Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Diploma Thesis Colloquium
<ul><li>Part I </li></ul>
What Am I Going to Demonstrate? <ul><li>Mandatory access control (MAC)  can be used to efficaciously and efficiently fight...
Scope and Definitions <ul><li>Spyware  =  software that collects sensitive information without appropriate user consent </...
<ul><li>Part II </li></ul>
How Am I Going to Demonstrate? <ul><li>Introducing  WIM  and explaining how it works </li></ul><ul><li>Demonstrating  how ...
1. WIM <ul><li>C ore component of Microsoft Windows security architecture  </li></ul><ul><ul><li>Restricts access permissi...
1. WIM (cont.) <ul><li>Extends security architecture of OS by assigning integrity level (IL) to application processes and ...
1. WIM (cont.) <ul><li>IL =  representation of trustworthiness of running application processes and objects </li></ul><ul>...
1. WIM (cont.) <ul><li>Microsoft Windows security architecture: </li></ul><ul><ul><li>Based on  granting access rights and...
1.1. Extending Microsoft Windows Security Architecture <ul><li>WIM extends security architecture by defining new Access Co...
1.2. Features <ul><li>ILs assigned automatically to every security access token during access token creation = every proce...
1.3. Purpose <ul><li>Restrict access permissions of less trustworthy applications running under same user account </li></u...
1.3. Purpose (cont.) <ul><li>Security problems addressed by WIM </li></ul><ul><ul><li>Primary : unauthorized tampering wit...
1.3. Purpose (cont.) <ul><li>WIM does  not  provide a complete isolation barrier </li></ul><ul><li>WIM is  not  an applica...
1.4. Earlier Integrity Models <ul><li>Biba Model  </li></ul><ul><ul><li>Based on hierarchy of integrity labels and access ...
1.4. Earlier Integrity Models (cont.) <ul><li>WIM: </li></ul><ul><ul><li>Lower value indicates less trustworthiness; highe...
1.4. Earlier Integrity Models (cont.) <ul><li>Conclusion </li></ul><ul><ul><li>WIM: </li></ul></ul><ul><ul><ul><li>Similar...
1.5. Security descriptor fields
1.6. Mandatory Label ACE <ul><li>ACE HEADER </li></ul><ul><ul><li>AceType:  SYSTEM_MANDATORY_LABEL_ACE_TYPE </li></ul></ul...
WIM  ->  Concept <ul><li>I explained </li></ul><ul><ul><li>What WIM is and how it works </li></ul></ul><ul><li>I will now ...
2. My Concept <ul><li>Major parts: </li></ul><ul><ul><li>Explicit mandatory label  assigned to objects created by Web brow...
2.1. Explicit Mandatory Label <ul><li>What?   Assign explicit  low   mandatory label to objects created by Web browsers an...
2.2. Integrity Policy <ul><li>What?  Enable NO_READ_UP mandatory label policy, and CI and OI inheritance </li></ul><ul><li...
2.3. Integrity Level <ul><li>What?  Run Web browsers and e-mail clients with  low  IL </li></ul><ul><li>When?   Always </l...
2.4. Example Scenario <ul><li>Microsoft Windows Vista user receives attachment in e-mail  ->  saves it  ->  executes it </...
2.5. Concept Applicability <ul><li>Advantages  of a MAC solution like this: </li></ul><ul><ul><li>Transparent  to user </l...
What Did I Talk About? <ul><li>I introduced and explained what WIM is </li></ul><ul><li>I demonstrated how WIM can be twea...
<ul><li>Part III </li></ul>
Conclusion <ul><li>It is possible to use MAC to efficaciously and efficiently fight spyware in Windows Vista because </li>...
Conclusion (cont.) <ul><li>Although not  </li></ul><ul><ul><li>Effective (denies  all   read  access attempts, even if the...
Outlook <ul><li>Possible further improvement: </li></ul><ul><ul><li>Use UAC to intercept denied  read access  attempts and...
