepting an Information Card does not grant a contact access to the computer
Recognition only – clear separation of authentication, authorizationA contact must have no implicit access
To revoke someone’s access to computerRemove from access policies on resourcesOptionally, delete contact object, no longer recognize that person
E.g. Person to Person - WinFS Sync with “Castle”sPerson to OrganisationOrganisation to Organisation
70
Tracking Disclosed InformationTracking Disclosed Information
Identity system tracks Information Card disclosure
To whom Information Cards were sentWhat information was sent
If information changes, can selectively or automatically send updates
Updates signed thus known to be from you, can process automatically at destinationFor example: your mailing address changes – automatically update magazine subscriptions
Identity system tracks Information Card disclosure
To whom Information Cards were sentWhat information was sent
If information changes, can selectively or automatically send updates
Updates signed thus known to be from you, can process automatically at destinationFor example: your mailing address changes – automatically update magazine subscriptions
71
RoamingRoaming
Within home: “Castle” replicates dataWithin organization
Credentials, data stored in Active DirectoryDownload to Identity System on clients
To arbitrary other computersIdentity system data can be backed up, encrypted, and stored in vault in “cloud”
Can also use combination smartcard storage “dongle” for any of the above
Within home: “Castle” replicates dataWithin organization
Credentials, data stored in Active DirectoryDownload to Identity System on clients
To arbitrary other computersIdentity system data can be backed up, encrypted, and stored in vault in “cloud”
Can also use combination smartcard storage “dongle” for any of the above
72
Identity Loss and RecoveryIdentity Loss and Recovery
What happens if your computer dies?If a “Castle”, data is on other computer(s)Or, restore from system backup
Mechanisms used for roaming can also apply to recovery
Upload from smart dongleDownload from vault in cloud or from Active Directory
What happens if your computer dies?If a “Castle”, data is on other computer(s)Or, restore from system backup
Mechanisms used for roaming can also apply to recovery
Upload from smart dongleDownload from vault in cloud or from Active Directory
73
Identity TheftIdentity Theft
What if computer, smart dongle is stolen?
Send signed revocation message to people you have sent an Information CardIf backup in cloud vault, service could send revocation for you, like canceling credit cardBootstrap replacement identity using disclosure information from backup
How know if identity has been stolen?How discover this today? For example, by checking credit card statementMay need similar mechanisms online
What if computer, smart dongle is stolen?
Send signed revocation message to people you have sent an Information CardIf backup in cloud vault, service could send revocation for you, like canceling credit cardBootstrap replacement identity using disclosure information from backup
How know if identity has been stolen?How discover this today? For example, by checking credit card statementMay need similar mechanisms online
Matthew J. DoveyOxford University Computing Service
Longhorn
Trustworthiness and Security
75
Trustworthy CommitmentTrustworthy Commitment
Microsoft Cultural ShiftThousands of hours spent in security reviews on .NET Framework to dateFoundstone, @Stake security reviews
“Hardening” the .NET FrameworkMaking Security Easier for Customers
Prescriptive Architectural GuidanceFeature changes in .NET Framework
Microsoft Cultural ShiftThousands of hours spent in security reviews on .NET Framework to dateFoundstone, @Stake security reviews
“Hardening” the .NET FrameworkMaking Security Easier for Customers
Prescriptive Architectural GuidanceFeature changes in .NET Framework
SECSYM: Security SymposiumARC340: CLR Under the Covers: .Net Framework Application Security
76
Right Privilege At The Right TimeRight Privilege At The Right Time
User accounts (Only two account types)
Normal users runs with least-privilegedAdmin users runs with least-privileged
Admin applications need privilege elevationOnly trusted applications get to run with elevated privilege
User accounts (Only two account types)
Normal users runs with least-privilegedAdmin users runs with least-privileged
Admin applications need privilege elevationOnly trusted applications get to run with elevated privilege
77
Trust Application Execution OverviewTrust Application Execution Overview
<trustInfo>..
