WCI 442
WindowsWindows VistaVista SystemSystem IntegrityIntegrity TechnologiesTechnologies Why? TheThe badbad guysguys areare everywhere!everywhere!
They literally want to do you harm Threats exist in two interesting places— Online: system started and shows a login screen or a user is logged in Offline: system is powered down or in hibernation Policies must address both CoolCool stuff!stuff!
CodeCode integrity:integrity: protectionprotection againstagainst onlineonline attackattack BitLockerBitLocker (secure(secure startup):startup): protectionprotection againstagainst offlineoffline attackattack WindowsWindows serviceservice hardeninghardening MandatoryMandatory integrityintegrity controlcontrol InternetInternet ExplorerExplorer protectedprotected modemode Protect the OS When Running TheThe threatsthreats
TrojanTrojan thatthat replacesreplaces aa systemsystem filefile toto installinstall aa rootkitrootkit andand taketake controlcontrol ofof thethe computercomputer (e.g.(e.g. FunFun LoveLove oror othersothers thatthat useuse rootroot kits)kits) OfflineOffline attackattack causedcaused byby bootingbooting anan alternatealternate operatingoperating systemsystem andand attemptingattempting toto corruptcorrupt oror modifymodify WindowsWindows kernelkernel filesfiles ThirdThird--partyparty kernelkernel driversdrivers thatthat areare notnot securesecure RogueRogue administratoradministrator whowho changeschanges kernelkernel modemode codecode toto hidehide otherother actsacts CodeCode integrityintegrity
ValidatesValidates thethe integrityintegrity ofof certaincertain OSOS filesfiles Implemented as a file system filter driver Hashes stored in system catalog or in X.509 certificate embedded in file AlsoAlso validatesvalidates thethe integrityintegrity ofof thethe bootboot processprocess Checks the kernel, the HAL, boot-start drivers IfIf validationvalidation fails,fails, imageimage wonwon’’tt loadload WhatWhat doesdoes itit check?check?
AllAll kernelkernel modemode codecode ((x64x64 onlyonly)) AllAll codecode loadedloaded intointo aa protectedprotected processprocess ModulesModules implementingimplementing cryptographiccryptographic functionsfunctions ModulesModules loadedloaded intointo thethe softwaresoftware licensinglicensing serviceservice MoreMore onon kernelkernel modemode codecode x64 All kernel mode code must be signed or it won’t load Third-party code must be WHQL-certified or contain a certificate from a Microsoft CA No exceptions, period Applies to drivers, utilities, anything in the kernel x32 Signing applies only to drivers shipped with Windows Can control by policy what to do with third-party Other unsigned kernel mode code will load MoreMore onon protectedprotected processesprocesses
OnlyOnly oneone rightright now:now: MediaMedia FoundationFoundation
LoadedLoaded binariesbinaries areare codecscodecs Microsoft-supplied: signed by Microsoft Third-party: signed by a Windows Media DRM certificate AffectsAffects potentialpotential playbackplayback ofof nextnext--generationgeneration highhigh definitiondefinition protectedprotected contentcontent Content and/or playback app control what to do in presence of unsigned kernel mode drivers CodeCode integrityintegrity nonnon--goalsgoals
ProtectingProtecting fromfrom attackersattackers withwith physicalphysical accessaccess VerifyingVerifying thethe integrityintegrity ofof NTLDRNTLDR Requires secure startup on TPM-enabled machines Requires read-only fixed media otherwise SupportingSupporting rebindingrebinding oror hotpatchinghotpatching These change the on-disk image CI will work if patch includes updated hash OnlineOnline checkschecks atat bootboot--timetime forfor revocationrevocation listslists Revocation list updated after boot and stored locally Protect the OS When Not Running TheThe threatsthreats
ComputerComputer isis lostlost oror stolenstolen Theft or compromise of data Attack against corporate network DamageDamage toto OSOS ifif attackerattacker installsinstalls alternatealternate OSOS DifficultDifficult andand timetime--consumingconsuming toto trulytruly eraseerase decommissioneddecommissioned disksdisks ExistingExisting waysways toto mitigatemitigate thesethese threatsthreats areare tootoo easyeasy forfor useruser toto circumventcircumvent SecureSecure startupstartup ((““BitLockerBitLocker””))
Ensure boot Resilient Protect system from offline integrity against attack software-based attacks Lock tampered Prevent boot if monitored files systems have been altered Protect data Encrypt user All data on the volume is when offline data and encrypted: user, system, page, system files hibernation, temp, crash dump Umbrella Third-party apps benefit when protection installed on encrypted volume Ease Simplify Render data useless by deleting equipment recycling TPM key store recycling Speed data Decommissioning takes seconds, deletion not hours WonWon’’tt EFSEFS protectprotect me?me?