Thank you <ul><li>Diploma Thesis Colloquium </li></ul><ul><li>Filipe Governa </li></ul><ul><li>Hochschule für Angewandte W...
Upcoming SlideShare
Loading in …5
×

Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Diploma Thesis Colloquium)

1,630 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Diploma Thesis Colloquium)

  1. 1. Diploma Thesis Colloquium
  2. 2. <ul><li>Part I </li></ul>
  3. 3. What Am I Going to Demonstrate? <ul><li>Mandatory access control (MAC) can be used to efficaciously and efficiently fight spyware in Microsoft Windows Vista because </li></ul><ul><ul><li>Even though application compatibility and user experience are affected </li></ul></ul><ul><ul><li>Spyware depends on the ability to read in order to collect (sensitive) data </li></ul></ul><ul><ul><li>The architecture that enables this (Microsoft Windows Integrity Mechanism [WIM]) is already implemented in this OS (Microsoft Windows Vista) </li></ul></ul>
  4. 4. Scope and Definitions <ul><li>Spyware = software that collects sensitive information without appropriate user consent </li></ul><ul><li>Effective = doing “right” things (i.e. setting right targets to achieve an overall goal [the effect]) </li></ul><ul><li>Efficacious = getting things done (i.e. meeting targets) </li></ul><ul><li>Efficient = doing things in the most economical way (good input to output ratio) </li></ul>
  5. 5. <ul><li>Part II </li></ul>
  6. 6. How Am I Going to Demonstrate? <ul><li>Introducing WIM and explaining how it works </li></ul><ul><li>Demonstrating how WIM can be tweaked in order to enable my concept , and showing the result with an explicit example scenario </li></ul>
  7. 7. 1. WIM <ul><li>C ore component of Microsoft Windows security architecture </li></ul><ul><ul><li>Restricts access permissions of less trustworthy applications running under same user account </li></ul></ul>
  8. 8. 1. WIM (cont.) <ul><li>Extends security architecture of OS by assigning integrity level (IL) to application processes and securable objects </li></ul>
  9. 9. 1. WIM (cont.) <ul><li>IL = representation of trustworthiness of running application processes and objects </li></ul><ul><li>Provides ability for resource managers to use pre-defined policies that block processes of lower integrity from reading, modifying, or executing objects of higher integrity </li></ul><ul><li>Allows Microsoft Windows security model to enforce access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs) </li></ul>
  10. 10. 1. WIM (cont.) <ul><li>Microsoft Windows security architecture: </li></ul><ul><ul><li>Based on granting access rights and privileges to users or groups represented internally by security identifiers (SIDs) </li></ul></ul><ul><ul><li>User logs on > Security Reference Monitor (SRM) sets user’s SID and group membership SIDs in security access token </li></ul></ul><ul><ul><li>Security access token is assigned to every application process run by that user </li></ul></ul><ul><ul><li>Application process opens object: </li></ul></ul><ul><ul><ul><li>Resource manager that manages object calls on SRM to make access decision </li></ul></ul></ul><ul><ul><ul><li>SRM compares user and group SIDs in access token with access rights in security descriptor associated with object </li></ul></ul></ul><ul><ul><ul><li>If user SID is granted full access rights in object’s ACL > application process user runs has full access to object </li></ul></ul></ul>
