San Jose (CA) – Living up to his “Person of the Year” reputation for giving keynote addresses, Microsoft Chairman Bill Gates opened up this year’s annual RSA security conference by outlining once again his company’s vision for security as a key component of all software architecture. But in the evolution of Gates’ message, one can spot an emerging trend, particularly with respect to returning to a more monolithic, less decentralized approach toward implementing security in software architecture.
“The Internet…has become such a critical infrastructure for productivity, for reliability, for privacy, that the dreams we have can only be realized if we not only build secure approaches,” Gates said as he opened his speech today. But in order for systems to be trusted, he went on, they have to be transparent. To do that, architects must “make those easy to administer, and make it so the users understand exactly what to expect. How will their information be used? How often can they expect the system to be working totally on their behalf?”
Normally, the principal element of Microsoft’s new, more forthcoming approach has been “Trustworthy Computing.” But while Gates today brought up that trademark in its appropriate place in the speech, he quickly moved away from it to discuss the more generalized concept of the trust ecosystem. In computing architecture, a state of trust exists between two processes once the identity of each has been authenticated to the other, by means of a mutually trusted third process. The person most responsible for implementing the concept of “chains of trust” – where these third processes become authenticated by fourth and fifth processes, and so on, toward a root of greatest reliability – is Butler Lampson, now a Microsoft Research engineer whom Gates personally credited during his speech.
Up until recently, Microsoft Windows architecture was based around a concept where processes that had officially registered themselves passed their identity to a collective System Registry, which could always be presumed to be trustworthy. Users might not be trustworthy – they are, after all, the ones who break into systems – but software processes were presumed to carry no comparable likelihood of innate evil. The naïveté of this approach was best demonstrated by the rash of Outlook-borne e-mail viruses at the turn of the decade, where attachments could easily pass themselves off to Windows as trusted processes.
In place of the old Component Object Model, which Microsoft is working to systematically replace over the next four years, Gates wants to see a trust ecosystem in which all components – users, processes, and systems – must prove themselves continually, to both earn and maintain their authentication. “What is a trust ecosystem? We have code, we have devices, we have users, and all of those things have certain characteristics…What we need here is the ability to track those trust relationships, to be able to grant permissions, to be able to revoke those trust relationships, to develop reputation over time. If a piece of code is not behaving appropriately, it should be marked that way, and therefore dropped from being used on different systems. If a problem comes up on something that was trusted, you should be able to make sure that it’s no longer running.”
If Gates’ model seems somehow familiar to you – especially the users, processes, and systems part – then it’s because he’s addressing components of Active Directory, the roster of addressable components implemented in today’s Windows Server. AD has, from time to time, been considered a potential replacement for the COM System Registry, although arguably, the company’s forthcoming Windows Communication Foundation (“Indigo”) doesn’t actually require it, even for client-based installations. Still, Gates is clearly addressing how a trust ecosystem can or should work if that ecosystem is Windows, which may have been a little disappointing to some members of the RSA Conference who didn’t realize they were attending a Microsoft developers’ briefing.
How, exactly, Microsoft will devise a model for encoding reputation – the relative trustworthiness of a component – is not exactly known. Many would claim that reputation isn’t necessary, and that trust is a binary state: you either trust a component or you don’t. So whether you trust Microsoft or you don’t may have a lot to do with how you interpret this next excerpt from Bill Gates’ speech today: “The trust ecosystem has to have a very rich design, because after all, trust comes from many sources. We have companies that are focused on trust relationships – banks, governments, employers, affinity organizations, friends that put us on their buddy lists, and therefore have a certain level of trust or willingness to receive messages, or expose their presence to other people. All of these trust relationships need to be taken into consideration. So it can’t be something where there’s one unique piece of software, one unique organization, but rather, it has to be totally federated, so that all those trust statements can be understood and reasoned against.”
Federated trust, or any federated state, in Microsoft parlance, is an interesting compromise between a monolithic system and a completely distributed architecture. It’s about as close to completely open as Microsoft can get without creating a system where something can effectively substitute for a core component of Windows. Think of it as a system where states of trust or reputation can be distributed from directory to directory…but where that system is big and closed.
Which leads to Gates’ next very interesting keyword in his growing chain. It comes in response to his own question, “What are some key elements of ‘fundamentally secure?’ The first is isolation. If you go back historically and say, why were computer systems largely secure, it wasn’t because people wrote better code; in fact, they had none of the proof tools and the scanning tools and the rich things that we do today. Those systems were secure because they were isolated. There wasn’t an Internet pipe that allowed arbitrary packets to come in and see what code paths might have flaws in them.”
When many security engineers think of “isolation,” they think of the Trusted Computing platform, whose aim is to create a completely secure communications link between hardware and software components through high-level encryption and authentication – concepts which Microsoft’s Lampson first helped pair together. Some observers have expressed skepticism over the last few years about Microsoft’s own aims with regard to Trusted Computing.
Such observers will be surprised, however, to learn that Gates’ concept of isolation drifts away from the TCP model, at least as indicated by this statement: “Isolation exists at many levels. It exists at the network level…it exists in terms of process privilege, where you want to make sure that a process is only allowed to do a very limited number of things, it exists in the user model. Even a user who, from time to time, can install software, you want to make sure when they’re just, say, running a normal application, that that privilege is not active, because they’re not intending that that program can go and say, ‘Change things in the Start group,’ or, ‘Install a driver’ that ends up being a rootkit. So having it so that you only have the privileges you need, and that you’re fundamentally isolated, is very, very important.”
So rather than looking more and more like TCP – which is something Microsoft may not be any closer to actually delivering than it was five years ago, perhaps for the better – this portion of the Gates trust ecosystem is brought to you by Active Directory.
The three other components of a fundamentally secure platform, for those of you keeping score at home, are policy enforcement (another Active Directory element), automated recovery from disasters or attacks, and multi-factor authentication. Gates admitted that password-based authentication systems “simply won’t cut it. In fact, they’re very quickly becoming the weak link.”
What isn’t surprising about Gates’ speech today is that the solutions he envisions take place in a world full of Windows; what may be surprising – and perhaps very telling, if this trend continues – is a certain degree of backpedaling away from the Trustworthy promises of a few years earlier, toward a more conventional approach of simply shoring up Windows’ existing defenses.