YesYes——forfor thosethose whowho knowknow whatwhat theythey’’rere doingdoing UsersUsers oftenoften storestore datadata onon thethe desktopdesktop——isis itit EFSed?EFSed? EFSEFS doesndoesn’’tt protectprotect thethe operatingoperating systemsystem EFSEFS isis veryvery strongstrong againstagainst attacksattacks Four levels of key protection Properly configured, EFS is computationally infeasible to crack EncryptionEncryption scenariosscenarios
BitLocker EFS RMS Laptops Branch office servers Local single user file protection (Windows partition only) Local multi-user file protection Remote file protection Untrusted administrator Remote document policy enforcement OSOS coco--existenceexistence
BitLockerBitLocker encryptsencrypts WindowsWindows volumevolume onlyonly YouYou wonwon’’tt bebe ableable toto dualdual--bootboot anotheranother OSOS onon thethe samesame volumevolume OSesOSes onon otherother volumesvolumes willwill workwork finefine DataData onon protectedprotected volumevolume isis unavailableunavailable outsideoutside thethe OSOS AttemptsAttempts toto modifymodify thethe protectedprotected WindowsWindows volumevolume willwill renderrender itit unbootableunbootable EnablingEnabling BitLockerBitLocker
CreateCreate aa 1.5GB1.5GB activeactive partitionpartition This becomes your “system” partition—where OS boots The TPM boot manager uses only 50MB Windows runs from on your “boot” partition—where the system lives InitializeInitialize TPMTPM chipchip ifif youyou’’rere usingusing itit In management console or BIOS EnableEnable BitLockerBitLocker inin SecuritySecurity CenterCenter Update hard disk MBR Encrypt Windows “boot” partition RecoveryRecovery optionsoptions
UsefulUseful inin casecase ofof somesome kindkind ofof hardwarehardware failurefailure ItIt’’ss aa password;password; storedstored inin differentdifferent waysways—— Removable media Printed Active Directory
Also,Also, serviceservice packspacks andand driverdriver upgradesupgrades triggertrigger aa loaderloader thatthat recomputesrecomputes andand resealsreseals TPMTPM secretssecrets CanCan useuse TPMTPM 1.21.2 chipchip
MicrocontrollerMicrocontroller affixedaffixed toto motherboardmotherboard StoresStores keyskeys andand digitaldigital certificatescertificates ForFor BitLocker,BitLocker, TPMTPM storesstores storagestorage rootroot keykey SRK decrypts volume encryption key only when system boots normally; compares each boot process against previously stored measurements No user interaction or visibility (unless you require a PIN or additional start-up key) Recovery key can be archived in Active Directory for the inevitable “omg” moment Prohibits meaningful use of software debuggers during boot TPMTPM architecturearchitecture
PCR[15] Reset all registers, transfer execution to PCR[14] PCR[14] Core Root of Trust Measurement PCR[13] PCR[12] Measure next stage of firmware into PCR[0] PCR[11] and data into PCR[1] PCR[10] Hardware test and configuration PCR[9] Code always measured first, then executed PCR[8] PCR[7] New PCR value is SHA-1 hashed then PCR[6] concatenated with previous hash; PCR[5] permanently written to PCR PCR[4] Option ROMs and data into PCR[2] and [3] Platform Configuration Registers Platform Configuration Platform Configuration Registers Platform Configuration PCR[3] PCR[2] MBR into PCR[4], partition table in PCR[5] PCR[1] PCR[0] TPMTPM architecturearchitecture
PCR[15] MBR takes over; loads first sector of active PCR[14] PCR[14] boot partition into memory; measures first PCR[13] PCR[12] 512 bytes into PCR[8] PCR[11] Boot sector loads; measures remainder into PCR[10] PCR[9] and transfers execution PCR[9] PCR[9] Boot code measures BOOTMGR into PCR[8] Boot code measures BOOTMGR into PCR[7] PCR[10] and transfers execution PCR[6] Any additional boot applications must load PCR[5] only from BitLocker volume PCR[4] PCR[4] BitLocker keys are in PCR[11] Platform Configuration Registers Platform Configuration Platform Configuration Registers Platform Configuration PCR[3] PCR[2] Finally, BOOTMGR transfers control to PCR[1] operating system; OS checks integrity of all PCR[0] executables loaded TPMTPM architecturearchitecture
PCR[15] TPM measures all code and reports results PCR[14] PCR[13] PCR[12] Default BitLocker consumption: 4,8,9,10,11 PCR[11] PCR[10] PCR[9] You can add others, with caveats PCR[8] Option ROMs in 2,3 PCR[7] Any change invalidates the PCRs PCR[6] Includes inserting smartcard reader or USB drive PCR[5] BIOS ROMs in 0,1 PCR[4] Reflashing BIOS invalidates the PCRs Platform Configuration Registers Platform Configuration Platform Configuration Registers Platform Configuration PCR[3] PCR[2] PCR[1] PCR[0] BitLockerBitLocker cancan’’tt stopstop everythingeverything