</trustInfo>
Author manifest with a trustInfo section
Make a strong name and sign the manifest
Validate Certificate and Signature
Developer/Administrator
Manifest
System
Enterprise Certificate
StoreSystem
Certificate Store
Make a trust action based on the Manifest data and Policies
Strong name/signature secured
Local Certificate
Store
Signing authority
78
Trust Evaluation ProcessTrust Evaluation Process
Code validation is a human decisionAuthenticode signed manifests
Certificate in the store
Domain administrators signed Deployment manifest
Local administrators blessed All machine have a signing key
Default behavior changed by policy
Code validation is a human decisionAuthenticode signed manifests
Certificate in the store
Domain administrators signed Deployment manifest
Local administrators blessed All machine have a signing key
Default behavior changed by policy
79
Security: The Sandbox (SEE)Security: The Sandbox (SEE)
Apps run in secure sandbox by default
Similar to IE javascriptEnsures applications are safe to run
Increased sandbox size“Longhorn” > “Whidbey” > .NET V1.1
VS helps author for the sandboxDebug in ZonePermissionCalcSecurity Exception helper
Apps run in secure sandbox by default
Similar to IE javascriptEnsures applications are safe to run
Increased sandbox size“Longhorn” > “Whidbey” > .NET V1.1
VS helps author for the sandboxDebug in ZonePermissionCalcSecurity Exception helper
80
Security: Sandbox Restrictions Security: Sandbox Restrictions
Some apps need more permissionUn-managed code access
Export to Excel or any MS Office integration
Un-restricted file accessUn-restricted network access
Some apps need more permissionUn-managed code access
Export to Excel or any MS Office integration
Un-restricted file accessUn-restricted network access
81
Security: Policy DeploymentSecurity: Policy Deployment
Application level policy“Trust this app”“App” defined by it’s app manifestBaked into core CLR security
Trust LicensesLicense issued by admin, deployed with appLicense indicates admin says app is trustedRequires only one-time (ever) client touch
To configure trusted license issuer
Application level policy“Trust this app”“App” defined by it’s app manifestBaked into core CLR security
Trust LicensesLicense issued by admin, deployed with appLicense indicates admin says app is trustedRequires only one-time (ever) client touch
To configure trusted license issuer
82
TrustManagerTrustManager
Decides if app needs additional trustRequested permissions beyond defaultNo previous trusted versionNo admin policy
Display user prompt if necessaryITrustManagerConfig
Control when / how prompting happens
Decides if app needs additional trustRequested permissions beyond defaultNo previous trusted versionNo admin policy
Display user prompt if necessaryITrustManagerConfig
Control when / how prompting happens
83
User ConsentUser Consent
Admins should make trust decisions, but…
Not always possibleHome users are their own admin
Users make trust decisions all the time
Putting a CD in their computerInstalling softwareSubmitting a Credit card to a web page
Admins should make trust decisions, but…
Not always possibleHome users are their own admin
Users make trust decisions all the time
Putting a CD in their computerInstalling softwareSubmitting a Credit card to a web page
84
User Consent DesignUser Consent Design
App request permissions neededRequests specified in app manifestVS helps identify needed permissions
Prompt is simple & binaryHappens at install / 1st launchCombined Install & Trust Prompt
User prompted if:App needs permissions above the sandboxAdmin has configured to allow prompting
App request permissions neededRequests specified in app manifestVS helps identify needed permissions
Prompt is simple & binaryHappens at install / 1st launchCombined Install & Trust Prompt
User prompted if:App needs permissions above the sandboxAdmin has configured to allow prompting
85
Code Access Security (CAS)Code Access Security (CAS)
Based on trust of codeRecognizes that trusted users (e.g. admin) run less trusted code (e.g. browsing the web)System intersects rights of code with rights of user = 2 levels of defense
Key featuresEvidence (location, signature, etc.) is combined with policy to grant permissions to codeProtected operations require permissionsAll callers must have permissions so bad code cannot “trick” good code and be exploited
Based on trust of codeRecognizes that trusted users (e.g. admin) run less trusted code (e.g. browsing the web)System intersects rights of code with rights of user = 2 levels of defense
