Mandatory Integrity Control

From Wikipedia, the free encyclopedia

Mandatory Integrity Control (MIC, also called Integrity levels)^[1] is a new security feature in Windows Vista and Windows Server 2008, which adds Integrity Levels (IL) to processes running in a login session. It restricts the access permissions of applications that are running under the same user account and which may be less trustworthy. Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384).^[1] By default, processes started by a regular user gain a Medium IL and elevated processes have High IL.^[2] Processes must be configured explicitly to run with Low IL. Processes with Low IL are called low-integrity processes. While processes inherit the integrity level of the process that spawned it, the integrity level can be customized on a per-process basis as well. For example, executables originating from the Internet are marked for and executed with Low IL. Windows controls access to objects based on ILs, as well as for defining the boundary for window messages, via User Interface Privilege Isolation.

Named objects, including files, registry keys or even other processes and threads, have an entry in the ACL governing access to them, that defines the minimum integrity level of the process that can use the object. Windows makes sure that a process can write to or delete an object only when its integrity level is equal to or higher than the requested integrity level specified by the object.^[2] Objects with higher IL are out-of-bounds for even read access.^[3]

Consequently, a process cannot interact with another process that has a higher IL. So a process cannot perform functions such as inject a DLL into a higher IL process by using the CreateRemoteThread()^[4] API function or send data to a different process by using the WriteProcessMemory()^[5] function. However, the higher IL process can execute such functions against the lower IL process.^[1] However, they can still communicate by using files, Named pipes, LPC or other shared objects. The shared object must have an integrity level as low as the low IL process and should be shared by both the Low-IL and High-IL process.^[3]

Contents 1 Security 2 See also 3 References 4 External links

[edit] Security

Access control lists (ACLs) are limited to granting access rights (read, write, and execute permissions) and privileges to users or groups. MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially-vulnerable applications (like Internet facing application). For example, Internet Explorer 7 with protected mode runs with a Low IL to limit its access to the system. Because IE7 runs as a Low-IL process, system level objects cannot be read or modified by it.

However, since it does not prevent a low IL process from sharing objects with a higher IL process, it can trigger flaws in the higher IL process and have it work on behalf of the low IL process, thereby causing a Squatting attack.^[3] Shatter attacks, however, can be prevented by using another feature, User Interface Privilege Isolation, in conjunction with MIC.

Mandatory Integrity Control is defined using a new access control entry (ACE) type to represent the object's IL in its security descriptor. A subject IL is also assigned to the security access token when it is initialized. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs authorization before granting access to objects. Windows restricts the allowed access rights depending on whether the subject's integrity level is higher or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

[edit] See also

• icacls
• Access token
• Security descriptor
• Windows SID

[edit] References

[edit] External links

• Windows Vista Integrity Mechanism technical reference on MSDN
• Introduction to Windows Integrity Control: Security Focus article

v • d • e Microsoft Windows components Core Aero · ClearType · Desktop Window Manager · DirectX · Explorer · Taskbar · Start menu · Shell (namespace · Special Folders · File associations) · Search (Saved search · iFilters) · Graphics Device Interface · WIM · Next Generation TCP/IP stack (Server Message Block) · .NET Framework · Audio · Printing (XML Paper Specification) · Active Scripting (WSH · VBScript · JScript) · COM (OLE · OLE Automation · DCOM · ActiveX · ActiveX Document · Structured storage · Transaction Server) · Previous Versions · WDDM · UAA · Win32 console Management tools Backup and Restore Center · command.com · cmd.exe · Control Panel (Applets) · Device Manager · Disk Cleanup · Disk Defragmenter · Event Viewer · Management Console · Netsh · Problem Reports and Solutions · Sysprep · System Configuration · Task Manager · System File Checker · System Restore · Windows Installer · Windows PowerShell · Windows Update · WinSAT · Windows Easy Transfer Applications Calculator · Calendar · Character Map · Contacts · DVD Maker · Fax and Scan · Internet Explorer · Journal · Mail · Magnifier · Media Center · Meeting Space · Mobile Device Center · Mobility Center · Movie Maker · Narrator · Notepad · Paint · Photo Gallery · Private Character Editor · Remote Assistance · Sidebar · Snipping Tool · Sound Recorder · Windows Media Player (11) · Windows Speech Recognition · WordPad Games Chess Titans · FreeCell · Hearts · Hold 'Em · InkBall · Mahjong Titans · Minesweeper · Purble Place · Solitaire · Spider Solitaire Kernel Ntoskrnl.exe · hal.dll · System Idle Process · Svchost.exe · Registry · Windows service · Service Control Manager · DLL · EXE · NTLDR / Boot Manager · Winlogon · Recovery Console · I/O · WinRE · WinPE · Kernel Patch Protection Services Autorun · BITS · Task Scheduler · Wireless Zero Configuration · Shadow Copy · Windows Error Reporting · Multimedia Class Scheduler · CLFS File systems NTFS (Hard link · Junction point · Mount Point · Reparse point · Symbolic link · TxF · EFS) · FAT32·FAT16·FAT12 · exFAT · CDFS · UDF · DFS · IFS Server Domains · Active Directory · DNS · Group Policy · Roaming user profiles · Folder redirection · Distributed Transaction Coordinator · MSMQ · Windows SharePoint Services · Windows Media Services · Rights Management Services · IIS · Terminal Services · WSUS · Network Access Protection · DFS Replication · Remote Differential Compression · Print Services for UNIX · Remote Installation Services · Windows Deployment Services · Windows System Resource Manager · Hyper-V Architecture NT series architecture · Object Manager · Startup process (Vista) · I/O request packets · Kernel Transaction Manager · Logical Disk Manager · Security Accounts Manager · Windows Resource Protection · LSASS · CSRSS · SMSS Security UAC · BitLocker · Defender · DEP · Protected Media Path · Mandatory Integrity Control · UIPI · Windows Firewall · Security Center Compatibility Unix subsystem (Interix) · Virtual DOS Machine · Windows on Windows · WOW64