HardwareHardware debuggersdebuggers OnlineOnline attacksattacks——BitLockerBitLocker isis concernedconcerned onlyonly withwith thethe systemsystem’’ss startupstartup processprocess PostPost logonlogon attacksattacks SabotageSabotage byby administratorsadministrators PoorPoor securitysecurity maintenancemaintenance DeploymentDeployment considerationsconsiderations
RequiresRequires hardwarehardware andand softwaresoftware upgradesupgrades Phase in, start with high priority computers MostlyMostly aa featurefeature forfor laptopslaptops AlsoAlso considerconsider forfor desktopdesktop computerscomputers inin insecureinsecure environmentsenvironments (factory(factory floor,floor, kiosk,kiosk, ……)) EnterpriseEnterprise keykey managementmanagement Protect Services From Exploit TheThe threatsthreats
RememberRemember Blaster?Blaster? Took over RPCSS—made it write msblast.exe to file system and added run keys to the registry NoNo softwaresoftware isis perfect;perfect; someonesomeone stillstill mightmight findfind aa vulnerabilityvulnerability inin aa serviceservice MalwareMalware oftenoften lookslooks toto exploitexploit suchsuch vulnerabilitiesvulnerabilities ServicesServices areare attractiveattractive Run without user interaction Many services often have free reign over the system— too much access Most services can communicate over any port ServiceService hardeninghardening
Service Move service from LocalSystem to something less refactoring privileged If necessary, split service so that only the part requiring LocalSystem receives that Service Enables service to restrict its behavior profiling Resources can have ACLs that allow the service’s ID to access only what it needs Also includes rules for specifying required network behavior
It’s about the principle of least privilege— it’s good for people, and it’s good for services RefactoringRefactoring
Ideally,Ideally, removeremove thethe serviceservice outout ofof LocalSystemLocalSystem If it doesn’t perform privileged operations Make ACL changes to registry keys and driver objects Otherwise,Otherwise, splitsplit intointo twotwo piecespieces The main service The bits that perform privileged operations Authenticate the call between them
Main service Privileged runs as LocalService LocalSystem
Memory SVCHOSTSVCHOST groupgroup refactoringrefactoring
Windows XP Service Pack 2 Windows Vista LocalSystem Wireless Configuration RemoteAccess LocalSystem Removable Storage WMI System Event DHCP Client Network restricted WMI Perf Adapter App Management Notification W32time Automatic updates Secondary Logon Network Connections Rasman TrkWks COM+ Event System Browser LocalSystem BITS NLA 6to4 Demand started Rasauto Help and Support Network Service DNS Client Browser Shell Hardware Task Scheduler Restricted ICS 6to4 Detection Detection TrkWks RemoteAccess Task scheduler Themes Themes Cryptographic DHCP Client IPSEC Services Telephony Services W32time Server Windows Audio Removable Storage Rasman Cryptographic Error Reporting WMI Perf Adapter NLA Services Workstation Automatic updates Local Service Wireless Network ICS WMI Restricted Configuration Connections BITS App Management No network access System Event Rasauto Secondary Logon Notification Themes Network DNS Client Shell Hardware COM+ Event Service Detection System Local SSDP Local Service Telephony Error Reporting Service WebClient Restricted Windows Audio Event Log TCP/IP NetBIOS helper TCP/IP NetBIOS Workstation Remote Registry helper Remote Registry WebClient SSDP ProfilingProfiling
EveryEvery serviceservice hashas aa uniqueunique serviceservice identifieridentifier calledcalled aa ““serviceservice SIDSID”” S-1-80-
SCM adds the SID to service process’s token
SCM creates write- restricted token
SCM removes unneeded privileges from process token
Service places ACL on resource—only service can write to it Example:Example: eventevent loglog
Write- Eventlog ACL restricted Eventlog:W SysEvent.evt service token RestrictingRestricting services:services: knowknow thisthis
AA restrictablerestrictable serviceservice willwill setset twotwo propertiesproperties (stored(stored inin thethe registry)registry)—— One to indicate that it can be restricted One to show which privileges it requires
