Windows 7 Security Mechanisms (Windows7 安全机制), 李德虎. Windows 7 security mechanisms: UAC (User Account Control), ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention)

46 pages (slide transcript)

Upload: myles-lee

Post on 16-Dec-2015

TRANSCRIPT

Page 1: Windows 7 Security Mechanisms (Windows7 安全机制), 李德虎. Topics: UAC (User Account Control), ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention)

Windows 7 Security Mechanisms

李德虎

Page 2:

Windows 7 Security Mechanisms

• UAC (User Account Control)

• ASLR (Address Space Layout Randomization)

• DEP (Data Execution Prevention)

Page 3:

UAC

• User Account Control

• Goals:
– separate what different accounts are allowed to do
– protect system settings from users
– keep users' data private from each other on shared computers
– protect the system from malware that runs with the user's rights

Page 4:

UAC

• Idea: two kinds of account, standard user and administrator, and by default every process runs with standard user rights, even when the logged-on user is an administrator

• Techniques:
– the Protected Administrator (PA) account
– UAC elevation prompts
– the Windows Integrity Mechanism
– file system and registry virtualization

Page 5:

UAC - PA account

• Accounts
– PA (Protected Administrator): a member of the Administrators group logged on with UAC enabled
– standard user

• Access token: at logon a PA user gets two tokens, the full administrator token and a filtered token in which the Administrators group is marked deny-only, the administrative privileges are removed and the integrity level is Medium. The filtered token is the one the desktop runs with; the full token is used only after an elevation.

Page 6:

UAC - PA account

• First process: Explorer.exe is started with the filtered standard user token

• Other processes inherit their token from Explorer.exe or from one of its child processes

• So, by default, everything runs with standard user rights

Page 7: (section divider; repeats the UAC idea/techniques outline of page 4)

Page 8:

UAC - elevation prompts

• For standard users: Over the Shoulder (OTS) elevation, a credential prompt that asks for an administrator's password

• For PA users: consent elevation, a Yes/No prompt after which the program is started with the full administrator token

Page 9:

UAC - elevation prompts

• How does Windows know that an application needs administrator rights?
– Most common: the application's manifest, whose requestedExecutionLevel element is one of asInvoker, highestAvailable or requireAdministrator
– Sysinternals Sigcheck (sigcheck -m) dumps the embedded manifest so the level can be inspected
– Otherwise installer-detection heuristics (file names and version resources containing words such as "setup" or "install"), etc.

Page 10: (section divider; repeats the UAC idea/techniques outline of page 4)

Page 11:

UAC - Windows Integrity Mechanism

• Windows Integrity Mechanism: integrity level plus integrity policy

– every process (through its token) and every securable object carries an integrity level (IL)

– an object's integrity policy, stored in its mandatory label, can restrict what a lower-integrity process may do to it

– the mandatory check runs before the discretionary ACL check: an access that the policy restricts is granted only if the process's IL >= the object's IL

Page 12:

UAC - Windows Integrity Mechanism

• Integrity level (the slide's table is not in the transcript). Windows defines the levels Untrusted (0x0000), Low (0x1000), Medium (0x2000), High (0x3000) and System (0x4000), carried as the mandatory label SID S-1-16-<level>.

Page 13:

UAC - Windows Integrity Mechanism

• Integrity level

– How is the IL assigned?
• processes usually inherit the IL of their parent
• a process can also launch a child at a different IL (for example a Low IL process started with a restricted token, or a High IL process started through the consent prompt)

– Inspect it with Sysinternals Process Explorer (Integrity column) or AccessChk; whoami /groups also shows the current token's mandatory label

Page 14:

UAC - Windows Integrity Mechanism

• Integrity policy
– default policy for most objects: No-Write-Up (a lower-IL process cannot modify a higher-IL object, but can still read it)
– the other policies are No-Read-Up and No-Execute-Up; an object without an explicit label is treated as Medium with No-Write-Up, and process objects default to No-Write-Up plus No-Read-Up
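The mandatory check described on pages 11 to 14, as an added example that is not part of the slides or of Windows itself: a small C model of the integrity-level access check. The level values and the three policy bits are the real ones (mandatory label RIDs and SYSTEM_MANDATORY_LABEL_* policy bits); the objects, their labels and the three-way access split are constructed sample data, and the real kernel follows this check with the normal DACL check, which the model omits.

```c
/* Model of the Windows Integrity Mechanism mandatory access check.
 * Added example; not code from the slides or from Windows. Level and
 * policy constants are real, the objects below are constructed samples. */
#include <stdbool.h>
#include <stdio.h>

/* Integrity level RIDs of the mandatory label SIDs S-1-16-<RID>. */
enum il {
    IL_UNTRUSTED = 0x0000,
    IL_LOW       = 0x1000,
    IL_MEDIUM    = 0x2000,
    IL_HIGH      = 0x3000,
    IL_SYSTEM    = 0x4000
};

/* Mandatory label policy bits (SYSTEM_MANDATORY_LABEL_* in winnt.h). */
#define POLICY_NO_WRITE_UP   0x1
#define POLICY_NO_READ_UP    0x2
#define POLICY_NO_EXECUTE_UP 0x4

/* Access categories for the model (stand-ins for the GENERIC_* rights). */
#define ACCESS_READ    0x1
#define ACCESS_WRITE   0x2
#define ACCESS_EXECUTE 0x4

struct object {
    const char *name;
    bool labeled;     /* false: no explicit label -> Medium / No-Write-Up */
    enum il level;
    unsigned policy;
};

/* Returns true if the mandatory check passes (the DACL check would follow). */
bool mic_check(enum il process_il, const struct object *obj, unsigned desired)
{
    enum il obj_il = obj->labeled ? obj->level : IL_MEDIUM;
    unsigned policy = obj->labeled ? obj->policy : POLICY_NO_WRITE_UP;

    /* Equal or higher integrity: the label never restricts anything. */
    if (process_il >= obj_il)
        return true;

    /* Lower integrity: only the access kinds named in the policy are blocked. */
    if ((desired & ACCESS_WRITE) && (policy & POLICY_NO_WRITE_UP))
        return false;
    if ((desired & ACCESS_READ) && (policy & POLICY_NO_READ_UP))
        return false;
    if ((desired & ACCESS_EXECUTE) && (policy & POLICY_NO_EXECUTE_UP))
        return false;
    return true;
}

/* Constructed sample objects (hypothetical paths). */
const struct object unlabeled_doc =
    { "C:\\Users\\alice\\Documents\\notes.txt", false, IL_MEDIUM, 0 };
const struct object high_labeled =
    { "C:\\Secure\\config.dat (explicit High label)", true, IL_HIGH, POLICY_NO_WRITE_UP };
const struct object process_object =
    { "explorer.exe process object", true, IL_MEDIUM,
      POLICY_NO_WRITE_UP | POLICY_NO_READ_UP };

static const char *verdict(bool ok) { return ok ? "allowed" : "denied"; }

int main(void)
{
    /* A Low IL process (e.g. Protected Mode IE) against a normal user file. */
    printf("Low  writes %s: %s\n", unlabeled_doc.name,
           verdict(mic_check(IL_LOW, &unlabeled_doc, ACCESS_WRITE)));
    printf("Low  reads  %s: %s\n", unlabeled_doc.name,
           verdict(mic_check(IL_LOW, &unlabeled_doc, ACCESS_READ)));
    /* Medium (filtered PA token) against an explicitly High-labeled object. */
    printf("Med  writes %s: %s\n", high_labeled.name,
           verdict(mic_check(IL_MEDIUM, &high_labeled, ACCESS_WRITE)));
    printf("Med  reads  %s: %s\n", high_labeled.name,
           verdict(mic_check(IL_MEDIUM, &high_labeled, ACCESS_READ)));
    /* Process objects also carry No-Read-Up, so Low cannot even open Medium. */
    printf("Low  reads  %s: %s\n", process_object.name,
           verdict(mic_check(IL_LOW, &process_object, ACCESS_READ)));
    return 0;
}
```

The point the model makes is the one on page 14: No-Write-Up alone still lets a Low IL process read Medium data, which is why the label is a containment for writes and not a confidentiality boundary, and why process objects get No-Read-Up as well.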

Page 15:

UAC (diagram slide; image not in transcript)

Page 16: (section divider; repeats the UAC idea/techniques outline of page 4)

Page 17:

UAC - File system virtualization

• Microsoft recommends that:
– global application installers store executable files under %ProgramFiles% and machine-wide settings under HKEY_LOCAL_MACHINE\Software
– per-user data goes in the per-user %AppData% directory and per-user settings under HKEY_CURRENT_USER\Software

Page 18:

UAC - File system virtualization

• Before Windows Vista:
– most Windows systems were single-user
– most users ran as administrators

• Applications that incorrectly save user data and settings to the machine-wide locations worked anyway. On Vista, where they run with standard user rights, those writes would fail, so virtualization silently redirects them instead.

Page 19:

UAC - File system virtualization

• A process counts as "legacy" on Vista if it is:
– 32-bit
– not running with administrative rights
– without a manifest indicating that it was written for Windows Vista (no requestedExecutionLevel)

• Any operation not originating from a process classified as legacy is not virtualized.

Page 20:

UAC - File system virtualization

• Virtualized locations: %ProgramFiles%, %ProgramData%, %SystemRoot% (executable file types such as .exe and .dll are excluded)

– implemented by the File Virtualization Filter Driver (luafv.sys)

– modifications to virtualized directories are redirected to the user's virtual root directory, %LocalAppData%\VirtualStore

Page 21:

UAC - registry virtualization (screenshot slide; content not in transcript). The registry counterpart of the previous slides: writes by a legacy process to HKEY_LOCAL_MACHINE\Software are redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore.

Page 22:

UAC - Auto elevation

• Goal: a smoother user experience by reducing the number of prompts

• How? Windows "auto-elevates" Windows executables without a prompt if they are:
– digitally signed by the Windows publisher, the certificate used to sign all code included with Windows (Microsoft code that is not shipped as part of Windows is not included)
– located in a "secure" directory, e.g. \Windows\System32, that standard users cannot modify

Page 23:

UAC - Auto elevation

• Additional rules
– .exe files: only if they specify the autoElevate property in their manifest
– Sysinternals Sigcheck (sigcheck -m) shows the manifest, and therefore whether autoElevate is set

Page 24:

UAC - Auto elevation

• Additional rules: Microsoft Management Console, Mmc.exe
– an .MSC file lists the snap-ins MMC is to load, e.g. mmc.exe gpedit.msc
– Mmc.exe is a Windows executable, but it auto-elevates only if the .MSC file is signed by Windows, sits in a secure location and is on an internal list of auto-elevate .MSCs

Page 25:

UAC - Auto elevation

• Additional rules: COM objects
– the COM object's DLL must also be a Windows executable
– it must be instantiated by a Windows executable (the instantiating executable does not itself need to be marked for auto-elevation)

– example: the shell's Copy/Move/Rename/Delete/Link object that Explorer uses to operate on protected directories

Page 26: (image slide; content not in transcript)

Page 27:

UAC

• Goal: a security boundary between administrator and non-administrator code

• But usability prevents that goal from being achieved; Microsoft itself states that UAC is not a security boundary

• Questions
– Should Windows publish the auto-elevate list?
– Can third-party software running in a PA account take advantage of auto-elevation, i.e. run code inside a process that is allowed to auto-elevate and so reach the full administrator token without a prompt? (The Win7Elevate demonstration linked on the last slide shows that it can.)

Page 28: Agenda (repeat of page 2); next section: ASLR (Address Space Layout Randomization)

Page 29:

ASLR (introduced in Vista)

• Randomizes the addresses at which objects are mapped:
– images (both executables and DLLs)
– heaps and stacks
– the PEB and the TEBs

Page 30:

ASLR

• For images
– system-wide configuration parameter: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
• 0: never randomize
• -1 (0xFFFFFFFF): randomize every relocatable image
• any other value, and the default when the value is absent: randomize only images whose PE header has the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag, set by the /DYNAMICBASE linker option available since Visual Studio 2005 SP1

Page 31:

ASLR

• Exe (screenshot slide; content not in transcript). The executable itself is relocated per process: an 8-bit delta derived from the time stamp counter is applied above the preferred base in 64 KB units.

Page 32:

ASLR

• DLLs
– a DLL must be loaded at the same address in every process so that its code pages can be shared, so its random base is chosen once, system-wide
– a global bitmap, _MiImageBitMap, records which 64 KB slots of the image-load region are in use: (0x78000000 - 0x50000000) / 64 KB = 0x2800 bits
– the starting position comes from an 8-bit random value, initialized with the RDTSC instruction once per boot

Page 33:

ASLR

• DLLs
– the first DLL loaded on the system (Ntdll.dll) therefore has only 256 possible locations
– the location of every subsequent DLL depends on the address of Ntdll.dll and on the order in which the DLLs are loaded, since each one takes the next free slots in the bitmap
– to increase the randomness, the Session Manager shuffles the load order of the known DLLs (SmpRandomizeDllList)
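The DLL placement described on pages 32 and 33, as an added example that is not part of the slides or of Windows: a C model of the system-wide image bitmap. The region bounds, the 64 KB granularity, the 8-bit per-boot random value and the "next free slots in load order" rule come from the slides; that the random start is measured from the top of the region and that later DLLs are packed downward are assumptions of this model, and the DLL names and sizes are constructed sample data. The model makes the two properties on page 33 measurable: Ntdll.dll has exactly 256 possible bases, and the base of every later DLL changes with load order even when the random value is the same.

```c
/* Model of the Vista/Windows 7 ASLR image bitmap (_MiImageBitMap).
 * Added example; not Windows code. Downward packing from a random start
 * near the top of the region is an assumption of the model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_LO 0x50000000u
#define REGION_HI 0x78000000u
#define SLOT      0x10000u                          /* 64 KB granularity */
#define NSLOTS    ((REGION_HI - REGION_LO) / SLOT)  /* 0x2800 bits */

struct image_bitmap {
    uint8_t bits[NSLOTS / 8];
    long next;          /* highest slot index the next search starts from */
};

/* The 8-bit value is derived from RDTSC once per boot; the caller passes it in. */
void bitmap_init(struct image_bitmap *bm, uint8_t boot_random)
{
    memset(bm->bits, 0, sizeof bm->bits);
    bm->next = (long)NSLOTS - 1 - boot_random;
}

static int slot_used(const struct image_bitmap *bm, uint32_t i)
{
    return (bm->bits[i / 8] >> (i % 8)) & 1;
}

static void slot_set(struct image_bitmap *bm, uint32_t i)
{
    bm->bits[i / 8] |= (uint8_t)(1u << (i % 8));
}

/* Reserve `size` bytes (rounded up to whole slots) at the highest free run
 * below the cursor and return the base, or 0 if the region is exhausted. */
uint32_t bitmap_place_dll(struct image_bitmap *bm, uint32_t size)
{
    long need = (long)((size + SLOT - 1) / SLOT);
    long top = bm->next;
    while (top + 1 >= need) {
        long first = top - need + 1, i;
        for (i = first; i <= top && !slot_used(bm, (uint32_t)i); i++)
            ;
        if (i > top) {                      /* all `need` slots are free */
            for (i = first; i <= top; i++)
                slot_set(bm, (uint32_t)i);
            bm->next = first - 1;           /* keep packing downward */
            return REGION_LO + (uint32_t)first * SLOT;
        }
        top = i - 1;                        /* skip past the used slot */
    }
    return 0;
}

struct dll { const char *name; uint32_t size; };

/* Constructed sample load orders; sizes are illustrative, not real. */
const struct dll order_a[] = {
    { "ntdll.dll", 0x130000 }, { "kernel32.dll", 0xD0000 }, { "user32.dll", 0x90000 }
};
const struct dll order_b[] = {
    { "ntdll.dll", 0x130000 }, { "user32.dll", 0x90000 }, { "kernel32.dll", 0xD0000 }
};

/* Simulate one boot: load `order` in sequence, return the base given to `query`. */
uint32_t simulate_boot(uint8_t boot_random, const struct dll *order, int n,
                       const char *query)
{
    struct image_bitmap bm;
    uint32_t result = 0;
    bitmap_init(&bm, boot_random);
    for (int i = 0; i < n; i++) {
        uint32_t base = bitmap_place_dll(&bm, order[i].size);
        if (strcmp(order[i].name, query) == 0)
            result = base;
    }
    return result;
}

/* How many distinct bases can ntdll.dll get across all 256 per-boot values? */
int ntdll_distinct_positions(void)
{
    uint32_t seen[256];
    int n = 0;
    for (int r = 0; r < 256; r++) {
        uint32_t base = simulate_boot((uint8_t)r, order_a, 1, "ntdll.dll");
        int dup = 0;
        for (int i = 0; i < n; i++)
            if (seen[i] == base) dup = 1;
        if (!dup) seen[n++] = base;
    }
    return n;
}

int main(void)
{
    uint8_t r = 0x3C;   /* one hypothetical per-boot value */
    printf("ntdll.dll    order A: 0x%08X  order B: 0x%08X\n",
           simulate_boot(r, order_a, 3, "ntdll.dll"),
           simulate_boot(r, order_b, 3, "ntdll.dll"));
    printf("kernel32.dll order A: 0x%08X  order B: 0x%08X\n",
           simulate_boot(r, order_a, 3, "kernel32.dll"),
           simulate_boot(r, order_b, 3, "kernel32.dll"));
    printf("distinct ntdll bases over all boot values: %d\n",
           ntdll_distinct_positions());
    return 0;
}
```

With the same per-boot value, Ntdll.dll lands at the same base under both load orders while kernel32.dll does not, which is exactly why SmpRandomizeDllList shuffles the order: the 8 bits of boot entropy alone would make every known DLL's base a fixed function of Ntdll.dll's.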

Page 34:

ASLR

• Heap
– in the past heap memory came from NtAllocateVirtualMemory, a linear address-space search, so heap addresses were predictable
– in Vista, RtlCreateHeap adds randomness by choosing a random base for each new heap

Page 35:

ASLR

• Stack: twofold randomization
– the base of the stack is chosen randomly: a 5-bit random value derived from the time stamp counter selects one of 32 candidate locations
– the offset at which the stack actually starts is also chosen randomly: a 9-bit random value derived from the time stamp counter, multiplied by 4 bytes
– together that gives 32 x 512 = 16384 possible starting addresses for a thread's stack

Page 36: Agenda (repeat of page 2); next section: DEP (Data Execution Prevention)

Page 37:

DEP

• Software-enforced DEP (SafeSEH)
– an extra check in the exception dispatcher before a structured exception handler is called
– the /SafeSEH linker option records a table of all valid exception handlers in the image's load configuration directory
– the handler address in the exception registration record on the stack must point to one of the valid handlers in the table of the module that contains it; a module linked without /SafeSEH has no table and is not checked, and when hardware DEP is on a handler outside every loaded module (on the stack or heap) is rejected because that memory is not executable
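The dispatcher check on page 37, as an added example that is not part of the slides or of Windows: a C model of the decision RtlIsValidHandler makes before calling a handler from the SEH chain. The rules (handler in a /SafeSEH module must be in its table, a module without a table is not checked, a module marked NO_SEH never gets handlers, non-image addresses are rejected when DEP is on) are the documented behaviour; the module layout, the table entries and the candidate addresses are constructed sample data.

```c
/* Model of the SafeSEH handler validation in the exception dispatcher.
 * Added example; not Windows code. Module layout and tables are samples. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct module {
    const char *name;
    uint32_t base, size;
    const uint32_t *safe_handlers;  /* RVAs from the load config directory, or NULL */
    size_t n_safe;                  /* number of /SafeSEH table entries */
    bool no_seh;                    /* IMAGE_DLLCHARACTERISTICS_NO_SEH */
};

struct process_view {
    const struct module *modules;
    size_t n_modules;
    bool dep_enabled;
};

/* Verdicts: the three OK values come first so a range test suffices. */
enum seh_verdict {
    SEH_OK_IN_TABLE,            /* handler found in the module's SafeSEH table */
    SEH_OK_NO_TABLE,            /* module linked without /SafeSEH: not checked */
    SEH_OK_OUTSIDE_IMAGE,       /* not in any image, but DEP is off */
    SEH_REJECT_NOT_IN_TABLE,    /* SafeSEH module, handler RVA not listed */
    SEH_REJECT_NO_SEH_MODULE,   /* module says it has no handlers at all */
    SEH_REJECT_NON_IMAGE_DEP    /* stack/heap address with DEP enabled */
};

static const struct module *find_module(const struct process_view *pv, uint32_t addr)
{
    for (size_t i = 0; i < pv->n_modules; i++) {
        const struct module *m = &pv->modules[i];
        if (addr >= m->base && addr < m->base + m->size)
            return m;
    }
    return NULL;
}

enum seh_verdict validate_handler(const struct process_view *pv, uint32_t handler)
{
    const struct module *m = find_module(pv, handler);
    if (m == NULL)
        return pv->dep_enabled ? SEH_REJECT_NON_IMAGE_DEP : SEH_OK_OUTSIDE_IMAGE;
    if (m->no_seh)
        return SEH_REJECT_NO_SEH_MODULE;
    if (m->safe_handlers == NULL)
        return SEH_OK_NO_TABLE;
    uint32_t rva = handler - m->base;
    for (size_t i = 0; i < m->n_safe; i++)
        if (m->safe_handlers[i] == rva)
            return SEH_OK_IN_TABLE;
    return SEH_REJECT_NOT_IN_TABLE;
}

bool seh_handler_allowed(enum seh_verdict v) { return v <= SEH_OK_OUTSIDE_IMAGE; }

/* Constructed sample process: one SafeSEH module, one legacy module, one NO_SEH module. */
const uint32_t ntdll_safe[] = { 0x0003A1B0, 0x0004C3F0 };
const struct module sample_modules[] = {
    { "ntdll.dll",  0x77B10000, 0x130000, ntdll_safe, 2, false },
    { "legacy.dll", 0x10000000, 0x050000, NULL,       0, false }, /* no /SafeSEH */
    { "noseh.dll",  0x20000000, 0x030000, NULL,       0, true  },
};
const struct process_view sample_process_dep   = { sample_modules, 3, true  };
const struct process_view sample_process_nodep = { sample_modules, 3, false };

int main(void)
{
    static const char *names[] = {
        "ok: in table", "ok: module has no table", "ok: outside image, DEP off",
        "reject: not in table", "reject: NO_SEH module", "reject: non-image with DEP"
    };
    uint32_t candidates[] = { 0x77B4A1B0, 0x77B4A1B4, 0x10001234, 0x20000100, 0x0012FF40 };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("handler 0x%08X -> %s\n", candidates[i],
               names[validate_handler(&sample_process_dep, candidates[i])]);
    return 0;
}
```

The verdict for 0x10001234 is the practical lesson: a single module compiled without /SafeSEH (here the constructed legacy.dll) is not checked at all, so an overwritten handler pointing into it passes the software DEP check; this is the same "unprotected application module" weakness page 45 comes back to.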

Page 38: (image slide; content not in transcript)

Page 39:

DEP

• Hardware support for NX
– Windows enforces DEP with page-level protection
– on 32-bit x86 the page-table entry has a single R/W bit and no bit to control execution: any readable page is also executable
– CPUs since about 2004 provide the NX (No eXecute) bit; on 32-bit Windows it exists only in the PAE page-table format, so Windows boots a DEP-capable machine in PAE mode

Page 40:

DEP

• DEP policies (Vista, Server 2008, Windows 7), selected system-wide with bcdedit /set nx <policy>
– OptIn: DEP only for Windows system binaries and applications that opt in (default on the client editions)
– OptOut: DEP for every process except applications explicitly excluded (default on Server 2008)
– AlwaysOn: DEP for every process, no exceptions
– AlwaysOff: DEP disabled

Page 41:

DEP

• Enabling or disabling DEP at runtime
– the per-process DEP state is kept in flags in the KPROCESS structure

Page 42:

DEP

• Enabling or disabling DEP at runtime
– originally through the undocumented ProcessExecuteFlags information class of NtQueryInformationProcess / NtSetInformationProcess
– XP SP3 and Vista SP1 added a documented API: SetProcessDEPPolicy, GetProcessDEPPolicy, GetSystemDEPPolicy
– SetProcessDEPPolicy can be called only by 32-bit processes and only once; after it enables DEP the setting stays for the life of the process, and 64-bit processes always run with DEP on

Page 43:

ASLR & DEP

• Bypassing DEP
– code reuse: ret2libc, e.g. returning into Ntdll!ZwSetInformationProcess to turn DEP off for the process (the runtime interface of page 42) before jumping to the shellcode, which requires knowing that function's address

• Bypassing ASLR
– shellcode that is already running does not need fixed addresses: it finds the loaded modules by walking the PEB's loader list (the LIST_ENTRY chains under PEB->Ldr) and resolves exports from there, so once control flow is hijacked ASLR alone is trivially defeated

Page 44:

ASLR & DEP (diagram slide; image not in transcript)

Page 45:

ASLR & DEP

• When combined, exploitation is quite difficult
– DEP on its own falls to a call to a DEP-disabling function reached through a non-ASLR module
– with ASLR at least all the system libraries are relocated, so their addresses cannot be hard-coded into the exploit

• But not impossible
– some application modules are not protected (not linked with /DYNAMICBASE or /SafeSEH), and a single such module gives the attacker both fixed addresses and unchecked handlers

Page 46:

Sites

• http://www.pretentiousname.com/misc/win7_uac_whitelist2.html (Win7Elevate32v2.exe, Leo Davidson's auto-elevation demonstration)

• Video: http://leo.lss.com.au/W7E_VID_INT/W7E_VID_INT.htm

• Blogs:
– http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx (Mark Russinovich, "Inside Windows 7 User Account Control", TechNet Magazine, July 2009)
– http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx (Mark Russinovich, "Inside Windows Vista User Account Control", TechNet Magazine, June 2007)