Microsoft's Midori to sandbox apps for increased security
By David Worthington
August 5, 2008
Security is a watchword for Midori, the operating system that Microsoft is incubating in hopes of freeing itself from its legacy Windows software architecture.
SD Times has viewed internal Microsoft documents that detail Midori’s security proposition. The highlights include memory safety and type safety, and a least-privileged mode. In addition, hardware support may enable a secure boot mechanism and, on top of secure booting, a chain of trust that can be verified remotely.
Midori’s memory safety and type safety features will eliminate the potential for buffer overruns, perform heap deletes more frequently to avoid stack and heap corruption, and possibly offer some guarantees around fine-grained locking to prevent data race conditions, the documents indicate.
Applications and system services in Midori will run with the least authority necessary for their purposes. A standard declarative policy will be used for configuring component isolation, elevating code privileges, evaluating code identity and managing system state.
“From a software architecture standpoint,” wrote Yankee Group program manager Andrew Jaquith in an e-mail, Midori’s approach “is a very good one. The big idea here is to enumerate, and then enshrine in policy, all of the things a program can and cannot do. By combining declarative security policies with runtime enforcement mechanisms, Midori should be able to effectively ‘sandbox’ applications in a fairly bulletproof way.”
Jaquith noted that what Microsoft is doing is a form of mandatory access control, a concept that intelligence agencies adopted many years ago.
Microsoft is trying to keep up with the Joneses, Jaquith noted, pointing out that Apple’s Mac OS X Leopard, Novell’s AppArmor (which ships with Ubuntu) and SELinux (which ships with Red Hat Enterprise Linux) all provide implementations of mandatory access control.
Another Midori design objective is to reduce the risk of cross-process elevation attacks by using application manifests and eliminating dynamic code loading, in order to regulate what execution is possible in a process.
With those protections in place, if a process is compromised, the malicious code that gains control of it will be confined to the privileges declared for that process rather than gaining the run of the system.
But in this model, policies need to be easily updateable by trusted sources, wrote Jaquith. He explained that it is difficult for a developer to foresee all of the potential privileges that a program would require, and that the application manifests would have to change as programs are added and updated.
“It's a great idea in theory, but in practice, application sandboxing (which is the generic term for what they are doing) has some practical problems that lead deployers to scale back their ambitions.” But his concerns are far outweighed by the benefit of having sandboxing built into the operating system.
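The manifest-plus-enforcement pattern described above, as an added illustration that is not Midori code: the article does not show Midori’s manifest format or policy language, so this Python model assumes a hypothetical one (the `Manifest`, `Sandbox` and `logviewer` names are invented for the example). A component declares every path, host and code-loading right it needs; a single enforcement point checks each request against that declaration, so code injected into a compromised process is held to the same declared subset. The final function shows Jaquith’s caveat: a new version that needs a file the manifest never listed is denied until a trusted source ships an updated manifest.

```python
"""Declarative least-privilege policy with runtime enforcement.

Illustrative model written for this article. It is not Midori's manifest
format, policy language or API (the article describes none of those); it
shows the pattern Jaquith describes: enumerate what a program may do, then
enforce at runtime so a compromised process stays inside its declared subset.
"""
from dataclasses import dataclass, replace
from fnmatch import fnmatch
from typing import Dict, List, Tuple


class PolicyViolation(PermissionError):
    """Raised when a component requests an operation its manifest does not grant."""


@dataclass(frozen=True)
class Manifest:
    """Everything a component may do. Anything not listed is denied (default deny)."""
    name: str
    read_paths: Tuple[str, ...] = ()    # glob patterns the component may read
    write_paths: Tuple[str, ...] = ()   # glob patterns it may write
    net_hosts: Tuple[str, ...] = ()     # hosts it may connect to
    load_code: bool = False             # may it load code not named in the manifest?

    def permits(self, op: str, target: str) -> bool:
        if op == "read":
            return any(fnmatch(target, pat) for pat in self.read_paths)
        if op == "write":
            return any(fnmatch(target, pat) for pat in self.write_paths)
        if op == "connect":
            return target in self.net_hosts
        if op == "load_code":
            return self.load_code
        return False  # unknown operation: deny


class Sandbox:
    """Single enforcement point: every privileged operation is checked here."""

    def __init__(self, manifest: Manifest) -> None:
        self.manifest = manifest
        self.audit: List[Tuple[str, str, str]] = []  # (op, target, decision)

    def request(self, op: str, target: str) -> None:
        allowed = self.manifest.permits(op, target)
        self.audit.append((op, target, "allow" if allowed else "deny"))
        if not allowed:
            raise PolicyViolation(f"{self.manifest.name}: {op} {target!r} not in manifest")


def run_component(manifest: Manifest,
                  operations: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Push a list of (op, target) requests through a sandbox and return each decision.
    A denied request does not abort the run, so the full set of attempts is visible."""
    box = Sandbox(manifest)
    results: Dict[Tuple[str, str], str] = {}
    for op, target in operations:
        try:
            box.request(op, target)
            results[(op, target)] = "allow"
        except PolicyViolation:
            results[(op, target)] = "deny"
    return results


def grant_read(manifest: Manifest, pattern: str) -> Manifest:
    """A policy change rather than a code change: a new program version that needs
    another file must ship a revised manifest from a trusted source."""
    return replace(manifest, read_paths=manifest.read_paths + (pattern,))


# Constructed manifest for a hypothetical log viewer (not a real product).
LOG_VIEWER = Manifest(
    name="logviewer",
    read_paths=("/var/log/app/*.log", "/etc/logviewer.conf"),
    write_paths=("/tmp/logviewer/*",),
    net_hosts=("logs.example.internal",),
)

# Constructed request sequences: normal operation, then what injected code tries.
NORMAL_USE = [("read", "/etc/logviewer.conf"),
              ("read", "/var/log/app/today.log"),
              ("write", "/tmp/logviewer/cache")]
ATTACKER_ATTEMPTS = [("read", "/etc/shadow"),
                     ("write", "/etc/cron.d/backdoor"),
                     ("connect", "c2.example.net"),
                     ("load_code", "/tmp/payload.so")]


def demo() -> Dict[Tuple[str, str], str]:
    """Run the legitimate requests and the attacker's requests under one manifest."""
    return run_component(LOG_VIEWER, NORMAL_USE + ATTACKER_ATTEMPTS)


if __name__ == "__main__":
    for (op, target), decision in demo().items():
        print(f"{decision:5} {op:9} {target}")
    # Version 2 of the viewer also wants /var/log/sys/messages: denied under the
    # old manifest, allowed only once a trusted party updates the policy.
    v2 = [("read", "/var/log/sys/messages")]
    print("v1 manifest:", run_component(LOG_VIEWER, v2))
    print("v2 manifest:", run_component(grant_read(LOG_VIEWER, "/var/log/sys/*"), v2))
```

The point of the single `Sandbox.request` choke point is the one Jaquith raises at the end: the enforcement layer is the part that must be correct, because a bug there lets every component escape its manifest at once.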
Jaquith also pointed to a potential single point of failure at the core of Midori’s scheme: because the security policies are enforced at the kernel-runtime level, defects in Microsoft’s implementation of that enforcement layer would undermine the effectiveness of Midori’s security as a whole.
Good security is crucial to run the type of distributed applications that Microsoft is designing Midori for, experts agree. “Security is really important in distributed applications … you have to be very careful,” noted John Manferdelli, a distinguished engineer at Microsoft and the general manager of the incubation team led by Craig Mundie, chief research and strategy officer.
The Midori documents indicate that the OS will also have hardware support for secure boot mechanisms as specified in the company’s Next-Generation Secure Computing Base, formerly known as “Palladium.”
Share this link: http://www.sdtimes.com/link/32662