Diploma Thesis Colloquium
Part I
What Am I Going to Demonstrate?
Mandatory access control (MAC) can be used to efficaciously and efficiently fight spyware in Microsoft Windows Vista because
- Even though application compatibility and user experience are affected
- Spyware depends on the ability to read in order to collect (sensitive) data
- The architecture that enables this (Microsoft Windows Integrity Mechanism [WIM]) is already implemented in this OS (Microsoft Windows Vista)
Scope and Definitions
- Spyware = software that collects sensitive information without appropriate user consent
- Effective = doing “right” things (i.e. setting right targets to achieve an overall goal [the effect])
- Efficacious = getting things done (i.e. meeting targets)
- Efficient = doing things in the most economical way (good input to output ratio)
Part II
How Am I Going to Demonstrate?
- Introducing WIM and explaining how it works
- Demonstrating how WIM can be tweaked in order to enable my concept, and showing the result with an explicit example scenario
1. WIM
- Core component of Microsoft Windows security architecture
- Restricts access permissions of less trustworthy applications running under same user account
1. WIM (cont.) Extends security architecture of OS by assigning integrity level (IL) to application processes and securable objects
1. WIM (cont.)
- IL = representation of trustworthiness of running application processes and objects
- Provides ability for resource managers to use pre-defined policies that block processes of lower integrity from reading, modifying, or executing objects of higher integrity
- Allows Microsoft Windows security model to enforce access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs)
1. WIM (cont.)
Microsoft Windows security architecture:
- Based on granting access rights and privileges to users or groups represented internally by security identifiers (SIDs)
- User logs on > Security Reference Monitor (SRM) sets user’s SID and group membership SIDs in security access token
- Security access token is assigned to every application process run by that user
- Application process opens object:
  - Resource manager that manages object calls on SRM to make access decision
  - SRM compares user and group SIDs in access token with access rights in security descriptor associated with object
  - If user SID is granted full access rights in object’s ACL > application process user runs has full access to object
1.1. Extending Microsoft Windows Security Architecture
- WIM extends security architecture by defining new Access Control Entry (ACE) type to represent IL in object’s security descriptor (object IL)
- IL is also assigned to security access token when access token is initialized (subject IL)
- IL in access token is compared against IL in security descriptor when SRM performs access check
- Microsoft Windows Vista uses AccessCheck function to determine what access rights are allowed to securable objects
- Microsoft Windows restricts allowed access rights depending on:
  - whether subject’s IL is higher or lower than object
  - integrity policy flags in new access control ACE
- SRM implements IL as mandatory label to distinguish it from discretionary access under user control that ACLs provide
1.2. Features
- ILs assigned automatically to every security access token during access token creation = every process and thread has effective IL for access control
- SRM automatically assigns mandatory labels to specific object types
- There are controls on how object creator can set or initialize label on object creation
1.3. Purpose
- Restrict access permissions of less trustworthy applications running under same user account
- Microsoft Windows SRM assigns simple hierarchy of ILs to code running at different privilege levels for same user
- Microsoft Windows Vista incorporates concept of least privilege by enabling broader use of standard user accounts
- User Account Control (UAC) in Admin Approval Mode for administrator accounts = multiple applications on the same desktop running with different privilege levels
1.3. Purpose (cont.)
Security problems addressed by WIM
- Primary: unauthorized tampering with user data and system state
- Secondary: information disclosure
  - Prevented only with respect to access to process address space
1.3. Purpose (cont.)
- WIM does not provide a complete isolation barrier
- WIM is not an application sandbox
1.4. Earlier Integrity Models
Biba Model
- Based on hierarchy of integrity labels and access policies allowed when subject IL dominates object IL
- WIM resembles Biba Model in following ways:
  - uses hierarchy of integrity labels
  - system uses set of ordered subjects, objects, and ILs
  - subject’s IL dominates object’s IL
  - integrity policies inhibit access to objects but are not used primarily to limit flow of information
  - preventing information disclosure is not main goal
1.4. Earlier Integrity Models (cont.)
WIM:
- Lower value indicates less trustworthiness; higher value indicates greater trustworthiness
- Lower-level subject cannot modify higher-level object
- Subject’s IL is not dynamic
- Policies do not inhibit or prevent higher-integrity subjects from reading or executing lower-integrity objects
- Does not inhibit or prevent reading data at any level
- Does not enforce strict integrity policy as described in Biba Model
- Assumes that processes designed to handle untrusted data from unknown or untrusted sources are running at lower IL, or that untrusted data is verified before use
1.4. Earlier Integrity Models (cont.)
Conclusion
WIM:
- Similar to earlier integrity models in computer security
but
- Does not implement any model (at least not literally)
instead
- Limits access permissions available to processes running with different privilege or trust levels
1.5. Security descriptor fields
1.6. Mandatory Label ACE
ACE HEADER
- AceType: SYSTEM_MANDATORY_LABEL_ACE_TYPE
- AceFlags: ACE type inheritance flags
  - Container Inherit (CI): subordinate folders inherit ACE
  - Object Inherit (OI): subordinate files inherit ACE
  - Inherit Only (IO): ACE does not apply to current object
- AceSize: size of mandatory label ACE
ACE MASK: mandatory label policy flags
- NO_WRITE_UP: default policy
- NO_READ_UP: used only to restrict access to virtual memory
- NO_EXECUTE_UP: used to restrict launch activation permissions
ACE SID: IL
- Trusted Installer: highest possible level of trust, able to modify OS
- System: generally services or objects part of the OS itself (e.g. LocalSystem)
- High: administrators
- Medium: default trust level for non-administrative users and associated data
- Low: “Everyone” account, PMIE, temporary Internet files
- Untrusted: anonymous or “Guest” accounts
WIM -> Concept
I explained
- What WIM is and how it works
I will now explain/demonstrate
- How WIM can be tweaked in order to enable my concept
- The effect of the implementation of my concept in an explicit example scenario
2. My Concept
Major parts:
- Explicit mandatory label assigned to objects created by Web browsers and e-mail clients (when necessary)
- Configuration tweaking of integrity policies that restrict access permissions
- IL assigned to Web browsers and e-mail clients
2.1. Explicit Mandatory Label
- What? Assign explicit low mandatory label to objects created by Web browsers and e-mail clients
- When? Always (or when necessary)
- Why? Some operations might be handled by processes running at IL higher than low
- How? Create object with specific low mandatory label:
  - Process creates SDDL security descriptor that defines low IL (e.g. #define LOW_INTEGRITY_SDDL_SACL_W L"S:(ML;;NW;;;LW)")
  - Process converts SDDL string to security descriptor using ConvertStringSecurityDescriptorToSecurityDescriptor
  - Process assigns security descriptor with low IL to security attributes structure
  - Process passes security attributes parameter to call to create object, such as CreateFile
- What for? Prevent process from reading user data files
2.2. Integrity Policy
- What? Enable NO_READ_UP mandatory label policy, and CI and OI inheritance
- Where? User profile (C:\Users\<username>)
- When? User profile initialization
- Why? Most common place to store personal files (sensitive data)
- How? Editing user profile folder ACE:
  - ACE HEADER > AceFlags field: CI = 1, OI = 1
  - ACE MASK: SYSTEM_MANDATORY_POLICY_NO_READ_UP = 1
- What for? Restrict read access to user profile by subjects with lower IL (Web browsers, e-mail clients, and related subjects)
2.3. Integrity Level
- What? Run Web browsers and e-mail clients with low IL
- When? Always
- Why? They handle untrustworthy input
- How? Designing them to run with low rights (least-privilege functionality)
- What for? To reduce access rights available to processes, in order to limit ability of exploit running in them to read user data files
2.4. Example Scenario
Microsoft Windows Vista user receives attachment in e-mail -> saves it -> executes it
- Currently: attachment’s process is able to read and modify user’s data
- After 1: attachment’s process is unable to modify user’s data, but is still able to read it
- After 2: attachment’s process is unable to read or modify user’s data
- After 3? Eventual exploit running in Web browser or e-mail client is (also) unable to read (concept) or modify (WIM) user’s data
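The scenario in 2.4, as an added model in C (not code from the thesis and not Windows' own access check): it parses the mandatory-label SDDL form shown in 2.1 and applies only the integrity comparison, assuming the DACL grants the user full access and that the saved attachment's process runs at low IL after step 1. The function names, the ACC_* rights and the sample labels are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Integrity-level RIDs and label policy bits, values as in winnt.h. */
enum { IL_LOW = 0x1000, IL_MEDIUM = 0x2000, IL_HIGH = 0x3000, IL_SYSTEM = 0x4000 };
enum { NO_WRITE_UP = 0x1, NO_READ_UP = 0x2, NO_EXECUTE_UP = 0x4 };
enum { ACC_READ = 0x1, ACC_WRITE = 0x2, ACC_EXECUTE = 0x4 }; /* model-only rights */
struct label { int il, policy, oi, ci; };

/* Copy characters up to `end` into buf; return the position after `end`,
   or NULL if the terminator is missing or the field does not fit. */
static const char *field(const char *p, char end, char *buf, size_t n)
{
    size_t i = 0;
    while (*p && *p != end) {
        if (i + 1 >= n) return NULL;
        buf[i++] = *p++;
    }
    buf[i] = '\0';
    return *p == end ? p + 1 : NULL;
}

/* Parse a SACL holding one mandatory-label ACE in SDDL form:
   S:(ML;<OI/CI flags>;<policy>;;;<integrity SID>). Returns 0 or -1. */
int parse_label(const char *sddl, struct label *out)
{
    char flags[16], policy[16], guid[4], sid[4];
    const char *p = sddl, *t;
    memset(out, 0, sizeof *out);
    if (strncmp(p, "S:(ML;", 6) != 0) return -1;
    if (!(p = field(p + 6, ';', flags, sizeof flags))) return -1;
    if (!(p = field(p, ';', policy, sizeof policy))) return -1;
    if (!(p = field(p, ';', guid, sizeof guid)) || guid[0]) return -1;
    if (!(p = field(p, ';', guid, sizeof guid)) || guid[0]) return -1;
    if (!field(p, ')', sid, sizeof sid)) return -1;
    for (t = flags; *t; t += 2) {            /* two-letter inheritance flags */
        if (!strncmp(t, "OI", 2)) out->oi = 1;
        else if (!strncmp(t, "CI", 2)) out->ci = 1;
        else return -1;                      /* other flags are outside this model */
    }
    for (t = policy; *t; t += 2) {           /* two-letter policy flags */
        if (!strncmp(t, "NW", 2)) out->policy |= NO_WRITE_UP;
        else if (!strncmp(t, "NR", 2)) out->policy |= NO_READ_UP;
        else if (!strncmp(t, "NX", 2)) out->policy |= NO_EXECUTE_UP;
        else return -1;
    }
    if (!strcmp(sid, "LW")) out->il = IL_LOW;
    else if (!strcmp(sid, "ME")) out->il = IL_MEDIUM;
    else if (!strcmp(sid, "HI")) out->il = IL_HIGH;
    else if (!strcmp(sid, "SI")) out->il = IL_SYSTEM;
    else return -1;
    return 0;
}

/* Mandatory part of the access check only: the DACL is assumed to grant the
   user everything. A subject below the object's IL loses each right whose
   NO_*_UP bit is set in the label. */
int mandatory_filter(int subject_il, const struct label *obj, int desired)
{
    if (subject_il >= obj->il) return desired;
    if (obj->policy & NO_WRITE_UP)   desired &= ~ACC_WRITE;
    if (obj->policy & NO_READ_UP)    desired &= ~ACC_READ;
    if (obj->policy & NO_EXECUTE_UP) desired &= ~ACC_EXECUTE;
    return desired;
}

/* Rights a process at subject_il keeps on a profile file carrying the label. */
int scenario(int subject_il, const char *profile_sddl)
{
    struct label l;
    if (parse_label(profile_sddl, &l) != 0) return -1;
    return mandatory_filter(subject_il, &l, ACC_READ | ACC_WRITE);
}

int main(void)
{
    /* Constructed labels: medium + NW is the default; NWNR with OICI is 2.2. */
    printf("currently=%d after1=%d after2=%d\n",
           scenario(IL_MEDIUM, "S:(ML;;NW;;;ME)"),
           scenario(IL_LOW, "S:(ML;;NW;;;ME)"),
           scenario(IL_LOW, "S:(ML;OICI;NWNR;;;ME)"));
    return 0;
}
```

The returned value is a bit set of the model's rights: 3 is read and write, 1 is read only, 0 is neither.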
2.5. Concept Applicability
Advantages of a MAC solution like this:
- Transparent to user
- Active protection
- Easily implementable in Microsoft Windows Vista
- Fights spyware in effective and efficient manner
Why better than WIM or other Microsoft Windows Vista built-in feature(s)?
- Prevents information disclosure with respect to areas other than virtual memory address space of processes (such as: user profile)
What Did I Talk About?
- I introduced and explained what WIM is
- I demonstrated how WIM can be tweaked in order to enable my concept, and showed the result with an explicit example scenario
Part III
Conclusion
It is possible to use MAC to efficaciously and efficiently fight spyware in Windows Vista because
- Even though application compatibility and user experience are affected, e.g.
  - Uploading pictures to Web sites
  - Copy and paste
- Spyware depends on ability to read in order to collect (sensitive) data
- Architecture that enables this (WIM) is already implemented in OS (Microsoft Windows Vista)
Conclusion (cont.)
Although not
- Effective (denies all read access attempts, even if they are legitimate)
this concept is
- Efficacious (disables all spyware, even if unknown and/or undiscovered)
and
- Efficient (uses few resources, since it uses no real-time scanning)
Outlook
Possible further improvement:
- Use UAC to intercept denied read access attempts and prompt user to make true final decision on whether these read accesses can take place
Thank you
Diploma Thesis Colloquium
Filipe Governa
Hochschule für Angewandte Wissenschaften Hamburg (HAW Hamburg) / Hamburg University of Applied Sciences
Hamburg (GERMANY), 17 July 2008

Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Diploma Thesis Colloquium)
