Transcript Security Analysis of the New Microsoft MAC Solution

MAC in Windows Vista
Autor : Martin ONDRÁČEK,
Product Director
E-mail : [email protected]
SODATSW spol. s r. o.; Horní 32; Brno; Czech Republic
www.sodatsw.cz
Overview
• Windows NT kernel 6.0+
- Vista, 2008, 7, 2008 R2
• Basic MAC (Mandatory Access Control) –
called Mandatory Integrity Control (MIC)
• Based on trustworthiness of code
• Users interface = User Account Control
• Per process identity
- based on file system path
- not per user
Windows Integrity Control
• New layer in Access Checks
• Based on Integrity Levels
• User’s Access Token now contain new
special SID for Integrity Levels
• Object can be assigned a single Security
Descriptor with ACE = SID x access type
• Normal resources are not stamped with
IL ACE
Defined integrity levels
Value Description
Integrity
level SID
Name
0x1000 Low integrity level
S-1-16-4096
Mandatory Label\Low
Mandatory Level
0x2000 Medium integrity
level
S-1-16-8192
Mandatory
Label\Medium
Mandatory Level
0x3000 High integrity level
S-1-16-12288
Mandatory Label\High
Mandatory Level
0x4000 System integrity
level
S-1-16-16384
Mandatory Label\System
Mandatory Level
0x0000 Untrusted level
Microsoft: „The relative identifiers are separated by intervals of 0x1000 to
allow for definition of additional levels in the future.“
Access checks
• SeAccessCheck (kernel mode security
module) checks access permissions to
objects
• It consideres process IL level first
• Process with a certain IL level can access
any object with the same or lower level
• Only secondly, the actual permissions are
considered when doing access checks
File System improvements
• NTFS permissions can store IL markings
for files and folders
– IL Read / IL Write / IL Execute
• Each marking must have a single level
assigned
– Trusted Installer/ System/ High/ Medium/
Low/ Untrusted
Read/Write markings
• Operating system objects (file, folder,
registry) can be marked with a specific
combination of IL markers
– Read – read data, permissions, attributes
– Write – write/append data, delete file/folder,
create file/folder, change permissions
• If a file is not marked explicitly, it is
considered to be marked Medium for both
Process level
• Each process is started from an
executable file which can be marked with
IL Execute marker
• If the executable is actually marked, then
the process runs with the level specified
• If the file is not marked, by default the
process runs with level depending on
user’s identity
Process level based on user
User/process type
Process level
Anonymous
Untrusted
Everyone
Low
Authenticated Users
Medium
Crypthographic/Backup/Network
Configuration Operators
High
Administrators
High
LocalSystem/LocalService/
NetworkService
System
Trusted Installer service
Trusted Installer
• process can be started with a level lower than the
previously defined
Notes
• Non marked processes and files are
running at Medium level
• Low processes are isolated to access only
low resources
• There is a single system service that can
access anything
– Trusted Installer
User IL
Different process ILs
Different process ILs
Current use
• Isolate non-trusted code into a limited access
box
– mainly to prevent malitious code from modifying
system settings and stealing data
– e.g. Internet Explorer
• Provide Microsoft with the ability to limit
system administrators from being able to
modify sensitive system resources
• Provide limited user/level boxing when
combined with traditional permissions
Possible future use
• What needs to be done
– Increase the number of levels above System
• more granular control
– Enable provision of user accounts which are
not members of Users group
• would enable complete user isolation
• This may provide enterprise level
process/user/data isolation
The end
Thanks for your attention!
Autor : Martin ONDRÁČEK,
Product Director
E-mail : [email protected]