Microsoft 'Drawbridge' project seeks ways to streamline and better secure Windows

Summary: Microsoft researchers have built a "library" operating system (OS) codenamed Drawbridge, and have demonstrated working prototypes of Windows 7, Windows 8 and various Microsoft applications running on it.

At Microsoft, what comes after the "Singularity" microkernel? The answer may be "Drawbridge," a cousin of the exokernel concept.

Galen Hunt, one of the driving forces behind the Microsoft Research (MSR) Singularity project, is leading the Drawbridge charge. Charon of the Ma-Config.com site has unearthed the first public details about Drawbridge. After reading a translation of Charon's Drawbridge post (from the original French) and asking Charon for clarification on a few points, here's my best attempt to explain MSR's latest operating-system effort:

The Drawbridge library OS approach is akin to the concept of an exokernel -- a design construct that's been around since at least 1994 but that hasn't yet been used by any major commercial operating systems.

What are exokernels? From an OSDev.org Wiki entry:

"Exokernels are an attempt to separate security from abstraction, making non-overrideable parts of the operating system do next to nothing but securely multiplex the hardware. The goal is to avoid forcing any particular abstraction upon applications, instead allowing them to use or implement whatever abstractions are best suited to their task without having to layer them on top of other abstractions which may impose limits or unnecessary overhead. This is done by moving abstractions into untrusted user-space libraries called 'library operating systems' (libOSes), which are linked to applications and call the operating system on their behalf."

Hunt and a handful of other researchers have documented their Drawbridge work in a white paper published by ACM, which they presented recently at the Architectural Support for Programming Languages and Operating Systems (ASPLOS) conference in early March. That white paper, "Rethinking the library OS from the top down," details Microsoft's approach to the library OS construct.

"The idea of the library OS is that the personality of the OS on which an application depends runs in the address space of the application. A small, fixed set of abstractions connects the library OS to the host OS kernel, offering the promise of better system security and more rapid independent evolution of OS components," according to an introduction to the paper.

The Drawbridge paper "describes the first working prototype of a full commercial OS redesigned as a library OS capable of running significant applications," the abstract says. "Our experience shows that the long-promised benefits of the library OS approach -- better protection of system integrity and rapid system evolution -- are readily obtainable."

Charon reproduced an architectural diagram of Drawbridge:

There are three isolated Drawbridge layers that can evolve independently: The host OS, the library OS and the interface.
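The three-layer split described above (host OS, fixed interface, library OS in the application's address space) can be sketched in code. The following Python is an added illustration written for this article, not Drawbridge's code or anything from Microsoft: the host ABI names (stream_open, stream_read, stream_write, vm_alloc), the hypothetical host internal raw_disk_write, and the Win32-flavoured "personality" calls are all my own inventions, and the host is modelled with in-memory streams. The point it makes is the one in the exokernel definition quoted earlier: the host only multiplexes resources securely, while every richer abstraction lives in an untrusted per-process library.

```python
"""Toy model of a library-OS split: a host kernel with a small fixed ABI, a
security monitor as the only path across that boundary, and a 'personality'
library linked into each application process.  Constructed illustration;
all names are hypothetical and not taken from Drawbridge."""
import inspect

# The fixed, narrow contract between a process and the host.  Everything an
# application can do to the machine must be expressed in these calls.
HOST_ABI = frozenset({"stream_open", "stream_read", "stream_write", "vm_alloc"})


class HostKernel:
    """Securely multiplexes resources.  It knows nothing about files, paths,
    registry keys or windows: those abstractions belong to the library OS."""

    def __init__(self):
        self._streams = {}        # handle -> bytearray (in-memory stand-in for storage)
        self._next_handle = 1

    def stream_open(self, name: str) -> int:
        handle = self._next_handle
        self._next_handle += 1
        self._streams[handle] = bytearray()
        return handle

    def stream_write(self, handle: int, data: bytes) -> int:
        self._streams[handle] += data
        return len(data)

    def stream_read(self, handle: int) -> bytes:
        return bytes(self._streams[handle])

    def vm_alloc(self, size: int) -> bytearray:
        return bytearray(size)

    def raw_disk_write(self, sector: int, data: bytes) -> None:
        """Hypothetical host internal: deliberately NOT part of the ABI."""
        raise RuntimeError("host internals reached")


class SecurityMonitor:
    """The interface layer.  Because it is the only route to the host, the
    host's exposed surface is exactly the ABI, and handles are checked so a
    process can only touch streams it opened itself."""

    def __init__(self, host: HostKernel):
        self._host = host
        self._owned = set()       # stream handles this process legitimately holds
        self.trace = []           # every boundary crossing, for auditing

    def call(self, name: str, *args):
        if name not in HOST_ABI:
            raise PermissionError(f"{name!r} is not in the host ABI")
        if name in ("stream_read", "stream_write") and args[0] not in self._owned:
            raise PermissionError(f"handle {args[0]} does not belong to this process")
        self.trace.append(name)
        result = getattr(self._host, name)(*args)
        if name == "stream_open":
            self._owned.add(result)
        return result


class LibraryOS:
    """Windows-flavoured personality built only from ABI calls.  Its state
    (the open-file table) lives inside the application process, so a bug
    here damages one process, not a shared server or the host."""

    def __init__(self, monitor: SecurityMonitor):
        self._mon = monitor
        self._files = {}          # path -> host stream handle

    def CreateFile(self, path: str) -> str:
        if path not in self._files:
            self._files[path] = self._mon.call("stream_open", path)
        return path

    def WriteFile(self, path: str, data: bytes) -> int:
        return self._mon.call("stream_write", self._files[path], data)

    def ReadFile(self, path: str) -> bytes:
        return self._mon.call("stream_read", self._files[path])

    def GetFileSize(self, path: str) -> int:
        return len(self.ReadFile(path))

    def DeleteFile(self, path: str) -> bool:
        return self._files.pop(path, None) is not None

    def GetVersion(self) -> str:  # personality-level API that never touches the host
        return "toy-personality-1.0"


def run_app(app, host: HostKernel):
    """Start a 'process': fresh monitor and fresh library OS, then run the app.
    Returns (result, list of ABI calls that crossed to the host)."""
    mon = SecurityMonitor(host)
    libos = LibraryOS(mon)
    try:
        return app(libos, mon), mon.trace
    except PermissionError as exc:
        return f"blocked: {exc}", mon.trace


def well_behaved(libos, mon):
    f = libos.CreateFile(r"C:\Users\alice\hello.txt")
    libos.WriteFile(f, b"hello, ")
    libos.WriteFile(f, b"world")
    return libos.ReadFile(f)


def rogue(libos, mon):
    # Bypasses the personality and asks for a host internal that is not in the ABI.
    return mon.call("raw_disk_write", 0, b"\x00" * 512)


def snoop(libos, mon):
    # Guesses another process's stream handle and asks the host for it directly.
    return mon.call("stream_read", 1)


def surface_sizes():
    """Trusted host surface (ABI entry points) versus the untrusted, in-process
    personality surface: the latter can grow without widening the former."""
    personality = [n for n, _ in inspect.getmembers(LibraryOS, inspect.isfunction)
                   if not n.startswith("_")]
    return len(HOST_ABI), len(personality)


if __name__ == "__main__":
    host = HostKernel()
    print(run_app(well_behaved, host))
    print(run_app(rogue, host))
    print(run_app(snoop, host))
    print(surface_sizes())
```

Running the script shows the well-behaved app completing with four ABI crossings, the two misbehaving apps stopped at the monitor before any host code runs, and the personality offering more calls than the host exposes. That last ratio is the whole argument of the article's "14,000 Win32 APIs" figure: the personality can be large because none of it is trusted by the host.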

The Drawbridge approach is different from MinWin, Microsoft's effort to untangle and reduce the dependencies in Windows, as Drawbridge focuses on not just the core, but also the higher levels of the OS, as well as applications, Charon said in his post on Drawbridge. It's also different from simply running an OS inside of a virtual machine, as there's less overhead.

Drawbridge has been tested on Windows 7, Windows Server 2008 R2, Windows 7 MinWin, a pre-release version of Windows 8 and a Hyper-V virtual machine, according to Charon's post. These prototypes are running "the latest releases of major applications, such as Microsoft Excel, PowerPoint and Internet Explorer," according to the Drawbridge researchers.

As Charon cautions, no one should expect Windows 8 -- or any future Windows version, for that matter -- to take the form of a library OS. The Microsoft Singularity project didn't change the way Windows was developed or what it looks like. There are no guarantees that this new research effort will affect Windows' design any time soon. As Charon notes, Drawbridge currently supports only 14,000 Win32 APIs while Windows has more than 100,000 Win32 APIs.

However, the project does show that the Softies are continuing to look for ways to separate the user interface from the rest of the operating system, and to be able to make changes to the OS core that wouldn't negatively affect backward compatibility of applications. Microsoft researchers have continued to investigate ways to improve security by isolating the operating system from the browser with the ServiceOS research project (and one of the Microsoft Drawbridge researchers, Jon Howell, also worked on ServiceOS when it was known as "MashupOS").

Any OS experts out there have additional observations about Drawbridge and its possible significance?

About

Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Talkback

34 comments
  • WINE?

    This appears remarkably similar to WINE in that it allows a compartmentalized application with all its required libraries to function in user space at arm's length from the host OS. The major difference being that in this case the host OS is Windows rather than Linux as it is with WINE. This would allow, not only more flexibility in user space, but also more flexibility with the Windows kernel, allowing it to massively tighten up security and push security issues out into user space where they present a lesser threat to the OS in much the same way as Windows threats are today marginalized by WINE running under Linux. But, of course, in this situation, ALL apps could be potentially supported since MS has all the code, or at least access to all the code, to make this work.
    George Mitchell
    • Wine is closer to a 'hybrid kernel'

      @ George Mitchell

      Wine isn't actually a 'library OS'. It uses the 'wineserver' server process to implement a Windows 'personality' on top of the monolithic Linux kernel, with Windows system calls redirected to this server (and then often translated to Linux system calls). This is closer to the 'hybrid kernel' design of Windows than to an exokernel, except that the 'native' NT API of Windows was specifically designed for the purpose of hosting multiple OS 'personalities', whereas the Unix API that Linux implements wasn't.

      Looking at Windows, the implementation of its 'Unix Subsystem' is similar to Wine on Linux, with the 'psxss.exe' server process implementing the Unix personality -- with the main difference again being that the Unix subsystem on Windows is mostly implemented with the NT API rather than the Windows API. The Windows personality on (NT-based) Windows is actually partly implemented in a server process too, called 'csrss.exe'. However, a large part of the Windows personality was moved into a kernel mode module, 'win32k.sys', in Windows NT 4.0, so it's now partly implemented in kernel mode and partly in user mode.

      The idea of an exokernel or 'library OS' is to move more of the OS implementation into individual processes, as opposed to a shared server process (like 'wineserver' on Wine/Linux or 'csrss.exe' and 'psxss.exe' on Windows). Notice in the diagram that the 'NT Emulation' component (NT is the Windows kernel) runs inside each individual application process.
      WilErz
      • Fancy terms do not make this glamorous. They are talking about figuring out

        how to sandbox applications. These guys are pretty clueless. Not only that, it is YEARS off.
        DonnieBoy
      • RE: Microsoft 'Drawbridge' project seeks ways to streamline and better secure Windows

        @ DonnieBoy

        Do run along now and play somewhere else. The adults are trying to discuss things you don't understand.
        WilErz
      • We understand it very well. I think it is YOU that does not understand, as

        you are unable to offer any argument.
        DonnieBoy
      • RE: Microsoft 'Drawbridge' project seeks ways to streamline and better secure Windows

        @WilErz Thanks for the explanation. Your posts here are very helpful and refreshingly free of external agendas. But you have to be aware that sanity is not always appreciated around here where the motto all too often is "my os can whip your os's ass." But thanks for providing a *brief* breath of fresh air!
        George Mitchell
      • Thanks.

        @ George Mitchell

        Thanks, that's very kind of you to write. I've certainly got my biases, but I try to keep honesty ahead of them (as a scientist, it's something I have to think about all the time). I don't really mind the 'fanboyism' from posters who are obviously kids either, except when the posts are so numerous that they drown out serious discussion. I was a fanboy when I was 12 too, but the more you learn about operating systems (or most anything else), the harder it is to remain one.

        I really think converting Windows into a library OS could be one of the most important steps for Microsoft since the development of Windows NT. It's incredible that they can preserve running processes across reboots, and even migrate them across machines. The scalability improvements of making Win32 per-process look pretty compelling too. It would make update-related reboots both less frequent and far less annoying. Migrating processes from devices to 'the cloud' and back could also give cloud computing the impetus it needs to really take off.

        Looking to the future, the fact that different versions of Windows could effectively run concurrently on the same machine (each as a different set of libraries), without the overhead of virtual machines, would make backwards compatibility much easier to manage. A post-Win32 application model based on managed code, and running under something like Singularity/Midori, could even run alongside current Windows.
        WilErz
  • Security Model Worth Considering

    I think a good security model for computers is to have every program / executable be assigned an operational profile, and if an application deviates from its profile, measures are taken against it. Therefore if a program e.g. starts accessing memory it's not supposed to, or areas of the registry, or a computer's system settings (not specified in its profile), it could be preemptively shut down. Also agents within an OS should monitor the behavior of all executables (including the behavior of other agents - just in case they become compromised by malware themselves) and the OS should act if it sees activity that looks suspicious. Also if agents notice a program deviating from its operational profile, it should log the changes made by the program, and provide the user the option to undo the actions of the program.

    So the whole idea is to have agent programs monitor the behavior of all programs and apparent user activity on a computer. If agents see an executable acting the way it's not supposed to, or they see activity consistent with malware or hacking activity, they can freeze the executable, verify from the user he is not aware or behind it, then take corrective actions such as deleting the executable, and undoing the things it did.
    P. Douglas
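The profile-and-deviation scheme proposed in the comment above can be prototyped as detection logic over an event trace. The Python below is an added example for this page, not code from the article, the commenter or Microsoft: the Profile and Event fields, the event kinds, the glob-based policy format and the sample trace are all constructed for the demonstration. It covers the steps the comment lists: check each action against the program's profile, freeze on a deviation unless the user confirms it, keep a journal of the program's changes, and produce an undo plan the user can choose to apply.

```python
"""Per-program operational profiles with deviation detection and an undo
journal.  Constructed example: Profile/Event fields, event kinds and the
sample policy and trace are my own, not a real product's format."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Profile:
    """What one executable is allowed to touch (hypothetical policy format)."""
    exe: str
    paths: tuple = ()        # glob patterns of file paths it may read or write
    registry: tuple = ()     # glob patterns of registry keys it may write
    settings: bool = False   # may it change system settings at all?


@dataclass(frozen=True)
class Event:
    """One action observed by an agent.  'old' is the prior value captured
    before the change, so the action can be reversed later."""
    exe: str
    kind: str    # "file_read" | "file_write" | "reg_write" | "setting_change"
    target: str
    old: str = ""
    new: str = ""


MUTATING = {"file_write", "reg_write", "setting_change"}


def _matches(patterns, target):
    # Case-insensitive glob match: Windows paths and registry keys ignore case.
    return any(fnmatchcase(target.lower(), p.lower()) for p in patterns)


def within_profile(profile, ev):
    """True when the action is covered by the program's profile."""
    if ev.kind in ("file_read", "file_write"):
        return _matches(profile.paths, ev.target)
    if ev.kind == "reg_write":
        return _matches(profile.registry, ev.target)
    if ev.kind == "setting_change":
        return profile.settings
    return False  # an action kind the profile does not describe is a deviation


def monitor(events, profiles, ask_user=lambda ev: False):
    """Replay an event trace against the profiles.

    Returns a dict with:
      verdicts: exe -> "ok" | "frozen"
      undo:     exe -> list of (kind, target, value_to_restore), newest first,
                for every frozen program (offered to the user, not auto-applied)
      blocked:  number of actions a frozen program attempted afterwards
    A program with no profile is frozen on its first action."""
    by_exe = {p.exe: p for p in profiles}
    verdicts, journal, blocked = {}, {}, 0
    for ev in events:
        verdicts.setdefault(ev.exe, "ok")
        if verdicts[ev.exe] == "frozen":
            blocked += 1  # the process is suspended; its later actions never run
            continue
        if ev.kind in MUTATING:
            journal.setdefault(ev.exe, []).append(ev)  # log every change made
        prof = by_exe.get(ev.exe)
        if prof is None or not within_profile(prof, ev):
            # Deviation: freeze unless the user confirms the action was intended.
            if not ask_user(ev):
                verdicts[ev.exe] = "frozen"
    undo = {
        exe: [(e.kind, e.target, e.old) for e in reversed(journal.get(exe, []))]
        for exe, verdict in verdicts.items() if verdict == "frozen"
    }
    return {"verdicts": verdicts, "undo": undo, "blocked": blocked}


# Constructed sample policy and trace.
PROFILES = [
    Profile("notepad.exe", paths=(r"C:\Users\*\Documents\*",)),
    Profile("updater.exe", paths=(r"C:\Program Files\App\*",),
            registry=(r"HKLM\Software\App\*",)),
]
SAMPLE_EVENTS = [
    Event("notepad.exe", "file_read", r"C:\Users\alice\Documents\notes.txt"),
    Event("notepad.exe", "file_write", r"C:\Users\alice\Documents\notes.txt", "draft 1", "draft 2"),
    Event("updater.exe", "file_write", r"C:\Program Files\App\app.exe", "build 100", "build 101"),
    # Writing a Run key is outside updater.exe's profile: this is the deviation.
    Event("updater.exe", "reg_write",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\App", "", r"C:\Program Files\App\app.exe"),
    # Would have happened next, but the process is already frozen.
    Event("updater.exe", "setting_change", "Firewall", "on", "off"),
]

if __name__ == "__main__":
    print(monitor(SAMPLE_EVENTS, PROFILES))
```

With the sample trace, notepad.exe stays within its profile, updater.exe is frozen at the registry write, its one later action is counted as blocked, and the undo plan lists the registry key and the replaced executable in reverse order with their captured prior values. Passing an ask_user callback that returns True models the "verify with the user" step: the same trace then ends with updater.exe still running.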
  • Hear that guys? This junk called Windows has 100,000 Win32 APIs.

    This is an API that was introduced with Windows 3.1 when it was running on top of DOS. What a hairball security nightmare. And, according to the MS engineers, any fix is years off. And, hey, I don't make this stuff up. This is the village idiots from MICROSOFT.

    Meanwhile, Win32 is fading away . . . .
    DonnieBoy
    • RE: Microsoft 'Drawbridge' project seeks ways to streamline and better secure Windows

      @DonnieBoy - and yet you propose that Linux is a better solution: An OS that ripped off an OS that is now almost 40 years old and which, itself, has now "blossomed" with many thousands of APIs of different types - native Linux, Perl, Python, Ruby, PHP, Qt, ThisLib, ThatLib, WhateverLib.
      De-Void
      • Nice try switching the subject since you cannot defend this absurd

        research by a few brain dead MS engineers, using Win32. They are basically saying: "We like the idea of sandboxing, but, it could be years away before we are smart enough to do it".

        THESE GUYS ARE FREAKING STUUUUUPID.
        DonnieBoy
    • Stupid User

      @DonnieBoy Thank you for showing all of us that you know nothing about programming on any platform. Count of APIs in any software is the measure of how developer friendly the software is. Now go and keep *using* whatever software you use.
      1773
      • No, an API is perfect NOT when there is nothing else to add, but, when

        there is nothing left to take out. Even the authors, as stupid as they are, understood that and only implemented the necessary functions to start.

        But, even then, it is not just the count, but the age and clumsiness of the Win32 api. For gods sake, it was written for Windows 3.1 running on DOS.
        DonnieBoy
      • Again you show you know nothing about programming

        @Donnieboy Again you open your mouth and out comes stupidity. Do you understand the meanings of the words "working prototype" or "proof of concept"? If they were to implement all the APIs it wouldn't have been a prototype. It would have been a full fledged product. Also in terms of age, a matured set of APIs are beneficial since they have undergone various levels of testing and reviews. What clumsiness of Win32 are you talking about? I would love to know some of them since I never found any API in any language in any software to be clumsy.
        And if you write APIs do you change them frequently and break the software written using it? (Assuming you write APIs and someone writes software using them)
        1773
      • 1773: Your pathetic attempts at insults do not in any way help your argument

        Win32 was designed for Windows 3.1 running on top of DOS, and they are still using it as the basis for bogus sandbox research.
        DonnieBoy
    • RE: Microsoft 'Drawbridge' project seeks ways to streamline and better secure Windows

      @DonnieBoy

      Please.. please.. stick to what you know.. which is.. umm..

      Anyway, the intrinsic capabilities within such an encapsulated OS structure should, SHOULD, really intrigue entities that desire complex operating systems just outside the norm (yes, government agencies) to allow timeframes of security via obscurity (as an additional 'barrier' against known API/vulns between builds). The government would love an ever-morphing OS (and accompanying codespace) to continuously relegate 'known' overflows from ever gaining traction to become an attack vector. The only way to defeat system compromises is to vary the landscape continuously. Recent technologies built into Windows 8 (codename) have decidedly taken a step in that direction by the use of 'contracts' between applications that only accept specific types of information from any other 'contracted' application. Providing sufficient/efficient use of code-signing (possibly only signed by government agencies, in this case, not 'for hire' agencies) this next step should be deemed 'evolutionary' if not for its foothold in innovation which deems it 'revolutionary'.
      TechNickle
  • Uh, OS X?

    While there may be vast technical differences I will never fathom, this basic concept - separate the desktop part of the OS from the basic engine, has been the foundation of OS X for more than a decade, and it's why there is still no credible security threat to Macs (excepting the user, of course). Just because you call it a "Drawbridge" instead of a "Chinese wall," doesn't make it a new idea. It may be new execution, but it's far from a new idea.
    JoeBob_z
    • RE: Microsoft 'Drawbridge' project seeks ways to streamline and better secure Windows

      @JoeBob_z I think the article specifically said that the basic idea was around since 1994 but I guess you missed that; I guess that's understandable.
      FlatbushE21
    • Doesn't Apple have a patent on this?

      @JoeBob_z
      "this basic concept - separate the desktop part of the OS from the basic engine, has been the foundation of OS X for more than a decade"

      I hope that Apple sues MS over this.
      edtimes
    • No, OS X is like Windows

      @ JoeBob_z

      The design of OS X is similar to the design of Windows. OS X is based on the XNU kernel, which combines a Mach-derived microkernel with a BSD emulation layer and standard system services in kernel mode, giving the OS a hybrid/monolithic design. Similarly, the hybrid/monolithic NT OS at the heart of Windows comprises a microkernel (Kernel) and kernel-mode system services (Executive). Most of the Windows emulation layer also runs in kernel mode (win32k.sys), and has done since Windows NT 4.0, but there is still a user mode Windows subsystem process too (csrss.exe).

      Neither Windows nor Mac OS X (nor indeed any widely used OS) uses the library OS idea, which originated with academic work in the 90s, but never took off outside of academic projects like the original MIT Exokernel, Cache and Nemesis. One of the reasons is that hypervisor-based virtualisation caught on, and it solves some of the same problems more easily -- but at a much higher cost. What this research shows is that it's technically feasible to convert an existing commercial OS to a library OS, and that the savings relative to a hypervisor model (in terms of memory/disk requirements) are enormous.

      Having read the original paper by Parker et al., I'm quite impressed with what they've done. If the interactive performance is really comparable to standard Windows (they're using RDP for audio/video and input), I think Microsoft ought to seriously consider this as the starting point for Windows 9. It really does appear to have very considerable advantages, solving many of the problems with Windows (and other desktop/server OSes). One of the features I'd most appreciate is the ability to suspend a running app and restore it after a reboot or even on another device. After reading this, it wouldn't surprise me if some enterprising Linux developers (and eventually even Apple) look into the library OS idea too (although the Unix process model would complicate things).
      WilErz