Key featuresEvidence (location, signature, etc.) is combined with policy to grant permissions to codeProtected operations require permissionsAll callers must have permissions so bad code cannot “trick” good code and be exploited
86
CAS: How It WorksCAS: How It Works
Managed code verifiably robustNo buffer overruns! No unsafe casting!Only well-defined interactions (no ptrs)Components can protect their interfaces
Trusted libraries as security gate keepers
Before doing a protected operations, library demands permission of its callersStack walk – all callers must have permission to proceed; otherwise exception prevents itWhen demand succeeds the library can override (Assert) and do the operation safely
Managed code verifiably robustNo buffer overruns! No unsafe casting!Only well-defined interactions (no ptrs)Components can protect their interfaces
Trusted libraries as security gate keepers
Before doing a protected operations, library demands permission of its callersStack walk – all callers must have permission to proceed; otherwise exception prevents itWhen demand succeeds the library can override (Assert) and do the operation safely
87
Code Access Security (CAS)Code Access Security (CAS)
Demand must be satisfied by all callers
Ensures all code in causal chain is authorizedCannot exploit other code with more privilege
Demand must be satisfied by all callers
Ensures all code in causal chain is authorizedCannot exploit other code with more privilege
calls
Code B
Code C
B has P?
A has P?
calls
Code A
demand
88
What Is The Secure Execution Environment?What Is The Secure Execution Environment?
A new platform for secure applicationsCode written to the SEE is inherently more secure because only safe operations are possible within itSecurity restrictions are enforced by CLRPermission Elevation is possible in a declarative and predictable way, and there is a user experience.
The SEE is simply a default grant set of Code Access Security permissions
A new platform for secure applicationsCode written to the SEE is inherently more secure because only safe operations are possible within itSecurity restrictions are enforced by CLRPermission Elevation is possible in a declarative and predictable way, and there is a user experience.
The SEE is simply a default grant set of Code Access Security permissions
89
Why Code To The SEE?Why Code To The SEE?
Deploy without Trust Dialogs!Reduce test surfaceYou know that your code cannot harm users machineReduce TCO
Business: admin doesn’t have to worry about what the code might do.Home: SEE app cannot harm your machine
Deploy without Trust Dialogs!Reduce test surfaceYou know that your code cannot harm users machineReduce TCO
Business: admin doesn’t have to worry about what the code might do.Home: SEE app cannot harm your machine
90
Why The SEE Is SafeWhy The SEE Is Safe
SEE applicationsAll code has only limited safe permissionsCan only use SEE-approved trusted libraries
Security principlesCode can further restrict self to least privilegeApplication isolationLibrary code is limited to a known safe set
SEE applicationsAll code has only limited safe permissionsCan only use SEE-approved trusted libraries
Security principlesCode can further restrict self to least privilegeApplication isolationLibrary code is limited to a known safe set
91
Limited User Account(LUA)
Protected Admin (PA)
Application Impact Management
Limited User Account(LUA)
Protected Admin (PA)
Application Impact Management
92
LUA Problem StatementLUA Problem StatementRunning with elevated privilege leads to disasters
One reason why viruses can cause damaged is because too many people run with full privilegeWash Post even is telling us to run without privilegeEvery Admin tells us they want to limit users, but…
Most people demand to run as admin because:Rich web experience, dependant on ActiveX installation, currently requires admin privilege“If we don’t run as admin, stuff breaks”Testing is really easy when everyone’s an admin!Everything works including malicious code!
Customers want tools and help “Please help us to get applications that run with Least Privilege”Win98 & XP users are admin, so apps are built for adminThis is the vicious circle that we must break
Running with elevated privilege leads to disastersOne reason why viruses can cause damaged is because too many people run with full privilegeWash Post even is telling us to run without privilegeEvery Admin tells us they want to limit users, but…
Most people demand to run as admin because:Rich web experience, dependant on ActiveX installation, currently requires admin privilege“If we don’t run as admin, stuff breaks”Testing is really easy when everyone’s an admin!Everything works including malicious code!
