Drawbridge: A new form of virtualization for application sandboxing


Description

Drawbridge is a research prototype of a new form of virtualization for application sandboxing. It combines two ideas from the literature: first, a picoprocess, a process-based isolation container that exposes a minimal kernel API surface; second, a library OS, a version of Windows enlightened to run efficiently inside a picoprocess. Together they provide a new form of computing that retains the benefits of secure isolation, persistent compatibility, and execution continuity, but with drastically lower resource overheads than conventional virtual machines.

The Drawbridge library OS is an experimental Windows 7 library OS, a research project and proving ground for a larger concept: application virtualization and sandboxing. Drawbridge is capable of running the latest releases of major Windows applications such as Microsoft Excel, PowerPoint, and Internet Explorer with very little overhead compared to traditional virtualization techniques. The experiment is going well! Now, what's going on here, exactly?

Drawbridge research team members Galen Hunt, Reuben Olinsky and Jon Howell dig into some of the details of the Drawbridge research project, including its rationale and OS architecture.

Paper: http://research.microsoft.com/apps/pubs/default.aspx?id=141071


    The Discussion

    • aldie_lab

      Enlightened? That's the opposite of "embiggened", right?

    • Charles

      @aldie_lab: No. Enlightened as in the operating system (in this case, a library OS, which is a modified Windows 7 used for experimentation in the Drawbridge research experiment) is aware of and capable of running inside picoprocesses. So, enlightenments are enhancements to the OS which help reduce the cost of certain OS functions (like running inside a picoprocess).

      C

    • felix9

      This video is finally out! Very interesting.

    • philjay

      IE9 RC? ;P

      This means that we might finally get native code on the web (again)?

    • Simon

      Interesting video! Thanks Charles! Always impressive what new ideas the people at MSR come up with! Great to put the spotlight on researchers.

      Unrelated: Would love to see Singularity's ideas go mainstream. Singularity's *the single most interesting* idea and implementation I've seen in a long time in OS research. While it might not have been the first approach it was very well executed (and documented).

    • androidi

      Interesting interview, but it would have been nice to have some deeper questions:

      If an app consists of multiple sequential or parallel executables, so that e.g. excel.exe starts excel2.exe and then excel.exe terminates, and excel2 starts multiple different exes with their own windows and excel2.exe terminates... will this kind of thing work with this model? What if there's also some LPC or shared memory IPC between these before the termination?

      If an app uses CreateFile to open \\.\C: (hope I got that right) or a PhysicalDisk, and in order to run needs to be able to write and read somewhere on the disk without going through the filesystem APIs, will your security layer virtualize this or will the app fail to run?

      How do you "install" an app onto this sandbox? Lots of talk about lack of 3D/HW support, but there would have been many more interesting questions about how to handle things related to what e.g. game installers do, such as the "Sony rootkit DRM". Would that rootkit DRM game install fine even if it was just a 2D non-accelerated game? Also, would this approach work to enable better compatibility with Windows 3 & 95/98 apps/games using old DX APIs?

      Getting old Windows games and apps to run is often more pain than DOS games in DOSBox. If MS were to productize this research, it could end up like the current app compat layer, which can require a bunch (too much) of fiddling just to find that the app you want to run is not going to run, since even if you put compat mode "XP", the broken stuff tends to stay broken unless it was specifically tested by people in MS.

      I think this type of legacy compatibility thing may be better served by a hybrid development model: a paid core team developing the long-term goal deliveries, and then allowing the community using the product to develop their own minor fixes and improvements that could be easily patched (by users, so simply that no instructions are needed) into the product on an as-needed basis. E.g. if I as a user run appX, it will check for community-made fixes for appX and allow me to install those in the sandboxing layer or something, ensuring longevity and broadening compatibility as time goes on even if MS stops active development on the sandbox. Just a thought...

    • Charles

      @androidi: "It would have been great if the conversation centered around the specific technical topics I'm most curious about". OK. Maybe next time...

      At any rate, you have a place to ask questions now. The Drawbridge people also have a place to look for questions to answer.

      C

    • Minh

      The video in the SL player is not playing... download works though

    • Charles

      @Minh: Weird. Republishing.
      C

    • rstat1

      The possibility that I could start working on something on my home machine (say in VS), "hibernate" it, transfer that state to a cloud service, and then pick up again right where I left off on any internet-enabled (and RDP-enabled) device is quite intriguing to say the least, as well as very useful.

      Not to mention the possibilities as far as backward compatibility is concerned.

    • felix9

      There is a concept called 'AppContainer' for Metro-style apps in Windows 8, which is very strict sandboxing / isolation. I guess it could be a good basis to incorporate the library OS idea. Can you compare the AppContainer and the picoprocess approach? Or App-V? ThinApp?

    • giovanni

      Charles wrote:

      > @Minh: Weird. Republishing.
      > C

      Still not working here either. Other videos work fine...

    • Charles

      @giovanni: Working on it. My apologies.
      C

    • staceyw

      Nice. So in the future, a user could hit an exception, then "click-dump" the process (as a button in the exception window) and email it to me. I could open that in VS debugging and be right in the context of the issue and even see what happened before the exception. Probably could also add a 20 sec replay window to replay what the user was doing 20 seconds before the issue for even more local context. Now that itself is a game changer. Also a neat way to publish working VS solutions for samples and demos, or Office documents. The target user does not even have to have Office installed and could even open it from over the web. Big game changer. Nice what scenarios that could enable.

