Windows Vista Security model and vulnerabilities.
Features of the Vista security model: User Account Protection (UAP)
- New in Vista. Goal: implement least-privilege user accounts.
- Accounts created during installation are protected administrators: they are subject to UAP and run as limited user accounts (LUA).
- When executing without restrictions, a protected administrator can make changes to key registry entries, start services, and perform all privileged functions.
- However, processes launched by that user (including programs) do not inherit this full range of privileges.
LUA (continued)
- Some processes cannot run properly without administrator privileges.
- These processes can be allowed to inherit the full privileges from the administrator at launch.
- A pop-up box requires the user to approve the privilege escalation.
- Claim: no process escalates its privileges without explicit consent from the protected administrator.
Integrity levels (privilege levels)

| Integrity access level | System privileges |
|---|---|
| High | Administrative (install to the Program Files folder, write system registry entries, etc.) |
| Medium | User (access to the user's Documents folder and the user's section of the registry) |
| Low | Untrusted (access to Temporary Internet folders and low-privilege sections of the current user's registry) |
Unprivileged user accounts
- Windows Vista (like XP) allows the creation of standard user accounts (without administrator privileges).
- Creating such accounts requires additional steps.
- It is reasonable to expect that non-administrative accounts will be the default in well-managed corporate networks.
- It is reasonable to expect that administrative user accounts will be used by home users for all activities, including browsing the web.
Mandatory Integrity Control (MIC)
- Also referred to as Integrity Levels. New in Vista.
- Controlled by Access Control Entries (ACEs) in the System Access Control List (SACL).
- Applies to all securable objects (files, processes, registry keys, etc.).
- A spawned process inherits its parent's privileges.
- MIC is enabled/disabled through a Windows registry entry.
SACL ACE types

| SID | Integrity level |
|---|---|
| S-1-16-16384 | System Mandatory Level |
| S-1-16-12288 | High Mandatory Level |
| S-1-16-8192 | Medium Mandatory Level |
| S-1-16-4096 | Low Mandatory Level |
Integrity enforcement
- A process cannot directly interact with another process at a higher integrity level.
- However, a higher-integrity process can directly interact with a lower-privilege process.
- A process at any privilege level can interact through IPC (named pipes, etc.).
- A lower-integrity server can impersonate a higher-integrity client using calls such as ImpersonateNamedPipeClient, as long as the impersonation level of the client allows it?!
- Registry keys have associated privilege levels. For instance, if IE has been given low privileges, it will only have access to a limited section of the registry even if launched by a protected administrator.
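The no-write-up rule from this slide and the label SIDs from the SACL table, modelled in Python. This is an added example, not code from the slides: it assumes an unlabelled object is treated as Medium (the Windows default) and uses the policy bits of the mandatory label ACE access mask (NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP).

```python
from typing import Optional
import re

# Mandatory label SIDs from the SACL table above; the RID is the integrity level.
LEVEL_NAMES = {16384: "System", 12288: "High", 8192: "Medium", 4096: "Low"}
LOW, MEDIUM, HIGH, SYSTEM = "S-1-16-4096", "S-1-16-8192", "S-1-16-12288", "S-1-16-16384"

# Policy bits of a SYSTEM_MANDATORY_LABEL_ACE access mask (real Windows values).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
_LABEL_SID = re.compile(r"^S-1-16-(\d+)$")

def integrity_rid(sid: str) -> int:
    """Return the RID of a mandatory label SID (S-1-16-<RID>)."""
    m = _LABEL_SID.match(sid)
    if not m:
        raise ValueError(f"not a mandatory label SID: {sid}")
    return int(m.group(1))

def level_name(sid: str) -> str:
    rid = integrity_rid(sid)
    return LEVEL_NAMES.get(rid, f"custom({rid})")

def mic_allows(subject_sid: str, object_sid: Optional[str], access: str,
               policy: int = NO_WRITE_UP) -> bool:
    """Decide one access ('read', 'write' or 'execute') under MIC.

    MIC only restricts a lower-integrity subject acting on a higher-integrity
    object; an equal or higher subject passes, and the normal DACL check (not
    modelled here) still applies afterwards. An object with no label ACE is
    treated as Medium (assumed here; it is Windows' implicit default).
    """
    subj = integrity_rid(subject_sid)
    obj = integrity_rid(object_sid) if object_sid else 8192
    if subj >= obj:
        return True
    blocked_by = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}
    return not (policy & blocked_by[access])

if __name__ == "__main__":
    # Low-IL IE7 writing to a medium-IL registry key: denied by no-write-up.
    print(mic_allows(LOW, MEDIUM, "write"))   # False
    # The same key opened for read: allowed, the default label policy is write-only.
    print(mic_allows(LOW, MEDIUM, "read"))    # True
    # A medium-IL process writing to a low-IL object: allowed (higher -> lower).
    print(mic_allows(MEDIUM, LOW, "write"))   # True
    # Process objects also carry NO_READ_UP, so a low process cannot read a medium one.
    print(mic_allows(LOW, MEDIUM, "read", NO_WRITE_UP | NO_READ_UP))  # False
```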
Other restrictions
- A process is generally not able to send windowing messages to higher-privilege processes sharing the desktop; it needs explicit UI privileges in the SACL.
- Mechanisms exist to create processes that inherit only some of the user's privileges via the CreateRestrictedToken API, e.g. privileges removed from the token, or SIDs marked deny-only so that they match only DENY rules.
Elevation of process privileges
Triggers for elevation:
- Installer applications: the file has the extension .msi, matches common installers, or is named SETUP.EXE.
- The application has a compatibility entry in the registry or an entry in the compatibility database.
- The manifest file contains a requestedExecutionLevel entry, e.g. requireAdministrator.
- The user manually selects "Run Elevated..." by right-clicking the application in Windows Explorer.
- Launched through a privileged process without using the restricted API. Fixed bug: launched through Task Manager.
- COM objects configured as such in the registry (either built-in or through user consent).
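An added example, not code from the slides, that parses an application manifest for the requestedExecutionLevel element and applies the installer-name heuristics listed above to predict whether a launch will raise the consent prompt. The element and attribute names follow the Windows manifest schema; the sample manifest and the INSTALLER_NAME_HINTS list are constructed for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: the manifest an installer embeds as its RT_MANIFEST resource.
# Namespaces, element and attribute names follow the real Windows manifest schema.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) or (None, False) if the manifest has no
    requestedExecutionLevel (asInvoker, highestAvailable or requireAdministrator)."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # Match the local name so the trustInfo namespace (asm.v2 or asm.v3) does not matter.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level"), el.get("uiAccess", "false").lower() == "true"
    return None, False

# Assumed approximation of the "matches common installers" name check on the slide.
INSTALLER_NAME_HINTS = ("setup", "install", "update")

def looks_like_installer(path):
    """Installer detection: .msi extension, SETUP.EXE, or an installer-like .exe name."""
    p = PureWindowsPath(path)
    suffix, stem = p.suffix.lower(), p.stem.lower()
    return suffix == ".msi" or (suffix == ".exe" and any(h in stem for h in INSTALLER_NAME_HINTS))

def will_prompt_for_elevation(path, manifest_xml=None, protected_admin=True):
    """Predict the consent pop-up. A requestedExecutionLevel in the manifest turns
    installer detection off: requireAdministrator always prompts, asInvoker never
    does, highestAvailable prompts only for a protected administrator."""
    if manifest_xml:
        level, _ = requested_execution_level(manifest_xml)
        if level == "requireAdministrator":
            return True
        if level == "highestAvailable":
            return protected_admin
        if level == "asInvoker":
            return False
    return looks_like_installer(path)
```

Auditing a binary's embedded manifest this way shows which of the slide's elevation triggers applies before the file is ever run.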
Launching from Windows Explorer
- Windows Explorer has a restricted token and a medium integrity level.
- To launch processes at higher integrity levels, it requests this from the AppInfo Admin Broker (RunAsAdminProcess system call).
- The broker requests user consent (pop-up box) and triggers CreateProcessAsUser.
Registry virtualization
- Application developers have traditionally assumed administrator privileges.
- If an application requests to write to the registry and fails for lack of privilege, the write is transparently redirected to a user-area registry file.
- The user-area registry overrides the system registry for that user.
- Augmented by file virtualization: C:\Progra~1 (C:\Program Files) is redirected to %UserProfile%\AppData\Local\VirtualStore\C\Progra~1
- In this fashion, unprivileged applications can modify a localized win.ini, for instance.
- Special virtualization rules apply to low-integrity processes such as IE.
IE7 in Protected Mode
[Diagram: IE7 in protected mode runs at Low IL. Requests that need more than low rights pass through the Integrity Mechanism and Compatibility Layer to two brokers: IEUser.exe, the User Broker (Medium IL), for operations that require user rights, and IEInstal.exe, the Admin Broker (High IL), for operations that require administrative rights.]
Registry protection
- Not only files are protected, but also registry entries.
- Modifications of system files are made only through the Trusted Installer.
- The Trusted Installer is called for updates (it only accepts signed updates).
- Resolves a major security issue with earlier Windows versions.
Privilege escalation
- Processes of the same user can be running with medium or high privileges.
- Since a medium-privilege process can write to the current user's registry, it can modify entries that control the behavior of the same user's high-privilege processes (if those entries are written to that user's registry).
- By default, user processes and files have medium integrity level, while IE7 (as before) is low integrity.
- Examples of privilege escalation from low to medium, medium to high, and high to Local System are provided by Matthew Conover, Principal Security Researcher, Symantec Corporation, in "Analysis of the Windows Vista Security Model," a Symantec Advanced Threat Research technical report.
Low to Medium
- IE7 cannot write files in the user account or the medium-integrity area of the user registry, including adding startup items.
- But it may be able to connect through the loopback interface to a file sharing service and achieve the same result.
Medium to High
- A program runs in the background, listening for calls to consent.exe.
- When consent.exe is called, the program checks whether it has write privileges to the caller.
- It overwrites the caller with its own malicious code, which is then launched with high privileges.
High to LocalSystem
- If the high-integrity process launched is not LUA restricted, it can:
  - Take ownership of security objects
  - Change all registry files to grant administrators full privilege to system modification
  - Apply patches to libraries that disable signature checking for system files
  - Modify the operating system arbitrarily
- There is no longer any monitoring of modification of system files.
- Still, overall a much stronger security architecture than earlier versions of Windows.