Under the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanisms
02/11/2014
Defcon Russia (DCG #7812)
Who we are
/*
Vasily Bukasov – Security researcher, ReCrypt LLC CTO and co-founder
Dmitry Schelkunov – PhD, Security researcher, ReCrypt LLC CEO and co-founder
*/
Agenda
/*
• HIPS – Host-Based Intrusion Prevention System
• HIPS implementation approaches for Windows:
– Virtualization
– Hooks-based (old school)
– Based on Windows access control mechanisms (new trend)
– Mix of the previous two (pizza )
*/
Part I. Introduction to the Windows access control mechanisms
Security identifier
/*
• SID (security identifier) is a unique identifier within a single machine, which identifies a subject
• Logon SID is a SID which is created by Winlogon for each interactive logon session (S-1-5-5-0-xxxxx)
*/
Integrity Level
/*
• Untrusted – 0x0000
• Low – 0x1000
• Medium – 0x2000
• High – 0x3000
• System – 0x4000
*/
Access token
/*
• Identifies the security context of a process or thread
• Contains, or references, the following information: session ID, integrity level, account, groups, privileges associated with the process or thread, etc.
*/
Access token
/*
• Restricted token
– Some privileges can be removed
– SIDs in the token can be marked as deny-only
– SIDs in the token can be marked as restricted
• Filtered admin token (Restricted token variation)
– Integrity level is set to medium
– Administrator-like SIDs are marked as deny-only
– Most privileges are stripped
– Is used by UAC
*/
Security descriptor
/*
• Security information associated with an object, which specifies who can perform what actions on the object
• Includes two access control lists (ACLs): discretionary (DACL) and system (SACL)
*/
Access checks
/*
• Mandatory access control (uses integrity levels)
• Discretionary access control (uses DACL-es)
*/
Mandatory policies
/*
• No-Write-Up (on all objects) – used to restrict write access coming from a lower integrity level process to the object
• No-Read-Up (on process objects) – used to restrict read access coming from a lower integrity level process to the object
• No-Execute-Up (on binaries implementing COM classes) – used to restrict execute access coming from a lower integrity level process to the object
*/
Mandatory access control
/*
With the default integrity policies, processes can open any object—with the exception of process, thread and token objects—for read access as long as the object’s DACL grants them read access
*/
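An added model of the mandatory integrity check that the "Integrity Level", "Mandatory policies" and "Mandatory access control" slides describe. It is illustrative Python written for this transcript, not Windows code and not the authors' material: the level values are the slide's, the policy names follow the slides, while the policy bit values, the object-kind strings and the function names are this example's own assumptions. It shows which accesses the default policy stops before the DACL is even consulted.

```python
# Added model of the Windows mandatory integrity check (illustrative Python, not
# Windows code). Level values come from the "Integrity Level" slide; policy names
# follow the "Mandatory policies" slide; bit values, object-kind strings and
# function names are this example's own assumptions.

# Integrity levels (RID values from the slide)
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000

# Mandatory label policy flags (bit values are arbitrary in this model)
NO_WRITE_UP = 0x1
NO_READ_UP = 0x2
NO_EXECUTE_UP = 0x4

# Generic access classes the mandatory policy distinguishes
READ, WRITE, EXECUTE = "read", "write", "execute"

# Which policy flag blocks which access class when the subject is below the object
_BLOCKING_FLAG = {WRITE: NO_WRITE_UP, READ: NO_READ_UP, EXECUTE: NO_EXECUTE_UP}


def default_policy(object_type):
    """Default mandatory policy for an object kind, as the deck summarises it.

    No-Write-Up is applied to all objects; No-Read-Up to process objects (and,
    per the "Mandatory access control" slide, thread and token objects as well);
    No-Execute-Up to binaries implementing COM classes.
    """
    policy = NO_WRITE_UP
    if object_type in ("process", "thread", "token"):
        policy |= NO_READ_UP
    if object_type == "com_binary":
        policy |= NO_EXECUTE_UP
    return policy


def mandatory_check(subject_il, object_il, access, object_type, policy=None):
    """Return True if the mandatory label lets `access` proceed to the DACL check.

    The label only restricts a subject whose integrity level is *below* the
    object's; an equal or higher level always passes this stage.
    """
    if policy is None:
        policy = default_policy(object_type)
    if subject_il >= object_il:
        return True
    return not (policy & _BLOCKING_FLAG[access])


def explain(subject_il, object_il, access, object_type):
    """One-line verdict, useful when walking through the slide's cases."""
    verdict = "allowed" if mandatory_check(subject_il, object_il, access, object_type) else "denied"
    return (f"{access} on {object_type} at IL {object_il:#06x} from IL {subject_il:#06x}: "
            f"{verdict} by the mandatory policy")


if __name__ == "__main__":
    # A Low-IL process (e.g. one running under a lowbox or low-integrity restricted
    # token) probing Medium-IL objects owned by the interactive user.
    cases = [
        (LOW, MEDIUM, WRITE, "file"),          # No-Write-Up: denied
        (LOW, MEDIUM, READ, "file"),           # files carry no No-Read-Up: the DACL decides
        (LOW, MEDIUM, READ, "process"),        # No-Read-Up on processes: denied
        (LOW, MEDIUM, EXECUTE, "com_binary"),  # No-Execute-Up: denied
        (MEDIUM, MEDIUM, WRITE, "process"),    # equal level: mandatory stage passes
    ]
    for case in cases:
        print(explain(*case))
```

Note that a pass through `mandatory_check` is not a grant: the quoted sentence from Windows Internals holds only "as long as the object's DACL grants them read access", so the discretionary check still follows.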
Discretionary access control
/*
• For each object there is a list of entries. Each entry specifies access rights allowed or denied for a subject
• Order of the entries does matter
*/
Impersonation
/*
• Roughly, impersonation is a mechanism that makes it possible to execute code in the security context of a target process
• Two interesting impersonation properties
– The integrity level of the current thread must be greater than or equal to the target process's one
– The target process's token must be read-accessible from the current thread
*/
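An added example, not part of the original talk, that models the discretionary access check from the "Discretionary access control" slide together with the restricted-token properties (deny-only and restricted SIDs) from the "Access token" slide and the two impersonation conditions just listed. The `Ace` and `Token` classes, the access-mask values and every sample token and DACL are constructed for this example; only the well-known SIDs (Administrators, Users, RESTRICTED CODE) are real values. "Read-accessible" for the target token is modelled as TOKEN_QUERY plus READ_CONTROL, an assumption the slide does not spell out.

```python
from dataclasses import dataclass, field

# Added model (illustrative Python, not Windows code) of the discretionary access
# check, restricted-token SID handling and the impersonation conditions described
# on the "Access token", "Discretionary access control" and "Impersonation"
# slides. Right names mirror Win32 names; their numeric values, the classes and
# every sample token/DACL are this example's own constructions.

TOKEN_DUPLICATE = 0x0002
TOKEN_IMPERSONATE = 0x0004
TOKEN_QUERY = 0x0008
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

# Well-known SIDs (real values): Administrators, Users, RESTRICTED CODE
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
RESTRICTED_CODE = "S-1-5-12"


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    user: str
    groups: set = field(default_factory=set)      # enabled group SIDs
    deny_only: set = field(default_factory=set)   # SIDs marked deny-only ("Access token" slide)
    restricted: set = field(default_factory=set)  # restricting SIDs; non-empty means a restricted token
    integrity_level: int = 0x2000                 # Medium unless stated otherwise

    def enabled_sids(self):
        return {self.user} | self.groups


def _walk(dacl, sids, deny_only, desired):
    """One ordered walk over a DACL.

    Deny ACEs match enabled and deny-only SIDs; allow ACEs match enabled SIDs
    only. A deny only counts for rights not already granted by an earlier
    allow, which is why the order of the entries matters.
    """
    granted = 0
    for ace in dacl:
        if ace.kind == "deny" and (ace.sid in sids or ace.sid in deny_only):
            if ace.mask & desired & ~granted:
                return False
        elif ace.kind == "allow" and ace.sid in sids:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def access_check(dacl, token, desired):
    """Discretionary check of `desired` rights against an ordered DACL.

    `None` stands for a NULL DACL (no protection at all); an empty list denies
    everyone. A restricted token must be granted the rights twice: once through
    its normal SIDs and once through its restricting SIDs.
    """
    if dacl is None:
        return True
    if not _walk(dacl, token.enabled_sids(), token.deny_only, desired):
        return False
    if token.restricted:
        return _walk(dacl, token.restricted, set(), desired)
    return True


def can_impersonate(thread_token, target_token, target_token_dacl):
    """The two impersonation properties from the slide: the thread's integrity level
    must be >= the target process's, and the target's token must be read-accessible
    to the thread (modelled here as TOKEN_QUERY | READ_CONTROL, an assumption)."""
    if thread_token.integrity_level < target_token.integrity_level:
        return False
    return access_check(target_token_dacl, thread_token, TOKEN_QUERY | READ_CONTROL)


# --- constructed sample tokens and DACLs (not captured from any real system) ---
LOGON_SID = "S-1-5-5-0-123456"   # constructed interactive logon SID
ALICE = "S-1-5-21-1-1-1-1001"
BOB = "S-1-5-21-1-1-1-1002"

full_admin = Token(ALICE, {ADMINISTRATORS, USERS, LOGON_SID}, integrity_level=0x3000)
filtered_admin = Token(ALICE, {USERS, LOGON_SID}, deny_only={ADMINISTRATORS})   # UAC filtered token
restricted = Token(ALICE, {USERS, LOGON_SID}, restricted={RESTRICTED_CODE})      # restricted token
low_il_thread = Token(ALICE, {USERS, LOGON_SID}, integrity_level=0x1000)

admin_object_dacl = [Ace("allow", ADMINISTRATORS, READ_CONTROL | WRITE_DAC), Ace("allow", USERS, READ_CONTROL)]
deny_admins_dacl = [Ace("deny", ADMINISTRATORS, READ_CONTROL), Ace("allow", USERS, READ_CONTROL)]
deny_first = [Ace("deny", USERS, WRITE_DAC), Ace("allow", USERS, READ_CONTROL | WRITE_DAC)]
deny_last = list(reversed(deny_first))
# Token DACL of Bob's Medium-IL process, granting the Logon SID the token rights the
# "Logon SID and broken Run As" slides list
bob_token_dacl = [Ace("allow", LOGON_SID, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | READ_CONTROL)]
bob_process_token = Token(BOB, {USERS, LOGON_SID})

if __name__ == "__main__":
    print("full admin, WRITE_DAC:", access_check(admin_object_dacl, full_admin, WRITE_DAC))             # True
    print("filtered admin, WRITE_DAC:", access_check(admin_object_dacl, filtered_admin, WRITE_DAC))     # False
    print("filtered admin hit by deny:", access_check(deny_admins_dacl, filtered_admin, READ_CONTROL))  # False
    print("deny first, WRITE_DAC:", access_check(deny_first, filtered_admin, WRITE_DAC))                # False
    print("deny last, WRITE_DAC:", access_check(deny_last, filtered_admin, WRITE_DAC))                  # True
    print("restricted token, READ_CONTROL:", access_check(admin_object_dacl, restricted, READ_CONTROL)) # False
    print("Low-IL thread -> Bob:", can_impersonate(low_il_thread, bob_process_token, bob_token_dacl))   # False
    print("Medium thread -> Bob:", can_impersonate(filtered_admin, bob_process_token, bob_token_dacl))  # True
```

The deny-only case is the one worth remembering when reviewing a UAC-style token: the Administrators SID cannot satisfy an allow ACE, but it still trips a deny ACE, so a filtered token gets less than a plain Users token would on a DACL that denies Administrators. The last two lines show why a sandbox wants to lower the integrity level, not just the SIDs: with a shared Logon SID and an equal integrity level, the read check on the target's token succeeds.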
Part II. Existing sandboxing techniques
HIPS implementation approaches
/*
• Virtualization
• Hooks-based (old school)
• Based on Windows access control mechanisms (new trend)
• Mix of the previous two (pizza )
*/
Windows access control mechanisms
/*
• Restricted token
– Disabled SIDs
– Restricted SIDs
– Integrity level
• Another user
• Job restrictions
• Separate desktop
*/
AppContainer
/*
• Lowbox token
• Low integrity level
• Capabilities
• Separate local NamedObjects directory
*/
Part III. Common pitfalls and vulnerabilities
Logon SID and broken Run As
/*
If we use Run As to start a process under another user, it will be started with the Logon SID of the current one
*/
Logon SID and broken Run As
/*
1. Run Process Explorer
2. Run notepad.exe
3. Double click on notepad.exe in the Process Explorer window
4. Go to Security tab and click Permissions button
*/
Logon SID and broken Run As
/*
• Process permissions for Logon SID are: Query limited information, Query information, Read memory, Terminate, Synchronize and Read permissions
• Token permissions for Logon SID are: Assign as primary token, Duplicate, Impersonate, Query, Query source, and Read permissions
• Thread permissions for Logon SID are: Query limited information, Query information, Get context, Synchronize and Read permissions
*/
Logon SID and broken Run As
/*
So, if a process was started under another user using Run As, then a thread of this process in most cases can:
• get another user's process token (target process)
• impersonate the target's security context
• get all access rights of the target process
*/
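As an added check (not from the deck), the following Python compares the Logon SIDs carried by two token summaries, the way an auditor would compare the group list of a Run As child against the launching session to see whether the two users are actually isolated. The SID values and the `runas_audit` helper are constructed for this example; the S-1-5-5-X-Y shape is the Logon SID form the "Security identifier" slide gives.

```python
import re

# Added audit helper (not from the deck): flag a Run As child whose token still
# carries the launcher's Logon SID. All SID strings below are constructed samples.

# Logon SIDs have the shape S-1-5-5-X-Y: NT authority 5, logon-session
# subauthority 5, then the two halves of the logon session LUID
# (the "Security identifier" slide writes it S-1-5-5-0-xxxxx).
LOGON_SID_RE = re.compile(r"^S-1-5-5-(\d+)-(\d+)$")


def is_logon_sid(sid):
    """True if `sid` has the Logon SID form."""
    return LOGON_SID_RE.match(sid) is not None


def logon_sids(group_sids):
    """The Logon SIDs among a token's group SIDs (normally exactly one)."""
    return {sid for sid in group_sids if is_logon_sid(sid)}


def shared_logon_sids(launcher_groups, child_groups):
    """Logon SIDs present in both tokens.

    A non-empty result for a child running as a *different* user is the
    situation the talk describes: the child's process, thread and token
    DACLs grant rights to a Logon SID that the launcher's processes hold,
    so the two users are not actually isolated from each other.
    """
    return logon_sids(launcher_groups) & logon_sids(child_groups)


def runas_audit(launcher, child):
    """Summarise two token descriptions: dicts with 'user' (SID string) and
    'groups' (set of SID strings). Returns plain data so it can be logged."""
    shared = shared_logon_sids(launcher["groups"], child["groups"])
    different_user = launcher["user"] != child["user"]
    return {
        "different_user": different_user,
        "shared_logon_sids": sorted(shared),
        # What a secure Run As should look like: another user *and* its own logon session
        "isolated": different_user and not shared,
    }


# Constructed token summaries (user SIDs and LUID parts are made up)
USERS = "S-1-5-32-545"
ALICE = {"user": "S-1-5-21-1-1-1-1001", "groups": {USERS, "S-1-5-5-0-123456"}}
# Bob started from Alice's session with Run As: same Logon SID as Alice (the deck's point)
BOB_VIA_RUNAS = {"user": "S-1-5-21-1-1-1-1002", "groups": {USERS, "S-1-5-5-0-123456"}}
# Bob with his own interactive logon session: a fresh Logon SID
BOB_FRESH_LOGON = {"user": "S-1-5-21-1-1-1-1002", "groups": {USERS, "S-1-5-5-0-654321"}}

if __name__ == "__main__":
    print("Run As child:", runas_audit(ALICE, BOB_VIA_RUNAS))
    print("Fresh logon: ", runas_audit(ALICE, BOB_FRESH_LOGON))
```

On a live system the group lists would come from the two tokens (Process Explorer's Security tab, as the walkthrough above shows them); the helper only makes the comparison explicit.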
Crossroads or how to make Run As secure
/*
1. CreateProcessWithLogonW. We can't modify the default user token. Insecure
2. CreateProcessAsUser. Creates a process with the same Logon SID. Insecure
3. CreateProcessWithTokenW. That seems to be the only solution. But … creates a process in the current session only (MSDN lies )
*/
Desktop is a security boundary
/*
• A lot of applications work incorrectly if the DESKTOP_HOOKCONTROL access right is not set, because runtime libraries use window hooks quite often
• If the DESKTOP_HOOKCONTROL access right is set, then an application, even if it was started under another user, can set window hooks on another application's windows and possibly execute arbitrary code in the context of that application
*/
Up to XP
```c
/*
 * Is the app hooking another user without access?
 * If so return an error. Note that this check is done
 * for global hooks every time the hook is called.
 */
if ((!RtlEqualLuid(&ptiThread->ppi->luidSession, &ptiCurrent->ppi->luidSession)) &&
    !(ptiThread->TIF_flags & TIF_ALLOWOTHERACCOUNTHOOK)) {
    RIPERR0(ERROR_ACCESS_DENIED, RIP_WARNING,
            "Access denied to other user in zzzSetWindowsHookEx");
    return NULL;
}
```
Vista and above
Other pitfalls
/*
• protection from neighbours
• screenshots
• keylogging
• network access
• clipboard access
• webcam access
• microphone access
*/
Part IV. Escape from sandbox
Competition of HIPS-es
/*
• This research was done some time ago
• 8 participants
• 1 recent but public injection technique
*/
Competition of HIPS-es
/*
• 3 participants resisted well
– The first one is x86 version only (hooks-based)
– The second one (hooks-based) is discontinued
– The third one was quite raw
*/
Competition of HIPS-es
/*
• 2 resisted in the default configuration (but gave up after ring3 unhooking )
• 1 just virtualizes the hard drive and doesn't prevent driver loading. But it's marketed as an antimalware product
• 1 started a process with an admin token instead of filtered admin token (it seems like these guys have their own understanding of security )
*/
References
/*
Microsoft Press, Windows Internals, Part 1, 6th Edition
http://vallejo.cc/48
http://dev.chromium.org/developers/design-documents/sandbox
http://news.saferbytes.it/analisi/2013/07/securing-microsoft-windows-8-appcontainers/
https://ssl.exelab.ru/f/index.php?action=vthread&forum=1&topic=18837&page=0
http://www.osronline.com/showthread.cfm?link=232226
http://rsdn.ru/forum/winapi/3865326.flat
https://bromiumlabs.files.wordpress.com/2013/07/application_sandboxes_a_pen_tester_s_perspective2.pdf
*/
Contacts
/*
[email protected] Vasily Bukasov
[email protected] Dmitry Schelkunov
*/