Microsoft weighs strong app IDs for Windows future

news
Jun 19, 2006

Crypto signatures part of future app reputation services

Microsoft has plans to introduce stronger security for third-party applications that run on future versions of Windows, including “Vienna,” the planned successor to Windows Vista. 

With the next versions of Windows, “Vista” on the desktop and Longhorn Server, nearing completion, Microsoft is returning to an idea it has been pursuing for a decade: strong, cryptographically signed application identities for third-party applications that run on Windows. The application IDs would extend to applications the kind of privilege restriction that UAC (User Account Control) applies to user accounts, limiting what kinds of data particular applications can access, according to interviews with Microsoft executives.

The features are still being researched but are slated for the next version of Windows, code-named “Vienna.” Microsoft hopes to build 128-bit, cryptographically signed application secure identities, or “SIDs,” into Windows for standard-user code, limiting the data and the areas of the operating system that applications can access, according to Peter Woods, program manager for Windows security at Microsoft. (A SID, or security identifier, is what Windows already uses to name users and groups in access control lists; the proposal gives applications an identity of the same kind.)

“It’s just like signing a sid for a user. It makes the [application ID] a ‘sid-able’ object,” he said.

The feature is similar to Microsoft’s Authenticode, introduced in 1996, which lets software developers and content publishers digitally sign their code with certificates issued by commercial certificate authorities such as VeriSign and GeoTrust.

As with that system, ISVs would need a signing certificate, chained to a trusted root, that could be used to identify their Windows applications, for example Adobe’s Acrobat Reader. However, unlike an Authenticode signature, which covers one specific binary, the application secure ID would be independent of the application version, Woods said.

“It means you don’t have to change your [access control lists] for files just because the version changed,” according to Woods, who led a session on UAC at last week’s TechEd Conference in Boston.

Cryptographic signatures would be unique for each application and would ship with Windows, said Ben Fathi, corporate vice president of Microsoft’s Security Technology Unit, adding that they’re based on a hash of the application’s executable file and other application support files, such as DLLs and configuration files.

The application secure ID concept extends application “manifests,” XML resource files that developers embed in their applications to describe them to Windows Vista. Manifests, which can be cryptographically signed, let developers declare the privilege level an application requests, which determines when users are prompted for consent or administrative credentials to elevate their privileges within Vista.
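For readers who have not seen one, here is the relevant part of a Vista application manifest. This is an added example, not a file from Microsoft or from any product named in this article; the assembly name `Example.Reader` is hypothetical. The `requestedExecutionLevel` element is the declaration the paragraph above describes.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Hypothetical identity; the name is not a real product. -->
  <assemblyIdentity version="1.0.0.0" name="Example.Reader" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- level="asInvoker":            run with the caller's (standard-user) token, no UAC prompt
             level="highestAvailable":     elevate only if the logged-on user is an administrator
             level="requireAdministrator": always prompt for consent or admin credentials -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

The manifest is compiled into the executable as an RT_MANIFEST resource or placed beside it as `Example.Reader.exe.manifest`. An application marked `asInvoker` never triggers an elevation prompt and therefore runs without write access to machine-wide locations such as HKEY_LOCAL_MACHINE and Program Files; the secure-ID proposal described here would add a per-application identity on top of that per-user token.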

“We’re taking [application manifests] one step further so you can say, ‘Take this [executable file] and these five DLLs and whatever else it touches and consider that one version of an application and have a hash around that,'” Fathi said.

The IDs would slam the door shut on malicious code by allowing administrators to limit an application to a specific type of data and verify that the application requesting the data is legitimate, Woods said.

Adobe, for example, could supply Microsoft with a strong ID for Acrobat Reader. That ID would ship with Windows and identify it within Windows. Any application trying to access and open a PDF file would be checked against that unique ID; non-sanctioned applications would be barred from doing so, he said.
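The following is an added illustration of the scheme as Fathi and Woods describe it: a hash over the executable plus its DLLs and configuration files identifies one version, a publisher signature vouches for that bundle, and the application SID that access control lists name is derived from the signer and the product rather than from the file contents, so an upgrade keeps its ACL entries while a patched DLL or a differently signed impostor is refused. It is not Microsoft’s code and not Adobe’s. Assumptions not in the article: the SID is the first 128 bits of SHA-256 over the publisher’s certificate fingerprint and product name; HMAC-SHA256 with a publisher secret stands in for the public-key (Authenticode-style) signature, so the checker holds the same key the signer used; all file contents, fingerprints and keys are constructed.

```python
"""Added illustration of a version-independent application SID over a signed file bundle.

Not Microsoft's code. Assumptions not taken from the article: the SID is the first
128 bits of SHA-256 over (publisher fingerprint, product name); HMAC-SHA256 stands in
for the publisher's public-key signature, so verification uses the signer's key.
Every fingerprint, key and file below is constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Publisher:
    """Stand-in for an ISV's code-signing certificate (hypothetical data)."""
    name: str
    fingerprint: bytes   # would be the hash of the certificate's public key
    signing_key: bytes   # would be the private key; here it is an HMAC key


def bundle_hash(files: Dict[str, bytes]) -> bytes:
    """Hash one version of an application: exe, DLLs and config files together.
    Sorting by name makes the result independent of enumeration order."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode("utf-8") + b"\0")
        h.update(hashlib.sha256(files[name]).digest())
    return h.digest()


def app_sid(publisher: Publisher, product: str) -> str:
    """Version-independent application SID: derived from the signer and the product
    name, never from file contents, so an upgrade keeps the same SID and ACL entries."""
    d = hashlib.sha256(publisher.fingerprint + b"\0" + product.encode("utf-8")).digest()
    return d[:16].hex()   # 128 bits, the size the article mentions


def sign_bundle(publisher: Publisher, product: str, files: Dict[str, bytes]) -> dict:
    """Identity record a publisher would supply for one shipped version."""
    bh = bundle_hash(files)
    msg = product.encode("utf-8") + b"\0" + bh
    sig = hmac.new(publisher.signing_key, msg, hashlib.sha256).digest()
    return {"publisher": publisher.fingerprint, "product": product,
            "bundle_hash": bh, "sig": sig}


def verify_identity(trusted: Publisher, files: Dict[str, bytes], ident: dict) -> Optional[str]:
    """Recompute the hash over the files actually on disk and check the signature.
    Returns the application SID, or None if a file was altered or the signer differs."""
    if ident["publisher"] != trusted.fingerprint:
        return None
    bh = bundle_hash(files)
    if not hmac.compare_digest(bh, ident["bundle_hash"]):
        return None            # a DLL or config file changed after signing
    msg = ident["product"].encode("utf-8") + b"\0" + bh
    expected = hmac.new(trusted.signing_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ident["sig"]):
        return None            # signature does not match the claimed publisher
    return app_sid(trusted, ident["product"])


def can_open(acl: Dict[str, Set[str]], path: str, sid: Optional[str]) -> bool:
    """Per-data-type ACL keyed on application SID: may this verified app open this file?"""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    return sid is not None and sid in acl.get(ext, set())


# Constructed sample data; none of this is real Adobe or Acrobat material.
ADOBE = Publisher("Adobe", b"adobe-cert-fingerprint", b"adobe-signing-key")
OTHER_ISV = Publisher("OtherISV", b"other-cert-fingerprint", b"other-signing-key")
READER_V7 = {"AcroRd32.exe": b"MZ reader 7.0", "AcroForm.dll": b"forms 7.0", "reader.cfg": b"lang=en"}
READER_V8 = {"AcroRd32.exe": b"MZ reader 8.0", "AcroForm.dll": b"forms 8.0", "reader.cfg": b"lang=en"}
PDF = r"C:\docs\report.pdf"


def demo() -> Dict[str, bool]:
    """Walk through the cases the article raises; every entry should be True."""
    acl = {".pdf": {app_sid(ADOBE, "Acrobat Reader")}}   # written once, not per version
    ident7 = sign_bundle(ADOBE, "Acrobat Reader", READER_V7)
    ident8 = sign_bundle(ADOBE, "Acrobat Reader", READER_V8)
    tampered = {**READER_V7, "AcroForm.dll": b"forms 7.0 + injected code"}
    impostor = sign_bundle(OTHER_ISV, "Acrobat Reader", READER_V7)
    return {
        "v7_allowed": can_open(acl, PDF, verify_identity(ADOBE, READER_V7, ident7)),
        "v8_allowed_without_acl_change": can_open(acl, PDF, verify_identity(ADOBE, READER_V8, ident8)),
        "patched_dll_denied": not can_open(acl, PDF, verify_identity(ADOBE, tampered, ident7)),
        "same_name_other_signer_denied": not can_open(acl, PDF, verify_identity(OTHER_ISV, READER_V7, impostor)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'}")
```

The design choice worth noticing is the split between the two hashes: the bundle hash changes with every release and is what catches a modified DLL, while the SID that ACLs reference is stable across releases because it is computed from the signer and product name only. That split is what lets an administrator write an ACL for “Acrobat Reader from Adobe” once, which is the version-independence Woods describes above.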

Microsoft’s interest in application secure IDs is part of a larger effort to give administrators a finer degree of control over applications, said Mark Russinovich, a Windows security expert at Winternals Software, which makes system recovery and data protection software for Windows.

Traditionally, Windows applications have been granted access to one of three broad “service” accounts that came with rights to a wide range of system resources, regardless of the purpose of the applications. Malicious code authors have made use of those broad privileges for years, using attacks like buffer overflows to take control of applications and their elevated privilege on Windows systems to run amok, he said.

“It’s a way to specify for a particular service what it needs access to and refine the scope of the privileges,” Russinovich said.

But engineers at Microsoft will have to navigate a minefield of potential problems to make the strong, application secure IDs a reality. Challenges range from managing cryptographic signatures across enterprise applications to suspicion among ISVs that the Redmond company will use the secure IDs and lock out Windows competitors, experts say.

“There’s no doubt that auditing secure environments will be more complex,” said Dennis Moreau, CTO at Configuresoft.

As with the UAC technology, application secure IDs will require adjustment from software vendors.

“All applications are built with the assumption that they have access by default. This will get in the way of that and change the underlying authentication model,” he said.

But complaints from customers, which also marked Microsoft’s introduction of UAC, are not necessarily a bad thing, said John Pescatore, a vice president at Gartner.

“With XP SP2 you got one level of squawking and another level of squawking with Vista — customers saying ‘All our boxes and applications don’t work!’ But you have to raise the bar more,” he said.

Cryptographic application IDs built into Windows should improve security. However, there’s no guarantee that malicious code authors will not warm to the new architecture as well, Moreau said.

“Suppose exploit vendors apply for blocks of root keys from Verisign. Now [certificate authorities] have to issue growing revocation lists to deal with them. And that’s the exact problem with PKI in enterprise environments,” he said.

Fathi acknowledged the challenges facing the new application secure ID plans, and said Microsoft is just beginning to get “its hands around” the problem.

However, the advantages in such an architecture are considerable, he said.

Microsoft is looking into ways to tie reputation-based services to strong application IDs to ease security concerns in managed environments, with one Windows user being able to automatically “trust” a particular application within formal or informal networks, he said.

Applications, verified with strong application IDs, could one day have reputations akin to the URL reputation services that companies such as Microsoft and AOL offer to their customers to prevent phishing and spyware, he said.

Application reputations could be a big benefit for enterprises, which would have more assurance that the application they deploy meets standards, such as Common Criteria certification, said Pescatore.

However, the new architecture could awaken old debates about anti-trust and Microsoft’s control of the desktop, he acknowledged.

“Microsoft sells a lot of software products. Will [IBM] Lotus get certified by Microsoft? Is that the way the world wants to go?” he said.