
Roadmap to a Partial Trust Managed Code world

Following my ‘On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future’, ‘Security Awareness Modes’ and ‘The day Microsoft changes’ posts, which argue for (and give ideas about) the need to move to a Partial Trust Managed world, here is an interesting ‘big vision’ table:

Code Execution Location                                Today    2011    2015/2020
Kernel (Unmanaged & Managed Full Trust)                  10%    9.5%          1%
Kernel (Partial Trust Managed Code)                       0%    0.5%          9%
Admin/System code (Unmanaged & Managed Full Trust)       30%     25%          1%
Admin/System code (Partial Trust Managed Code)            0%      5%         19%
User-land code (Unmanaged & Managed Full Trust)          59%     20%          1%
User-land code (Partial Trust Managed Code)               1%     20%         29%
Virtual PC environments                                   0%     20%         40%

So the logic here is that by 2011 there has been a clear and hard move to execute non-kernel code in Partial Trust Managed Code environments (note that I group Full Trust with unmanaged code), together with the use of VPCs (or VMware) to execute certain types of applications which don’t need direct access to the user’s assets (for example games).

And that by 2015/2020 the conversion is complete and most of the code executed is Partial Trust Managed Code. The issue will then be the security of that 1% of unmanaged & Full Trust code, and the CAS policies that control the rest of the code (and that will be a job for the security companies).

The good news is that although we will probably still need some types of AV, IDS, HPS (or whatever they will call themselves at the time), in this managed and verifiable world these tools will actually have a chance to detect and contain malicious behaviour / activities.

The reason I am moving a lot of code into the Virtual PC world is that when I looked at the use-cases of the software that is used every day, there are large classes of applications which only need “hardware + OS resources” to run (games are the best example) and don’t need any (or only very limited) access to the user’s assets. So in those cases it makes sense to run those apps in Virtual PC environments, and here think ‘Citrix Application Virtualization’ (http://www.citrix.com/English/ps2/products/product.asp?contentID=186) and not ‘VMware’ (note that those applications don’t need an entire OS; they should only need the hardware, the kernel, the Win32 APIs and a couple of supporting services).

Ideally that ‘bridge’ between the Virtual PC environment and the user’s assets would be implemented as a PTMC (Partial Trust Managed Code) application, which would then enforce CAS rules on every access to the user’s assets.
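To make that ‘bridge’ idea concrete, here is an added example (my own illustration, not code from the original post) of a partial-trust .NET sandbox whose CAS grant set allows reading one user-asset directory and nothing else. It assumes .NET Framework 4.x on Windows; the paths and the AssetBridge/Program names are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Assumption: .NET Framework 4.x on Windows. Sandboxed AppDomains and CAS stack
// walks exist there; .NET Core / .NET 5+ removed CAS, so this will not run on them.
public class AssetBridge : MarshalByRefObject
{
    // Executes inside the partial-trust domain. The BCL demands FileIOPermission
    // for the full path; anything outside the granted directory fails the demand.
    public string TryRead(string path)
    {
        try { return File.ReadAllText(path).Length + " bytes read"; }
        catch (SecurityException) { return "denied by CAS"; }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed paths: one directory standing in for a user asset the
        // bridge may read, and one file it must not touch.
        string allowedDir = Path.Combine(Path.GetTempPath(), "ptmc-allowed");
        Directory.CreateDirectory(allowedDir);
        string allowedFile = Path.Combine(allowedDir, "note.txt");
        File.WriteAllText(allowedFile, "hello");
        string outsideFile = Path.Combine(Path.GetTempPath(), "ptmc-outside.txt");
        File.WriteAllText(outsideFile, "secret");

        // Grant set for the sandbox: permission to execute, plus read-only
        // access to the one allowed directory. Nothing else (no network,
        // no registry, no other files) is granted.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, allowedDir));
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("ptmc-sandbox", null, setup, grant);

        // The bridge type is loaded into the sandbox, so it runs with 'grant' only.
        var bridge = (AssetBridge)sandbox.CreateInstanceAndUnwrap(
            typeof(AssetBridge).Assembly.FullName, typeof(AssetBridge).FullName);

        Console.WriteLine("allowed: " + bridge.TryRead(allowedFile));
        Console.WriteLine("outside: " + bridge.TryRead(outsideFile));
        AppDomain.Unload(sandbox);
    }
}
```

The first read succeeds because the demanded path is under the granted directory; the second fails the stack walk with a SecurityException even though the file exists and the host process has full access to it.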

Even with my focus on PTMC applications, I know that PTMC games will NOT happen anytime soon, and since most games NEED almost full access to the user’s hardware (and admin/system access) there is NO way they will be written in user-land PTMC (on that note, we might want to make some changes in our hardware access so that code running under admin / system inside one of those VMs can NOT rootkit my network card by patching its flash memory).

So I think that with time we will find that large parts of the apps we run every day are executed inside these ‘sandboxed’ OS environments.

———————————

Final comment: don’t agree with these ideas? No problem, show me your solution.

Vista, XP and (soon) Mac OS X / Linux have clearly shown the limitations of trying to control and sandbox unmanaged code (oh, I forgot, UAC is not a security feature anymore!).

So what is the plan to secure the user’s assets 2, 5, 10 years from now?
