Windows Vista and Longhorn Server:

1
Windows Vista and Longhorn Server Under the
Hood of the Operating System Internals
Idan Plotnik, CTO Microsoft Security Regional
Director of ISA Server
2
Agenda

• Introduction
• Processes Threads
• I/O and File System
• Memory Management
• Startup and Shutdown
• Security

3
Scope of Talk

• This talk covers enhancements to the Windows
  Vista kernel and related core components
• Windows Server Longhorn will be a superset of
  Windows Vista
• These changes will be merged back into Windows
  Vista kernel with SP1
• Therefore, all Windows Vista kernel changes
  described in this talk apply to Windows Server
  Longhorn

4
Quiz! Why Windows Vista / Longhorn is unaffected
by the VML Bug

• MS07-004 does not affect Windows Vista, even
  though the coding bug is there. Why?
• The bug is an integer overflow calling C
  operatornew
• The affected component vgx.dll is compiled with
  the C compiler available in Visual Studio 2005.
  
• All of Windows Vista is compiled with this
  compiler.

5
Processes Threads
6
Time Accounting

• Before, Windows accounted for CPU time based on
  the interval clock timer
• 10-15ms resolution (programming/hardware)
• Thread quantum expiration was not always fair
• A thread might get almost no turn or up to three
  turns
• Threads also were charged for interrupts that
  occurred while they were running

T1 T2 come out of wait T1 begins
Idle
T1
T2
Time slice interval
7
Cycle Time Counter

• Windows Vista reads Time Stamp Counter (TSC) at
  context switch
• Actual CPU cycles consumed charged to thread
• Interrupt time not charged
• Allows for more accurate quantum accounting
• Thread gets at least 1 turn and can get at most a
  turn 1 tick
• Also provides accurate time accounting for thread
  execution

Idle
T1
T1
T2
Time slice interval
8
I/O and File System
9
Symbolic File Links

• Before, NTFS supported only symbolic directory
  links (called junctions)
• In Windows Vista, NTFS supports symbolic file
  links
• Like UNIX soft links (ln s) for files
• Built using NTFS reparse points (like junctions)
• Create them with new CreateSymbolicLink API or
  Mklink.exe command
• Requires Create Symbolic Links privilege (by
  default only assigned to Administrators)
• Mklink can also create hard links
• Symbolic links are processed on the client and so
  can span volumes and even machines

10
I/O Cancellation Support

• Before, opens could not be cancelled
• Example you browse to an off-line network share
  in a File Save dialog and hang for the duration
  of the network timeout
• In Windows Vista, opens and other synchronous I/O
  can be cancelled
• CancelSynchronousIo cancels a pending synchronous
  I/O issued by another thread
• CancelIoEx permits canceling all or individual
  I/Os from any thread (CancelIo could only cancel
  all I/Os issued by the calling thread)
• Windows Vista common control file open/save
  dialogs all implement cancellation
• Threads processing I/O can now be notified of
  process termination

11
I/O Prioritization

• Background I/O (e.g. AV scans, disk
  defragmenting) interferes with foreground
  interactive tasks (e.g. reading email)
• Before, only way to prioritize work was based on
  thread CPU priority
• Windows Vista introduces two types of I/O
  prioritization
• I/O priority
• I/O bandwidth reservation

12
I/O Priorities

• I/O priority is based on the priority of the
  issuing thread or the explicitly set I/O priority
• Five levels Critical, High, Normal, Low, Very
  Low (DF, IndexS)
• High not implemented
• Critical only for use by memory manager
• Stored in Flags field of I/O Request Packet (IRP)
• At least one Low or Very Low I/O is processed
  every second
• Processes and threads can lower their I/O
  priority with SetPriorityClass, SetThreadPriority
• Background mode
• Used by Windows Vista background tasks like
  indexing and Windows Defender scans (prefatch)

13
Memory Management
14
SuperFetch

• Before
• Memory was not proactively populated (no mem
  priority)
• Memory often did not contain optimal content (no
  scenario aware)
• Windows XP improved population with the logical
  prefetcher, but only prefetched a single process
  at process startup

15
SuperFetch

• In Windows Vista, SuperFetch prefetches across a
  set of applications
• Takes into account frequency of page usage, usage
  of page in context of other pages in memory
• Adapts to memory usage patterns, including
  complex usage scenarios (e.g. the after lunch
  usage)
• Scenarios SuperFetch improves include
• Application launch (outlook.exe)
• Resume from hibernate and suspend
• Performance after infrequent or low priority
  tasks execute
• 8 priorities

16
Startup and Shutdown
17
Startup Processes on XP

• Session Manager (SMSS) created Winlogon and Csrss
  for each session
• Session creation was done serially
• Was bottleneck for Terminal Services
• Winlogon, the interactive logon manager, created
• Local Security Authority (Lsass.exe)
• Service Control Manager (Services.exe)