Customers want tools and help “Please help us to get applications that run with Least Privilege”Win98 & XP users are admin, so apps are built for adminThis is the vicious circle that we must break
93
LUA – The Good And The BadLUA – The Good And The Bad
Long term: we will greatly improve the TCO and “Secure by Deployment” story with Limited UserLUA apps have no legitimate reason to ask for admin privilegeGood LUA apps do not try to change system or domain state – they work on XP today as LUABad LUA apps (the majority) inadvertently change system stateShort term: some LUA apps will not be fixable by Application Impact Management
The target is to have only 20% of apps in this categoryThe expected behavior is that these apps will fail for Longhorn
Long term: we will greatly improve the TCO and “Secure by Deployment” story with Limited UserLUA apps have no legitimate reason to ask for admin privilegeGood LUA apps do not try to change system or domain state – they work on XP today as LUABad LUA apps (the majority) inadvertently change system stateShort term: some LUA apps will not be fixable by Application Impact Management
The target is to have only 20% of apps in this categoryThe expected behavior is that these apps will fail for Longhorn
94
Three Customers For LUAThree Customers For LUA
Fully locked down corporationsLots of research shows that the enterprise admin wants this featureReduce security threatsReduce number of apps loadedReduce TCO
Admins that need a safe place to run appsShould have the least privilege needed by app
At Home where the admin wants to increase security
Parental controls, so that the child uses only age-appropriate appsUser self lockdown to protect PC from security problems
Fully locked down corporationsLots of research shows that the enterprise admin wants this featureReduce security threatsReduce number of apps loadedReduce TCO
Admins that need a safe place to run appsShould have the least privilege needed by app
At Home where the admin wants to increase security
Parental controls, so that the child uses only age-appropriate appsUser self lockdown to protect PC from security problems
95
LUA In LonghornLUA In Longhorn
All applications will have a manifest listing the application parts
Enabling Windows to provide a safe environment for the application to run.All applications will undergo a Trust Evaluation
Contain applications to limit potential damageCreate Compartments where code can run
Least-privileged User Account (LUA)Most apps can run with user privileges in user spaceApps run in LUA space by default in LH
Admin Privilege (Protected Admin)Only trusted applications will run with admin privilege in admin spaceAdmins will not enable PA if LUA is not useful
All applications will have a manifest listing the application parts
Enabling Windows to provide a safe environment for the application to run.All applications will undergo a Trust Evaluation
Contain applications to limit potential damageCreate Compartments where code can run
Least-privileged User Account (LUA)Most apps can run with user privileges in user spaceApps run in LUA space by default in LH
Admin Privilege (Protected Admin)Only trusted applications will run with admin privilege in admin spaceAdmins will not enable PA if LUA is not useful
96
App OperationsApp Operations
Full Admin Full Admin AppsApps
SEE SEE AppsApps
Built for Built for LUA AppsLUA Apps
Fixable Admin Fixable Admin LUA Apps LUA Apps(AIM)(AIM)
97
Code Validation ProcessCode Validation Process
All code validation is a human decisionPublishers can get signed app manifest (need to be in cert store)Domain admins can sign deployment manifest (enterprise store)Local admins can “bless” appsBy policy user can decide to change default behavior
All local validation decisions are preserved in App ContextCode Integrity is assured by checking every .EXE and .DLL for validityApplication trust is assured at Runtime
All code validation is a human decisionPublishers can get signed app manifest (need to be in cert store)Domain admins can sign deployment manifest (enterprise store)Local admins can “bless” appsBy policy user can decide to change default behavior
All local validation decisions are preserved in App ContextCode Integrity is assured by checking every .EXE and .DLL for validityApplication trust is assured at Runtime
98
Application Impact Management And LUA/PAApplication Impact Management And LUA/PA
All system impact changes are logged for potential rollback on uninstallLUA & Admin apps will have their impactful registry writes monitored as wellApps are given their own view of certain files & regkeys
All system impact changes are logged for potential rollback on uninstallLUA & Admin apps will have their impactful registry writes monitored as wellApps are given their own view of certain files & regkeys
99
User Experience GoalsUser Experience Goals
