Transcript Win32 Programming

Secure Operating Systems
Lesson E: Windows Security - Overview
Where are we?


We’ve discovered SELinux is moderately
cool
How does this compare to Windows? There’s
a lot here, so we’ll just scratch the surface
Windows: History



So, Windows really does have a long history
DOS survived for a long time, until we moved
on to the NT core
The current version of Windows 8 has finally
started to move away from the backward
compatibility that has dogged us
Bitlocker


Full hard drive encryption is actually pretty
cool: Bitlocker
Can leverage the TPM, which is nice



Can provide remote attestation for hardware and
software
Not only for disk encryption; has been used for
DRM too
Can use in combination with a USB token
TPM Structure

Picture from Guillaume Piolle
Windows Integrity Control


Although we don’t think about them,
Windows uses MACLs (Mandatory Access
Control Lists)
Thus, the OS can make a security decision
based on how trusted an object is

Let’s take a look with Process Explorer (from
sysinternals)
SACLS and DACLS

SACLS beat DACLS





System Access Control List
Discretionary Access Control List
Thus, even if the DACL grants access, the SACL must
also grant access for the operation to go through
This is all documented well by MS…
http://msdn.microsoft.com/enus/library/windows/desktop/bb648648(v=vs.85).aspx
Enables things like
SYSTEM_MANDATORY_LABEL_NO_READ_UP
Managing all of this
Of course, we need



Run As… administrator
icacls templow
/setintegritylevel L for example
But of course, we never use this, except for
using the defaults, which seems like a pity,
eh?

There’s a philosophical point here
UAC (Woohoo!)





Everyone seems to hate UAC, but it does help
in terms of users making mistakes
It’s certainly not bulletproof (cue Shaun)
The idea is the principle of least privilege
The problem is that we don’t read the popups
very well
The basic idea: run with lower privileges, and
then upgrade as you need it
Service Resource Isolation






What happens when a service gets broken in to?
Let’s look
sc query type= service | more
sc showsid AdobeActiveFileMonitor9.0
psgetsid <sid>
Can create a *restricted* SID

Two checks: one on the enabled token, one on the
restricted SID
Service Refactoring


Basically, run services with base least privilege
New service hosts (low to high):






LocalServiceNoNetwork
LocalServiceRestricted
LocalServiceNetworkRestricted
NetworkServiceRestricted
NetworkServiceNetworkRestricted
LocalSystemNetworkRestricted
Restricted Network Access

Network restriction policies can be applied to
services too




Direction: ingress and egress
Protocol: what protocols should be allowed?
Principal: Rules apply to specific users
Interface: WLAN, Wireless, LAN etc.
Buffer Overflows


Let’s remind ourselves how buffer overflows
work
The compiler now adds Cookies… let’s look
at the code
Questions & Comments

What do you want to know?