Windows Vista

Security model and vulnerabilities
Features of Vista Security Model

User Account Protection (UAP)

New in Vista (UAP was the beta name; the shipping feature is User Account Control, UAC)
Goal: implement least-privilege user accounts
Accounts created during installation are "protected administrators": members of the Administrators group, but subject to UAP, so by default they run as limited user accounts (LUA)
When running unrestricted (with its full token), a protected administrator can write protected registry keys, start services, and perform every other privileged function
However, processes launched by that user (including ordinary programs) do not inherit this full range of privileges: they run with a filtered token in which the Administrators group is marked deny-only and most privileges are removed
LUA (continued)

Some processes cannot run properly without administrator privileges
These processes can be allowed to inherit the full privileges of the administrator at launch
A pop-up box (the consent prompt) requires the user to approve the privilege elevation
Claim: no process can elevate its privileges without explicit consent from the protected administrator (the escalation examples later in these slides test this claim)
Integrity levels (privilege levels)

Integrity level   Typical rights of a process at that level
High              Administrative (install to the Program Files folder, write system registry entries, etc.)
Medium            User (access to the user's Documents folder and the user's section of the registry)
Low               Untrusted (access to the Temporary Internet Files folder and the low-privilege section of the current user's registry)

An integrity level does not grant rights by itself: it caps what the process may write to (see Mandatory Integrity Control below); the object's DACL and the token's privileges still decide the rest.
Unprivileged user accounts

Windows Vista (like XP) allows the creation of standard user accounts (without administrator privileges)
Creating such accounts requires additional steps
Reasonable to expect that non-administrative accounts will be the default in well-managed corporate networks
Reasonable to expect that administrative user accounts will be used by home users for all activities, including browsing the web
Mandatory Integrity Control (MIC)

Also referred to as Integrity Levels
New in Vista
Controlled by a mandatory label Access Control Entry (ACE) stored in the object's System Access Control List (SACL)
Applies to all securable objects (files, processes, registry keys, named pipes, etc.)
A spawned process inherits its parent's integrity level (lowered to the executable file's label if the file carries a lower one)
MIC is enabled/disabled through a Windows registry entry
Integrity label SIDs (the mandatory label ACE in the SACL carries one of these)

SID            Integrity level
S-1-16-16384   System Mandatory Level (RID 0x4000)
S-1-16-12288   High Mandatory Level (RID 0x3000)
S-1-16-8192    Medium Mandatory Level (RID 0x2000)
S-1-16-4096    Low Mandatory Level (RID 0x1000)

The RID is the level: the check is a numeric comparison, and an object that has no label ACE is treated as Medium.
Integrity enforcement

A process cannot open a handle to a process at a higher integrity level: process and thread objects carry both a no-write-up and a no-read-up policy
However, a higher-integrity process can directly interact with a lower-integrity one
A process at any level can still interact through IPC (named pipes, etc.) when the endpoint's label allows it; the default policy on such objects is no-write-up only
A lower-integrity server can impersonate a higher-integrity client using calls such as ImpersonateNamedPipeClient, as long as the impersonation level of the client's token allows it
Registry keys carry integrity labels as well
For instance, IE running at low integrity has write access only to the low-labelled section of the registry (HKCU\Software\AppDataLow), even when launched by a protected administrator
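The label table and the enforcement rules above are compact enough to model in a few lines. The following is an added example, not code from the slides or from Windows: a pure-Python simulation of the mandatory check that runs before the DACL check, using the S-1-16-<RID> SIDs from the table. The policy bit values, the function names and the sample tokens are constructed for the example; the rule that unlabelled objects count as Medium, that process objects also deny read-up, and that a child process takes the lower of its parent's level and its executable's label are Vista's documented behaviour.

```python
"""Added example: a pure-Python model of Vista's mandatory integrity check.

Not Windows code. It parses integrity-label SIDs (S-1-16-<RID>) and applies
the mandatory policy that is evaluated before the DACL; tokens and object
labels are constructed inline, so it runs anywhere.
"""
from typing import Optional

# Label RIDs. The value is what gets compared; the names are convention.
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000
LEVEL_NAMES = {UNTRUSTED: "Untrusted", LOW: "Low", MEDIUM: "Medium",
               HIGH: "High", SYSTEM: "System"}

# Policy bits carried in the access mask of the mandatory label ACE
# (bit values chosen for this model, not the Win32 constants).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
FILE_POLICY = NO_WRITE_UP                   # default for files, keys, pipes
PROCESS_POLICY = NO_WRITE_UP | NO_READ_UP   # process/thread objects deny read-up too


def integrity_rid(sid: str) -> int:
    """RID of an integrity label SID, e.g. 'S-1-16-8192' -> 0x2000."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not an integrity label SID: {sid!r}")
    return int(parts[3])


def level_name(sid: str) -> str:
    rid = integrity_rid(sid)
    return LEVEL_NAMES.get(rid, f"custom(0x{rid:x})")


def mandatory_check(subject_sid: str, object_sid: Optional[str],
                    access: str, policy: int = FILE_POLICY) -> bool:
    """Mandatory part of the access check; the DACL is consulted only if this
    passes. object_sid=None means "no explicit label", which Windows treats
    as Medium. access is 'read', 'write' or 'execute'; WRITE_DAC, WRITE_OWNER
    and DELETE count as 'write'."""
    subject = integrity_rid(subject_sid)
    obj = MEDIUM if object_sid is None else integrity_rid(object_sid)
    if subject >= obj:            # equal or higher: the label blocks nothing
        return True
    blocked = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}
    return not (policy & blocked[access])


def default_object_label(creator_sid: str) -> Optional[str]:
    """Label stamped on an object at creation. Only creators below Medium add
    an explicit label; objects made by Medium, High or System processes stay
    unlabelled (implicitly Medium), which is why a High-IL process's files are
    still writable from a Medium-IL process if the DACL allows it."""
    return creator_sid if integrity_rid(creator_sid) < MEDIUM else None


def child_process_level(parent_sid: str, exe_label_sid: Optional[str]) -> str:
    """New-process rule: the child runs at the parent's level, lowered to the
    executable's label when the file carries one (iexplore.exe is labelled
    Low, so even a protected administrator's IE starts at Low)."""
    rid = integrity_rid(parent_sid)
    if exe_label_sid is not None:
        rid = min(rid, integrity_rid(exe_label_sid))
    return f"S-1-16-{rid}"


if __name__ == "__main__":
    low, medium, high = "S-1-16-4096", "S-1-16-8192", "S-1-16-12288"
    # Low IE writing an unlabelled user file: refused on the label alone ...
    print(mandatory_check(low, None, "write"))                      # False
    # ... but it may still read it: files carry only NO_WRITE_UP.
    print(mandatory_check(low, None, "read"))                       # True
    # A Medium process cannot open a High process for read or write,
    print(mandatory_check(medium, high, "read", PROCESS_POLICY))    # False
    # while the High process can open the Medium one freely.
    print(mandatory_check(high, medium, "write", PROCESS_POLICY))   # True
    print(child_process_level(high, low), default_object_label(high))  # S-1-16-4096 None
```

The last line of the demo is the point the later escalation slides rely on: a High-IL process leaves its files unlabelled, so the only thing standing between a Medium-IL process and those files is the DACL.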
Other restrictions

A process is generally not able to send window messages to higher-integrity processes sharing its desktop (User Interface Privilege Isolation)
Sending such messages requires explicit UI access rights (the uiAccess manifest attribute, honoured only for signed binaries installed in a secure location)
Mechanisms exist to create processes that inherit only some of the user's privileges via the CreateRestrictedToken API, e.g.:
  Removed privileges
  Deny-only SIDs: the SID matches only DENY ACEs, never ALLOW ACEs
  Restricting SIDs: access must also be granted to the restricting SID list
Elevation of process privileges

A launch is elevated (after consent) when one of the following holds:
Installer applications: the file has extension .msi, matches common installer names, or is named SETUP.EXE (installer detection, applied only to 32-bit executables without a manifest)
The application has a compatibility entry (RUNASADMIN layer) in the registry or an entry in the application compatibility database
The manifest contains a requestedExecutionLevel entry with level="requireAdministrator" (or "highestAvailable" when the user is an administrator)
The user manually selects "Run Elevated…" ("Run as administrator" in the released product) by right-clicking the application in Windows Explorer
It is launched by a privileged process without using the restricted-token API
Fixed bug: launched through Task Manager
COM objects configured for elevation in the registry (either built-in or through user consent)
Launching from Windows Explorer

Windows Explorer runs with a restricted (filtered) token at medium integrity level
To launch a process at a higher integrity level it asks the AppInfo (Application Information) service, the admin broker
RunAsAdminProcess is an RPC call into AppInfo, not a system call
AppInfo requests user consent (the consent.exe pop-up box)
On approval it calls CreateProcessAsUser with the user's full token
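The elevation triggers listed above and the Explorer-to-AppInfo hand-off form one decision path, modelled here as an added example that is not code from the slides or from Windows. It re-implements the installer-name heuristic (a simplified version: extension .msi or a name containing setup/install/update, where Vista also inspects version-resource strings), the requestedExecutionLevel manifest check, the RUNASADMIN compatibility layer and the consent hand-off in plain Python. The registry dictionary, the manifests, the function names and the consent callback are constructed stand-ins; the manifest XML layout and the AppCompatFlags\Layers key are the real ones.

```python
"""Added example: model of how a launch from Windows Explorer gets elevated.

Not Windows code. Installer detection, the manifest check, the AppCompat
RUNASADMIN layer and the hand-off to the AppInfo service / consent.exe are
re-implemented as plain Python so the decision path can be followed end to
end; registry, consent prompt and tokens are stand-ins constructed inline.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

LAYERS_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

# Simplified installer-detection rule (assumption): an .msi, or an unmanifested
# executable whose name contains one of these words.
INSTALLER_WORDS = ("setup", "install", "update")


def manifest_execution_level(manifest_xml: Optional[str]) -> Optional[str]:
    """Value of requestedExecutionLevel/@level, or None when there is no
    manifest or no trustInfo section. Namespace-agnostic on purpose, since
    manifests declare trustInfo under asm.v2 or asm.v3."""
    if not manifest_xml:
        return None
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None


def looks_like_installer(exe_path: str) -> bool:
    stem, ext = ntpath.splitext(ntpath.basename(exe_path).lower())
    return ext == ".msi" or any(word in stem for word in INSTALLER_WORDS)


def compat_layer_requires_admin(exe_path: str, registry: Dict[str, Dict[str, str]]) -> bool:
    """RUNASADMIN among the layer flags stored for this path (user hive only here)."""
    flags = registry.get(LAYERS_KEY, {}).get(exe_path, "")
    return "RUNASADMIN" in flags.upper().split()


def elevation_required(exe_path: str, manifest_xml: Optional[str],
                       registry: Dict[str, Dict[str, str]], user_is_admin: bool,
                       run_as_admin_menu: bool = False) -> bool:
    """Decide whether the launch must go through the AppInfo broker."""
    if run_as_admin_menu:              # explicit "Run Elevated..." from the context menu
        return True
    level = manifest_execution_level(manifest_xml)
    if level is not None:              # any manifest switches installer detection off
        return level == "requireAdministrator" or (level == "highestAvailable" and user_is_admin)
    return compat_layer_requires_admin(exe_path, registry) or looks_like_installer(exe_path)


def launch_from_explorer(exe_path: str, manifest_xml: Optional[str],
                         registry: Dict[str, Dict[str, str]], user_is_admin: bool,
                         consent: Callable[[str], bool],
                         run_as_admin_menu: bool = False) -> Optional[dict]:
    """Explorer holds the filtered token at Medium IL. Anything that needs more
    is passed to AppInfo, which runs consent.exe and, on approval, calls
    CreateProcessAsUser with the full token at High IL. Returns the launched
    process as a dict, or None when the user declines."""
    if not elevation_required(exe_path, manifest_xml, registry, user_is_admin, run_as_admin_menu):
        return {"exe": exe_path, "integrity": "Medium", "token": "filtered", "prompted": False}
    # AppInfo side: a protected administrator sees a consent prompt, a
    # standard user a credential prompt; the callback stands in for consent.exe.
    prompt = "consent" if user_is_admin else "credentials"
    if not consent(prompt):
        return None
    return {"exe": exe_path, "integrity": "High", "token": "full", "prompted": True}


# Constructed inputs: a requireAdministrator manifest, an asInvoker one, and a
# registry with one application marked RUNASADMIN through the compatibility layer.
MANIFEST_REQUIRE_ADMIN = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo></assembly>"""
MANIFEST_AS_INVOKER = MANIFEST_REQUIRE_ADMIN.replace("requireAdministrator", "asInvoker")
REGISTRY = {LAYERS_KEY: {r"C:\Apps\legacy.exe": "RUNASADMIN"}}

if __name__ == "__main__":
    yes = lambda prompt: True
    print(launch_from_explorer(r"C:\Downloads\setup.exe", None, REGISTRY, True, yes))
    print(launch_from_explorer(r"C:\Downloads\setup.exe", MANIFEST_AS_INVOKER, REGISTRY, True, yes))
    print(launch_from_explorer(r"C:\Apps\legacy.exe", None, REGISTRY, True, lambda p: False))
```

The second call is the practical lesson: an asInvoker manifest is the documented way to stop a binary named setup.exe from being treated as an installer, which is why installer detection is restricted to unmanifested executables.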
Registry virtualization

Application developers have traditionally assumed administrator privileges
When a legacy application (32-bit, no manifest, not elevated, interactive) tries to write to HKLM\Software and fails for lack of privilege, the write is transparently redirected to a per-user copy under HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE
On reads, the user's VirtualStore copy overrides the system registry for that user
Augmented by file virtualization: failed writes under C:\Program Files and C:\Windows are redirected to
%UserProfile%\AppData\Local\VirtualStore\<same path below the drive root>,
e.g. C:\Program Files\App\settings.ini becomes %UserProfile%\AppData\Local\VirtualStore\Program Files\App\settings.ini
In this fashion, unprivileged applications can modify a private copy of win.ini, for instance
Special virtualization rules apply to low-integrity processes such as IE: the protected-mode compatibility layer sends their writes to the Low-labelled folders and keys instead
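The redirection rules above, as an added example that is not code from the slides or from Windows: a pure-Python model of registry and file virtualization for a legacy process, plus the separate Low-IL redirection the IE7 compatibility layer applies. The VirtualStore locations, the HKLM\Software exclusions and the LocalLow / Temporary Internet Files\Low folders are the real ones; the list of protected directories is a subset, the excluded-extension set is an assumed stand-in for Vista's own list, and the registry hive is a dictionary constructed for the example.

```python
"""Added example: a pure-Python model of Vista's file and registry virtualization.

Not Windows code. Reproduces the redirection applied to a legacy (32-bit,
unmanifested, non-elevated, interactive) process, and the separate redirection
the IE7 protected-mode compatibility layer applies to a Low-IL process.
Exclusion lists are representative, not Vista's exact sets; the "registry"
is a dict built inline.
"""
import ntpath
from typing import Dict, Optional

# Protected directories whose failed writes are redirected (representative subset).
VIRTUALIZED_DIRS = (r"C:\Program Files", r"C:\Windows")
# Executable types are never virtualized: assumed set for this model.
EXCLUDED_EXTS = {".exe", ".dll", ".sys", ".bat", ".scr", ".vbs"}
# HKLM\Software is virtualized except for these subtrees.
VIRTUALIZED_KEY = r"HKLM\Software"
EXCLUDED_KEYS = (r"HKLM\Software\Microsoft\Windows",
                 r"HKLM\Software\Microsoft\Windows NT",
                 r"HKLM\Software\Classes")
VSTORE_KEY = r"HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE"


def _under(path: str, root: str) -> bool:
    return path.lower().startswith(root.lower() + "\\")


def virtualize_file_write(path: str, local_appdata: str, eligible: bool = True) -> Optional[str]:
    """Where a denied write to `path` lands, or None if it simply fails.
    `eligible` summarises the process state: 32-bit, no requestedExecutionLevel
    in its manifest, not elevated, interactive (services are never virtualized)."""
    if not eligible or ntpath.splitext(path)[1].lower() in EXCLUDED_EXTS:
        return None
    for root in VIRTUALIZED_DIRS:
        if _under(path, root):
            _, below_root = ntpath.splitdrive(path)   # VirtualStore mirrors the tree below the drive root
            return ntpath.join(local_appdata, "VirtualStore", below_root.lstrip("\\"))
    return None


def virtualize_registry_write(key: str, eligible: bool = True) -> Optional[str]:
    if not eligible or any(_under(key, ex) or key.lower() == ex.lower() for ex in EXCLUDED_KEYS):
        return None
    if _under(key, VIRTUALIZED_KEY):
        return VSTORE_KEY + key[len(VIRTUALIZED_KEY):]
    return None


def registry_read(key: str, name: str, hive: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Reads see the user's VirtualStore copy first, then the real HKLM key."""
    virt = virtualize_registry_write(key)
    for k in ([virt] if virt else []) + [key]:
        if name in hive.get(k, {}):
            return hive[k][name]
    return None


def legacy_set_value(key: str, name: str, value: str, hive: Dict[str, Dict[str, str]],
                     can_write_hklm: bool = False) -> str:
    """A legacy app's RegSetValue: real write if permitted, else virtualized;
    returns the key actually written. Raises where Vista would fail the call."""
    target = key if can_write_hklm else virtualize_registry_write(key)
    if target is None:
        raise PermissionError(key)
    hive.setdefault(target, {})[name] = value
    return target


def low_il_redirect(path: str, user_profile: str) -> str:
    """IE7 protected mode: the compatibility layer sends a Low-IL process's
    profile writes to the Low-labelled twins of those folders. Paths outside
    them are returned unchanged (and the write then fails the MIC check)."""
    local = ntpath.join(user_profile, "AppData", "Local")
    tif = ntpath.join(local, "Microsoft", "Windows", "Temporary Internet Files")
    if _under(path, tif):
        return ntpath.join(tif, "Low", path[len(tif) + 1:])
    if _under(path, local):
        return ntpath.join(user_profile, "AppData", "LocalLow", path[len(local) + 1:])
    return path


if __name__ == "__main__":
    hive = {r"HKLM\Software\LegacyApp": {"Setting": "machine-default"}}
    print(legacy_set_value(r"HKLM\Software\LegacyApp", "Setting", "my-value", hive))
    print(registry_read(r"HKLM\Software\LegacyApp", "Setting", hive))  # my-value, from the VirtualStore
    print(virtualize_file_write(r"C:\Windows\win.ini", r"C:\Users\alice\AppData\Local"))
```

Two details matter for anyone auditing such a system: the Run keys under HKLM\Software\Microsoft\Windows are excluded, so a legacy app cannot silently "install" a machine-wide startup entry into its own VirtualStore, and a second user reading the same key still sees the machine value because the VirtualStore copy lives in the first user's hive.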
IE7 in Protected Mode (diagram)

IE7 in protected mode runs at Low IL behind a compatibility layer built on the integrity mechanism. Operations that need only low rights run inside IE itself; operations that need user rights are passed to the user broker IEUser.exe (Medium IL); operations that need administrative rights are passed to the admin broker IEInstal.exe (High IL).
Registry protection

Not only files are protected, but registry entries too (Windows Resource Protection)
Modifications of system files are made only through the TrustedInstaller service
The TrustedInstaller is called for updates and only accepts signed updates
Resolves a major security issue with earlier Windows versions
Privilege escalation

Processes of the same user can be running with medium or high integrity
Since a medium-integrity process can write to the current user's registry, it can modify entries that control the behaviour of the same user's high-integrity processes (if those processes read their configuration from that user's registry)
By default, user processes and files have medium integrity, while IE7 (as before) runs at low integrity
Examples of privilege escalation from low → medium → high → LocalSystem are provided by Matthew Conover, Principal Security Researcher, Symantec Corporation, in "Analysis of the Windows Vista Security Model", a Symantec Advanced Threat Research technical report
Low to Medium

IE7 at low integrity cannot write files in the user's profile or the medium-integrity area of the user's registry, including adding startup items
But it may be able to connect through the loopback interface to a file-sharing service and achieve the same result: the server creates a fresh token for the network logon, so the client's low integrity label does not follow the request
Medium to High

A medium-integrity program runs in the background watching for elevation requests (consent.exe being launched)
When one occurs, it checks whether it has write access to the executable about to be elevated
If so, it overwrites that executable with its own malicious code
The user approves the prompt and the malicious code is launched with high privileges
High to LocalSystem

If the high-integrity process launched is not LUA restricted, it can:
  Take ownership of securable objects
  Change all registry ACLs to grant administrators full rights to modify the system
  Patch libraries to disable signature checking of system files
  Modify the operating system arbitrarily
There is no longer real-time monitoring of modifications to system files
Still, overall a much stronger security architecture than earlier versions of Windows