    • JohnSawyer

      staceyw wrote:

      > Nice. So in the future, a user could hit an exception, then "click-dump" the process (as a button in the exception window) and email it to me. I could open that in VS debugging and be right in the context of the issue and even see what happened before the exception.

      If you want to resume hibernation, you need hiberfil.sys as well as your intact filesystem. You can't just send hiberfil.sys to another machine and resume your OS there.

    • Charles

      @Charles: Fixed!

      C

    • Scottee

      Strangely, I found this about 10 minutes after watching the video.

      http://technet.microsoft.com/en-us/appvirtualization/dd146065

      The move from kernel mode to user mode comments stood out.

      Very cool stuff!

      I'm curious how (in conceptual terms) Drawbridge compares to a technology like ThinApp (previously Thinstall), I suppose other than the obvious ability to rearrange the OS..

    • JohnSawyer

      I watched the video yesterday. But it got me thinking: how exactly is rearranging the OS better than using a Hyper-V VM with memory deduplication on EPT/Nested Pages?

      This keeps memory usage low. How many instances of IIS would you be able to run in VMs using memory deduplication, as opposed to the number in Drawbridge? How well does Drawbridge perform CPU-wise, as opposed to running on bare metal hypervisor?

      There were also some scenarios mentioned, such as:
      - using it to keep compatibility with XP
      - sandboxing

      Well, I don't think it is easy to refactor an outdated OS and to keep compatibility for every single system call. Would you use XP RTM, XP SP1, XP SP2 or XP SP3 as the baseline?

      With an upgrade to a new OS version, your existing applications get a new look, since they blend with the OS's redesigned UI elements. This is very much desirable, as opposed to keeping it at the version "they were designed for". Then there's WinRT. I guess "desktop mode" APIs will stay Win7 compatible for a very long time, since most innovation will be in the WinRT world.

      As to sandboxing, using a processor security feature (i.e. VM mode) is much more secure than using the existing ring protection. Unless you decide to use PL1 and PL2 (how's that for ARM compatibility then)?

    • martinmine

      Really cool! Very interesting. I was imagining you could, like, "transfer" a program from a computer to a tablet (just an example) in the very near future. Just an example though.

    • James

      Linux Containers (http://lxc.sourceforge.net/) anyone?

    • galen

      James wrote:

      > Linux Containers (http://lxc.sourceforge.net/) anyone?

      @James: As you point out, there is a rich history of sandboxing technologies that operate at the scale of an application (chroot, zones, jails, containers, etc.). These were all important advances. Our contribution is to marry application sandboxing with the library OS concept. If you want to read more detail, our ASPLOS 2011 paper provides some comparison with existing technologies.

      As far as we know, Drawbridge is the first in this class to provide not just isolation, but also persistent compatibility and execution continuity. When packaged with its library OS, a Drawbridge application can run across many different host OS versions. And a running Drawbridge application can move from one host machine to another (without losing its state).

    • giovanni

      @Charles: Perfect, thank you!

    • B3NT

      Wow, it's like that Galen guy and his team get to work on magic...

      I'm jealous of their lifestyle.

    • JohnSawyer

      JohnSawyer wrote:

      > I watched the video yesterday. But it got me thinking: how exactly is rearranging the OS better than using a Hyper-V VM with memory deduplication on EPT/Nested Pages?
      >
      > This keeps memory usage low. How many instances of IIS would you be able to run in VMs using memory deduplication, as opposed to the number in Drawbridge? How well does Drawbridge perform CPU-wise, as opposed to running on a bare metal hypervisor?

      Any benchmarks yet?

    • James

      In the paper "Exterminate All Operating System Abstractions" (www.stanford.edu/~engler/hotos-jeremiad.ps) they talk about an "application-level operating system"; would you say that that is, or can be seen as, related to Drawbridge?

    • galen

      James wrote:

      > In the paper "Exterminate All Operating System Abstractions" (www.stanford.edu/~engler/hotos-jeremiad.ps) they talk about an "application-level operating system"; would you say that that is, or can be seen as, related to Drawbridge?

      Yes, Engler et al. invented the idea of a library OS (an "application-level operating system"). Our academic contribution was to show 1) how the interface between the library OS and the host OS can be modified to enable persistent compatibility, 2) how it can enable migration, and 3) that Windows can be used to create a library OS.

      By the way, our paper mentioned above discusses the related work in more detail.

    • galen

      Simon wrote:

      > Unrelated: Would love to see Singularity's ideas go mainstream. Singularity's *the single most interesting* idea and implementation I've seen in a long time in OS research. While it might not have been the first approach it was very well executed (and documented).

      Thanks! We are very proud of our Singularity work as well. Interestingly, several of the great ideas from Singularity were reused in Drawbridge. For example, the Drawbridge ABI (application binary interface) is very similar to the Singularity ABI. Also, Drawbridge employs many of the program manifest and packaging ideas that we pioneered in Drawbridge.

    • ajasmin

      I like the way you can suspend a process or fork it across the network. That's quite impressive!
