Transcript: Windows Vista System Integrity Technologies, Steve Lamb, Technical Security Evangelist @ Microsoft Ltd

Page 1:

Windows Vista System Integrity Technologies

Steve Lamb, Technical Security Evangelist @ Microsoft Ltd
Stephen.lamb@microsoft.com
http://blogs.technet.com/steve_lamb

Page 2:

Why?

Page 3:

The bad guys are everywhere!

They literally want to do you harm. Threats exist in two interesting places:

- Online: system started and shows a login screen, or a user is logged in
- Offline: system is powered down or in hibernation

Policies must address both.

Page 4:

Cool stuff!

- Code integrity: protection against online attack
- BitLocker (secure startup): protection against offline attack
- Windows service hardening
- Mandatory integrity control
- Internet Explorer protected mode

Page 5:

Protect the OS When Running

Page 6:

The threats

- Trojan that replaces a system file to install a rootkit and take control of the computer (e.g. Fun Love or others that use rootkits)
- Offline attack caused by booting an alternate operating system and attempting to corrupt or modify Windows operating system image files
- Third-party kernel drivers that are not secure
- Any action by an administrator that threatens the integrity of the operating system binary files
- Rogue administrator who changes an operating system binary to hide other acts

Page 7:

Code integrity

- Validates the integrity of each binary image
  - Checks hashes for every page as it’s loaded
  - Also checks any image loading into a protected process
  - Implemented as a file system filter driver
  - Hashes stored in system catalog or in X.509 certificate embedded in file
- Also validates the integrity of the boot process
  - Checks the kernel, the HAL, boot-start drivers
- If validation fails, image won’t load

Page 8:

Hash validation scope

Windows binaries                     Yes
WHQL-certified third-party drivers   Yes
Unsigned drivers                     By policy
Third-party application binaries     No

Page 9:

More on signatures

Don’t confuse hash validation with signatures.

x64:
- All kernel mode code must be signed or it won’t load
- Third-party drivers must be WHQL-certified or contain a certificate from a Microsoft CA
- No exceptions, period
- User mode binaries need no signature unless they:
  - Implement cryptographic functions
  - Load into the software licensing service

x32:
- Signing applies only to drivers shipped with Windows
- Can control by policy what to do with third-party drivers
- Unsigned kernel mode code will load
- User mode binaries: same as x64

Page 10:

Recovering from CI failures

Potential problems:
- OS won’t boot: kernel code or boot-time driver failed CI
- OS boots, a device won’t function: non-boot-time driver failed CI
- OS boots, system is “weird”: service failed CI
- OS boots and behaves, task malfunctions: OS component failed CI

Solve boot-critical problems through standard system recovery tools. Integrated Windows diagnostic infrastructure helps to repair critical files; non-critical files can be replaced through Microsoft Update.

Page 11:

Code integrity non-goals

- Protecting from attackers with physical access
- Verifying the integrity of NTLDR
  - Requires secure startup on TPM-enabled machines
  - Requires read-only fixed media otherwise
- Supporting rebinding or hotpatching
  - These change the on-disk image
  - CI will work if the patch includes an updated hash
- Boot-time checks for revocation lists

Page 12:

Protect the OS When Not Running

Page 13:

Page 14:

The threats

- Computer is lost or stolen
  - Theft or compromise of data
  - Attack against corporate network
- Damage to OS if attacker installs alternate OS
- Difficult and time-consuming to truly erase decommissioned disks
- Existing ways to mitigate these threats are too easy for user to circumvent

Page 15:

Secure startup (“BitLocker”)

Ensure boot integrity
- Resilient against attack: protect system from offline software-based attacks
- Lock tampered systems: prevent boot if monitored files have been altered

Protect data when offline
- Encrypt user data and system files: all data on the volume is encrypted (user, system, page, hibernation, temp, crash dump)
- Umbrella protection: third-party apps benefit when installed on encrypted volume

Ease equipment recycling
- Simplify recycling: render data useless by deleting TPM key store
- Speed data deletion: erasing takes seconds, not hours

Page 16:

Requires TPM 1.2 chip

- Microcontroller affixed to motherboard
- Stores keys, passwords, digital certificates
- For BitLocker, TPM stores volume encryption key
  - Key released only when system boots normally; compares each boot process against previously stored measurements
  - Any changes made to encrypted volume render key irretrievable
  - No user interaction or visibility
  - Keys can be archived in Active Directory for the inevitable “omg” moment
  - Prohibits use of software debuggers during boot

Page 17:

Won’t EFS protect me?

- Not quite: it’s good for those who know what they’re doing
- Users often store data on the desktop; is it EFSed?
- EFS doesn’t protect the operating system
- EFS is very strong against attacks
  - Four levels of key protection
  - Properly configured, EFS is computationally infeasible to crack

Page 18:

Encryption scenarios

Compared across BitLocker, EFS and RMS:

- Laptops
- Branch office servers
- Local single user file protection (Windows partition only)
- Local multi-user file protection
- Remote file protection
- Untrusted administrator
- Remote document policy enforcement

Page 19:

OS co-existence

- BitLocker encrypts Windows partition only
  - You won’t be able to dual-boot another OS on the same partition
  - OSes on other partitions will work fine
- Attempts to modify the protected Windows partition will render it unbootable
  - Replacing MBR
  - Modifying even a single bit

Page 20:

Enabling BitLocker

1. Create a 1.5GB active partition
   - This becomes your “system” partition, where the OS boots
   - The TPM boot manager uses only 50MB
   - Windows runs from your “boot” partition, where the system lives
2. Enable TPM chip, usually in system BIOS
3. Enable BitLocker in Security Centre
   - Update hard disk MBR
   - Encrypt Windows “boot” partition
     - Generate symmetric encryption key
     - Store key in TPM
     - Encryption begins after reboot

Page 21:

Recovery options

- Useful in case of some kind of hardware failure
- Two choices:
  - Removable media
  - Password
- Also, service packs and driver upgrades trigger a loader that recomputes and reseals TPM secrets

Note! In the password case, the keys that normally are stored only within the TPM are now back on the hard drive again, sort of defeating the purpose of the TPM! (But at least the keys are encrypted with the password.)

Page 22:

BitLocker can’t stop everything

- Hardware debuggers
- Online attacks: BitLocker is concerned only with the system’s startup process
  - Post logon attacks
  - Sabotage by administrators
  - Poor security maintenance
- BIOS reflashing
  - Protection against this can be enabled if you wish

Page 23:

Deployment considerations

- Requires hardware and software upgrades
  - Phase in, start with high priority computers
- Mostly a feature for laptops
  - Also consider for desktop computers in insecure environments (factory floor, kiosk, …)
- Enterprise key management

Page 24:

Protect Services From Exploit

Page 25:

The threats

- Remember Blaster?
  - Took over RPCSS; made it write msblast.exe to the file system and added run keys to the registry
- No software is perfect; someone still might find a vulnerability in a service
- Malware often looks to exploit such vulnerabilities
- Services are attractive
  - Run without user interaction
  - Many services often have free rein over the system: too much access
  - Most services can communicate over any port

Page 26:

Page 27:

Service hardening

- Service refactoring
  - Move service from LocalSystem to something less privileged
  - If necessary, split service so that only the part requiring LocalSystem receives that
- Service profiling
  - Enables service to restrict its behavior
  - Resources can have ACLs that allow the service’s ID to access only what it needs
  - Also includes rules for specifying required network behavior

It’s about the principle of least privilege: it’s good for people, and it’s good for services.

Page 28:

Refactoring

- Ideally, remove the service out of LocalSystem
  - If it doesn’t perform privileged operations
  - Make ACL changes to registry keys and driver objects
- Otherwise, split into two pieces
  - The main service
  - The bits that perform privileged operations
  - Authenticate the call between them

Diagram labels: Memory; Main service runs as LocalService; Privileged piece runs as LocalSystem.

Page 29:

SVCHOST group refactoring

Windows XP Service Pack 2

LocalSystem: Wireless Configuration, System Event Notification, Network Connections, COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, BITS, RemoteAccess, DHCP Client, W32time, Rasman, Browser, 6to4, Help and Support, Task Scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon

NetworkService: DNS Client

Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote Registry

Windows Vista

LocalSystem, network restricted: Removable Storage, WMI Perf Adapter, Automatic updates, TrkWks, WMI, App Management, Secondary Logon

LocalSystem, demand started: BITS

Network Service, restricted: DNS Client, ICS, RemoteAccess, DHCP Client, W32time, Rasman, NLA, Browser, 6to4, Task scheduler, IPSEC Services, Server, Cryptographic Services

Local Service, restricted, no network access: Wireless Configuration, System Event Notification, Shell Hardware Detection, Network Connections, Rasauto, Themes, COM+ Event System

Local Service, restricted: Telephony, Windows Audio, TCP/IP NetBIOS helper, WebClient, Error Reporting, Event Log, Workstation, Remote Registry, SSDP

Page 30:

Profiling

- Every service has a unique service identifier called a “service SID”: S-1-80-<SHA-1 hash of logical service name>
- A “service profile” is a set of ACLs that:
  - Allow a service to use a resource
  - Constrain the service to the resources it needs
  - Define which network ports a service can use
  - Block the service from using other ports
- Now, service can run as LocalService or NetworkService and still receive additional access when necessary
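Added example (not from the slides, and not Microsoft's code) computing the service SID the slide defines: SHA-1 over the service name, split into SID sub-authorities. It assumes the details released Windows uses, which the slide abbreviates: the name is upper-cased and encoded as UTF-16LE before hashing, the digest is read as five little-endian 32-bit sub-authorities, and the shipped prefix is S-1-5-80.

```python
"""Derive a Windows service SID from its logical service name.

Added example, not code from the slides. Assumptions (released Windows
behaviour, not stated on the slide): the name is upper-cased and encoded
as UTF-16LE before hashing, the 20-byte SHA-1 digest is read as five
little-endian 32-bit sub-authorities, and the prefix is S-1-5-80 (NT
authority 5, service base RID 80; the slide writes it as S-1-80).
"""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name: str) -> str:
    """Return the SID the SCM assigns to the service called service_name."""
    # Service names are case-insensitive, so hash the upper-cased form.
    data = service_name.upper().encode("utf-16-le")
    digest = hashlib.sha1(data).digest()          # 20 bytes
    subauths = struct.unpack("<5I", digest)       # five little-endian DWORDs
    return SERVICE_SID_PREFIX + "".join(f"-{s}" for s in subauths)


def token_names_service(token_groups: list, service_name: str) -> bool:
    """True when a token's group SIDs include the service's SID.

    Models the 'SCM adds the SID to the service process's token' step:
    an ACL that grants access to this SID reaches only that service.
    """
    return service_sid(service_name) in token_groups


if __name__ == "__main__":
    for name in ("TrustedInstaller", "bfe", "PolicyAgent", "rpcss"):
        print(f"{name:18} {service_sid(name)}")
```

The first line printed matches what `sc showsid TrustedInstaller` reports on a real system, which is a quick way to confirm the assumed encoding.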

Page 31:

Restricting services

1. SCM computes service SID
2. SCM adds the SID to service process’s token
3. SCM creates write-restricted token
4. SCM removes unneeded privileges from process token
5. Service places ACL on resource; only the service can write to it

Page 32:

Restricting services: know this

- A restrictable service will set two properties (stored in the registry):
  - One to indicate that it can be restricted
  - One to show which privileges it requires

Note! This is a voluntary process. The service is choosing to restrict itself. It’s good development practice because it reduces the likelihood of a service being abused by malware, but it isn’t a full-on system-wide restriction mechanism. Third-party services can still run wild and free…

Page 33:

Network enforcement scenarios

- No ports: services that neither listen nor connect
- Fixed ports: services that listen or send on known fixed ports should be constrained to those ports only
- Configurable ports: administrator configures port in service’s administration UI; network rules and firewall automatically update their own configurations
- Dynamic ports: services that listen or send on dynamically-allocated ports

Page 34:

Auditing

- Management events
  - Initial rules configuration
  - Rule changes
  - Rule deletions
- Enforcement events
  - Traffic allowed
  - Traffic denied

Page 35:

Interaction with host firewalls

Diagram layers: global vuln mitigations and system lockdowns; network enforcement rules; host firewall rules.

- Configuration changes implemented immediately
- Rules can’t be disabled by WF or third-party
- Rules can’t be stopped while services are running
- For dynamic ports, netenf pushes configuration to WF

Page 36:

Example rules

Block any network access for BFE:
"V2.0; Action=Block; App=%windir%\System32\svchost.exe; Svc=bfe;Name=Block any traffic to and from bfe;"

Allow outbound PolicyAgent traffic:
"V2.0; Action=Allow; Dir=Out; RPort=389; Protocol=tcp; Protocol=udp;App=%windir%\System32\svchost.exe; Svc=PolicyAgent;Name=Allow PolicyAgent tcp/udp LDAP traffic to AD;"
"V2.0; Action=Block; App=%windir%\System32\svchost.exe; Svc=PolicyAgent;Name=Block any other traffic to and from PolicyAgent;"

Allow inbound/outbound traffic to Rpcss:
"V2.0; Action=Allow; Dir=Out; RPort=135; Protocol=tcp; Protocol=udp;App=%windir%\System32\svchost.exe; Svc=rpcss;Name=Allow outbound rpcss tcp/udp traffic;"
"V2.0; Action=Allow; Dir=in; LPort=135; Protocol=tcp; Protocol=udp;App=%windir%\System32\svchost.exe; Svc=rpcss; Name=Allow inbound tcp/udp rpcss;"
"V2.0; Action=Block; App=%windir%\System32\svchost.exe; Svc=rpcss;Name=Block any other traffic to and from rpcss;"
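Added example (not Microsoft's implementation) that parses the rule strings above and evaluates a service's connection attempt against them. The evaluation semantics are assumptions, since the slide only lists the rules: keys are case-insensitive, repeated Protocol keys accumulate, a rule with no Dir, LPort, RPort or Protocol matches any direction, port or protocol, rules are checked in listed order with the first match deciding (which is why each specific Allow precedes its catch-all Block), and a service that no rule names is left unconstrained.

```python
"""Parser and evaluator for network enforcement rule strings of the form
shown on the 'Example rules' slide. Added example; not Microsoft's code.
Assumed semantics (not stated on the slide): keys are case-insensitive,
repeated Protocol keys accumulate, a rule lacking Dir/LPort/RPort/Protocol
matches any direction/port/protocol, rules are checked in listed order and
the first match decides, and a service no rule names is unconstrained.
"""
from dataclasses import dataclass, field
from typing import Optional

SVCHOST = "%windir%\\System32\\svchost.exe"

# Rule strings copied from the slide.
RULES_TEXT = [
    f"V2.0; Action=Block; App={SVCHOST}; Svc=bfe;"
    "Name=Block any traffic to and from bfe;",
    "V2.0; Action=Allow; Dir=Out; RPort=389; Protocol=tcp; Protocol=udp;"
    f"App={SVCHOST}; Svc=PolicyAgent;"
    "Name=Allow PolicyAgent tcp/udp LDAP traffic to AD;",
    f"V2.0; Action=Block; App={SVCHOST}; Svc=PolicyAgent;"
    "Name=Block any other traffic to and from PolicyAgent;",
    "V2.0; Action=Allow; Dir=Out; RPort=135; Protocol=tcp; Protocol=udp;"
    f"App={SVCHOST}; Svc=rpcss; Name=Allow outbound rpcss tcp/udp traffic;",
    "V2.0; Action=Allow; Dir=in; LPort=135; Protocol=tcp; Protocol=udp;"
    f"App={SVCHOST}; Svc=rpcss; Name=Allow inbound tcp/udp rpcss;",
    f"V2.0; Action=Block; App={SVCHOST}; Svc=rpcss;"
    "Name=Block any other traffic to and from rpcss;",
]


@dataclass
class Rule:
    action: str                          # "allow" or "block"
    svc: str                             # service name, lower-cased
    app: str = ""
    name: str = ""
    direction: Optional[str] = None      # "in", "out", or None for both
    lport: Optional[int] = None          # local port, None = any
    rport: Optional[int] = None          # remote port, None = any
    protocols: set = field(default_factory=set)   # empty = any protocol


def parse_rule(text: str) -> Rule:
    """Turn one 'V2.0; key=value; ...' string into a Rule."""
    fields, protocols = {}, set()
    for item in text.split(";"):
        if "=" not in item:
            continue                           # skips the V2.0 version tag
        key, value = (s.strip() for s in item.split("=", 1))
        if key.lower() == "protocol":
            protocols.add(value.lower())       # Protocol=tcp; Protocol=udp
        else:
            fields[key.lower()] = value
    if "action" not in fields or "svc" not in fields:
        raise ValueError("rule needs Action and Svc: " + text)
    return Rule(
        action=fields["action"].lower(),
        svc=fields["svc"].lower(),
        app=fields.get("app", ""),
        name=fields.get("name", ""),
        direction=fields["dir"].lower() if "dir" in fields else None,
        lport=int(fields["lport"]) if "lport" in fields else None,
        rport=int(fields["rport"]) if "rport" in fields else None,
        protocols=protocols,
    )


def matches(rule: Rule, svc: str, direction: str, proto: str,
            lport: int, rport: int) -> bool:
    """Does the rule apply to this connection attempt by the service?"""
    return (rule.svc == svc.lower()
            and (rule.direction is None or rule.direction == direction.lower())
            and (not rule.protocols or proto.lower() in rule.protocols)
            and (rule.lport is None or rule.lport == lport)
            and (rule.rport is None or rule.rport == rport))


def decide(rules: list, svc: str, direction: str, proto: str,
           lport: int, rport: int) -> str:
    """Return 'allow' or 'block' for the attempt; first matching rule wins."""
    for rule in rules:
        if matches(rule, svc, direction, proto, lport, rport):
            return rule.action
    return "allow"        # unprofiled service: no enforcement rule applies


RULES = [parse_rule(t) for t in RULES_TEXT]

if __name__ == "__main__":
    print(decide(RULES, "PolicyAgent", "out", "tcp", 50000, 389))  # allow
    print(decide(RULES, "PolicyAgent", "out", "tcp", 50000, 445))  # block
    print(decide(RULES, "rpcss", "in", "udp", 135, 50000))         # allow
```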

Page 37:

Protect the OS and Data from Unknown Code

Page 38:

The threats

- A user unknowingly runs code from an unknown source that attempts to modify or delete files
- Code running as LUA attempts a local elevation of privilege by injecting code into a process running as administrator
- Trojans that attempt to execute with full administrator privilege
- System code reads data from the Internet (an untrustworthy source) that contains corrupt data designed to elevate privilege by exploiting a bug

Page 39:

Mandatory integrity control

- Method to prevent low-integrity code from modifying high-integrity code
  - Protect TCB files and data from modification by privileged users
  - Protect user data from modification by unknown malicious code
  - Protect processes running as privileged user from modification by processes running as standard user under the same user SID
- Classical computer security concept known since the 1970s
  - Lots of recent work in various operating systems

Page 40:

Don’t confuse with code integrity

CI: verifies executable code during module loading

MIC:
- Implements a type of information flow policy
- Implements an enforcement mechanism
- Integrity level changes trigger a security audit event

Mandatory integrity control policy is based on trustworthiness. Subjects with low degrees of trustworthiness can’t change data of higher degrees. Subjects with high degrees of trustworthiness can’t be forced to rely on data of lower degrees.

Page 41: Windows Vista System Integrity Technologies Steve Lamb Technical Security Evangelist @ Microsoft Ltd Stephen.lamb@microsoft.com.

Defined integrity levels

Level      Value  Principals / tokens
System     400    Local System, Local Service, Network Service
High       300    Elevated (full) user tokens
Medium     200    Standard user tokens, Authenticated Users (shell runs here)
Low        100    World (Everyone)
Untrusted  0      Anonymous, all other tokens

Page 42:

Consider four scenarios

1. An attachment arrives in mail. While saving, the file is written with low integrity. When executed, it runs at low integrity and can’t write to the user’s data. MIC prevents the process from acting with the user’s capabilities.
2. IE downloads a file from a site in the Internet zone. The IE process that writes the file to the TIF runs at low integrity; thus the file receives low integrity. MIC doesn’t trust content or code from the Internet.
3. A malicious program is running as standard user X and attempts to open a process running as privileged user X for write, to bypass UAP and execute code with full privileges. MIC stops this because the desired access is write.
4. Admin (IL=high) runs a downloaded program. The process runs as standard (not full) admin (IL=low). MIC prevents the process from write-accessing resources ACLed for the administrator.

Page 43:

But I want to administer my box!

Full privilege tokens, including members of the local Administrators group, are controlled by MIC

- Can’t delete files (considered a write access)
- Can’t lower IL of objects or files

Built-in “Administrator” account has an additional privilege

- Grants caller access to object
- Could grant to other users, but be careful!
- Granting and use of privilege is audited
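Added example, not code from the presentation or from Windows: a small Python model of the MIC access check that runs the four scenarios from the previous slide and the administrator cases from this one. The level values, the "delete is a write" rule, the default no-write-up policy with optional no-read-up, and the extra privilege of the built-in Administrator are taken from the slides; the function names, the default medium label for unlabelled objects, and the boolean flag standing in for that privilege are assumptions of the model.

```python
# Toy model of the Vista MIC access check (added example, not Windows code).
# Assumptions: unlabelled objects count as medium, the relabel privilege of the
# built-in Administrator is modelled as a flag, and the DACL check is omitted.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class IL(IntEnum):
    """Integrity levels with the numeric values from the slide."""
    UNTRUSTED = 0
    LOW = 100
    MEDIUM = 200
    HIGH = 300
    SYSTEM = 400


# MIC groups access rights into read, write and execute. DELETE is a write,
# which is why a full administrator token (HIGH) cannot delete a SYSTEM file.
WRITE_RIGHTS = frozenset({"write", "delete", "write_dac", "write_owner"})
READ_RIGHTS = frozenset({"read"})
EXEC_RIGHTS = frozenset({"execute"})


@dataclass(frozen=True)
class Subject:
    name: str
    il: IL
    relabel: bool = False        # assumption: the built-in Administrator's extra privilege


@dataclass
class Obj:
    name: str
    il: IL = IL.MEDIUM           # assumption: no explicit label means medium
    no_read_up: bool = False     # optional policy, off by default (non-goals slide)
    no_execute_up: bool = False


def create_object(creator: Subject, name: str) -> Obj:
    """A low-IL creator produces a low-IL object (scenarios 1 and 2); anyone
    else gets the medium default."""
    return Obj(name, min(creator.il, IL.MEDIUM))


def mic_allows(subject: Subject, obj: Obj, access: str) -> bool:
    """Mandatory check only; in Windows the DACL check still follows."""
    if access not in WRITE_RIGHTS | READ_RIGHTS | EXEC_RIGHTS:
        raise ValueError(f"unknown access right {access!r}")
    if subject.il >= obj.il:
        return True              # equal or higher integrity: MIC imposes nothing
    if access in WRITE_RIGHTS:
        return False             # no-write-up is always enforced
    if access in READ_RIGHTS:
        return not obj.no_read_up
    return not obj.no_execute_up


def can_set_label(subject: Subject, obj: Obj, new_il: IL) -> bool:
    """Changing a label is a write on the object, and a subject may not set a
    label above its own level; the relabel privilege lifts both limits."""
    if subject.relabel:
        return True
    return subject.il >= obj.il and subject.il >= new_il


def slide_scenarios() -> Dict[str, bool]:
    """The four scenarios plus the 'administer my box' cases, as MIC decisions."""
    low_proc = Subject("attachment.exe", IL.LOW)
    std_user_x = Subject("standard user X", IL.MEDIUM)
    downloaded = Subject("downloaded program", IL.LOW)
    full_admin = Subject("full admin token", IL.HIGH)
    builtin_admin = Subject("built-in Administrator", IL.HIGH, relabel=True)

    user_data = Obj("My Documents")                       # unlabelled: medium
    priv_proc = Obj("process of privileged user X", IL.HIGH)
    admin_resource = Obj("resource ACLed for admin", IL.HIGH)
    tcb_file = Obj("TCB file", IL.SYSTEM)
    secret = Obj("no-read-up file", IL.MEDIUM, no_read_up=True)
    saved = create_object(low_proc, "saved attachment")

    return {
        "saved_file_is_low": saved.il == IL.LOW,                            # 1, 2
        "low_writes_user_data": mic_allows(low_proc, user_data, "write"),   # 1
        "std_opens_priv_proc_for_write": mic_allows(std_user_x, priv_proc, "write"),  # 3
        "downloaded_writes_admin_resource": mic_allows(downloaded, admin_resource, "write"),  # 4
        "admin_deletes_tcb_file": mic_allows(full_admin, tcb_file, "delete"),
        "admin_lowers_tcb_label": can_set_label(full_admin, tcb_file, IL.HIGH),
        "builtin_admin_relabels": can_set_label(builtin_admin, tcb_file, IL.HIGH),
        "admin_reads_low_file": mic_allows(full_admin, saved, "read"),       # read-down allowed
        "low_reads_no_read_up_file": mic_allows(low_proc, secret, "read"),
    }


if __name__ == "__main__":
    for case, allowed in slide_scenarios().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The only write the model lets a full administrator perform on a SYSTEM-labelled object is the relabel, and only when the extra privilege is present, which is the point of the "be careful" warning on the slide: that privilege undoes the protection of the TCB for whoever holds it, so its grant and use are audited.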

Page 44:

Non-goals

- Provide for confidentiality of data. This is the Bell-LaPadula model. Although with no-read-up ACEs, you can use MIC to achieve similar behavior.
- Prevent high IL processes from reading data at a lower IL if the policy allows that
- Implement dynamic integrity
- Prevent offline attacks through modifications of ILs on files. But BitLocker could help here…

Page 45:

Protect the OS from the Internet

Page 46:

The threats

Alas, most Windows users still run as admin. Meaning: the Internet runs as admin on your PC!

- “Drive-by” installs of spyware and virus code
- Exploits of vulnerabilities give attackers full remote access
- Even non-admins are still vulnerable to malicious destruction of personal data

Page 47:
Page 48:

Internet Explorer protected mode

Built on mandatory integrity control; Internet Explorer runs at low integrity level

- Reduce the severity of threats to IE add-ons
- Eliminate the silent install of malicious code through software vulnerabilities
- Preserve compatibility whenever possible
- Provide the capability and guidance for add-ons to restore functionality
- Minimize required user involvement

Sometimes called “low-rights IE”

Page 49:
Page 50:

Protected mode summary

Restricts IE from writing outside of the Temporary Internet Files (TIF) folder

- IE’s process has lower write privileges than LUA
- It builds on Mandatory Integrity Control (MIC), which restricts writes to higher integrity folders

Protected mode uses COM to call two new broker processes which allow IE to write outside of the TIF. A compatibility layer allows add-ons to elevate. This is not a “sandboxing” technology: IE is refactored into a multi-process application, with varying ILs for each process.

Page 51:

Refactoring IE

- LP IE, Internet Zone: IL=low
- LP IE, Intranet/Trusted Zone: IL=medium, separate TIF
- IEUser: IL=high if admin, IL=medium otherwise
- IEPolicy: IL=high

Again: the principle of least privilege. Refactoring at the process level is more efficient and less expensive than a virtual machine.

Page 52:

Components and zones

Operation                                                   Requirements                       Process
URL navigation and HTML rendering                           Least privilege, low integrity     LP IE
Managing user-controlled settings                           Least privilege, medium integrity  IEUser
Enforcing policy in downloaded code; initiating execution   Full privilege, high integrity     IEPolicy (service)

Operation                              LP IE (low)   LP IE (medium)
Files downloaded in zone               Low IL        Medium IL
Modify outside TIF                     No            Yes
Interact with other apps on desktop    No            Yes
Inject DLL and create remote thread    No            Yes
Renders HTML files in local zone       Yes           Yes

Page 53:

Installing from the Web

Flow shown on the slide, across the LP IE, IEPolicy and AIS processes:

- greatstuff.com: LP IE (IL=low) downloads …\TIF\greatstuff.exe, labelled IL=low
- Run?: IEPolicy asks “Trust GreatStuff?”; …\My Docs\greatstuff.exe is IL=high if admin, IL=medium otherwise
- AIS asks “Run with full privs?”; greatstuff.exe runs at IL=high with full privilege and installs \Progs\GS\stuff.exe and stuff.dll

Page 54:

In-proc compatibility layer

Redirects file and registry key writes to new low integrity locations:

- HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual
- Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual

The virtual root is added to the location IE is trying to write to.

If IE tries to write here…                         …it gets redirected here
HKCU\Software\FooBar                               HKCU\Software\MS\IE\Low Rights\Virtual\Software\FooBar
C:\Documents and Settings\%user profile%\FooBar    C:\Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual\FooBar
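Added example, not IE’s code and not part of the presentation: a Python model of the redirection rule in the table above, generalised from the two sample paths to any write under HKCU or the user profile. The two virtual roots and the two mappings are from the slide; the case-insensitive prefix matching, the pass-through for writes that already target a low-integrity location (the TIF or the virtual store), and returning None for writes outside HKCU or the profile (which no-write-up denies rather than redirects) are this model’s assumptions.

```python
# Model of the protected-mode in-proc compatibility layer's write redirection
# (added example, not IE code). Constructed roots follow the slide; the
# pass-through and "outside the profile" cases are assumptions of the model.
import ntpath
from typing import Optional

PROFILE_ROOT = r"C:\Documents and Settings\%user profile%"
TIF = PROFILE_ROOT + r"\Local Settings\Temporary Internet Files"
VIRTUAL_FILE_ROOT = TIF + r"\Virtual"
VIRTUAL_REG_ROOT = r"HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual"


def _strip_prefix(path: str, prefix: str) -> Optional[str]:
    """Case-insensitive match of `prefix` on whole path components.
    Returns the remainder without its leading backslash, '' for an exact
    match, or None when `path` is not under `prefix`."""
    p, q = path.lower(), prefix.lower()
    if p == q:
        return ""
    if p.startswith(q + "\\"):
        return path[len(prefix) + 1:]
    return None


def redirect_file_write(path: str) -> Optional[str]:
    """Where a low-IL IE file write to `path` actually lands.
    - inside the TIF (which includes the virtual store): unchanged
    - elsewhere under the profile: the virtual root plus the original path
    - outside the profile: None, meaning MIC denies the write outright"""
    if _strip_prefix(path, TIF) is not None:
        return path
    rest = _strip_prefix(path, PROFILE_ROOT)
    if rest is None:
        return None
    return ntpath.join(VIRTUAL_FILE_ROOT, rest) if rest else VIRTUAL_FILE_ROOT


def redirect_registry_write(key: str) -> Optional[str]:
    """Same rule for registry keys: HKCU\\... becomes <virtual root>\\...;
    keys already under the virtual root pass through; HKLM and friends get None."""
    if _strip_prefix(key, VIRTUAL_REG_ROOT) is not None:
        return key
    rest = _strip_prefix(key, "HKCU")
    if rest is None:
        return None
    return ntpath.join(VIRTUAL_REG_ROOT, rest) if rest else VIRTUAL_REG_ROOT


if __name__ == "__main__":
    # the two rows from the slide, plus a write the layer cannot help with
    for target in (r"HKCU\Software\FooBar", r"HKLM\Software\FooBar"):
        print(target, "->", redirect_registry_write(target))
    for target in (PROFILE_ROOT + r"\FooBar", r"C:\Windows\System32\x.dll"):
        print(target, "->", redirect_file_write(target))
```

The None results are the ones worth watching for in compatibility work: an add-on that writes to HKLM or to a system directory is not virtualised by this layer and must go through a broker, which is where the elevation prompt and the audit trail live.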

Page 55:

Anything Else Good?

Page 56:
Page 57:

Thanks to Steve Riley for the slides
[email protected]

http://blogs.technet.com/steriley

Page 58:

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Steve Lamb, Technical Security Evangelist @ Microsoft Ltd

[email protected]
http://blogs.technet.com/steve_lamb