Windows Vista Security


  • User Mode Security
    - User Account Protection (UAP)
    - Mandatory Integrity Control (MIC)
    - UI Privilege Isolation (UIPI)
    - Restricted Process
    - Unrestricted Process (Elevation)
      - Standard methods
      - The Legacy Shell Trick
    - Consent Prompts and Admin Brokers
    - Service Isolation
    - File and Registry Virtualization
      - Registry Virtualization
      - File Virtualization
      - Low Rights IE Virtualization
    - Possible Attacks

  • User Account Protection (UAP)
    - Limited User Accounts
      - Standard user accounts preferred
      - Problem: software isn't always written for Standard user accounts
    - Administrators start as Protected
      - Runs programs with minimal privileges
      - Must authenticate protected actions
      - Can run programs unrestricted (Unprotected)

  • Mandatory Integrity Control (MIC)
    - Every securable object has an integrity level
    - Children inherit the integrity of their parents
    - Interactions exist at equal or lesser integrity
    - Higher integrity can act on lower through certain functions
    - Any interaction allowed through IPC (BAD)
      - Lower integrity server can impersonate a higher integrity client (ImpersonateNamedPipeClient)

  • Mandatory Integrity Control Levels

  • UI Privilege Isolation (UIPI)
    - Added to prevent Shatter attacks
    - LI process can't send messages to a HI process (SendMessage, PostMessage)
    - LI process can't hook into a HI process (SetWindowsHookEx, SetWinEventHook)
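The two mandatory checks on the MIC and UIPI slides, as an added example that is not part of the original deck: a user-mode model of the label comparison made before the discretionary ACL, the parent-to-child inheritance rule, and the win32k message filter. The integrity RIDs are the real S-1-16-x values; the function names, the access-type strings and the simplified policy handling are assumptions made here.

```python
# Added example (not from the slides): a user-mode model of the mandatory
# integrity check and the UIPI message filter described above. The integrity
# RIDs are the real S-1-16-x values; the function names, the access-type
# strings and the simplified policy handling are assumptions made here.
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity label RIDs (SID S-1-16-<rid>)."""
    UNTRUSTED = 0x0000
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


# Mandatory policy bits on an object's label. NO_WRITE_UP is the default.
NO_WRITE_UP = 1
NO_READ_UP = 2
NO_EXECUTE_UP = 4
_POLICY_FOR_ACCESS = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}


def mic_allows(subject, obj, access, policy=NO_WRITE_UP):
    """Label check made before the discretionary ACL is consulted.

    A subject at equal or higher integrity than the object passes; a lower
    subject is refused every access type named in the object's policy, so
    with the default policy a Low process can read but not write Medium data.
    """
    if subject >= obj:
        return True
    return not (policy & _POLICY_FOR_ACCESS[access])


def child_level(parent, requested=None):
    """Children inherit the parent's label; a parent may hand down a lower
    label (the Low-rights IE pattern) but never a higher one."""
    if requested is None or requested > parent:
        return parent
    return requested


# win32k calls that UIPI refuses from a lower-integrity sender.
UIPI_FILTERED = {"SendMessage", "PostMessage", "SetWindowsHookEx", "SetWinEventHook"}


def uipi_allows(sender, receiver, api):
    """Shatter-attack mitigation: messages and hooks flow down or sideways
    in integrity, never up. Calls outside the filtered set are unaffected."""
    if api not in UIPI_FILTERED:
        return True
    return sender >= receiver


if __name__ == "__main__":
    low = child_level(Integrity.MEDIUM, Integrity.LOW)          # IEUser -> IExplorer
    print("Low writes Medium file:", mic_allows(low, Integrity.MEDIUM, "write"))
    print("Low reads Medium file:", mic_allows(low, Integrity.MEDIUM, "read"))
    print("Low SendMessage to High:", uipi_allows(low, Integrity.HIGH, "SendMessage"))
```

The model makes the slide's "equal or lesser integrity" rule concrete: the label check is a pre-filter, so even an ACL that grants Everyone write access does not let a Low process write a Medium object, while reads pass unless the object's label also carries NO_READ_UP.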

  • Restricted Process
    - How is it restricted?
    - Security token normally has all privileges
      - Some are disabled (ignored during permission checks)
      - Process can re-enable them
    - Security token created with fewer privileges (CreateRestrictedToken)
      - Some privileges removed
      - Some privileges marked deny-only
      - Group used for deny only: explicit denials for the group propagate, explicit allows do not

  • Unrestricted Process (Elevation)
    - Processes are run elevated when:
      - Process is a .msi or .exe and a registered installer
      - Process exists in the application compatibility database
        - Proper registry entry with value RUNASADMIN
        - .sdb created by CompatAdmin.exe
      - Application manifest (.exe.manifest) contains a requestedExecutionLevel of requireAdministrator
      - User right-clicks the executable and clicks "Run Elevated" from Explorer
      - Executed by an already privileged process

  • The Legacy Shell Trick
    - Kill explorer from taskmanager.exe and restart it with File -> New Task
    - New shell running with highest integrity
    - Why does this work?
      - WinLogon.exe handles the Secure Attention Sequence (ctrl+alt+delete and ctrl+shift+esc)
      - Task Manager started this way is created with high integrity
      - File -> New Task creates a process with CreateProcess instead of CreateRestrictedProcess
    - Fixed in later builds of Vista

  • Consent Prompts and Admin Brokers
    - Windows Explorer can't launch unrestricted apps on its own
      - Restricted token
      - Medium integrity
    - AppInfo Admin Broker service (runs as LocalSystem)
      - RunAsAdminProcess
      - consent.exe run by AppInfo
      - Creates the process: ImpersonateLoggedOnUser, then CreateProcessAsUser (not CreateProcess)

  • Security Token (diagram; flow labels only)
    - User in Administrators group: Login -> Local Security Authority -> Standard User Token; Consent -> Full Administrator Token (Full Access)
    - User in Users group: Login -> Local Security Authority -> Standard User Token; Administrator Credentials -> Full Administrator Token

  • Service Isolation
    - Services used to exist in the same session
    - Vista services run in isolated Session 0
    - Services can't open dialogs on the desktop
      - Neither can services marked interactive
      - Dialogs from interactive services are actually a Terminal Services context
    - Consent prompts?
      - AppInfo runs consent in the user's desktop session with CreateProcessAsUser

  • File and Registry Virtualization
    - Why?
      - Developers don't code applications properly
      - Assume the need for admin privileges
      - Need to provide backwards compatibility
      - Need to provide separation and safety

  • Registry Virtualization
    - Implemented by the kernel
    - Write attempts to HKEY_LOCAL_MACHINE\Software are redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
    - Provides per-user settings in apps that used the registry for storage
    - Provides isolation between users

  • File Virtualization
    - Implemented as a file system filter driver (luafv.sys)
    - Example: Program Files
      - Foo writes to c:\Program Files\foo\foo.ini
      - Foo is running as unprivileged and fails
      - Filter driver maps c:\Program Files\foo\foo.ini to a per-user virtualized area
      - %UserProfile%\AppData\Local\VirtualStore\C\Progra~1\foo contains the user-specific copy of foo.ini
    - Certain executable types not virtualized (cmd, bat, exe, dll, etc.)
    - Provides isolation
    - Provides per-user settings (in certain cases)
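The redirections on the Registry Virtualization and File Virtualization slides, as one added example that is not part of the original deck: a user-mode model of where a standard user's write actually lands. In Vista the registry side is done in the kernel and the file side by luafv.sys; the store paths and the excluded file types are those stated on the slides, while the function names and the protected-directory list are assumptions made here.

```python
# Added example (not from the slides): a user-mode model of the two
# redirections the slides describe. In Vista the registry side is done in the
# kernel and the file side by luafv.sys; the store paths and the excluded
# file types are the ones on the slides, the function names and the
# protected-directory list are assumptions made here.
import ntpath  # Windows path rules even when this runs on another OS

VIRTUAL_STORE = r"%UserProfile%\AppData\Local\VirtualStore"
HKLM_SOFTWARE = r"HKEY_LOCAL_MACHINE\Software"
VIRTUAL_HKLM = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software"

# Per-machine directories a standard user cannot write (constructed list).
PROTECTED_DIRS = ("Program Files", "Windows")
# luafv does not virtualize code; the slide lists "cmd, bat, exe, dll, etc.".
NON_VIRTUALIZED = {".cmd", ".bat", ".exe", ".dll"}
# The store uses the 8.3 short name, as in the slide's example path.
SHORT_NAMES = {"Program Files": "Progra~1"}


def virtualize_file_write(path, is_elevated=False):
    """Return where a write to `path` actually lands.

    Elevated processes, writes outside protected directories and code files
    go to the real path (and fail there if the ACL says so); everything else
    is redirected to the per-user VirtualStore copy.
    """
    if is_elevated or ntpath.splitext(path)[1].lower() in NON_VIRTUALIZED:
        return path
    drive, rest = ntpath.splitdrive(path)          # "C:", "\Program Files\foo\foo.ini"
    parts = rest.strip("\\").split("\\")
    if not drive or parts[0].lower() not in {d.lower() for d in PROTECTED_DIRS}:
        return path
    parts[0] = SHORT_NAMES.get(parts[0], parts[0])
    return ntpath.join(VIRTUAL_STORE, drive.rstrip(":"), *parts)


def virtualize_registry_write(key, is_elevated=False):
    """Redirect writes under HKLM\\Software to the per-user VirtualStore key."""
    if is_elevated:
        return key
    prefix = HKLM_SOFTWARE.lower()
    if key.lower() == prefix or key.lower().startswith(prefix + "\\"):
        return VIRTUAL_HKLM + key[len(HKLM_SOFTWARE):]
    return key


if __name__ == "__main__":
    print(virtualize_file_write(r"C:\Program Files\foo\foo.ini"))
    print(virtualize_file_write(r"C:\Program Files\foo\foo.dll"))
    print(virtualize_registry_write(r"HKEY_LOCAL_MACHINE\Software\foo\Settings"))
```

The exclusion of code files is the security-relevant part of the slide: if a .dll under Program Files were virtualized, a per-user copy could shadow the machine-wide one, so luafv lets those writes fail instead of redirecting them.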

  • Low Rights IE Virtualization
    - Virtualization not done by the filter driver; done by an AppCompat shim DLL
    - Why? A low integrity process can't even write to the virtualized areas
    - Uses special broker applications for tasks

  • Low Rights IE Virtualization Components
    - User runs IEUser.exe (Medium integrity)
    - IEUser.exe spawns IExplorer.exe (Low integrity)
    - Any admin level requests are handled by IEInstall.exe

  • Ex-Possible Attacks
    - Low Integrity IE Approach
    - Medium Integrity
      - Method 1: Sleight of Hand / Bait and Switch
      - Method 2: Sleight of Hand / Bait and Switch

  • Low Integrity IE Approach
    - Unknown IE exploit allows injection of arbitrary code
    - Code is run at low integrity
    - Low integrity code can loop back on localhost (gains default medium integrity)
    - Code can now insert files into the filesystem, e.g. the virtualized Start Menu startup folder
    - No longer valid as of Beta 2

  • Medium Integrity - Method 1
    - User expects consent prompt
    - User is slow
    - User clicks through
    - Malicious app checks for all instances of consent.exe
    - If called on behalf of the spoof target, copy our bad version over the good one

  • Medium Integrity - Method 2
    - Global COM objects: HKEY_LOCAL_MACHINE\Software\Classes\CLSID
    - User-specific COM objects: HKEY_CURRENT_USER\Software\Classes\CLSID
    - User objects have precedence over system objects
    - Enumerate system COM objects
    - Create paths to malicious versions in current_user
    - No longer valid; only local_machine keys are referred to for elevation

  • Kernel Mode Security
    - Booting Vista
    - Driver Signing
    - Patch Guard
    - Secure Bootup
    - Restricted user-mode access to \Device\PhysicalMemory

  • Booting Vista (Stage 1)
    - Locates and runs bootmgr for a legacy PC/AT BIOS and bootmgr.efi for an EFI system
    - The Vista Boot Manager calls InitializeLibrary, which in turn calls BlpArchInitialize (GDT, IDT, etc.), BlpTpmInitialize (TPM), BlpIoInitialize (file systems), BlBdInitialize (debugging), BlDisplayInitialize
    - boot.ini replaced with the BCD file
    - Selects a boot description and runs BlImageLoadBootApplication
    - Calls BlFveSecureBootUnlockBootDevice and BlFveSecureBootCheckpointBootApp if Full Volume Encryption is enabled

  • Booting Vista (Stage 2)
    - WINLOAD.EXE replaces NTLDR.EXE as the OS loader
    - Performs many of the same tasks as bootmgr
    - Discovers disks and loads the hive
    - Loads the OS signed catalog

  • Booting Vista (Stage 2) cont.
    - Verifies its own integrity and that of other system files
      - Does not boot if they don't match
      - Will however boot if a debugger is attached, except on certain key files
    - Loads the appropriate driver for debugging (USB, Firewire, Serial)
    - Loads the remaining drivers in order from the hive

  • Booting Vista (Stage 3)
    - Loads NTOSKRNL.EXE
    - Responsible for code verification of system drivers
    - Runtime checks (PatchGuard and CI.DLL)

  • Driver Signing
    - Windows Vista 64-bit edition only
    - All kernel mode drivers must have a class 3 cert
    - Justification:
      - Stability: less hackish code in the kernel
      - Security: prevents rootkits
    - Ulterior motives: DRM protection

  • Driver Signing (Implementation)
    - WINLOAD.EXE: boot driver checks
    - NTOSKRNL.EXE: all other drivers (uses CI.DLL)
    - Functions:
      - MinCrypL_CheckSignedFile
      - MinCrypL_CheckImageHash
      - MinCryptK_FindPageHashesInCatalog

  • Driver Signing (Implementation): MinCrypL_CheckSignedFile
    - Used by WINLOAD.EXE and CI.DLL
    - Parses the certificate to check validity
    - Checks the certificate against a root certificate
      - Hard-coded list of 8 certificates in the binary
      - Adding certificates to the system certificates doesn't add to this list
    - If the certificate is signed by a root authority, validate it
      - Parse public key info / RSA public key
      - Convert the key to a "safe" public key
      - Verify the signature according to PKCS#1

  • Driver Signing (Implementation): MinCrypL_CheckImageHash
    - Used by WINLOAD.EXE
    - Verifies the driver matches images in the signed catalog
    - Walks the linked list of catalogs pointed to by g_CatalogList, calling I_CheckImageHashInCatalog on each
  • MinCryptK_FindPageHashesInCatalog
    - Used by CI.DLL
    - Checks code pages of a process or driver at runtime
    - Binary searches for matching page hash in
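A miniature of the runtime page-hash lookup the slide attributes to MinCryptK_FindPageHashesInCatalog, as an added example that is not part of the original deck and not Microsoft's code: an image is hashed page by page, a catalog is the sorted set of page hashes of trusted images, and verification binary-searches each live page hash in it. The page size, hash algorithm, sample image and function names are constructed here; a real catalog is Authenticode-signed and its signature is checked before any hash in it is trusted.

```python
# Added example (not from the slides): a miniature of the catalog lookup the
# slides attribute to MinCryptK_FindPageHashesInCatalog. Page size, hash
# algorithm, the sample image and the function names are constructed here;
# a real catalog is Authenticode-signed and its signature is checked before
# any page hash in it is trusted.
import bisect
import hashlib

PAGE_SIZE = 4096


def page_hashes(image):
    """Hash every page of an image; a short final page is zero padded."""
    digests = []
    for off in range(0, len(image), PAGE_SIZE):
        page = bytes(image[off:off + PAGE_SIZE]).ljust(PAGE_SIZE, b"\0")
        digests.append(hashlib.sha256(page).digest())
    return digests


def build_catalog(trusted_images):
    """A catalog here is just the sorted, de-duplicated set of page hashes
    of every trusted image, which is what makes a binary search possible."""
    return sorted({h for img in trusted_images for h in page_hashes(img)})


def hash_in_catalog(catalog, digest):
    """Binary search for one page hash."""
    i = bisect.bisect_left(catalog, digest)
    return i < len(catalog) and catalog[i] == digest


def verify_image(catalog, image):
    """Return the indices of pages whose hash is not in the catalog.
    An empty list means every page matches what was signed."""
    return [i for i, h in enumerate(page_hashes(image)) if not hash_in_catalog(catalog, h)]


# Constructed stand-in for a signed driver: three full pages and a short tail.
SAMPLE_DRIVER = b"".join(bytes([i]) * PAGE_SIZE for i in range(3)) + b"tail"
CATALOG = build_catalog([SAMPLE_DRIVER])

# The same image with a single byte flipped inside page 1 (a runtime patch).
_patched = bytearray(SAMPLE_DRIVER)
_patched[PAGE_SIZE + 10] ^= 0xFF
PATCHED_DRIVER = bytes(_patched)


if __name__ == "__main__":
    print("clean image bad pages:", verify_image(CATALOG, SAMPLE_DRIVER))
    print("patched image bad pages:", verify_image(CATALOG, PATCHED_DRIVER))
```

Per-page hashing is what lets the check run at runtime and identify the single modified page, rather than re-hashing the whole image on every poll.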

  • Patch Guard
    - Cannot be disabled
    - Polls at 5-10 minute intervals to verify kernel structures are intact:
      - SSDT (System Service Descriptor Table)
      - GDT (Global Descriptor Table)
      - IDT (Interrupt Descriptor Table)
      - System images (ntoskrnl.exe, ndis.sys, hal.dll)
      - Processor MSRs (syscall)

  • Patch Guard (Implementation)
    - Uses obfuscation and misdirection to raise the bar
    - Example: initialization
      - nt!KiDivide6432 (What does it do?)
      - Throws a processor divide exception
      - Patch Guard initialization is called in the exception handler

  • Patch Guard (Implementation): Initialization
    - Creates a random key
    - Creates a random rotate number
    - Picks a fake memory pool tag
    - Initializes memory
      - Zeroes it
      - Fills it with structures
      - Encrypts the structures in memory
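The polling check described on the Patch Guard slide and the initialization steps on the slide above, as one added example that is not part of the original deck and not PatchGuard's code: a monitor that picks a random key and rotate count, keeps protected copies of the watched structures encrypted under a decoy pool tag, and on each poll raises the 0x109 bugcheck code when a live structure no longer matches its baseline. The structures, the keystream construction and the class and function names are stand-ins constructed here.

```python
# Added example (not from the slides): a user-mode sketch of the checker the
# two Patch Guard slides describe: a random key and rotate count chosen at
# initialization, protected copies of the watched structures kept encrypted
# under a decoy pool tag, and a poll that raises bugcheck 0x109 when a live
# structure no longer matches. The structures, the keystream construction and
# the class/function names are stand-ins made here, not PatchGuard's.
import hashlib
import hmac
import secrets
import time

CRITICAL_STRUCTURE_CORRUPTION = 0x109   # the bugcheck code the slides cite


def _rotl64(x, n):
    return ((x << n) | (x >> (64 - n))) & 0xFFFFFFFFFFFFFFFF


class IntegrityMonitor:
    def __init__(self, structures):
        self.key = secrets.token_bytes(32)        # random key
        self.rotate = secrets.randbelow(63) + 1   # random rotate amount
        self.pool_tag = b"Ntfs"                   # decoy tag: looks like an ordinary allocation
        # fill the protected area with the structures, stored encrypted
        self._store = {name: self._mask(data) for name, data in structures.items()}

    def _mask(self, data):
        """XOR with an HMAC keystream whose block counter is rotated by the
        random amount; applying it twice restores the original bytes."""
        blocks = (len(data) + 31) // 32
        stream = b"".join(
            hmac.new(self.key, _rotl64(i, self.rotate).to_bytes(8, "little"), hashlib.sha256).digest()
            for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, stream))

    def check(self, live):
        """One verification pass. Returns None if every watched structure still
        matches its baseline, else (0x109, name) for the first corrupted one."""
        for name, masked in self._store.items():
            baseline = self._mask(masked)
            if not hmac.compare_digest(baseline, live.get(name, b"")):
                return (CRITICAL_STRUCTURE_CORRUPTION, name)
        return None

    def poll(self, read_live, interval, rounds):
        """Timer-driven loop; PatchGuard uses 5-10 minutes, tests use ms."""
        for _ in range(rounds):
            result = self.check(read_live())
            if result is not None:
                return result
            time.sleep(interval)
        return None


# Constructed stand-ins for the tables PatchGuard watches.
KERNEL_STRUCTURES = {
    "SSDT": bytes(range(0, 256)),
    "IDT": bytes(range(255, -1, -1)),
    "MSR_LSTAR": (0xFFFFF80001234560).to_bytes(8, "little"),
}


def tamper(structures, name, offset):
    """Return a copy in which one byte of `name` is flipped, as a hook would."""
    patched = dict(structures)
    data = bytearray(patched[name])
    data[offset] ^= 0xFF
    patched[name] = bytes(data)
    return patched


if __name__ == "__main__":
    monitor = IntegrityMonitor(KERNEL_STRUCTURES)
    print("clean:", monitor.check(KERNEL_STRUCTURES))
    print("hooked:", monitor.poll(lambda: tamper(KERNEL_STRUCTURES, "SSDT", 4), 0.001, 3))
```

Keeping the baseline encrypted under a per-boot key is what makes the attacks on the next slide (hooking the handler, finding the timer) the realistic path for an adversary: a kernel-mode attacker who can read memory still cannot simply locate a plaintext copy of the tables and patch both.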

  • Patch Guard (Attacks)
    - Exception Handler Hooking: verification relies on exceptions; hook the exception and turn it into a nop
    - KeBugCheckEx Hook: when called, check if the bug check code is 0x109; if so, reset the stack pointer and instruction pointer to the thread and carry on
    - Finding the timer: find the timer event and remove it. Not reliable and not portable since it uses an unexported address
    - Simulating Hotpatching: use the Hotpatch API to trick Windows

  • Secure Bootup
    - TPM holds the key used for full drive encryption
    - Takes measurements of boot items such as ROM images and firmware images
    - Special boot code in the TPM decrypts the boot loader
    - Boot loader asks for the full drive encryption key from the TPM
    - Boots the same as detailed in Booting Vista
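The measured-boot chain on this slide, as an added example that is not part of the original deck and not Microsoft's or any TPM vendor's code: each boot item is measured (extended) into a PCR, the volume key is sealed to the PCR value of a known-good boot, and the TPM releases the key only when the chain measured at the next boot reproduces that value. The PCR width, hash, boot items and the seal construction are constructed here; a real TPM keeps the PCRs and its root key in hardware.

```python
# Added example (not from the slides): a model of the measured-boot chain the
# slide describes. Each boot item is measured (extended) into a PCR, the
# volume key is sealed to the PCR value of a known-good boot, and the key is
# released only when the chain measured at the next boot reproduces that
# value. PCR width, hash, boot items and the seal construction are
# constructed here; a real TPM keeps the PCRs and its root key in hardware.
import hashlib
import hmac
import secrets

PCR_RESET = bytes(32)


def extend(pcr, item):
    """TPM extend: PCR' = H(PCR || H(item)). Order matters, and there is no
    operation that sets a PCR back to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(item).digest()).digest()


def measure_boot(items):
    pcr = PCR_RESET
    for item in items:
        pcr = extend(pcr, item)
    return pcr


class Tpm:
    def __init__(self):
        self._root_key = secrets.token_bytes(32)   # never leaves the chip

    def seal(self, secret, pcr):
        """Bind a secret (<= 32 bytes) to a PCR value. The wrap key is derived
        from the root key and the PCR, so no other PCR value can unwrap it."""
        assert len(secret) <= 32
        wrap = hmac.new(self._root_key, pcr, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, wrap))
        tag = hmac.new(self._root_key, b"seal" + pcr + ct, hashlib.sha256).digest()
        return ct + tag

    def unseal(self, blob, current_pcr):
        """Return the secret if current_pcr is the one sealed against, else None."""
        ct, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._root_key, b"seal" + current_pcr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        wrap = hmac.new(self._root_key, current_pcr, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, wrap))


# Constructed boot items; a real chain measures ROM, firmware and bootmgr images.
GOOD_BOOT = [b"option ROM v1", b"firmware image 1.0", b"bootmgr build 5384"]
TAMPERED_BOOT = [b"option ROM v1", b"firmware image 1.0 (modified)", b"bootmgr build 5384"]
VOLUME_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def provision(tpm):
    """Run at setup: seal the volume key to the PCR of the known-good chain."""
    return tpm.seal(VOLUME_KEY, measure_boot(GOOD_BOOT))


def boot(tpm, sealed_key, items):
    """Run at every boot: measure, then ask the TPM for the key."""
    return tpm.unseal(sealed_key, measure_boot(items))


if __name__ == "__main__":
    tpm = Tpm()
    blob = provision(tpm)
    print("good boot key released:", boot(tpm, blob, GOOD_BOOT) == VOLUME_KEY)
    print("tampered boot key released:", boot(tpm, blob, TAMPERED_BOOT) is not None)
```

The point the slide makes implicitly is visible in the failure case: a modified firmware image is not refused outright, it simply produces a different PCR value, and the sealed volume key stays locked because nothing outside the chip can recompute the wrap key for the expected value.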