Windows Vista and Longhorn Server: PowerPoint presentation transcript

Transcript and Presenter's Notes

1
Windows Vista and Longhorn Server: Under the Hood of the Operating System Internals
Idan Plotnik, CTO, Microsoft Security Regional Director of ISA Server
2
Agenda
  • Introduction
  • Processes &amp; Threads
  • I/O and File System
  • Memory Management
  • Startup and Shutdown
  • Security

3
Scope of Talk
  • This talk covers enhancements to the Windows
    Vista kernel and related core components
  • Windows Server Longhorn will be a superset of
    Windows Vista
  • The Longhorn kernel changes will be merged back
    into the Windows Vista kernel with SP1
  • Therefore, all Windows Vista kernel changes
    described in this talk also apply to Windows
    Server Longhorn

4
Quiz! Why are Windows Vista / Longhorn unaffected
by the VML bug?
  • MS07-004 (the VML vulnerability in vgx.dll) does
    not affect Windows Vista, even though the coding
    bug is present in Vista's copy of the component.
    Why?
  • The bug is an integer overflow in the size
    computation for a C++ operator new[] call
  • The affected component, vgx.dll, is compiled with
    the C++ compiler that ships in Visual Studio 2005
  • All of Windows Vista is compiled with this
    compiler
  • Answer: the Visual Studio 2005 compiler emits an
    overflow check around the element-count times
    element-size multiplication for new[]; if the
    product wraps, the allocation fails instead of
    returning an undersized buffer, so the overflow
    never turns into a heap corruption

5
Processes &amp; Threads
6
Time Accounting
  • Before, Windows accounted for CPU time based on
    the interval clock timer
  • 10-15 ms resolution, depending on the hardware
    and how the timer is programmed
  • Thread quantum expiration was not always fair
  • A thread might get almost no turn or up to three
    turns
  • Threads were also charged for interrupts that
    occurred while they were running

[Diagram: timeline over two time slice intervals; T1 and T2 come out of wait, T1 begins running, with Idle, T1 and T2 shown against the clock tick boundaries]
7
Cycle Time Counter
  • Windows Vista reads the Time Stamp Counter (TSC)
    at context switch
  • The actual CPU cycles consumed are charged to the
    thread
  • Interrupt time is not charged
  • Allows for more accurate quantum accounting
  • A thread gets at least 1 turn and can get at most
    a turn + 1 tick
  • Also provides accurate time accounting for thread
    execution

[Diagram: the same scenario with cycle-based accounting; Idle, T1, T1, T2 shown against the time slice interval]
8
I/O and File System
9
Symbolic File Links
  • Before, NTFS supported only symbolic directory
    links (called junctions)
  • In Windows Vista, NTFS supports symbolic file
    links
  • Like UNIX soft links (ln -s) for files
  • Built using NTFS reparse points (like junctions)
  • Create them with the new CreateSymbolicLink API or
    the Mklink.exe command
  • Requires the Create Symbolic Links privilege
    (SeCreateSymbolicLinkPrivilege), by default
    assigned only to Administrators
  • Mklink can also create hard links
  • Symbolic links are resolved on the client, so they
    can span volumes and even machines
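
An added example (editor's code, not from the talk) of the checks an administrator would run around this feature on a Vista-or-later host: whether the current token holds SeCreateSymbolicLinkPrivilege, how the machine evaluates links that cross machines, and what a created file symlink and hard link look like on disk. The file names under $env:TEMP are illustrative; run it from an elevated PowerShell, since UAC strips the privilege from an administrator's filtered token.

```powershell
# Added example (editor's code, not from the talk): symbolic-link capability, policy, creation and inspection.
# Windows Vista or later. Creating the symlink needs SeCreateSymbolicLinkPrivilege, so run elevated.

# 1. Does this token hold the privilege? 'whoami /priv' lists every privilege in the token (enabled or not).
$privLines = whoami /priv | Select-String 'SeCreateSymbolicLinkPrivilege'
"Token holds SeCreateSymbolicLinkPrivilege: $([bool]$privLines)"

# 2. Which link evaluations does the machine allow? L2L/L2R/R2L/R2R = local/remote link to local/remote target.
#    Links are resolved on the client, so a remote link on a share can redirect a client to another server;
#    the Vista default enables only L2L and L2R.
fsutil behavior query SymlinkEvaluation

# 3. Create a target and a file symlink to it. mklink is a cmd.exe built-in, hence 'cmd /c'.
$target = Join-Path $env:TEMP 'symlink-demo-target.txt'   # illustrative paths
$link   = Join-Path $env:TEMP 'symlink-demo-link.txt'
$hard   = Join-Path $env:TEMP 'symlink-demo-hard.txt'
Set-Content -Path $target -Value 'hello from the target'
foreach ($f in $link, $hard) { if (Test-Path $f) { Remove-Item $f } }
cmd /c mklink "$link" "$target" | Out-Null            # fails with "insufficient privilege" without the privilege

# 4. A symlink is a reparse point: the attribute is visible on the item and 'dir' shows <SYMLINK>.
$item = Get-Item $link
"Attributes: $($item.Attributes)"
"ReparsePoint set: $(($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)"
cmd /c dir "$link"
Get-Content $link                                     # reads through the link: hello from the target

# 5. A hard link is a second name for the same data: no privilege required, no reparse point.
cmd /c mklink /H "$hard" "$target" | Out-Null
fsutil hardlink list $target                          # lists both names
```

The SymlinkEvaluation output is the setting to review on file servers: enabling R2R or R2L lets a link planted on one share send clients to a path on a different machine.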

10
I/O Cancellation Support
  • Before, opens could not be cancelled
  • Example: you browse to an offline network share
    in a File Save dialog and hang for the duration
    of the network timeout
  • In Windows Vista, opens and other synchronous I/O
    can be cancelled
  • CancelSynchronousIo cancels a pending synchronous
    I/O issued by another thread
  • CancelIoEx permits canceling all or individual
    I/Os from any thread (CancelIo could only cancel
    all I/Os issued by the calling thread)
  • Windows Vista common control file open/save
    dialogs all implement cancellation
  • Threads processing I/O can now be notified of
    process termination

11
I/O Prioritization
  • Background I/O (e.g. AV scans, disk
    defragmenting) interferes with foreground
    interactive tasks (e.g. reading email)
  • Before, the only way to prioritize work was by
    thread CPU priority
  • Windows Vista introduces two types of I/O
    prioritization:
  • I/O priority
  • I/O bandwidth reservation

12
I/O Priorities
  • I/O priority is based on the priority of the
    issuing thread or an explicitly set I/O priority
  • Five levels: Critical, High, Normal, Low, Very
    Low (Very Low is used by the defragmenter and
    the indexer)
  • High is not implemented
  • Critical is only for use by the memory manager
  • Stored in the Flags field of the I/O Request
    Packet (IRP)
  • At least one Low or Very Low I/O is processed
    every second, so background I/O cannot be
    starved indefinitely
  • Processes and threads can lower their I/O
    priority with SetPriorityClass and
    SetThreadPriority by entering background mode
    (PROCESS_MODE_BACKGROUND_BEGIN /
    THREAD_MODE_BACKGROUND_BEGIN)
  • Used by Windows Vista background tasks like
    indexing, Windows Defender scans and the
    prefetcher

13
Memory Management
14
SuperFetch
  • Before:
  • Memory was not proactively populated (no memory
    priority)
  • Memory often did not contain the optimal content
    (not scenario-aware)
  • Windows XP improved population with the logical
    prefetcher, but it only prefetched a single
    process, at process startup

15
SuperFetch
  • In Windows Vista, SuperFetch prefetches across a
    set of applications
  • Takes into account the frequency of page usage
    and the usage of a page in the context of other
    pages in memory
  • Adapts to memory usage patterns, including
    complex usage scenarios (e.g. the "after lunch"
    scenario)
  • Scenarios SuperFetch improves include:
  • Application launch (e.g. outlook.exe)
  • Resume from hibernate and suspend
  • Performance after infrequent or low-priority
    tasks execute
  • 8 memory priorities

16
Startup and Shutdown
17
Startup Processes on XP
  • Session Manager (Smss) created Winlogon and Csrss
    for each session
  • Session creation was done serially
  • This was a bottleneck for Terminal Services
  • Winlogon, the interactive logon manager, created:
  • Local Security Authority (Lsass.exe)
  • Service Control Manager (Services.exe)

18
Startup Processes on Vista
  • In Windows Vista:
  • The initial Smss.exe creates an instance of itself
    to initialize each session
  • Permits parallel session creation
  • Minimum number of parallel session startups is 4
  • Maximum is the number of processors
  • The session 0 Smss runs Wininit.exe (new)
  • Wininit starts what Winlogon used to start:
    Services, Lsass
  • Also starts a new process, the Local Session
    Manager (Lsm.exe)
  • The session 1-n Smss instances create and
    initialize the interactive sessions
  • Session-specific instances of Csrss.exe and
    Winlogon.exe

19
Session 0 Isolation
  • Before, the console user ran in session 0
  • Names created by the console user could collide
    with service and system object names
  • Services that presented windows on the console
    opened the door to privilege elevation
    (shatter attacks)

[Diagram: pre-Vista session layout; Session 1 holds Application D, Application E and Application F]
20
Session 0 Isolation
  • In Windows Vista, the console user starts in
    session 1 and cannot connect to session 0
  • Eliminates name collisions
  • Poorly written services can't display windows to
    the user

[Diagram: Vista session layout; services are alone in session 0, Session 1 holds Applications A, B and C, Session 2 holds Applications D, E and F]
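
An added example (editor's code, not from the talk) that makes the startup and session-0 layout of the last four slides visible on a live Vista-or-later machine: it groups processes by session, checks that the session-0 components never appear in an interactive session, and reads the two knobs that govern whether a service can still put a window in front of the user. Assumes PowerShell 3.0 or later; the process names are the ones the slides name.

```powershell
# Added example (editor's code, not from the talk): inspect the Vista session layout on a running system.
# Windows Vista or later, PowerShell 3.0+; reading names and session IDs needs no elevation.

$mySession = (Get-Process -Id $PID).SessionId
"This shell runs in session $mySession (the console user starts in session 1 or higher on Vista+)."

# Processes the slides place in session 0: Wininit, Services (the SCM), Lsass and Lsm. Lsm later became an
# svchost-hosted service, so it may not appear as a process on newer Windows versions.
$session0Only = 'wininit', 'services', 'lsass', 'lsm'
# Every session, including session 0, gets its own Csrss; every interactive session also gets a Winlogon.
$perSession   = 'csrss', 'winlogon'

$procs = Get-Process
$procs | Group-Object SessionId | Sort-Object { [int]$_.Name } | ForEach-Object {
    $core = $_.Group | Where-Object { ($session0Only + $perSession) -contains $_.Name } |
            Select-Object -ExpandProperty Name -Unique | Sort-Object
    "Session {0}: {1} processes; core components: {2}" -f $_.Name, $_.Count, ($core -join ', ')
}

# Isolation check: session-0 components must never show up in an interactive session.
foreach ($n in $session0Only) {
    $wrong = $procs | Where-Object { $_.Name -eq $n -and $_.SessionId -ne 0 }
    if ($wrong) {
        "UNEXPECTED: $n running in session(s) " + (($wrong | Select-Object -ExpandProperty SessionId) -join ', ')
    }
}

# Can a service still present UI on the user's desktop? NoInteractiveServices = 1 blocks it outright
# (the default from Windows 8 on); on Vista/7 it is 0 and the UI0Detect service instead prompts the user to
# view the session-0 window, which is the "poorly written services" case from the slide.
$ctl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
"NoInteractiveServices: $($ctl.NoInteractiveServices)"
$ui0 = Get-Service -Name UI0Detect -ErrorAction SilentlyContinue
"Interactive Services Detection (UI0Detect): " + $(if ($ui0) { $ui0.Status } else { 'not present on this build' })
```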
21
Interactive Logon Architecture
  • Credential Providers replace GINAs
  • Plug into Logonui.exe
  • Easier to write than GINAs
  • Multiple concurrent providers are supported (only
    one GINA could be installed at a time)
  • User selected or event driven
  • Also used to capture elevation credentials (UAC)
  • In-box credential providers (standard):
  • Password
  • Smartcard

[Diagram: Winlogon hosts LogonUI, which loads Credential Provider 1, Credential Provider 2 and Credential Provider 3]
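
Because every registered credential provider is loaded into LogonUI at each logon and again for each UAC prompt, a rogue one is a classic way to capture passwords. An added example (editor's code, not from the talk) that enumerates the providers and provider filters registered under HKLM, resolves each CLSID to its DLL and checks the Authenticode signature; the registry paths are the standard ones on Vista and later, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (editor's code, not from the talk): enumerate credential providers and verify their DLLs.
# Windows Vista or later, PowerShell 3.0+; read access to HKLM is sufficient.

$cpKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$filtKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'

function Get-CredentialProviderInfo {
    param([string]$RegPath, [string]$Kind)
    foreach ($key in Get-ChildItem -Path $RegPath -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName                                   # subkey name is the provider's CLSID
        $props = Get-ItemProperty -Path $key.PSPath
        $name  = $props.'(default)'                                 # friendly name, e.g. PasswordProvider
        # The CLSID is a COM server; its DLL is the InprocServer32 default value.
        $srv   = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll   = if ($srv) { [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)') } else { $null }
        $sig   = if ($dll -and (Test-Path $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        [pscustomobject]@{
            Kind      = $Kind
            Name      = $name
            CLSID     = $clsid
            Dll       = $dll
            SigStatus = if ($sig) { [string]$sig.Status } else { 'DLL_NOT_FOUND' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Policy can disable a provider by writing Disabled = 1 under its key.
            Disabled  = ($props.Disabled -eq 1)
        }
    }
}

$all = @(Get-CredentialProviderInfo -RegPath $cpKey   -Kind 'Provider') +
       @(Get-CredentialProviderInfo -RegPath $filtKey -Kind 'Filter')
$all | Sort-Object Kind, Name | Format-Table Kind, Name, SigStatus, Disabled, Dll -AutoSize

# Third-party providers are legitimate, but an unsigned or non-Microsoft DLL that LogonUI loads at every
# logon deserves a closer look.
$review = $all | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
if ($review) { "Review these:"; $review | Format-List Kind, Name, CLSID, Dll, SigStatus, Signer }
else         { "All registered credential providers and filters are validly signed by Microsoft." }
```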
22
Delayed Auto Start Services
  • Before, autostart services could severely impact
    logon performance
  • In Windows Vista, services can request delayed
    autostart
  • Set by the new ChangeServiceConfig2 API
  • Stores a new DelayedAutoStart value in the
    service's Registry key
  • The Service Control Manager (SCM) starts these
    services after the automatic-start services
  • Their I/O priority is set to Very Low during
    startup
  • Services configured this way include BITS, the
    Windows Update client and Ehome
  • sc qc bits

23
Clean Service Shutdown
  • Before, services had no way to extend the time
    allowed for shutdown
  • After a fixed timeout (default 20 seconds), the
    SCM was killed and the system halted, even if
    services were still running
  • This was a problem for services that needed to
    flush data
  • In Windows Vista, services can request
    pre-shutdown notification and take as long as
    they want to shut down
  • If the service stops responding, the system gives
    up on it after 3 minutes
  • After the pre-shutdown services stop, the system
    performs a Windows XP-style shutdown for the other
    services

24
Service Shutdown Ordering
  • Before, there was no way for services to specify
    the order in which they receive shutdown
    notification
  • Some services have shutdown dependencies
  • They had to implement ad-hoc solutions
  • In Windows Vista, services can specify shutdown
    order
  • Must request pre-shutdown notification
  • Must include their name in
    HKLM\System\CurrentControlSet\Control\PreShutdownOrder
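
An added example (editor's code, not from the talk) that audits the three service-lifecycle settings from the last three slides on a Vista-or-later host: which automatic services are delayed, which running services accept pre-shutdown notification, and the PreShutdownOrder list and WaitToKillServiceTimeout the SCM will apply. It uses the registry layout and the sc.exe queries the slides refer to; BITS is used as the sample service because the slide does. PowerShell 3.0 or later is assumed.

```powershell
# Added example (editor's code, not from the talk): delayed auto-start and pre-shutdown configuration audit.
# Windows Vista or later, PowerShell 3.0+; read access to HKLM is enough and sc.exe queries need no elevation.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Automatic services and whether they are delayed. Start = 2 is SERVICE_AUTO_START; the DelayedAutoStart
#    DWORD (written by ChangeServiceConfig2, or 'sc config <svc> start= delayed-auto') marks the delayed ones.
$auto = foreach ($k in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty -Path $k.PSPath
    if ($p.Start -eq 2 -and $p.ImagePath) {
        [pscustomobject]@{
            Service   = $k.PSChildName
            Delayed   = ($p.DelayedAutoStart -eq 1)
            Account   = $p.ObjectName
            ImagePath = $p.ImagePath
        }
    }
}
$delayed = @($auto | Where-Object { $_.Delayed })
"{0} automatic services, {1} of them delayed" -f @($auto).Count, $delayed.Count
$delayed | Sort-Object Service | Format-Table Service, Account -AutoSize

# 2. The SCM's own view of one service: 'sc qc' prints 'AUTO_START  (DELAYED)' for a delayed service, and
#    'sc query' lists ACCEPTS_PRESHUTDOWN among the controls a *running* service accepts (a stopped service
#    reports no controls at all, so query it while it runs).
sc.exe qc bits
sc.exe query bits

# 3. Notification order and the timeouts. PreShutdownOrder is REG_MULTI_SZ under Control; services that
#    accept pre-shutdown but are not listed are notified after the listed ones, in no particular order.
$ctl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control'
$order = @($ctl.PreShutdownOrder)
"PreShutdownOrder:         " + ($order -join ' -> ')
"WaitToKillServiceTimeout: $($ctl.WaitToKillServiceTimeout) ms (fixed wait for services without pre-shutdown)"

$accepts = foreach ($s in Get-Service | Where-Object { $_.Status -eq 'Running' }) {
    $txt = (sc.exe query $s.Name 2>&1) -join "`n"
    if ($txt -match 'ACCEPTS_PRESHUTDOWN') { $s.Name }
}
"Running services that accept pre-shutdown: " + ($accepts -join ', ')
$unordered = @($accepts | Where-Object { $order -notcontains $_ })
if ($unordered.Count) {
    "Accept pre-shutdown but have no entry in PreShutdownOrder: " + ($unordered -join ', ')
}
```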

25
Security
26
Vista Service Changes
Services common to both platforms
27
Code Integrity Verification
  • The OS loader and kernel perform code signature
    checks
  • On 64-bit x64 platforms:
  • All kernel-mode code must be signed in order to
    load
  • The identity of all kernel-mode binaries is
    verified
  • System audit events are raised for integrity
    check failures
  • On 32-bit platforms:
  • Load-time checks are done on all kernel-mode
    binaries, but unsigned code is allowed to load
  • However, to play protected hi-def content, all
    loaded kernel-mode drivers must be signed
  • Driver loads are logged to the event log
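
An added example (editor's code, not from the talk) of how a practitioner checks the code-integrity posture the slide describes on a Vista-or-later host: the boot options that weaken or disable signing enforcement, the Code Integrity operational event log, and the signature state of the drivers currently loaded. Run it elevated; PowerShell 3.0 or later is assumed for Get-CimInstance.

```powershell
# Added example (editor's code, not from the talk): kernel code-integrity posture check.
# Windows Vista or later, PowerShell 3.0+, elevated (bcdedit and the event log require it).

# 1. Boot options. 'testsigning Yes' accepts test-signed drivers and 'nointegritychecks Yes' turns enforcement
#    off; an administrator can set either and reboot (test mode shows a desktop watermark). Neither line present
#    means enforcement is on.
$bcd = bcdedit /enum '{current}' | Out-String
$testSigning = $bcd -match '(?im)^\s*testsigning\s+Yes'
$noIntegrity = $bcd -match '(?im)^\s*nointegritychecks\s+Yes'
"Test signing: $testSigning ; integrity checks disabled: $noIntegrity"
"Architecture: $env:PROCESSOR_ARCHITECTURE (mandatory kernel-mode signing is enforced on 64-bit Windows only)"

# 2. The Code Integrity operational log records signature failures and audited loads; events about unsigned or
#    unverifiable kernel modules (3001 and 3004 among them) are the ones to alert on.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 3. Loaded drivers and their Authenticode status. In-box drivers are usually catalog-signed and carry no
#    embedded signature, so they show NotSigned here although the kernel trusts them through the catalog:
#    treat this as a triage list and use the built-in, catalog-aware 'driverquery /si' as the cross-check.
$drivers = Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
    $raw = [string]$_.PathName
    if (-not $raw) { return }
    $raw = $raw -replace '^\\\?\?\\', ''                                   # \??\C:\...      -> C:\...
    $raw = $raw -replace '^\\SystemRoot', $env:SystemRoot                   # \SystemRoot\... -> C:\Windows\...
    if ($raw -notmatch '^[A-Za-z]:\\') { $raw = Join-Path $env:SystemRoot $raw }   # system32\drivers\x.sys
    $sig = if (Test-Path $raw) { Get-AuthenticodeSignature -FilePath $raw } else { $null }
    [pscustomobject]@{
        Name   = $_.Name
        Path   = $raw
        Status = if ($sig) { [string]$sig.Status } else { 'FILE_NOT_FOUND' }
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$drivers | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table Name, Status, Path -AutoSize
driverquery /si | Select-String -Pattern 'FALSE'          # drivers the OS itself reports as not signed
```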

28
Address Space Layout Randomization (ASLR)
  • Prior to Windows Vista:
  • Executables and DLLs loaded at fixed locations
  • Buffer overflow exploits commonly relied on known
    system function addresses to get specific code to
    execute
  • The Windows Vista loader bases modules at one of
    256 random points in the address space
  • OS images now include relocation information
  • Relocation is performed once per image and shared
    across processes
  • User stack locations are also randomized

[Diagram: two Windows XP boots (XP1, XP2) load Exe, User32, Kernel32 and NTDLL at identical addresses; two Windows Vista boots (Vista1, Vista2) load the same modules at different addresses]
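
An added example (editor's code, not from the talk) that shows the two facts behind this slide on a real image: a module is only randomized if it is linked with relocation data and the DYNAMIC_BASE flag, and once relocated its base is shared by every process until the next boot. The header offsets come from the PE/COFF specification; the System32 images and the throw-away child process are illustrative. Run it from a 64-bit PowerShell (3.0 or later) on 64-bit Windows so that the modules of 64-bit processes can be read.

```powershell
# Added example (editor's code, not from the talk): PE ASLR flags and shared DLL base addresses.
# Windows Vista or later, 64-bit PowerShell 3.0+ on 64-bit Windows.

function Get-PEAslrInfo {
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                      # e_lfanew -> 'PE\0\0'
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }
    $coff = $pe + 4                                               # IMAGE_FILE_HEADER, 20 bytes
    $opt  = $coff + 20                                            # IMAGE_OPTIONAL_HEADER
    $fileChars = [BitConverter]::ToUInt16($b, $coff + 18)         # IMAGE_FILE_HEADER.Characteristics
    $magic     = [BitConverter]::ToUInt16($b, $opt)               # 0x10B = PE32, 0x20B = PE32+
    $dllChars  = [BitConverter]::ToUInt16($b, $opt + 70)          # DllCharacteristics (same offset in both)
    $imageBase = if ($magic -eq 0x20B) { [BitConverter]::ToUInt64($b, $opt + 24) } else { [uint64][BitConverter]::ToUInt32($b, $opt + 28) }
    [pscustomobject]@{
        Path           = $Path
        Format         = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
        PreferredBase  = ('0x{0:X}' -f $imageBase)
        DynamicBase    = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: opts in to ASLR
        HighEntropyVA  = [bool]($dllChars -band 0x0020)   # 64-bit high-entropy ASLR (Windows 8 and later)
        NxCompat       = [bool]($dllChars -band 0x0100)   # DEP opt-in
        RelocsStripped = [bool]($fileChars -band 0x0001)  # IMAGE_FILE_RELOCS_STRIPPED: cannot be rebased at all
    }
}

# OS images ship with relocations and DYNAMIC_BASE set; a binary without DYNAMIC_BASE (or with relocations
# stripped) loads at PreferredBase every time, which is the Windows XP situation the slide describes.
"$env:SystemRoot\System32\ntdll.dll", "$env:SystemRoot\System32\kernel32.dll", "$env:SystemRoot\System32\cmd.exe" |
    ForEach-Object { Get-PEAslrInfo $_ } |
    Format-Table Format, DynamicBase, HighEntropyVA, NxCompat, RelocsStripped, PreferredBase, Path -AutoSize

# Relocation happens once per image per boot and is shared, so this process and a fresh child see the same
# ntdll base; it differs from PreferredBase above and changes at the next boot.
$child = Start-Process powershell.exe -ArgumentList '-NoProfile -Command Start-Sleep 30' -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 2
foreach ($p in (Get-Process -Id $PID), $child) {
    $m = $p.Modules | Where-Object { $_.ModuleName -ieq 'ntdll.dll' }
    "PID {0,6}: ntdll.dll at 0x{1:X}" -f $p.Id, $m.BaseAddress.ToInt64()
}
Stop-Process -Id $child.Id
```

Running the first part against a third-party executable is the quick way to tell whether it actually benefits from the loader's 256 base slots or still hands an attacker fixed addresses.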
29
Windows XP
30
Vista
31
Service Security Improvements
  • Before, service bugs allowed privilege
    elevation attacks
  • In Windows Vista, services apply the principle of
    least privilege to limit system exposure in case
    of compromise
  • Service-specific SIDs permit a service's access
    to objects to be limited
  • Only the objects the service requires grant its
    SID access
  • Firewall policy can be applied to a service SID
    (and many Windows Vista services have this
    specified)
  • Write-restricted service processes further limit
    write access
  • They can only modify objects that explicitly grant
    WRITE access to the service SID

32
Service Security Improvements
  • Services can specify which privileges (e.g.
    shutdown, audit, etc.) they require
  • Limits the power of service processes
  • Specified in a MULTI_SZ registry value under the
    service key called RequiredPrivileges
  • On service start, the SCM computes the union of
    all required privileges for the service(s) inside
    the service process
  • If the process token does not contain one of them,
    the service start fails
  • Privileges not explicitly specified are removed
    from the token
  • If no required privileges are specified, the SCM
    assumes all privileges in the process token are
    needed
  • sc qprivs bits
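
An added example (editor's code, not from the talk) for the two service-hardening slides: it derives a service SID the way the SCM does (S-1-5-80- followed by the SHA-1 of the upper-cased UTF-16LE service name split into five 32-bit words), cross-checks it against what LSA resolves for NT SERVICE\bits, and then audits every Win32 service for the pre-Vista situation the slides warn about, namely running as LocalSystem with no RequiredPrivileges (so every privilege is kept) and no service SID (ServiceSidType absent). BITS is the sample service because the slide uses it; PowerShell 3.0 or later is assumed.

```powershell
# Added example (editor's code, not from the talk): service SIDs and least-privilege service audit.
# Windows Vista or later, PowerShell 3.0+; read access to HKLM is sufficient.

function Get-ServiceSid {
    # Service SID = S-1-5-80-<five little-endian UInt32 words of SHA-1(UTF-16LE(UPPERCASE(name)))>.
    param([Parameter(Mandatory)][string]$Name)
    $bytes = [Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $sha1  = [Security.Cryptography.SHA1]::Create()
    try { $hash = $sha1.ComputeHash($bytes) } finally { $sha1.Clear() }
    $words = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($words -join '-')
}

# Cross-check against LSA: NT SERVICE\<name> resolves to the same SID on Vista and later ('sc showsid' too).
$computed = Get-ServiceSid 'bits'
$fromLsa  = ([Security.Principal.NTAccount]'NT SERVICE\bits').Translate([Security.Principal.SecurityIdentifier]).Value
"computed: $computed`nLSA:      $fromLsa`nmatch:    $($computed -eq $fromLsa)"

# Audit. ServiceSidType: absent/0 = none, 1 = unrestricted, 3 = restricted (write-restricted token).
# RequiredPrivileges: REG_MULTI_SZ; absent means the SCM leaves every privilege in the token.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sidType = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }
$report = foreach ($k in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty -Path $k.PSPath
    if (-not $p.ImagePath -or ($p.Type -band 0x3)) { continue }   # skip drivers (Type 1/2); keep Win32 services
    $privs = @($p.RequiredPrivileges)
    [pscustomobject]@{
        Service    = $k.PSChildName
        Account    = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
        SidType    = $sidType[[int]($p.ServiceSidType)]
        PrivCount  = $privs.Count
        Privileges = ($privs -join ',')
        ServiceSid = Get-ServiceSid $k.PSChildName       # the SID it would carry if ServiceSidType were set
    }
}
$exposed = @($report | Where-Object { $_.Account -eq 'LocalSystem' -and $_.PrivCount -eq 0 -and $_.SidType -eq 'None' })
"{0} Win32 services; {1} run as LocalSystem with all privileges and no service SID:" -f @($report).Count, $exposed.Count
$exposed | Sort-Object Service | Format-Table Service, Account, SidType -AutoSize

# The SCM's own answers for the sample service (the slide's command plus its two siblings).
sc.exe qprivs bits
sc.exe qsidtype bits
sc.exe showsid bits
```

Services in the exposed list are the ones where a single bug still yields a full SYSTEM token; fixing one is a matter of `sc sidtype <svc> unrestricted` and `sc privs <svc> <SePriv1>/<SePriv2>`, both of which write the registry values the audit reads.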

33
Process Integrity Levels
  • Specified as new Mandatory Integrity Level (IL)
    SIDs in the process token
  • Low: Protected Mode IE
  • Medium: standard-user (UAC/LUA) processes
  • High: elevated processes
  • System: system processes
  • accesschk -e -s
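
An added example (editor's code, not from the talk) that reads the integrity label of the current process from its token and maps it to the slide's table, then labels a directory Low with the built-in icacls tool, which is the in-box way to see and set object labels when Sysinternals accesschk is not available. The label SIDs are S-1-16-<RID> with RIDs 0x1000, 0x2000, 0x3000 and 0x4000 for Low, Medium, High and System; the demo folder under $env:TEMP is illustrative. PowerShell 3.0 or later is assumed.

```powershell
# Added example (editor's code, not from the talk): process and object integrity levels.
# Windows Vista or later, PowerShell 3.0+; no elevation needed (run it twice, elevated and not, to see the difference).

function Get-CurrentIntegrityLevel {
    # 'whoami /groups' includes the token's Mandatory Label row; its SID is S-1-16-<RID>.
    $row  = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' }
    $rid  = [int]($row.SID -replace '^S-1-16-', '')
    $name = switch ($rid) { 0x1000 { 'Low' } 0x2000 { 'Medium' } 0x3000 { 'High' } 0x4000 { 'System' } default { "RID $rid" } }
    [pscustomobject]@{ Level = $name; Rid = ('0x{0:X}' -f $rid); Label = $row.'Group Name' }
}

$meaning = @{
    Low    = 'sandboxed process (e.g. Protected Mode IE)'
    Medium = 'standard user, or an administrator under UAC before elevation'
    High   = 'elevated process'
    System = 'system process'
}
$il = Get-CurrentIntegrityLevel
"This shell: {0} ({1}) -> {2}" -f $il.Label, $il.Rid, $meaning[$il.Level]

# Objects carry labels too; anything without an explicit label is treated as Medium. Labelling a folder Low
# is what lets a Low-IL process such as Protected Mode IE write there; (NW) is the no-write-up policy that
# stops lower-IL processes from writing to higher-labelled objects.
$demo = Join-Path $env:TEMP 'il-demo'          # illustrative path
New-Item -ItemType Directory -Path $demo -Force | Out-Null
icacls $demo /setintegritylevel Low | Out-Null
icacls $demo                                    # prints 'Mandatory Label\Low Mandatory Level:(NW)' among the ACEs
```

With Sysinternals accesschk on the machine, `accesschk -e -s <path>` (the slide's command) lists the explicit labels below a path recursively and `accesschk -p -e <pid>` shows a process's level, which is useful when checking that a sandboxed process really runs at Low.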