Longhorn is Secure by Default yet the system is as flexible and easy to use as Windows XPUsers know when they are about to do something potentially unsafe and are able to make an informed decision
Longhorn always gives strong Security recommendationsUsers can undo damaging changes
Users feel confident they can install or run any program without compromising their data or their PCs
They feel that, compared to previous versions of Windows, Longhorn is much safer. They trust Longhorn more than any other OS
Users do not need to learn any major new concepts or procedures to be protected
Longhorn is Secure by Default yet the system is as flexible and easy to use as Windows XPUsers know when they are about to do something potentially unsafe and are able to make an informed decision
Longhorn always gives strong Security recommendationsUsers can undo damaging changes
Users feel confident they can install or run any program without compromising their data or their PCs
They feel that, compared to previous versions of Windows, Longhorn is much safer. They trust Longhorn more than any other OS
Users do not need to learn any major new concepts or procedures to be protected
100
Other Big ChangesOther Big Changes
Winlogon is being rewritten for Longhorn
Addressing reliability issues - too many unnecessary processes in WinlogonAddressing performance issues - too many unnecessary components loaded in Winlogon
Winlogon in Longhorn will no longer support replaceable GINAs, new mechanisms provide existing functionality
New, simpler Credential Provider modelEventing mechanismStacking/chaining
Winlogon is being rewritten for Longhorn
Addressing reliability issues - too many unnecessary processes in WinlogonAddressing performance issues - too many unnecessary components loaded in Winlogon
Winlogon in Longhorn will no longer support replaceable GINAs, new mechanisms provide existing functionality
New, simpler Credential Provider modelEventing mechanismStacking/chaining
Matthew J. DoveyOxford University Computing Service
Longhorn
Next Generation Secure Computing Base
102
Next Generation Secure Computing Base DefinedNext Generation Secure Computing Base Defined
Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform
Uses both hardware and software to protect dataOffers new kinds of security and privacy protections in an interconnected world
Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform
Uses both hardware and software to protect dataOffers new kinds of security and privacy protections in an interconnected world
103
Threats Mitigated in V1Threats Mitigated in V1
Tampering with DataStrong process isolation prevents rogue applications from changing our data or code while it is runningSealed storage verifies the integrity of data when unsealing it
Information DisclosureSealed storage prevents rogue applications from getting at your encrypted data
RepudiationAttestation enables you to verify that you are dealing with an application and machine configuration you trust
Spoofing IdentitySecure path enables you to be sure that you’re dealing with the real user, not an application spoofing the user
Tampering with DataStrong process isolation prevents rogue applications from changing our data or code while it is runningSealed storage verifies the integrity of data when unsealing it
Information DisclosureSealed storage prevents rogue applications from getting at your encrypted data
RepudiationAttestation enables you to verify that you are dealing with an application and machine configuration you trust
Spoofing IdentitySecure path enables you to be sure that you’re dealing with the real user, not an application spoofing the user
104
Version 1 DetailsVersion 1 Details
Fully aligned with LonghornShips as part of LonghornBetas and other releases in synch with and delivered with Longhorn’s
Focused on enterprise applicationsExample opportunities:
Document signingSecure IMInternal applications for viewing secure dataSecure email plug-in
Hardware based onTrusted Computer Group (https://www.trustedcomputinggroup.org/home)Memory protection (AMD and Intel Prescott CPUs)
Fully aligned with LonghornShips as part of LonghornBetas and other releases in synch with and delivered with Longhorn’s
Focused on enterprise applicationsExample opportunities:
Document signingSecure IMInternal applications for viewing secure dataSecure email plug-in
Hardware based onTrusted Computer Group (https://www.trustedcomputinggroup.org/home)Memory protection (AMD and Intel Prescott CPUs)
105
TPM 1.2TPM 1.2
Nexus-ModeNexus-Mode
NexusNexus
NALNAL
AgentAgent
NCA Runtime LibraryNCA Runtime Library
Trusted UITrusted UIEngine (TUE)Engine (TUE)
TSPTSP TSPTSP TSPTSP
AgentAgentAgentAgent
UserUser
KernelKernel
HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video
NGSCB
Main OSMain OS
USBUSBDriverDriver
Nexus-Mode (RHS)Nexus-Mode (RHS)
NexusNexus
NexusMgr.sysNexusMgr.sys
HALHAL
NALNAL
User Apps.User Apps.