Note! This is a voluntary process. The service is choosing to restrict itself. It’s good development practice because it reduces the likelihood of a service being abused by malware, but it isn’t a full-on system- wide restriction mechanism. Third-party services can still run wild and free… NetworkNetwork enforcementenforcement scenariosscenarios
No ports Services that neither listen nor connect Fixed ports Services that listen or send on known fixed ports should be constrained to those ports only Configurable Administrator configures port in service’s ports administration UI; network rules and firewall automatically update their own configurations Dynamic Services that listen or send on dynamically- ports allocated ports AuditingAuditing
ManagementManagement eventsevents Initial rules configuration Rule changes Rule deletions EnforcementEnforcement eventsevents Traffic allowed Traffic denied InteractionInteraction withwith hosthost firewallsfirewalls
Configuration changes global vuln implemented immediately mitigations and Rules can’t be disabled by system lockdowns WF or third-party network Rules can’t be stopped enforcement while services are running rules For dynamic ports, netenf pushes configuration to host WF firewall rules ExampleExample rulesrules
Block any network access for BFE "V2.0; Action=Block; App=%windir%\System32\svchost.exe; Svc=bfe; Name=Block any traffic to and from bfe;“
Allow outbound PolicyAgent traffic "V2.0; Action=Allow; Dir=Out; RPort=389; Protocol=tcp; Protocol=udp; App=%windir%\System32\svchost.exe; Svc=PolicyAgent; Name=Allow PolicyAgent tcp/udp LDAP traffic to AD;“ "V2.0; Action=Block; App=%windir%\System32\svchost.exe; Svc=PolicyAgent; Name=Block any other traffic to and from PolicyAgent;“
Allow inbound/outbound traffic to Rpcss "V2.0; Action=Allow; Dir=Out; RPort=135; Protocol=tcp; Protocol=udp; App=%windir%\System32\svchost.exe; Svc=rpcss; Name=Allow outbound rpcss tcp/udp traffic;“ "V2.0; Action=Allow; Dir=in; LPort=135; Protocol=tcp; Protocol=udp; App=%windir%\System32\svchost.exe; Svc=rpcss; Name=Allow inbound tcp/udp rpcss;“ "V2.0; Action=Block; App=%windir%\System32\svchost.exe; Svc=rpcss; Name=Block any other traffic to and from rpcss;" Protect the OS and Data from Unknown Code TheThe threatsthreats
AA useruser unknowinglyunknowingly runsruns codecode fromfrom anan unknownunknown sourcesource thatthat attemptsattempts toto modifymodify oror deletedelete filesfiles CodeCode runningrunning asas LUALUA attemptsattempts aa locallocal elevationelevation ofof privilegeprivilege byby injectinginjecting codecode intointo aa processprocess runningrunning asas administratoradministrator TrojansTrojans thatthat attemptattempt toto executeexecute withwith fullfull administratoradministrator privilegeprivilege SystemSystem codecode readsreads datadata fromfrom thethe InternetInternet (an(an untrustworthyuntrustworthy source)source) thatthat containscontains corruptcorrupt datadata designeddesigned toto elevateelevate privilegeprivilege byby exploitingexploiting aa bugbug MandatoryMandatory integrityintegrity controlcontrol
MethodMethod toto preventprevent lowlow--integrityintegrity codecode fromfrom modifyingmodifying highhigh--integrityintegrity codecode Protect TCB files and data from modification by privileged users Protect user data from modification by unknown malicious code Protect processes running as privileged user from modification by processes running as standard user under the same user SID ClassicalClassical computercomputer securitysecurity conceptconcept knownknown sincesince thethe 1970s1970s Lots of recent work in various operating systems DonDon’’tt confuseconfuse withwith codecode integrityintegrity
CI Verifies code during module loading MIC Implements a type of information flow policy Implements an enforcement mechanism Integrity level changes trigger a security audit event
Mandatory integrity control policy is based on trustworthiness. Subjects with low degrees of trustworthiness can’t change data of a higher degrees. Subjects with high degrees of trustworthiness can’t be forced to rely on data of lower degrees. TheThe limitationslimitations ofof DACLsDACLs
NoNo protectionprotection ofof systemsystem stabilitystability Third-party installers redistribute system binaries Want to stop this, even if run by administrator NoNo protectionprotection fromfrom trickytricky softwaresoftware Non-savvy users can be convinced to install malware Runs with full capabilities of user WeakensWeakens powerpower ofof UACUAC Can’t distinguish limited version from full (possibly administrator) version of user Both versions have same user SID DefinedDefined integrityintegrity levelslevels
