Microsoft can’t throw away old Windows code, but the company’s research under Project Verona is aiming to make Windows 10 more secure with its recent work on integrating Mozilla-developed Rust for low-level Windows components.
The company recently revealed that its trials with Rust over C and C++ to remove insecure code from Windows had hit its targets. But why did Microsoft do this?
The company has partially explained its security-related motives for experimenting with Rust, but hasn’t gone into much detail about the reasons for its move.
All Windows users know that on the second Tuesday every month, Microsoft releases patches to address security flaws in Windows. Microsoft recently revealed that the vast majority of bugs being discovered these days are memory safety flaws, which is also why Microsoft is looking at Rust to improve the situation. Rust was designed to allow developers to code without having to worry about this class of bug.
‘Memory safety’ is the term for coding frameworks that help protect memory space from being abused by malware. Project Verona at Microsoft is meant to progress the company’s work here to close off this attack vector.
Microsoft’s Project Verona could turn out to be just an experiment that leads nowhere, but the company has progressed far enough to have detailed some of its ideas through the UK-based non-profit Knowledge Transfer Network.
Matthew Parkinson, a Microsoft researcher from the Cambridge Computer Lab in the UK who’s dedicated to “investigating memory management for managed programming languages”, gave a talk last week focusing on what the company is doing to address these memory issues.
In the talk, Parkinson discussed the work Microsoft has done with MemGC, which is short for Memory Garbage Collector, for Internet Explorer (IE) and Edge.
MemGC addressed vulnerabilities in the standard browser feature known as a Document Object Model (DOM), a representation of the data used by browsers to interpret web pages. Google’s elite Project Zero hackers were impressed with Microsoft’s MemGC after canvassing major browsers.
“We built a garbage collector (GC) for the DOM. That big bulge in use-after-free was basically people finding ways of exploiting memory management in the DOM engine in IE,” said Parkinson, referring to a graph that illustrates the prominence of memory safety bugs.
“And then [Microsoft] introduced MemGC, which is a conservative GC for the DOM. It was very targeted at this particular style of vulnerability and then basically eradicated that as an attack vector.”
The other class of bugs Microsoft is working on to address relates to uninitialized memory in a way that also doesn’t kill performance.
Parkinson delved into a problem that might resonate with customers of its products. “How can we build the safest stuff going forward? So we still have to deal with the legacy. We can’t just throw away what we have, but what can we build now in safer systems.”
Parkinson said Microsoft is rewriting some “targeted” components in Rust. His talk focused on language design and compartmentalization.
“If we want compartments, and to carve up the legacy bits of our code so [attackers’] exploit code can’t get out, what do we need in the language design that can help with that?”
This is Project Verona and Parkinson said it was the first time he’d discussed the project, which will be made open source “soon”. It is a new language for what Microsoft is calling “safe infrastructure programming”.
The challenge for Microsoft is dealing with the “application spectrum”, which spans from C# for desktop apps through to C and C# for Exchange, ASP.NET, Azure, and device drivers, to deep Windows components like memory management and boot loaders and the Windows kernel hardware abstraction layer (HAL).
“It’s really hard to do memory management. Temporal memory safety is very difficult if you have arbitrary concurrent mutation,” said Parkinson.
“The ownership model in Verona is based on groups of objects, not like in Rust where it’s based on a single object. In C++ you get pointers and it’s based on objects and it’s pretty much per object. But that isn’t how I think about data and grammar. I think about a data structure as a collection of objects. And that collection of objects as a lifetime.
“So by taking ownership at the level of ownership of objects, then we get much closer to the level of abstraction that people are using and it gives us the ability to build data structures without going outside of safety.”
More on programming languages