  11. 11. 1.1. Extending Microsoft Windows Security Architecture <ul><li>WIM extends security architecture by defining new Access Control Entry (ACE) type to represent IL in object’s security descriptor (object IL) </li></ul><ul><li>IL is also assigned to security access token when access token is initialized (subject IL) </li></ul><ul><li>IL in access token is compared against IL in security descriptor when SRM performs access check </li></ul><ul><li>Microsoft Windows Vista uses AccessCheck function to determine what access rights are allowed to securable objects </li></ul><ul><li>Microsoft Windows restricts allowed access rights depending on: </li></ul><ul><ul><li>whether subject’s IL is higher or lower than object </li></ul></ul><ul><ul><li>integrity policy flags in new access control ACE </li></ul></ul><ul><li>SRM implements IL as mandatory label to distinguish it from discretionary access under user control that ACLs provide </li></ul>
  12. 12. 1.2. Features <ul><li>ILs assigned automatically to every security access token during access token creation = every process and thread has effective IL for access control </li></ul><ul><li>SRM automatically assigns mandatory labels to specific object types </li></ul><ul><li>There are controls on how object creator can set or initialize label on object creation </li></ul>
  13. 13. 1.3. Purpose <ul><li>Restrict access permissions of less trustworthy applications running under same user account </li></ul><ul><li>Microsoft Windows SRM assigns simple hierarchy of ILs to code running at different privilege levels for same user </li></ul><ul><li>Microsoft Windows Vista incorporates concept of least privilege by enabling broader use of standard user accounts </li></ul><ul><li>User Account Control (UAC) in Admin Approval Mode for administrator accounts = multiple applications on the same desktop running with different privilege levels </li></ul>
  14. 14. 1.3. Purpose (cont.) <ul><li>Security problems addressed by WIM </li></ul><ul><ul><li>Primary : unauthorized tampering with user data and system state </li></ul></ul><ul><ul><li>Secondary : information disclosure </li></ul></ul><ul><ul><ul><li>Prevented only with respect to access to process address space </li></ul></ul></ul>
  15. 15. 1.3. Purpose (cont.) <ul><li>WIM does not provide a complete isolation barrier </li></ul><ul><li>WIM is not an application sandbox </li></ul>
  16. 16. 1.4. Earlier Integrity Models <ul><li>Biba Model </li></ul><ul><ul><li>Based on hierarchy of integrity labels and access policies allowed when subject IL dominates object IL </li></ul></ul><ul><li>WIM resembles Biba Model in following ways: </li></ul><ul><ul><li>uses hierarchy of integrity labels </li></ul></ul><ul><ul><li>system uses set of ordered subjects, objects, and ILs </li></ul></ul><ul><ul><li>subject’s IL dominates object’s IL </li></ul></ul><ul><ul><li>integrity policies inhibit access to objects but are not used primarily to limit flow of information </li></ul></ul><ul><ul><li>preventing information disclosure is not main goal </li></ul></ul>
  17. 17. 1.4. Earlier Integrity Models (cont.) <ul><li>WIM: </li></ul><ul><ul><li>Lower value indicates less trustworthiness; higher value indicates greater trustworthiness </li></ul></ul><ul><ul><ul><li>Lower-level subject cannot modify higher-level object </li></ul></ul></ul><ul><ul><li>Subject’s IL is not dynamic </li></ul></ul><ul><ul><li>Policies do not inhibit or prevent higher-integrity subjects from reading or executing lower-integrity objects </li></ul></ul><ul><ul><ul><li>Does not inhibit or prevent reading data at any level </li></ul></ul></ul><ul><ul><li>Does not enforce strict integrity policy as described in Biba Model </li></ul></ul><ul><ul><ul><li>Assumes that processes designed to handle untrusted data from unknown or untrusted sources are running at lower IL, or that untrusted data is verified before use </li></ul></ul></ul>
