Title: Windows Vista and Longhorn Server:
Slide 1: Windows Vista and Longhorn Server: Under the Hood of the Operating System Internals
Idan Plotnik, CTO; Microsoft Security Regional Director of ISA Server
Slide 2: Agenda
- Introduction
- Processes & Threads
- I/O and File System
- Memory Management
- Startup and Shutdown
- Security
Slide 3: Scope of Talk
- This talk covers enhancements to the Windows Vista kernel and related core components
- Windows Server Longhorn will be a superset of Windows Vista
- These changes will be merged back into the Windows Vista kernel with SP1
- Therefore, all Windows Vista kernel changes described in this talk apply to Windows Server Longhorn
Slide 4: Quiz! Why is Windows Vista / Longhorn unaffected by the VML bug?
- MS07-004 does not affect Windows Vista, even though the coding bug is there. Why?
- The bug is an integer overflow when calling the C++ operator new
- The affected component, vgx.dll, is compiled with the C++ compiler available in Visual Studio 2005
- All of Windows Vista is compiled with this compiler
Slide 5: Processes & Threads
Slide 6: Time Accounting
- Before, Windows accounted for CPU time based on the interval clock timer
  - 10-15 ms resolution (programming/hardware)
- Thread quantum expiration was not always fair
  - A thread might get almost no turn or up to three turns
- Threads also were charged for interrupts that occurred while they were running
(Figure: timeline in which T1 and T2 come out of wait and T1 begins; Idle, T1 and T2 shown against the time slice interval)
Slide 7: Cycle Time Counter
- Windows Vista reads the Time Stamp Counter (TSC) at context switch
  - Actual CPU cycles consumed are charged to the thread
  - Interrupt time is not charged
- Allows for more accurate quantum accounting
  - A thread gets at least 1 turn and can get at most a turn + 1 tick
- Also provides accurate time accounting for thread execution
(Figure: the same timeline under cycle-based accounting; Idle, T1, T1 and T2 shown against the time slice interval)
Slide 8: I/O and File System
Slide 9: Symbolic File Links
- Before, NTFS supported only symbolic directory links (called junctions)
- In Windows Vista, NTFS supports symbolic file links
  - Like UNIX soft links (ln -s) for files
  - Built using NTFS reparse points (like junctions)
- Create them with the new CreateSymbolicLink API or the Mklink.exe command
  - Requires the Create Symbolic Links privilege (by default only assigned to Administrators)
  - Mklink can also create hard links
- Symbolic links are processed on the client and so can span volumes and even machines
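The following is an added example, not part of the deck: it creates a file symbolic link and a hard link, checks for the privilege the slide names, and shows how the two kinds of link look from the file system. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the paths under $env:TEMP are constructed for the demo.

```powershell
# Added example (not from the slides): file symbolic link vs. hard link on NTFS,
# plus the privilege check that gates symlink creation.
# Assumes Windows PowerShell 5.1+ on NTFS; the demo paths under $env:TEMP are constructed.
$base   = Join-Path $env:TEMP 'symlink-demo'
New-Item -ItemType Directory -Path $base -Force | Out-Null
$target = Join-Path $base 'target.txt'
Set-Content -Path $target -Value 'hello from the target file'

# Does this token hold the "Create symbolic links" privilege (SeCreateSymbolicLinkPrivilege)?
# Without it New-Item / mklink fail; by default only Administrators hold it.
$privs   = whoami /priv /fo csv | ConvertFrom-Csv
$canLink = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeCreateSymbolicLinkPrivilege' })
"SeCreateSymbolicLinkPrivilege present in token: $canLink"

if ($canLink) {
    # File symbolic link: an NTFS reparse point resolved on the client, so the target may
    # live on another volume or another machine (a UNC path). Equivalent command-line form
    # from the slide:  cmd /c mklink "$link" "$target"
    $link = Join-Path $base 'link.txt'
    New-Item -ItemType SymbolicLink -Path $link -Target $target | Out-Null

    # Hard link: a second directory entry for the same file data; same volume only.
    $hard = Join-Path $base 'hard.txt'
    New-Item -ItemType HardLink -Path $hard -Target $target | Out-Null

    # The symlink carries the ReparsePoint attribute and exposes its target;
    # the hard link looks like an ordinary file with a second path.
    Get-Item $link, $hard, $target |
        Select-Object Name, LinkType, Target,
                      @{ n = 'Reparse'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } }
}
```

Because the target is resolved on the client, a symlink pointing at a remote or later-replaced path is followed wherever it leads; when auditing a file server, list reparse points and where they point rather than trusting the link name.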
Slide 10: I/O Cancellation Support
- Before, opens could not be cancelled
  - Example: you browse to an off-line network share in a File Save dialog and hang for the duration of the network timeout
- In Windows Vista, opens and other synchronous I/O can be cancelled
  - CancelSynchronousIo cancels a pending synchronous I/O issued by another thread
  - CancelIoEx permits cancelling all or individual I/Os from any thread (CancelIo could only cancel all I/Os issued by the calling thread)
- Windows Vista common control file open/save dialogs all implement cancellation
- Threads processing I/O can now be notified of process termination
Slide 11: I/O Prioritization
- Background I/O (e.g. AV scans, disk defragmenting) interferes with foreground interactive tasks (e.g. reading email)
- Before, the only way to prioritize work was based on thread CPU priority
- Windows Vista introduces two types of I/O prioritization
  - I/O priority
  - I/O bandwidth reservation
Slide 12: I/O Priorities
- I/O priority is based on the priority of the issuing thread or the explicitly set I/O priority
- Five levels: Critical, High, Normal, Low, Very Low (DF, IndexS)
  - High not implemented
  - Critical only for use by the memory manager
- Stored in the Flags field of the I/O Request Packet (IRP)
- At least one Low or Very Low I/O is processed every second
- Processes and threads can lower their I/O priority with SetPriorityClass, SetThreadPriority
  - Background mode
  - Used by Windows Vista background tasks like indexing and Windows Defender scans (prefetch)
Slide 13: Memory Management
Slide 14: SuperFetch
- Before
  - Memory was not proactively populated (no memory priority)
  - Memory often did not contain optimal content (not scenario aware)
  - Windows XP improved population with the logical prefetcher, but only prefetched a single process at process startup
Slide 15: SuperFetch
- In Windows Vista, SuperFetch prefetches across a set of applications
  - Takes into account the frequency of page usage and the usage of a page in the context of other pages in memory
  - Adapts to memory usage patterns, including complex usage scenarios (e.g. the "after lunch" usage)
- Scenarios SuperFetch improves include
  - Application launch (outlook.exe)
  - Resume from hibernate and suspend
  - Performance after infrequent or low priority tasks execute
- 8 memory priorities
Slide 16: Startup and Shutdown
Slide 17: Startup Processes on XP
- Session Manager (SMSS) created Winlogon and Csrss for each session
  - Session creation was done serially
  - Was a bottleneck for Terminal Services
- Winlogon, the interactive logon manager, created
  - Local Security Authority (Lsass.exe)
  - Service Control Manager (Services.exe)
Slide 18: Startup Processes on Vista
- In Windows Vista
  - The initial Smss.exe creates an instance of itself to initialize each session
  - Permits parallel session creation
    - Minimum parallel session startups is 4
    - Maximum is the number of processors
- Session 0 Smss runs Wininit.exe (new)
  - Wininit starts what Winlogon used to start: Services, Lsass
  - Also starts a new process, Local Session Manager (Lsm.exe)
- Session 1-n Smss instances create and initialize interactive sessions
  - Session-specific instances of Csrss.exe and Winlogon.exe
Slide 19: Session 0 Isolation
- Before, the console user ran in session 0
  - Names created by the console user could collide with service and system object names
  - Services that presented windows on the console could open the door for privilege elevation (shatter attacks)
(Figure: session layout before Vista; Session 1 holds Application D, Application E and Application F)
Slide 20: Session 0 Isolation
- In Windows Vista, the console user starts in session 1 and cannot connect to session 0
  - Eliminates name collisions
  - Poorly written services can't display windows to the user
(Figure: session layout in Vista; Session 1 holds Application A, B and C, Session 2 holds Application D, E and F)
Slide 21: Interactive Logon Architecture
- Credential Providers replace GINAs
  - Plug into Logonui.exe
  - Easier to write than GINAs
  - Multiple concurrent providers are supported (GINA issue)
  - User selected or event driven
  - Used to capture elevation credentials
- Inbox Credential Providers (standard)
  - Password
  - Smartcard
(Figure: WinLogon hosts LogonUI, which loads Credential Provider 1, Credential Provider 2 and Credential Provider 3)
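Because several providers can be loaded at once, an administrator will want to know which ones LogonUI is actually configured with. The following is an added example, not part of the deck: it enumerates the registered credential providers, resolves each to its DLL and checks the signature. It assumes Windows PowerShell 5.1 or later on Vista or later; the registration key under Authentication\Credential Providers and the COM InprocServer32 lookup are from general Windows knowledge, not from the slide.

```powershell
# Added example (not from the slides): list the credential providers LogonUI will load,
# where each one's code lives, and whether it is signed. Assumes Windows PowerShell 5.1+;
# the registry locations are the standard provider registration keys (not from the slide).
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

$providers = Get-ChildItem $cpKey | ForEach-Object {
    $clsid = $_.PSChildName
    $name  = (Get-ItemProperty $_.PSPath).'(default)'
    # Each provider is a COM in-proc server; its DLL path is the default value of
    # HKCR\CLSID\{clsid}\InprocServer32 and may contain environment variables.
    $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
    $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
    # "NotSigned" can also mean catalog-signed (no embedded signature) on older PowerShell
    $sig = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'missing' }
    [pscustomobject]@{ Name = $name; CLSID = $clsid; Dll = $path; Signature = $sig }
}

$providers | Format-Table -AutoSize

# Providers living outside the Windows directory or without a valid signature deserve a look
$providers | Where-Object { $_.Dll -notlike "$env:SystemRoot\*" -or $_.Signature -ne 'Valid' }
```

Run it from an elevated prompt so the CLSID lookups succeed for every provider; the inbox Password and Smartcard providers the slide lists should resolve to signed DLLs under the Windows directory.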
Slide 22: Delayed Auto Start Services
- Before, autostart services could severely impact login performance
- In Windows Vista, services can request delayed autostart
  - Set by the new ChangeServiceConfig2 API
  - Stores a new DelayedAutoStart value in the service's Registry key
  - Service Control Manager (SCM) starts these services after the automatic start services
  - I/O priority set to Very Low during startup
- Services configured this way include BITS, Windows Update client, Ehome
  - sc qc bits
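The following is an added example, not part of the deck: it enumerates every service that has asked for delayed autostart by reading the DelayedAutoStart value the slide mentions, then shows the same configuration as sc.exe reports it for BITS. It assumes Windows PowerShell 5.1 or later with read access to HKLM\SYSTEM; the Start = 2 (SERVICE_AUTO_START) encoding is from the SCM's registry layout, not from the slide.

```powershell
# Added example (not from the slides): find services configured for delayed auto-start.
# Assumes Windows PowerShell 5.1+; Start = 2 is SERVICE_AUTO_START in the service key.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$delayed = Get-ChildItem $servicesKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Only an auto-start service can be delayed; DelayedAutoStart = 1 marks the delayed variant
    if ($p.Start -eq 2 -and $p.DelayedAutoStart -eq 1) {
        [pscustomobject]@{
            Name      = $_.PSChildName
            ImagePath = $p.ImagePath
        }
    }
}

"Services with delayed auto-start: $($delayed.Count)"
$delayed | Sort-Object Name | Format-Table -AutoSize

# The same fact as sc.exe reports it; the START_TYPE line reads "AUTO_START  (DELAYED)"
sc.exe qc bits
```

Get-Service's StartType does not distinguish delayed from ordinary automatic start, which is why the registry value (or sc.exe qc) is the reliable source.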
Slide 23: Clean Service Shutdown
- Before, services had no way to extend the time allowed for shutdown
  - After a fixed timeout (default 20 seconds), SCM was killed and the system halted (while services were still running)
  - This was a problem for services that needed to flush data
- In Windows Vista, services can request pre-shutdown notification and take as long as they want to shut down
  - If the service stops responding, the system gives up on it after 3 minutes
- After the pre-shutdown services stop, the system performs Windows XP-style shutdown for the other services
Slide 24: Service Shutdown Ordering
- Before, there was no way for services to specify the order in which they receive shutdown notification
  - Some services have shutdown dependencies
  - Had to implement ad-hoc solutions
- In Windows Vista, services can specify shutdown order
  - Must request pre-shutdown notification
  - Must include their name in HKLM\System\CurrentControlSet\Control\PreShutdownOrder
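The following is an added example covering the two slides above, not part of the deck: it lists the services that currently accept the pre-shutdown control, shows how long SCM will wait for each, and compares that list with the PreShutdownOrder value named on the slide. It assumes Windows PowerShell 5.1 or later on Vista or later; the ACCEPTS_PRESHUTDOWN text in sc.exe query output and the per-service PreshutdownTimeout registry value are from general SCM knowledge, not from the slides.

```powershell
# Added example (not from the slides): which services take part in pre-shutdown, how long
# SCM waits for each, and in what order they are notified. Assumes Windows PowerShell 5.1+.
function Get-PreshutdownServices {
    # One sc.exe call for all services; the large buffer avoids "more data" truncation.
    # Accepted controls are only reported for running services, so stopped ones are skipped.
    $lines   = sc.exe query type= service state= all bufsize= 65536
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^SERVICE_NAME:\s*(\S+)') { $current = $Matches[1]; continue }
        if ($current -and $line -match 'ACCEPTS_PRESHUTDOWN') {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$current"
            $t   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PreshutdownTimeout
            # No value means the SCM default the slide quotes: 3 minutes (180000 ms)
            $timeout = if ($t) { "$t ms" } else { 'default (180000 ms)' }
            [pscustomobject]@{ Name = $current; PreshutdownTimeout = $timeout }
        }
    }
}

$pre = Get-PreshutdownServices
$pre | Format-Table -AutoSize

# Names listed in PreShutdownOrder are notified first, in that sequence;
# every other service that accepts pre-shutdown is notified afterwards.
$order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').PreShutdownOrder
"PreShutdownOrder: $($order -join ', ')"
$unordered = $pre.Name | Where-Object { $_ -notin $order }
"Pre-shutdown services not in PreShutdownOrder: $($unordered -join ', ')"
```

A service that flushes data at shutdown but does not appear in either list is relying on the old 20-second window; that is the gap the slides describe and the first thing to check when shutdown-time data loss is reported.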
Slide 25: Security
Slide 26: Vista service changes
- Services common to both platforms
Slide 27: Code Integrity Verification
- The OS loader and kernel perform code signature checks
- On 64-bit x64 platforms
  - All kernel mode code must be signed in order to load
  - Identity of all kernel mode binaries is verified
  - System audit events for integrity check failures
- On 32-bit platforms
  - Load-time checks done on all kernel mode binaries; unsigned code allowed to load
  - But to play protected hi-def content, all loaded kernel mode drivers must be signed
  - Event log logging of driver loads
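The following is an added example, not part of the deck: it checks the driver-signing state of a running system from three angles, the signatures on the driver binaries, the boot options that can weaken the policy, and the events the slide refers to. It assumes Windows PowerShell 5.1 or later in an elevated session on Vista or later; the Microsoft-Windows-CodeIntegrity/Operational channel and Security event 5038 (image hash failed verification) are from general Windows auditing knowledge, not from the slide.

```powershell
# Added example (not from the slides): audit kernel-mode driver signing on a running system.
# Assumes Windows PowerShell 5.1+ running elevated; event channel and ID are from general
# Windows auditing knowledge, not from the slide.

# 1. Embedded Authenticode status of each driver binary. "NotSigned" can also mean the
#    driver is catalog-signed (no embedded signature); confirm against the catalogs before
#    treating it as unsigned.
$sigs = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys |
    Get-AuthenticodeSignature |
    Select-Object @{ n = 'Driver'; e = { Split-Path $_.Path -Leaf } }, Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
$sigs | Group-Object Status | Select-Object Name, Count
$sigs | Where-Object Status -ne 'Valid' | Format-Table -AutoSize

# 2. Boot options that weaken the x64 policy: testsigning admits test-signed drivers and
#    nointegritychecks disables the checks; neither should be on outside a lab.
bcdedit /enum '{current}' | Select-String -Pattern 'testsigning|nointegritychecks'

# 3. What the kernel logged: driver load / verification messages in the Code Integrity
#    channel, and the Security-log audit record raised when an image hash fails verification.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

On 32-bit systems the first two checks still apply, but as the slide notes an unsigned driver will load there; the event records are then the only trace that it did.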
Slide 28: Address Space Load Randomization (ASLR)
- Prior to Windows Vista
  - Executables and DLLs load at fixed locations
  - Buffer overflows commonly relied on known system function addresses to cause specific code to execute
- The Windows Vista loader bases modules at one of 256 random points in the address space
  - OS images now include relocation information
  - Relocation performed once per image and shared across processes
- User stack locations are also randomized
(Figure: module layout in two XP processes (XP1, XP2) and two Vista processes (Vista1, Vista2); Exe, User32, Kernel32 and NTDLL land at the same addresses in both XP processes and at different addresses in the two Vista processes)
Slide 29: Windows XP
Slide 30: Vista
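Randomization only helps for images that were built to be moved. The following is an added example, not part of the deck: it reads the PE header of every module loaded in the current process and reports whether the image opted into ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and still carries relocation data, the two things the loader needs before it can rebase an image. It assumes Windows PowerShell 5.1 or later; the header offsets and flag values are from the PE/COFF specification, not from the slide.

```powershell
# Added example (not from the slides): which loaded modules can ASLR actually move?
# Assumes Windows PowerShell 5.1+; offsets and flag values follow the PE/COFF specification.
function Get-AslrInfo {
    param([Parameter(Mandatory)][string]$Path)
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                         # e_lfanew -> "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "Not a PE image: $Path" }
    $coff = $pe + 4                                                  # COFF file header
    $opt  = $coff + 20                                               # optional header
    $characteristics    = [BitConverter]::ToUInt16($b, $coff + 18)   # IMAGE_FILE_* flags
    $magic              = [BitConverter]::ToUInt16($b, $opt)         # 0x10b = PE32, 0x20b = PE32+
    $dllCharacteristics = [BitConverter]::ToUInt16($b, $opt + 70)    # same offset in PE32 and PE32+
    $dynamicBase    = [bool]($dllCharacteristics -band 0x0040)       # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    $relocsStripped = [bool]($characteristics -band 0x0001)          # IMAGE_FILE_RELOCS_STRIPPED
    [pscustomobject]@{
        Module         = Split-Path $Path -Leaf
        Format         = if ($magic -eq 0x20b) { 'PE32+' } else { 'PE32' }
        DynamicBase    = $dynamicBase
        NxCompat       = [bool]($dllCharacteristics -band 0x0100)    # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        RelocsStripped = $relocsStripped
        # The loader rebases an image only when it asked for it and kept its relocations
        Movable        = $dynamicBase -and -not $relocsStripped
    }
}

# Every module mapped into this PowerShell process, then the ones that still load at a fixed base
$report = (Get-Process -Id $PID).Modules | ForEach-Object { Get-AslrInfo $_.FileName }
$report | Format-Table Module, Format, DynamicBase, NxCompat, RelocsStripped, Movable -AutoSize
$report | Where-Object { -not $_.Movable }
```

Point the function at any other executable or DLL to vet third-party software: a module in the last list behaves as on XP, so one non-movable DLL in a process gives an attacker the fixed addresses the slide says ASLR is meant to take away.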
Slide 31: Service Security Improvements
- Before, service bugs allowed for privilege elevation attacks
- In Windows Vista, services apply the principle of least privilege to limit system exposure in case of compromise
  - Service-specific SIDs permit a service's access to objects to be limited
    - Only required objects give the SID access
    - Firewall policy can be applied to the service SID (and many Windows Vista services have this specified)
  - Write-restricted service processes further limit write access
    - Can only modify objects allowing WRITE for service SIDs
Slide 32: Service Security Improvements
- Services can specify which privileges (e.g. shutdown, audit, etc.) they require
  - Limits the power of service processes
  - Specified in a MULTI_SZ registry value under the service key called RequiredPrivileges
- On service start, SCM computes the union of all required privileges for the service(s) inside the service process
  - If the process token does not contain one, service start fails
  - Privileges not explicitly specified are removed from the token
  - If no required privileges are specified, assumes all privileges in the process token are needed
- sc qprivs bits
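The following is an added example covering the two Service Security Improvements slides, not part of the deck: it reads the service-SID type and RequiredPrivileges of every service in one shared svchost group, reproduces the union rule the slide describes, and shows the sc.exe views for BITS. It assumes Windows PowerShell 5.1 or later with administrator rights; the Svchost group key, the ServiceSidType registry value and the sc.exe qsidtype/showsid verbs are from general SCM knowledge, not from the slides, and the group name netsvcs is an assumption.

```powershell
# Added example (not from the slides): least-privilege settings of the services sharing one
# svchost process, and the SCM's union rule from the slide. Assumes Windows PowerShell 5.1+
# with admin rights; the group name is an assumption (pick one from the Svchost key).
$group       = 'netsvcs'
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$members     = (Get-ItemProperty $svchostKey).$group          # REG_MULTI_SZ of service names

$perService = foreach ($name in $members) {
    $p = Get-ItemProperty "$servicesKey\$name" -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    $required = if ($p.RequiredPrivileges) { @($p.RequiredPrivileges) } else { @() }
    [pscustomobject]@{
        Name               = $name
        # ServiceSidType: 0 = none, 1 = unrestricted (service SID in token), 3 = restricted (write-restricted)
        ServiceSidType     = $p.ServiceSidType
        RequiredPrivileges = $required
    }
}
$perService | Format-Table Name, ServiceSidType,
    @{ n = 'RequiredPrivileges'; e = { $_.RequiredPrivileges -join ',' } } -AutoSize

# The union rule: the shared token keeps only the union of what the hosted services asked for,
# but one service with no RequiredPrivileges value keeps every privilege for the whole process.
$unspecified = $perService | Where-Object { $_.RequiredPrivileges.Count -eq 0 }
$union       = $perService.RequiredPrivileges | Sort-Object -Unique
if ($unspecified) {
    "Token keeps ALL privileges: no RequiredPrivileges on " + ($unspecified.Name -join ', ')
} else {
    "Process token reduced to the union: " + ($union -join ', ')
}

# Per-service view with sc.exe, as the slide's "sc qprivs bits"
sc.exe qprivs bits
sc.exe qsidtype bits      # NONE / UNRESTRICTED / RESTRICTED
sc.exe showsid bits       # the NT SERVICE\bits SID used in object ACLs and firewall rules
```

The second result is the one to act on: a single service in a shared process without RequiredPrivileges undoes the privilege reduction for every service that shares the token with it.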
Slide 33: Process Integrity Levels
- Specified as new Mandatory Integrity Level (IL) SIDs in the process token
  - Low: Protected-mode IE
  - Medium: UAC (LUA) processes
  - High: Elevated processes
  - System: System processes
- Accesschk -e -s
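The following is an added example, not part of the deck: it reads the integrity level of the current token from its S-1-16 label SID, reads the mandatory label on an object from its SACL (the data accesschk -e shows), and labels a constructed file Low to show the no-write-up policy that Protected-mode IE runs under. It assumes Windows PowerShell 5.1 or later in an elevated session on Vista or later (reading a SACL needs the security privilege); the integrity RIDs, SDDL ML ACE syntax and the icacls /setintegritylevel switch are from general Windows knowledge, not from the slide.

```powershell
# Added example (not from the slides): integrity level of the current token and of objects.
# Assumes Windows PowerShell 5.1+ in an elevated session; RIDs and SDDL forms are from the
# Windows SID / SDDL definitions, not from the slide.
$levels = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

# 1. Process token: the IL is the S-1-16-<rid> "Mandatory Label" entry in whoami /groups
function Get-TokenIntegrityLevel {
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }
    $rid = [int]($row.SID -replace '^S-1-16-', '')
    [pscustomobject]@{ Sid = $row.SID; Rid = ('0x{0:X}' -f $rid); Level = $levels[$rid] }
}
Get-TokenIntegrityLevel      # Medium for a plain UAC shell, High for an elevated one

# 2. Object label: an explicit label is an ML ACE in the SACL, e.g. S:(ML;;NW;;;LW).
#    Objects with no label are treated as Medium, which is why most files show none.
function Get-ObjectIntegrityLevel {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $sddl = $acl.GetSecurityDescriptorSddlForm('Audit')
    if ($sddl -match '\(ML;[^;]*;([^;]*);;;(LW|ME|HI|SI)\)') {
        $policy = $Matches[1]      # NW = no-write-up, NR = no-read-up, NX = no-execute-up
        $label  = @{ LW = 'Low'; ME = 'Medium'; HI = 'High'; SI = 'System' }[$Matches[2]]
    } else {
        $policy = $null
        $label  = 'none (implicit Medium)'
    }
    [pscustomobject]@{ Path = $Path; Label = $label; Policy = $policy }
}

# 3. Label a constructed file Low and read it back. A Low process (Protected-mode IE) can
#    write this file but, under no-write-up, not the Medium objects around it.
$demo = Join-Path $env:TEMP 'il-demo.txt'
Set-Content -Path $demo -Value 'constructed sample'
icacls $demo /setintegritylevel Low | Out-Null
Get-ObjectIntegrityLevel $demo          # Label Low, Policy NW
Get-ObjectIntegrityLevel $env:SystemRoot
```

The same label check on a directory that a Low process is expected to write to (an IE cache folder, for instance) confirms the sandbox boundary is actually in place rather than assumed.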