18
Startup Processes on Vista

• In Windows Vista
• Initial Smss.exe creates an instance of itself to
  initialize each session
• Permits parallel session creation
• Minimum parallel session startups is 4
• Maximum is number of processors
• Session 0 Smss runs Wininit.exe (new)
• Wininit starts what Winlogon used to start
  Services, Lsass
• Also starts a new process, Local Session Manager
  (Lsm.exe)
• Session 1-n Smsss create initialize interactive
  sessions
• Session-specific instance of Csrss.exe and
  Winlogon.exe

19
Session 0 Isolation

• Before, the console user ran in session 0
• Names created by console user could collide with
  service and system object names
• Services that presented windows on the console
  could open the door for privilege elevation
  (shatter attacks)

Session 1
Application D
ApplicationE
ApplicationF
20
Session 0 Isolation

• In Windows Vista, the console user starts in
  session 1 and cannot connect to session 0
• Eliminates name collisions
• Poorly written services cant display windows to
  the user

Session 1
Session 2
ApplicationA
ApplicationD
ApplicationB
ApplicationE
ApplicationC
ApplicationF
21
Interactive Logon Architecture

• Credential Providers replace GINAs
• Plug into Logonui.exe
• Easier to write than GINAs
• Multiple concurrent providers are supported (gina
  issue)
• User selected or event driven
• Used to capture elevation credentials
• Inbox Credential providers (standard)
• Password
• Smartcard

WinLogon
LogonUI
Credential Provider 1
Credential Provider 2
Credential Provider 3
22
Delayed Auto Start Services

• Before, autostart services could severely impact
  login performance
• In Windows Vista, services can request delayed
  autostart
• Set by new ChangeServiceConfig2 API
• Stores new DelayedAutoStart value in service
  Registry key
• Service Control Manager (SCM) starts these
  services after the automatic start services
• I/O priority set to Very Low during startup
• Services configured this way include BITS,
  Windows Update client, Ehome
• sc qc bits

23
Clean Service Shutdown

• Before, services had no way to extend the time
  allowed for shutdown
• After a fixed timeout (default 20 seconds), SCM
  was killed and system halted (while services were
  running)
• This was a problem for services that needed to
  flush data
• In Windows Vista, services can request
  preshutdown notification and take as long as they
  want to shut down
• If the service stops responding the system gives
  up on it after 3 minutes
• After pre-shutdown services stop, the system
  performs Windows XP-style shutdown for other
  services

24
Service Shutdown Ordering

• Before, there was no way for services to specify
  the order in which they receive shutdown
  notification
• Some services have shutdown dependencies
• Had to implement ad-hoc solutions
• In Windows Vista, services can specify shutdown
  order
• Must request pre-shutdown notification
• Must include their name in HKLM\System\CurrentCont
  rolSet\Control\PreShutdownOrder

25
Security
26
Vista service changesServices common to both
platforms
27
Code Integrity Verification

• The OS loader and kernel performs code signature
  checks
• On 64-bit x64 platforms
• All kernel mode code must be signed in order to
  load
• Identity of all kernel mode binaries is verified
• System audit events for integrity check failures
• On 32-bit platforms
• Load-time checks done on all kernel mode
  binaries, unsigned code allowed to load
• But to play protected hi-def content, all loaded
  kernel mode drivers must be signed
• Event log logging of driver loads

28
Address Space Load Randomization (ASLR)
XP1
XP2

• Prior to Windows Vista
• Executables and DLLs load at fixed locations
• Buffer overflows commonly relied on known system
  function addresses to cause specific code to
  execute
• The Windows Vista loader bases modules at one of
  256 random points in the address space
• OS images now include relocation information
• Relocation performed once per image and shared
  across processes
• User stack locations are also randomized

Exe
Exe
User32
User32
Kernel32
Kernel32
NTDLL
NTDLL
Vista1
Vista2
Exe
Exe
User32
User32
Kernel32
Kernel32
NTDLL
NTDLL
29
Windows XP
30
Vista
31
Service Security Improvements

• Before, service bugs allowed for privilege
  elevation attacks
• In Windows Vista, services apply principle of
  least-privilege to limit system exposure in case
  of compromise
• Service-specific SIDs permit a services access
  to objects to be limited
• Only required objects give SID access
• Firewall policy can be applied to service SID
  (and many Windows Vista services have this
  specified)
• Write-restricted service processes further limit
  write access
• Can only modify objects allowing WRITE for
  service SIDs

32
Service Security Improvements

• Service can specify which privileges (e.g.
  shutdown, audit, etc.) they require
• Limits power of service processes
• Specified in MULTI_SZ registry value under
  service key called RequiredPrivileges
• On service start, SCM computes union of all
  required privileges for service(s) inside service
  process
• If process token does not contain one, service
  start fails
• Privileges not explicitly specified are removed
  from token
• If no required privileges specified, assumes all
  privileges in process token are needed
• sc qprivs bits

33
Process Integrity Levels

• Specified as new Mandatory Integrity Level (IL)
  SIDs in process token
• Low Protected-mode IE
• Medium UAC (LUA) processes
• High Elevated processes
• System System processes
• Accesschk e s