AgentAgent
NCA Runtime LibraryNCA Runtime Library
Trusted UITrusted UIEngine (TUE)Engine (TUE)
TSPTSP TSPTSP TSPTSP
AgentAgentAgentAgent
Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)
106
Nexus Mode EnvironmentNexus Mode Environment
Basic Operating System FunctionsProcess and Thread Loader/ManagerMemory ManagerI/O ManagerSecurity Reference MonitorInterrupt handling/Hardware abstraction
But not a complete Operating SystemNo File SystemNo NetworkingNo Kernel Mode/Privileged Device DriversNo Direct XNo SchedulingNo…
Kernel mode has no pluggablesAll of the kernel loaded at boot and in the PCR
Basic Operating System FunctionsProcess and Thread Loader/ManagerMemory ManagerI/O ManagerSecurity Reference MonitorInterrupt handling/Hardware abstraction
But not a complete Operating SystemNo File SystemNo NetworkingNo Kernel Mode/Privileged Device DriversNo Direct XNo SchedulingNo…
Kernel mode has no pluggablesAll of the kernel loaded at boot and in the PCR
107
NGSCB FeaturesNGSCB Features
All NGSCB-enabled application capabilities build off of four key features
Strong process isolationSealed storageSecure pathAttestation
The first three are needed to protect against malicious code Attestation breaks new ground in distributed computing
“Subjects” (software, machines, services) can be securely authenticatedThis is separate from user authentication
All NGSCB-enabled application capabilities build off of four key features
Strong process isolationSealed storageSecure pathAttestation
The first three are needed to protect against malicious code Attestation breaks new ground in distributed computing
“Subjects” (software, machines, services) can be securely authenticatedThis is separate from user authentication
108
SummarySummary
NGSCB ships as part of LonghornNGSCB is a combination of
New hardware which creates a secure environment for……A new kernel, called the Nexus, which……Will run agents in a secure memory partition, and which……Will provide these agents with security services so that they can……Provide users with trustworthy computing
Remember that:When the Nexus is turned off, literally everything runs just like beforeWhen the Nexus is on, the LHS runs very close to everything that ever ranThe Nexus makes no claims about what runs on the LHSThe hardware should run any Nexus, and give full function to any Nexus (with, at most, an admin step by the user)The Nexus will run any software the user tells it to
NGSCB ships as part of LonghornNGSCB is a combination of
New hardware which creates a secure environment for……A new kernel, called the Nexus, which……Will run agents in a secure memory partition, and which……Will provide these agents with security services so that they can……Provide users with trustworthy computing
Remember that:When the Nexus is turned off, literally everything runs just like beforeWhen the Nexus is on, the LHS runs very close to everything that ever ranThe Nexus makes no claims about what runs on the LHSThe hardware should run any Nexus, and give full function to any Nexus (with, at most, an admin step by the user)The Nexus will run any software the user tells it to
Matthew J. DoveyOxford University Computing Service
Longhorn
Questions
110
SourcesSources
Longhorn Development Centrehttp://msdn.microsoft.com/longhorn/
Trusted Computer Grouphttps://www.trustedcomputinggroup.org/home
Longhorn Development Centrehttp://msdn.microsoft.com/longhorn/
Trusted Computer Grouphttps://www.trustedcomputinggroup.org/home
top related