Windows Vista and "Longhorn" Server: Under the Hood of the ...


  • ©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 06/16/10 13:30

    1. Windows Vista and “Longhorn” Server: Under the Hood of the Operating System Internals and Your Application
       Richard B. Ward, Program Manager, [email_address]
       Karthik Thirumalai, Architect, [email_address]
       Session FUN417
    2. Simplified Windows Core
       [Diagram] User mode: kernel32, advapi32, NTDLL. Kernel mode: Memory Manager, I/O Manager, Security, Scheduler, Object Manager, Inter-process Communication, Registry, Power Management, Plug and Play, . . . ; Hardware Abstraction Layer beneath the kernel.
    4. Core Changes
       • New boot environment
         • Platform- and firmware-independent and highly portable
         • Supports 32- and 64-bit systems via PC/AT BIOS or EFI
         • Fully localized, supporting many languages
       • Hot add/replace of processor and memory
       • Enhanced power management with Hybrid Sleep
         • Combines Standby and Hibernate
         • Suspend to RAM and disk at the same time
    5. Core Changes
       • Memory manager
         • Dynamic system address space
         • System virtual address (VA) space: kernel page tables allocated on demand
         • NUMA and large page support
         • Paging of video memory
    6. Core Changes
       • User-Mode Driver Framework
         • Infrastructure to run a device driver in user mode
         • Implementation of the WDF driver model
           • Supports core WDF objects
         • User-mode drivers are isolated from other drivers
           • Kernel is isolated from user-mode drivers
           • System can recover after a driver crash – no blue screen
       • Enhanced multimedia support
         • Multimedia Class Scheduler Service
         • Support for soft real-time memory allocations
         • Scheduled file I/O
    7. Security Enhancements
       • Kernel-mode malware on the rise
         • Presents new categories of problems
         • Malicious code running with the highest privileges
         • Device drivers can monitor and affect almost anything on the system
    8. Security Enhancements
       • Kernel-mode code
         • Must be digitally signed
         • Enforced at install and load time
         • x64 only for Vista
       • User-mode code
         • Critical system processes will require signed code
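The signing requirement above is enforced by the loader; an administrator can check the same property on the drivers already present on disk. The following is an added example, not code from the presentation: it lists kernel driver files whose Authenticode signature does not verify. The directory is the standard drivers folder; it assumes Windows PowerShell 3.0 or later for the -File parameter.

```powershell
# Added example (not from the slides): audit the Authenticode signatures of the
# kernel driver files on disk. Run from an elevated Windows PowerShell session.
function Get-UnsignedDrivers {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")
    Get-ChildItem -Path $DriverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Driver = $_.Name
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Anything that is not 'Valid' deserves a second look: a HashMismatch on a driver
# is exactly the tampering the load-time check is meant to stop.
Get-UnsignedDrivers | Format-Table -AutoSize
```

Many in-box drivers carry no embedded signature and are signed through a security catalog instead; older releases of Get-AuthenticodeSignature do not consult catalogs and report such files as NotSigned, so confirm a finding with a catalog-aware tool (for example signtool) before treating it as unsigned code. `driverquery /si` lists the signing state of the drivers that are actually loaded.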
    9. Windows Services
       • Architecture overview
       • Changes to the services model
         • Security
           • Session 0 isolation, service hardening
         • Performance
           • Delayed start, state change notifications
         • Reliability
           • Failure action on non-crash failures
    10. Services Model Overview
       [Diagram] SCM API clients talk to the Service Control Manager, which keeps its configuration under HKLM\System\CCS\Services. The SCM starts, stops and sends controls to service processes (Svchost.exe, which hosts a configurable number of services, or OwnProc.exe) over the service process communication channel. Client transports: LRPC locally, RPC/TCP (Vista+) remotely, RPC/NP (legacy).
    11. Service Start Types
       • Automatic
         • Started during boot by the SCM
         • Auto-start services have a significant performance effect
           • Lots of I/O requests and contention over global resources
           • Can have a significant effect on boot time
       • Manual
         • Started on demand by a client
         • Reduces impact on boot performance
    12. Start Types – Delayed Start
       • Delayed Auto Start – new in Windows Vista
         • Many services are auto-start simply because they want “unattended” start, but do not need to be running immediately after boot
         • Delayed-start services are started in low-priority CPU and I/O threads shortly after boot
         • Client code must tolerate the service’s unavailability

       SERVICE_DELAYED_AUTO_START_INFO sdaInfo;
       sdaInfo.fDelayedAutoStart = TRUE;
       // hService: service handle opened with SERVICE_CHANGE_CONFIG access
       ChangeServiceConfig2(hService, SERVICE_CONFIG_DELAYED_AUTO_START_INFO, &sdaInfo);
    13. Service Security Model
       • Built-in accounts for easy management
         • No password management requirements
         • LocalSystem
           • Very powerful and has most privileges – use cautiously
         • LocalService and NetworkService
           • Greatly reduced privilege set
           • NetworkService uses the machine account for remote authentication
       • Session 0 isolation – new in Windows Vista
         • Services are isolated from interactive sessions
         • Helps mitigate UI attacks
    14. Windows Service Hardening
       • Motivation
         • Services are attractive targets for malware
           • Running on a large number of systems
           • Services are typically higher privileged than users
           • Worms target services, e.g. Sasser, Code Red, etc.
       • Goals
         • Run with the least privilege necessary
         • Use only the resources needed by the service
         • Reduce the damage potential and the number of critical vulnerabilities in services
         • Extend the existing security model for more granular control
    15. Running With Least Privilege
       • Privilege stripping
         • Enables a service to run with least privilege
       • Use only required privileges
         • Express required privileges during service configuration
           • SeBackupPrivilege, SeRestorePrivilege, etc.
           • ChangeServiceConfig2 API (sc.exe can be used as well)
         • SCM computes the union of the required privileges of all hosted services
           • Permanently removes unnecessary privileges from the process token when the service process starts
         • No privileges are added
           • Target account must support the required privileges, e.g. a service in the LocalService account cannot get SeTcbPrivilege
    16. Service Isolation
       • Service-specific SID
         • 1:1 mapping between service name and SID
         • Use it to ACL the objects the service needs so that access is allowed only to the service-specific SID
           • Use ChangeServiceConfig2 or sc.exe to control the service SID
           • Set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
       • Service-specific SID assigned at start time
         • When the service process starts
           • SCM adds service SIDs to the process token
             • S-1-5-80-XXXXX-YYYYY
           • SID enabled/disabled when the service starts/stops
         • Service SIDs are local to the machine
    17. Reducing Damage Potential
       • Restricted services
         • Use service SIDs and restricted tokens
       • Write-restricted service process
         • Allows the service process write access only to objects that grant WRITE to the service SIDs
           • Reduces the scope of resources accessed on the system
         • When the service process starts
           • SCM adds the service SID to both the normal and the restricted SID list in the process token
           • SID enabled/disabled when the service starts/stops
         • All services in a process must be restricted
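Slides 15 to 17 describe one hardening procedure: declare the privileges, turn on the service SID, ACL resources to that SID, and optionally make the token write-restricted. The block below is an added example, not the presenters' code, that walks through it with sc.exe and the registry. The service name ContosoAgent and the directory C:\ProgramData\ContosoAgent are placeholders; the Get-ServiceSid function reproduces the 1:1 name-to-SID mapping (SHA-1 of the upper-cased UTF-16LE service name, read as five little-endian DWORDs under S-1-5-80) so that the result can be cross-checked against `sc.exe showsid`.

```powershell
# Added example (not the presenters' code): apply and audit the service hardening
# settings from slides 15-17. 'ContosoAgent' and its data directory are placeholders.
# Run from an elevated Windows PowerShell session.

# The SCM's service SID: SHA-1 over the upper-cased UTF-16LE service name,
# split into five little-endian DWORD sub-authorities under S-1-5-80.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

# Inventory every Win32 service: account, SID type and declared privileges.
# Registry value ServiceSidType: 1 = unrestricted, 3 = restricted, absent = none.
function Get-ServiceHardeningInfo {
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # SERVICE_WIN32_OWN_PROCESS (0x10) or SERVICE_WIN32_SHARE_PROCESS (0x20)
            if (($p.Type -band 0x30) -ne 0) {
                $sidType = switch ($p.ServiceSidType) { 1 { 'unrestricted' } 3 { 'restricted' } default { 'none' } }
                [pscustomobject]@{
                    Name       = $_.PSChildName
                    Account    = $p.ObjectName
                    SidType    = $sidType
                    Privileges = ($p.RequiredPrivileges -join ', ')
                }
            }
        }
}

$svc = 'ContosoAgent'

# Slide 15: declare only the privileges the service needs; the SCM strips every
# other privilege from the process token at start and never adds any.
sc.exe privs $svc SeChangeNotifyPrivilege/SeCreateGlobalPrivilege
sc.exe qprivs $svc

# Slide 16: have the SCM add the per-service SID to the token, then grant the
# service's data directory to that SID instead of to the shared service account.
sc.exe sidtype $svc unrestricted
sc.exe qsidtype $svc
$sid  = New-Object System.Security.Principal.SecurityIdentifier (Get-ServiceSid $svc)
$dir  = 'C:\ProgramData\ContosoAgent'
$acl  = Get-Acl -Path $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl
sc.exe showsid $svc        # the SCM's own value; must equal (Get-ServiceSid $svc)

# Slide 17: write-restricted token. Only for a service in its own process, or
# where every service sharing the process is restricted as well.
sc.exe sidtype $svc restricted

# Audit: LocalSystem services with no service SID and no privilege list gain
# nothing from the hardening model and are the first candidates to review.
Get-ServiceHardeningInfo |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.SidType -eq 'none' -and -not $_.Privileges } |
    Sort-Object Name | Format-Table -AutoSize
```

The ACL step is the point of the service SID: the directory is writable by this service alone even when it shares LocalService with a dozen others. The `sc.exe showsid` line is a useful sanity check for the derivation, since a mismatch would mean the ACL grants nobody.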
    18. Service Management
       • Service state changes
         • Clients used a QueryServiceStatus polling loop to discover state changes
         • Many bugs found in such loops
         • Performance hit due to lots of threads looping at boot
       • New notification API: NotifyServiceStatusChange
         • Notification of service state changes and create/delete
         • Works both locally and remotely
         • Callback based
         • Uses a cross-process APC mechanism locally
         • Uses async RPC remotely
    19. Service Management
       • SCM supported automatic recovery on service crashes
         • Enabled by specifying the FailureAction settings for a service
         • Recovery usually invoked only on a service process crash
       • Support for recovery on non-crash failures – new in Windows Vista
         • A service can fail in other ways than crashing
           • Leaks, system load, etc.
         • Enabled by specifying the FailureActionOnNonCrashFailures flag in addition to the FailureAction settings
         • Invoked on service stop with dwWin32ExitCode != ERROR_SUCCESS
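Delayed start (slide 12) and recovery on non-crash failures (slide 19) are both ChangeServiceConfig2 settings, and sc.exe exposes each of them. The following is an added example, not the presenters' code: it sets both on a placeholder service named ContosoAgent and reads the result back from the service's registry key, where the SCM stores them as the DelayedAutostart, FailureActions and FailureActionsOnNonCrashFailures values.

```powershell
# Added example (not the presenters' code): sc.exe equivalents of the settings on
# slides 12 and 19, plus a registry read-back. 'ContosoAgent' is a placeholder.
# Run from an elevated Windows PowerShell session.
$svc = 'ContosoAgent'

# Slide 12: unattended start, but after the boot-critical auto-start services.
sc.exe config $svc start= delayed-auto

# Slide 19: restart 60 s after each of the first three failures; reset the
# failure counter after a day (86400 s) without failures ...
sc.exe failure $svc reset= 86400 actions= restart/60000/restart/60000/restart/60000
# ... and the Vista flag that also runs those actions when the service stops
# on its own with dwWin32ExitCode != ERROR_SUCCESS (leak, overload, ...).
sc.exe failureflag $svc 1

function Get-ServiceStartAndRecovery {
    param([Parameter(Mandatory)][string]$Name)
    $p = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $start = switch ($p.Start) { 2 { 'auto' } 3 { 'demand' } 4 { 'disabled' } default { $p.Start } }
    [pscustomobject]@{
        Name              = $Name
        Start             = $start
        DelayedAutoStart  = [bool]$p.DelayedAutostart
        RecoverOnNonCrash = [bool]$p.FailureActionsOnNonCrashFailures
        HasFailureActions = $null -ne $p.FailureActions   # REG_BINARY SERVICE_FAILURE_ACTIONS blob
    }
}

Get-ServiceStartAndRecovery -Name $svc
sc.exe qfailure $svc        # decoded view of the same FailureActions blob
sc.exe qfailureflag $svc
```

The non-crash flag only helps if the service actually reports a non-zero dwWin32ExitCode when it gives up; a service that stops with ERROR_SUCCESS after an internal failure looks healthy to the SCM and is never restarted.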
    20. Windows Registry
       • Architecture overview
       • Changes in Windows Vista
         • Transactional registry
         • Registry virtualization
         • Enhanced registry filtering
    21. Windows Registry
       • Most widely used configuration store
         • One of the first OS subsystems to be started
         • Used by the kernel, drivers, apps and anything else that needs to store or share state information
       • Simple programming model
         • Hierarchical layout to provide structured access to data
         • Abstracts the complex data management schemes
         • Reg* APIs in user mode, Zw APIs in kernel mode
       • Data is stored in registry hives
         • Implemented as files
         • Logically, the registry is a “FS in a file”
    22. Architecture Overview
       [Diagram] User mode: the Win32 registry APIs in ADVAPI32.DLL, and svchost.exe hosting regsvc.dll, call down through the NT APIs. Kernel: CM (the registry) sits on NTFS together with CC (Cache Manager) and MM (Memory Manager). On disk, each hive has a PRIMARY file (accessed through CC PRIVATE_WRITE streams) and a .LOG file (written with NO_INTERMEDIATE_BUFFERING); volatile keys live only in memory.
    23. Windows Vista – Transactional Registry
       • Needed for “all or none” semantics when changing a group of settings
       • Adds ACID semantics to a group of registry operations
       • Integrates with TxF and any other resource manager that participates in KTM transactions
         • A transaction can span FS and registry operations
       • Provides an easier way for apps to clean up on the error path
       More information on transactional technologies in Vista: FUN320
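The "all or none" semantics above can be seen without writing C: the Windows PowerShell registry provider exposes the same KTM transactions through Start-Transaction and the -UseTransaction parameter. The following added example (not the presenters' code; available in Windows PowerShell 2.0 to 5.1, removed in PowerShell 6 and later) writes a two-value configuration under a placeholder key, HKCU:\Software\ContosoApp, and shows that an error between the two writes leaves no key behind.

```powershell
# Added example (not the presenters' code): a KTM-backed registry transaction via
# the Windows PowerShell registry provider. The key name is a placeholder.
function Set-ContosoConfigAtomically {
    param(
        [string]$Key      = 'HKCU:\Software\ContosoApp',
        [string]$Endpoint = 'https://config.example.invalid',
        [int]$Version     = 2,
        [switch]$FailMidway   # simulate the error path between the two writes
    )
    Start-Transaction
    try {
        New-Item         -Path $Key -Force -UseTransaction | Out-Null
        New-ItemProperty -Path $Key -Name 'Endpoint' -Value $Endpoint -PropertyType String -Force -UseTransaction | Out-Null
        if ($FailMidway) { throw 'simulated failure after the first value was written' }
        New-ItemProperty -Path $Key -Name 'Version'  -Value $Version  -PropertyType DWord  -Force -UseTransaction | Out-Null
        # Readers outside the transaction see nothing until this commit.
        Complete-Transaction
        return 'committed'
    } catch {
        # All or none: the key and the Endpoint value are discarded together,
        # so the caller has no partial state to clean up.
        Undo-Transaction
        return "rolled back: $($_.Exception.Message)"
    }
}

Set-ContosoConfigAtomically -FailMidway       # rolled back: ...
Test-Path -Path 'HKCU:\Software\ContosoApp'   # False: no half-written key
Set-ContosoConfigAtomically                   # committed
Get-ItemProperty -Path 'HKCU:\Software\ContosoApp' | Select-Object Endpoint, Version
```

Compare this with the non-transacted version of the same function, where a failure after the first New-ItemProperty leaves a key with an Endpoint but no Version, and every reader has to cope with that state.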
    24. Windows Vista – Registry Virtualization
       • Enables legacy applications to run as non-admin
         • Applications that want to write to keys that require admin privileges
       • Redirects globally impactful registry writes to a per-user virtual key
         • Only keys under HKLM\Software are virtualized
         • Redirection is transparent to callers
         • Applications use the user’s virtual key while running
       • Is not platform support for sandboxing
         • Should be treated as an assistance technology
    25. Virtualization – How It Works
       [Diagram] A write of value V3 to HKLM\Software\Key1 (values V1, V2, V3) via RegSetValueEx(…) fails with ACCESS_DENIED, so the write is redirected to HKU\{SID}_Classes\VirtualStore\Machine\Software\Key1, where V3 is stored. Opening the key for WRITE_ACCESS returns MAX_ALLOWED instead of failing.
    26. What Is Not Virtualized?
       • Application is identified as an “admin application”
       • Key is not changeable by admins
         • Key is Windows Resource Protected
       • Caller is kernel mode
       • Caller is using impersonation
       • Any 64-bit application
       • Keys marked as ‘Do Not Virtualize’
         • HKLM\Software\Classes
    27. Virtualization Configuration
       • Globally controlled by the caller’s token
       • Can be turned on/off on individual keys in the Software hive
       • New FLAGS option in reg.exe for key-level virtualization control
         • Allows recursive enable/disable of virtualization
         • Allows control of the “open access right policy”
       • Changing ACLs on specific keys
    28. Virtualization Gotchas
       • Using the registry for IPC
         • Service and user apps will have different views of the key
       • Impersonating callers
         • Will not be virtualized
       • Audit for possible elevation paths
         • Virtualization is at the value level
         • Default for the Software hive is recursive virtualization enabled
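The configuration slide (27) and the gotchas slide (28) go together in practice: opt your own keys out of virtualization, then look at what has already been silently redirected. The following is an added example, not the presenters' code, using the reg.exe FLAGS option and the per-user VirtualStore. HKLM\Software\ContosoApp is a placeholder key; reg.exe FLAGS needs an elevated prompt and only accepts keys under HKLM\Software.

```powershell
# Added example (not the presenters' code): key-level virtualization control and a
# VirtualStore audit. 'ContosoApp' is a placeholder; run elevated.
$key = 'HKLM\Software\ContosoApp'

reg.exe flags $key QUERY            # current virtualization flags on the key

# Opt this key and its subkeys out: a standard-user write now fails with
# ACCESS_DENIED, where the application can report it, instead of landing in
# the VirtualStore. DONT_SILENT_FAIL also disables the open-for-WRITE to
# MAXIMUM_ALLOWED fallback (the "open access right policy" on slide 27).
reg.exe flags $key SET DONT_VIRTUALIZE DONT_SILENT_FAIL RECURSE_FLAG

# Every value under the VirtualStore is an HKLM\Software write that an
# application made as a standard user and that a service reading the real
# key never sees: the registry-as-IPC gotcha. It is also where to look for
# values a privileged component might later pick up from the wrong view.
function Get-VirtualStoreWrites {
    $store = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path -Path $store)) { return }
    Get-ChildItem -Path $store -Recurse | ForEach-Object {
        $k = $_
        foreach ($v in $k.GetValueNames()) {
            [pscustomobject]@{
                VirtualKey = $k.Name
                RealKey    = $k.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKLM\'
                Value      = $v
                Data       = $k.GetValue($v)
            }
        }
    }
}

Get-VirtualStoreWrites | Format-Table -AutoSize
```

Because virtualization is at the value level, the RealKey column is worth checking one value at a time: a key can hold values that exist only in the real HKLM view alongside values that exist only in this user's VirtualStore copy.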
    29. Registry Filtering
       • Certain classes of applications need to filter registry calls
         • Anti-virus, management apps, etc.
       • Kernel-mode callback model to allow filtering of registry operations
         • Allows monitoring and blocking of registry operations
         • Multiple drivers can register callbacks
       • Limitations
         • No support to modify parameters or redirect calls
         • No concept of altitudes
    30. Windows Vista Enhanced Registry Filtering
       • Introduces a layered model with altitudes for callback registration
         • Consistent with the file system mini-filter model
         • Altitudes have to be registered with Microsoft
       • Ability to modify parameters and redirect calls
         • Supports three modes of operation – Monitor, Block and Modify
       • Compatible with existing registry callbacks
         • Legacy callbacks will be registered at a default altitude
         • First-come-first-served registration semantics retained for these legacy callbacks
    31. What Is WoW64?
       • 32-bit Windows emulation layer on 64-bit Windows
       • Binary compatibility with 32-bit Windows applications
       • 32-bit code executes as if it were running on a native x86 processor
    32. WoW64 Architecture
       [Diagram] User mode, top to bottom: 32-bit modules (32-bit kernel32.dll, 32-bit user32.dll), 32-bit ntdll.dll, the WoW64 layer (WoW64.dll, WoW64win.dll, WoW64cpu.dll), 64-bit ntdll.dll. Kernel mode: Win32k.sys and the NT Executive. Address space above 0x00000000`7FFEFFFF (or 0x00000000`FFFEFFFF) is reserved.
    33. WoW64 Architecture
       • Address space is limited to 2GB (or 4GB if the application is marked Large-Address-Aware in the header)
       • WoW64 processes can NOT load 64-bit DLLs except for the core ones!
         • Likewise, native 64-bit processes can NOT load 32-bit DLLs
         • LoadLibrary() will fail
         • No 16-bit support on 64-bit Windows
       • 32-bit kernel drivers won’t run on 64-bit Windows
         • Need to be ported and to support WoW64
       • Target 64-bit platform may not support specific features
         • GetNativeSystemInfo() retrieves information about the native system
    34. WoW64 Registry
       • Two views of the registry exist on 64-bit Windows
         • Native and WoW64
         • A native 64-bit Windows application sees the native registry view
         • A WoW64 application sees the WoW64 view
       • Why different WoW64 registry views?
         • Compatibility
           • Separates 32-bit application state from 64-bit state
             • Unsupported features stored in the registry
           • Provides a safe execution environment for both 32-bit and 64-bit applications
             • e.g. a registry value holding a DLL path
    35. Registry Redirection
       • Certain parts of the system registry are separated
         • HKEY_LOCAL_MACHINE\Software
         • HKEY_CLASSES_ROOT
       • When a WoW64 process opens/creates a key
         • WoW64 redirects the path of the key if it is under one of the above by inserting ‘WoW6432Node’ into the path
       • Transparent for Win32 applications
       • RegConnectRegistry selects the server view based on the caller’s bitness
         • Only on new clients (Windows XP 64 and beyond)
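Because the redirection is transparent, a 32-bit inventory or audit script that reads HKLM\Software sees only the WoW64 view and misses everything registered by 64-bit applications. The following is an added example, not the presenters' code: it opens both views explicitly through the .NET RegistryView API (available since .NET Framework 4) so the result no longer depends on the bitness of the process running it, and shows the reg.exe /reg:32 and /reg:64 switches that do the same from the command line. HKLM\Software\ContosoApp is a placeholder key.

```powershell
# Added example (not the presenters' code): read the native and WoW64 views of the
# same key from one process, whatever that process's bitness.
function Get-InstalledSoftwareBothViews {
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($viewName in 'Registry64', 'Registry32') {
        $view = [Microsoft.Win32.RegistryView]$viewName
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $base.OpenSubKey($sub)
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetSubKeyNames()) {
            $e = $key.OpenSubKey($name)
            $display = $e.GetValue('DisplayName')
            if ($display) {
                # 'Registry32' entries live under HKLM\SOFTWARE\WOW6432Node\... on disk;
                # on a 32-bit OS both views are the same key and entries appear twice.
                [pscustomobject]@{
                    View    = $viewName
                    Name    = $display
                    Version = $e.GetValue('DisplayVersion')
                    Key     = $name
                }
            }
        }
    }
}

# Where this process sits, which decides the view its own un-redirected calls get:
[Environment]::Is64BitProcess            # False inside a WoW64 (32-bit) PowerShell
[Environment]::Is64BitOperatingSystem

# The same two views from the command line, independent of the caller's bitness:
reg.exe query 'HKLM\Software\ContosoApp' /reg:32    # the WoW6432Node copy
reg.exe query 'HKLM\Software\ContosoApp' /reg:64    # the native copy

Get-InstalledSoftwareBothViews | Sort-Object Name | Format-Table -AutoSize
```

The same split applies to anything security-relevant that is stored per view, for example the 32-bit and 64-bit copies of an application's update-server or plugin-path value: a check that only reads one view can report a clean machine while the other copy has been changed.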
    36. Registry Reflection
       • Enables 64-bit and 32-bit application interop through COM
       • Mirrors certain registry keys and values between the 32-bit and 64-bit registry views
       • Ownership-based reflection
         • Helps intelligent reflection of COM servers
       • Rules for HKEY_CLASSES_ROOT\CLSID reflection
         • InProcServer32 and InProcHandler32 are not reflected
         • LocalServer32 is reflected
         • Delete reflected keys only if written by the WoW64 reflector
    37. 32/64 Interop Issues
       • Pointer data type storage is 64-bit (8 bytes) on 64-bit Windows systems, while it is 32-bit (4 bytes) on 32-bit Windows systems
         • Alignment is different as well
       • Client/server applications communicating using shared memory
         • Client is 32-bit running on 64-bit Windows and server is 64-bit, or vice versa
         • Shared structures are pointer-dependent
       • Two solutions
         • 32-bit client writes compatible 64-bit structures
           • 64-bit server doesn’t need to be WoW64 aware
         • 64-bit server reads both 32-bit and 64-bit structures
           • 64-bit server is WoW64 aware
           • 32-bit client may need to change if the source of the request is not known to the 64-bit server
    38. 32/64 Interop Issues
       • Don’t pass addresses above 2GB (or 4GB) to a WoW64 application
       • How to convert data types?

       32-bit Windows-compiled data type | 64-bit Windows-compiled data type representing the 32-bit data type | How to convert?
       HANDLE                            | LONG                                                                | LongToHandle(handle_value32) – process and thread handles are sign-extended
       PVOID                             | ULONG                                                               | UlongToPtr(pvoid_value32) – addresses should never be sign-extended
       ULONG                             | ULONG                                                               | No conversion is needed
       HWND                              | LONG                                                                | (HWND)LongToHandle(hwnd32) – window handles are sign-extended
    39. Community Resources
       • At PDC
         • For more information, go see
           • FUN Track lounge
           • Labs: FUNHOL19; FUNHOL13
           • Related sessions
             • FUN320 – Transactional NTFS and Registry
             • FUN210; FUN406 – Security and UAP
             • PNL07 – Future Directions for Windows Internals
    40. Community Resources
       • After PDC
         • Kernel Changes in Windows Vista – http:// =52437
         • UMDF – whdc/driver/wdf/default.mspx
         • Registry filter driver registration –
         • WoW64 –
    41. Questions?
    42. © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.