  18. 18. 1.4. Earlier Integrity Models (cont.) <ul><li>Conclusion </li></ul><ul><ul><li>WIM: </li></ul></ul><ul><ul><ul><li>Similar to earlier integrity models in computer security </li></ul></ul></ul><ul><ul><ul><li>but </li></ul></ul></ul><ul><ul><ul><li>Does not implement any model (at least not literally) </li></ul></ul></ul><ul><ul><ul><li>instead </li></ul></ul></ul><ul><ul><ul><li>Limits access permissions available to processes running with different privilege or trust levels </li></ul></ul></ul>
  19. 19. 1.5. Security descriptor fields
  20. 20. 1.6. Mandatory Label ACE <ul><li>ACE HEADER </li></ul><ul><ul><li>AceType: SYSTEM_MANDATORY_LABEL_ACE_TYPE </li></ul></ul><ul><ul><li>AceFlags: ACE type inheritance flags </li></ul></ul><ul><ul><ul><li>Container Inherit (CI): subordinate folders inherit ACE </li></ul></ul></ul><ul><ul><ul><li>Object Inherit (OI): subordinate files inherit ACE </li></ul></ul></ul><ul><ul><ul><li>Inherit Only (IO): ACE does not apply to current object </li></ul></ul></ul><ul><ul><li>AceSize: size of mandatory label ACE </li></ul></ul><ul><li>ACE MASK : mandatory label policy flags </li></ul><ul><ul><li>NO_WRITE_UP: default policy </li></ul></ul><ul><ul><li>NO_READ_UP: used only to restrict access to virtual memory </li></ul></ul><ul><ul><li>NO_EXECUTE_UP: used to restrict launch activation perm. </li></ul></ul><ul><li>ACE SID </li></ul><ul><ul><li>IL </li></ul></ul><ul><ul><ul><li>Trusted Installer: highest possbible level of trust, able to modify OS </li></ul></ul></ul><ul><ul><ul><li>System: generally services or objects part of the OS itself (e.g. LocalSystem) </li></ul></ul></ul><ul><ul><ul><li>High: administrators </li></ul></ul></ul><ul><ul><ul><li>Medium: default trust level for non-administrative users and associated data </li></ul></ul></ul><ul><ul><ul><li>Low: “Everyone” account, PMIE, temporary Internet files </li></ul></ul></ul><ul><ul><ul><li>Untrusted: anonymous or “Guest” accounts </li></ul></ul></ul>
  21. 21. WIM -> Concept <ul><li>I explained </li></ul><ul><ul><li>What WIM is and how it works </li></ul></ul><ul><li>I will now explain/demonstrate </li></ul><ul><ul><li>How WIM can be tweaked in order to enable my concept </li></ul></ul><ul><ul><li>The effect of the implementation of my concept in an explicit example scenario </li></ul></ul>
  22. 22. 2. My Concept <ul><li>Major parts: </li></ul><ul><ul><li>Explicit mandatory label assigned to objects created by Web browsers and e-mail clients (when necessary) </li></ul></ul><ul><ul><li>Configuration tweaking of integrity policies that restrict access permissions </li></ul></ul><ul><ul><li>IL assigned to Web browsers and e-mail clients </li></ul></ul>
  23. 23. 2.1. Explicit Mandatory Label <ul><li>What? Assign explicit low mandatory label to objects created by Web browsers and e-mail clients </li></ul><ul><li>When? Always (or when necessary) </li></ul><ul><li>Why? Some operations might be handled by processes running at IL higher than low </li></ul><ul><li>How? Create object with specific low mandatory label: </li></ul><ul><ul><li>Process creates SDDL security descriptor that defines low IL (e.g. #define LOW_INTEGRITY_SDDL_SACL_W_L”S:(ML;;NW;;;LW)” </li></ul></ul><ul><ul><li>Process converts SDDL string to security descriptor using ConvertStringSecurityDescriptorToSecurityDescriptor </li></ul></ul><ul><ul><li>Process assigns security descriptor with low IL to security attributes structure </li></ul></ul><ul><ul><li>Process passes security attributes parameter to call to create object, such as CreateFile </li></ul></ul><ul><li>What for? Prevent process from reading user data files </li></ul>