System High Medium Low Untrusted 0x4000 0x3000 0x2000 0x1000 0 Local Local Service Standard user World Anonymous System Network tokens (Everyone) Service Authenticated Elevated Users (full) user tokens
Shell runs here MICMIC expressionexpression
AddAdd anan integrityintegrity SIDSID toto aa useruser tokentoken atat logonlogon S-1-16-
DuringDuring accessaccess check,check, verifyverify thethe useruser passespasses integrityintegrity checkcheck againstagainst anan objectobject forfor writewrite accessaccess However, can add ACE to DACL to deny read access to low integrity users (more on this later) UserUser mustmust dominatedominate objectobject toto obtainobtain writewrite accessaccess User/process level >= object level All users pass integrity check for reading and executing MICMIC trumpstrumps DACLDACL If the DACL lets you write, but you don’t dominate the object, your write fails ConsiderConsider fourfour scenariosscenarios An attachment arrives in mail. While saving, file is written with low integrity. When executed, it runs at low integrity and can’t write to user’s data. MIC prevents process from performing capabilities at user’s level. IE downloads file from site in Internet zone. IE process that writes file to TIF runs at low integrity; thus file is receives low integrity. MIC doesn’t trust content or code from the Internet. A malicious program is running at standard user X and attempts to open process running as privileged user X for write, to bypass UAC and execute code will full privileges. MIC stops this because desired access is write. Admin (IL=high) runs downloaded program. Process runs as standard admin (IL=medium). MIC prevents processes from write-accessing resources ACLed for the administrator. ProcessesProcesses alsoalso affectedaffected
WhenWhen useruser launcheslaunches .EXE,.EXE, processprocess receivesreceives lowerlower ofof useruser’’ss oror filefile’’ss integrityintegrity levellevel (if(if itit hashas one)one) Process never runs higher than file, regardless of IL of user who started it Protects even administrators from malicious actions of downloaded code Also protects any user data, whose level is typically that of the user—it’s higher than the code ControlledControlled byby AISAIS (app(app installerinstaller service)service) Check ILs of user and file Adjust process IL accordingly Impersonate user with correct IL and continue creation ModifyingModifying integrityintegrity levelslevels
TokenToken cancan lowerlower itsits ownown levellevel Not reversible Only a TCB caller can raise SecureSecure InputInput Default: UI ring SID = object integrity SID TCB caller can elevate token UI ring Typically necessary for accessibility utilities—can now control UI but not bypass MIC control of object access ButBut II wantwant toto administeradminister mymy box!box!
FullFull privilegeprivilege tokens,tokens, includingincluding membersmembers ofof thethe locallocal AdministratorsAdministrators group,group, areare controlledcontrolled byby MICMIC Can’t delete files if their level is system Can’t lower the level of objects or files BuiltBuilt--inin ““AdministratorAdministrator”” accountaccount hashas anan additionaladditional privilegeprivilege Grants caller access to object Could grant to other users, but be careful! Granting and use of privilege is audited DenyingDenying readread accessaccess
CanCan useuse denydeny ACEACE toto preventprevent lowerlower levellevel principalsprincipals fromfrom readingreading oror executingexecuting higherhigher levellevel objectsobjects GoodGood forfor administratoradministrator programsprograms Set IL to high Add deny ACE for anything with a lower IL Prevents malware running at lower level from attempting to call admin tools UnlabeledUnlabeled objectsobjects
SystemSystem assumesassumes defaultdefault MICMIC ofof mediummedium duringduring accessaccess checkcheck PreventsPrevents untrustworthyuntrustworthy codecode runningrunning atat lowlow fromfrom modifyingmodifying unlabeledunlabeled objectsobjects Regardless of DACL OSOS filesfiles areare unlabeledunlabeled Protected from modification with an ACL
ObjectsObjects withoutwithout aa SIDSID havehave nono MICMIC considerationconsideration NonNon--goalsgoals
