Microsoft has plans to introduce stronger security for third-party applications that run on future versions of Windows, including "Vienna," the planned successor to Windows Vista.
With the next versions of the Windows desktop operating system -- "Vista" and Longhorn Server -- nearing completion, Microsoft is returning to an idea it has been pursuing for a decade: strong, cryptographically signed application identities for third-party applications that run on Windows. The application IDs will extend the strong UAC (user account control) log-in security to applications, limiting what kinds of data certain applications can access, according to interviews with Microsoft executives.
The features are currently being researched, but are slated for the next version of Windows, code-named "Vienna." Microsoft hopes to build 128-bit, cryptographically signed application secure identities, or "sids," for standard user code into Windows, limiting the data and the areas of the operating system that applications can access, according to Peter Woods, program manager for Windows security at Microsoft.
"It's just like signing a sid for a user. It makes the [application ID] a 'sid-able' object," he said.
The feature is similar to Microsoft's Authenticode, which was first introduced in 1996 and allows software developers and content publishers to issue code-based credentials, backed by authorities such as VeriSign and GeoTrust.
As with that system, ISVs would need to publish a root certificate that could be used to identify Windows applications, for example Adobe's Acrobat Reader. However, unlike Authenticode, the application secure ID would be independent of the application version, Woods said.
"It means you don't have to change your [access control lists] for files just because the version changed," according to Woods, who led a session on UAC at last week's TechEd Conference in Boston.
Cryptographic signatures would be unique for each application and would ship with Windows, said Ben Fathi, corporate vice president of Microsoft's Security Technology Unit, adding that they're based on a hash of the application's executable file and other application support files, such as DLLs and configuration files.
The application secure ID concept is an extension of application "manifests," resource files that developers add to their applications to identify them to Windows Vista. Manifests, which can be cryptographically signed, allow Windows administrators to define the application's security level, which determines when users are prompted to enter administrative credentials to elevate their level of privilege within Vista.
"We're taking [application manifests] one step further so you can say, 'Take this [executable file] and these five DLLs and whatever else it touches and consider that one version of an application and have a hash around that,'" Fathi said.
The IDs would slam the door shut on malicious code by allowing administrators to limit an application to a specific type of data and verify that the application requesting the data is legitimate, Woods said.
Adobe, for example, could supply Microsoft with a strong ID for Acrobat Reader. That ID would ship with Windows and identify it within Windows. Any application trying to access and open a PDF file would be checked against that unique ID; non-sanctioned applications would be barred from doing so, he said.
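The idea Woods and Fathi describe (a version-independent application ID, bound to a hash over the executable and its support files, with file access keyed to that ID) can be modeled in a few lines. This is an added conceptual sketch, not Microsoft's design or code: the ID value, file names and contents are constructed, and an HMAC with a demo key stands in for the publisher's certificate-backed signature.

```python
import hashlib
import hmac

PUBLISHER_KEY = b"constructed-demo-key"  # assumption: stands in for the ISV's signing key
APP_ID = "5f1c0a9e3b7d4c22a8e46d0b9f137ac1"  # constructed 128-bit ID, version-independent

def bundle_hash(files):
    """Hash the executable and its support files (name -> bytes) as one unit."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + hashlib.sha256(files[name]).digest())
    return h.hexdigest()

def sign(app_id, digest):
    """HMAC stand-in for a publisher signature binding one version hash to the app ID."""
    return hmac.new(PUBLISHER_KEY, f"{app_id}:{digest}".encode(), hashlib.sha256).hexdigest()

def resolve_app_id(files, manifests):
    """Return the app ID if the files match a validly signed manifest, else None."""
    digest = bundle_hash(files)
    for m in manifests:
        if m["hash"] == digest and hmac.compare_digest(m["sig"], sign(m["app_id"], digest)):
            return m["app_id"]
    return None

def may_open(files, extension, manifests, acl):
    """The ACL is keyed by app ID, so a new signed version needs no ACL change."""
    app_id = resolve_app_id(files, manifests)
    return app_id is not None and app_id in acl.get(extension, set())

def demo():
    acl = {".pdf": {APP_ID}}  # written once, never edited below
    v1 = {"reader.exe": b"v1 code", "render.dll": b"v1 lib"}
    v2 = {"reader.exe": b"v2 code", "render.dll": b"v1 lib"}
    manifests = [{"app_id": APP_ID, "hash": bundle_hash(v), "sig": sign(APP_ID, bundle_hash(v))}
                 for v in (v1, v2)]
    tampered = dict(v2, **{"render.dll": b"patched lib"})
    # Unsigned manifest claiming the same app ID for the tampered files.
    forged = manifests + [{"app_id": APP_ID, "hash": bundle_hash(tampered), "sig": "00" * 32}]
    return {
        "v1": may_open(v1, ".pdf", manifests, acl),
        "v2": may_open(v2, ".pdf", manifests, acl),
        "tampered": may_open(tampered, ".pdf", manifests, acl),
        "forged": may_open(tampered, ".pdf", forged, acl),
        "other_type": may_open(v2, ".docx", manifests, acl),
    }

if __name__ == "__main__":
    print(demo())
```

Both signed versions resolve to the same ID and pass the unchanged ACL, while a bundle with a modified DLL, or a manifest claiming the ID without a valid signature, resolves to no identity and is refused.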