  24. 24. 2.2. Integrity Policy <ul><li>What? Enable NO_READ_UP mandatory label policy, and CI and OI inheritance </li></ul><ul><li>Where? User profile ( C:Users<username> ) </li></ul><ul><li>When? User profile initialization </li></ul><ul><li>Why? Most common place to store personal files (sensitive data) </li></ul><ul><li>How? Editing user profile folder ACE: </li></ul><ul><ul><li>ACE HEADER > AceFlags field: CI = 1, OI = 1 </li></ul></ul><ul><ul><li>ACE MASK: SYSTEM_MANDATORY_POLICY_NO_READ_UP = 1 </li></ul></ul><ul><li>What for? Restrict read access to user profile by subjects with lower IL (Web browsers, e-mail clients, and related subjects) </li></ul>
  25. 25. 2.3. Integrity Level <ul><li>What? Run Web browsers and e-mail clients with low IL </li></ul><ul><li>When? Always </li></ul><ul><li>Why? They handle untrustworthy input </li></ul><ul><li>How? Designing them to run with low rights (least-privilege functionality) </li></ul><ul><li>What for? To reduce access rights available to processes, in order to limit ability of exploit running in them to read user data files </li></ul>
  26. 26. 2.4. Example Scenario <ul><li>Microsoft Windows Vista user receives attachment in e-mail -> saves it -> executes it </li></ul><ul><ul><li>Currently: attachment’s process is able to read and modify user’s data </li></ul></ul><ul><ul><li>After 1: attachment’s process is unable to modify user’s data, but is still able to read it </li></ul></ul><ul><ul><li>After 2: attachment’s process is unable to read or modify user’s data </li></ul></ul><ul><ul><li>After 3? Eventual exploit running in Web browser or e-mail client is (also) unable to read (concept) or modify (WIM) user’s data </li></ul></ul>
  27. 27. 2.5. Concept Applicability <ul><li>Advantages of a MAC solution like this: </li></ul><ul><ul><li>Transparent to user </li></ul></ul><ul><ul><li>Active protection </li></ul></ul><ul><ul><li>Easily implementable in Microsoft Windows Vista </li></ul></ul><ul><ul><li>Fights spyware in effective and efficient manner </li></ul></ul><ul><li>Why better than WIM or other Microsoft Windows Vista built-in feature(s)? </li></ul><ul><ul><li>Prevents information disclosure with respect to areas other than virtual memory address space of processes (such as: user profile ) </li></ul></ul>
  28. 28. What Did I Talk About? <ul><li>I introduced and explained what WIM is </li></ul><ul><li>I demonstrated how WIM can be tweaked in order to enable my concept, and showed the result with an explicit example scenario </li></ul>
  29. 29. <ul><li>Part III </li></ul>
  30. 30. Conclusion <ul><li>It is possible to use MAC to efficaciously and efficiently fight spyware in Windows Vista because </li></ul><ul><ul><li>Even though application compatibility and user experience is affected, e.g. </li></ul></ul><ul><ul><ul><li>Uploading pictures to Web sites </li></ul></ul></ul><ul><ul><ul><li>Copy and paste </li></ul></ul></ul><ul><ul><li>Spyware depends on ability to read in order to collect (sensitive) data </li></ul></ul><ul><ul><li>Architecture that enables this (WIM) is already implemented in OS (Microsoft Windows Vista) </li></ul></ul>
  31. 31. Conclusion (cont.) <ul><li>Although not </li></ul><ul><ul><li>Effective (denies all read access attempts, even if they are legitimate) </li></ul></ul><ul><li>this concept is </li></ul><ul><ul><li>Efficacious (disables all spyware, even if unknown and/or undiscovered) and </li></ul></ul><ul><ul><li>Efficient (uses few resources, since it uses no real-time scanning) </li></ul></ul>
  32. 32. Outlook <ul><li>Possible further improvement: </li></ul><ul><ul><li>Use UAC to intercept denied read access attempts and prompt user to make true final decision on whether these read accesses can take place </li></ul></ul>
  33. 33. Thank you <ul><li>Diploma Thesis Colloquium </li></ul><ul><li>Filipe Governa </li></ul><ul><li>Hochschule für Angewandte Wissenschaften Hamburg </li></ul><ul><li>(HAW Hamburg) </li></ul><ul><li>/ </li></ul><ul><li>Hamburg University of Applied Sciences </li></ul><ul><li>Hamburg (GERMANY), 17 July 2008 </li></ul>

×