ProvideProvide forfor confidentialityconfidentiality ofof datadata This is the Bell-LaPadula model Although with no-read-up ACEs, you can use MIC to achieve similar behavior PreventPrevent highhigh ILIL processesprocesses fromfrom readingreading datadata atat aa lowerlower ILIL ifif thethe policypolicy allowsallows thatthat ImplementImplement dynamicdynamic integrityintegrity PreventPrevent offlineoffline attacksattacks throughthrough modificationsmodifications ofof ILsILs onon filesfiles But BitLocker could help here… Protect the OS from the Internet TheThe threatsthreats
Alas,Alas, mostmost WindowsWindows usersusers stillstill runrun asas adminadmin Meaning: the Internet runs as admin on your PC! ““DriveDrive--byby”” installsinstalls ofof spywarespyware andand virusvirus codecode ExploitsExploits ofof vulnerabilitiesvulnerabilities givegive attackersattackers fullfull remoteremote accessaccess EvenEven nonnon--adminsadmins stillstill vulnerablevulnerable toto maliciousmalicious destructiondestruction ofof personalpersonal datadata InternetInternet ExplorerExplorer protectedprotected modemode
BuiltBuilt onon mandatorymandatory integrityintegrity controlcontrol Internet Explorer runs at low integrity level ReduceReduce thethe severityseverity ofof threatsthreats toto IEIE addadd--onsons EliminateEliminate thethe silentsilent installinstall ofof maliciousmalicious codecode throughthrough softwaresoftware vulnerabilitiesvulnerabilities PreservePreserve compatibilitycompatibility wheneverwhenever possiblepossible ProvideProvide thethe capabilitycapability andand guidanceguidance forfor addadd--onsons toto restorerestore functionalityfunctionality MinimizeMinimize requiredrequired useruser involvementinvolvement SometimesSometimes calledcalled ““lowlow--rightsrights IEIE”” ProtectedProtected modemode summarysummary
RestrictsRestricts IEIE fromfrom writingwriting outsideoutside ofof thethe TemporaryTemporary InternetInternet FilesFiles (TIF)(TIF) folderfolder IE’s process has lower write privileges than LUA It builds on the Mandatory Integrity Control (MIC) which restricts writes to higher integrity folders ProtectedProtected modemode usesuses COMCOM toto callcall twotwo newnew brokerbroker processesprocesses whichwhich allowallow IEIE toto writewrite outsideoutside ofof thethe TIFTIF AA compatibilitycompatibility layerlayer allowsallows addadd--onsons toto elevateelevate
This is not a “sandboxing” technology. IE is refactored into a multi-process application, with varying ILs for each process. RefactoringRefactoring IEIE
IL=high if admin IEUser IL=medium otherwise
Intranet/Trusted Zone Internet Zone IL=medium IL=low LP IE LP IE Separate TIF
IEPolicy IL=high
Again:Again: thethe principleprinciple ofof leastleast privilegeprivilege RefactoringRefactoring atat thethe processprocess levellevel——moremore efficientefficient andand lessless expensiveexpensive thanthan aa virtualvirtual machinemachine ComponentsComponents andand zoneszones
Operation Requirements Process URL navigation and HTML rendering Least privilege LP IE Low integrity Managing user-controlled settings Least privilege IEUser Medium integrity Enforcing policy in downloaded code Full privilege IEPolicy Initiating execution High integrity (service)
Operation LP IE low LP IE medium Files downloaded in zone Low IL Medium IL Modify outside TIF No Yes Interact with other apps on desktop No Yes Inject DLL and create remote thread No Yes Renders HTML files in local zone Yes Yes InstallingInstalling fromfrom thethe WebWeb greatstuff.com Run with full privs? Trust GreatStuff? AIS Run? full priv
LP IE IEPolicy greatstuff.exe
…\My Docs\greatstuff.exe IL=high if admin IL=medium otherwise \Progs\GS\stuff.exe …\TIF\greatstuff.exe stuff.dll IL=low IL=high InIn--procproc compatibilitycompatibility layerlayer
RedirectsRedirects filefile andand registryregistry keykey writeswrites toto newnew lowlow integrityintegrity locationslocations—— HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual AddedAdded toto thethe locationlocation IEIE isis tryingtrying
If IE tries to write here… …it gets redirected here HKCU\Software\FooBar HKCU\Software\MS\IE\Low Rights\Virtual\Software\FooBar C:\Documents and C:\Documents and Settings\%user Settings\%user profile%\Local profile%\FooBar Settings\Temporary Internet Files\Virtual\FooBar SteveSteve RileyRiley [email protected] http://blogs.technet.com/steriley
www.protectyourwindowsnetwork.com
ThanksThanks veryvery much!much! © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.