Windows 7 Security Mechanisms (李德虎)
Windows 7 Security Mechanisms
– UAC (User Account Control)
– ASLR (Address Space Layout Randomization)
– DEP (Data Execution Prevention)
UAC (User Account Control)
Goal: control what different accounts may do
– protect system settings from users
– privacy between users on shared computers
– protect system security from malware
UAC
Idea – standard user and administrator; by default, standard user rights
Techniques
– the Protected Administrator (PA) account
– UAC elevation prompts
– Windows Integrity Mechanism
– file system and registry virtualization
UAC - PA account
Account
– PA (protected administrator)
– standard user
Access token (diagram)
UAC - PA account
First process
– Explorer.exe runs with the standard user token
Other processes
– inherit their token from explorer.exe or from its child processes
– so, by default, they run with standard user rights
UAC - elevation prompts
– for standard users: Over the Shoulder (OTS) elevation
– for PA users: consent elevation
UAC - elevation prompts
Does the application need administrator rights?
– most common: the application's manifest file (Sysinternals Sigcheck shows it): asInvoker, highestAvailable, requireAdministrator
– heuristics, etc.
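The following example is added here and is not part of the slides: it reads requestedExecutionLevel from a constructed application manifest and predicts which prompt the two slides above describe (OTS for a standard user, consent for a PA). The function names and the sample manifest are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest, the kind "sigcheck -m" prints for an .exe (not a real product's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

def requested_level(manifest_xml):
    """Return the manifest's requestedExecutionLevel; an image with no such element
    is treated as asInvoker here (on Windows, installer heuristics may still apply)."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    # Namespace-agnostic search: trustInfo may live in the asm.v2 or asm.v3 namespace.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = el.get("level", "asInvoker")
            if level not in LEVELS:
                raise ValueError("unknown requestedExecutionLevel: " + level)
            return level
    return "asInvoker"

def uac_prompt(level, account):
    """Predict the elevation prompt for 'standard' or 'pa' (protected administrator).
    asInvoker never elevates; highestAvailable elevates only when the account has
    something higher to offer (a PA); requireAdministrator always elevates."""
    if account not in ("standard", "pa"):
        raise ValueError("account must be 'standard' or 'pa'")
    if level == "asInvoker" or (level == "highestAvailable" and account == "standard"):
        return "none"                     # runs with the standard-user token
    # Over the Shoulder: a standard user must supply an administrator's credentials;
    # a PA only has to consent, since the full-rights token is already theirs.
    return "OTS credential prompt" if account == "standard" else "consent prompt"
```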
UAC - Windows Integrity Mechanism
Integrity level, integrity policy
– all processes and objects have integrity levels
– an object's integrity policy can restrict the accesses of a process
– access requires process IL >= object IL
UAC - Windows Integrity Mechanism
Integrity level (table)
UAC - Windows Integrity Mechanism
Integrity level – how is the IL assigned?
– processes usually inherit the IL of their parent
– a process can also launch a process at a different IL
– view it with Sysinternals Process Explorer or AccessChk
UAC - Windows Integrity Mechanism
Integrity policy
– default policy for most objects: No-Write-Up
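An added example, not from the slides, modelling the mandatory-label check the previous slides describe: integrity levels are read from the S-1-16-<RID> SIDs that Process Explorer, AccessChk and whoami /groups display, and the No-Write-Up default (plus the other policy bits) is applied. The whoami line is constructed and the function names are assumptions.

```python
import re

# Well-known integrity RIDs (SECURITY_MANDATORY_*_RID) and their display names.
INTEGRITY_RIDS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                  0x3000: "High", 0x4000: "System"}
# Mandatory policy bits (SYSTEM_MANDATORY_LABEL_*); combine them with |.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4

# Constructed sample of the label line that "whoami /groups" prints for a process.
WHOAMI_LINE = ("Mandatory Label\\Medium Mandatory Level  Label  S-1-16-8192  "
               "Mandatory group, Enabled by default, Enabled group")

def integrity_rid(sid):
    """Map an integrity SID such as 'S-1-16-8192' to its RID (8192 = 0x2000, Medium)."""
    m = re.fullmatch(r"S-1-16-(\d+)", sid)
    if not m:
        raise ValueError("not an integrity SID: " + sid)
    return int(m.group(1))

def integrity_from_whoami(line):
    """Pull the integrity SID out of a 'whoami /groups' Mandatory Label line."""
    m = re.search(r"\bS-1-16-\d+\b", line)
    if not m:
        raise ValueError("no integrity SID in line")
    # Intermediate RIDs (e.g. Medium Plus, 0x2100) round down to the named level.
    return INTEGRITY_RIDS.get(integrity_rid(m.group(0)) & 0xF000, "Unknown")

def label_allows(process_rid, object_rid, access, policy=NO_WRITE_UP):
    """Mandatory-label part of the access check; 'access' is a set drawn from
    {'read', 'write', 'execute'}. A process at or above the object's IL passes;
    below it, each policy bit denies the matching kind of access. The DACL is
    evaluated separately and can still deny what the label allows."""
    if process_rid >= object_rid:
        return True
    denied = set()
    if policy & NO_WRITE_UP:
        denied.add("write")
    if policy & NO_READ_UP:
        denied.add("read")
    if policy & NO_EXECUTE_UP:
        denied.add("execute")
    return not (set(access) & denied)
```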
UAC - file system virtualization
Microsoft recommends that:
– global application installers store executable files in the %ProgramFiles% directory and settings under HKEY_LOCAL_MACHINE\Software
– for different user accounts: user-specific data goes in the per-user %AppData% directory, per-user settings under HKEY_CURRENT_USER\Software
UAC - file system virtualization
Before Windows Vista:
– most Windows systems were single-user
– most users were administrators
Apps that incorrectly saved user data and settings to the system-wide locations worked anyway; in Vista this is different.
UAC - file system virtualization
An application counts as legacy in Vista when it is:
– 32-bit
– not running with administrative rights
– without a manifest file indicating that it was written for Windows Vista
Operations not originating from a process classified as legacy are not virtualized.
UAC - file system virtualization
– virtualized locations: %ProgramFiles%, %ProgramData%, %SystemRoot%
– implemented by the File Virtualization Filter Driver
– modifications to virtualized directories are redirected to the user's virtual root directory
UAC - registry virtualization (diagram)
UAC - auto elevation
Goal – a smoother user experience by reducing prompts
How? Windows "auto-elevates" Windows executables, i.e. executables that are:
– digitally signed by the Windows publisher, the certificate used to sign all code included with Windows (code not shipped with Windows is not signed with it)
– located in "secure" directories, e.g. \Windows\System32
UAC - auto elevation: additional rules
– .exe files: only if they specify the autoElevate property in their manifest (Sysinternals Sigcheck shows it)
UAC - auto elevation: additional rules
– Microsoft Management Console, Mmc.exe: the .MSC file lists the snap-ins MMC is to load (e.g. Mmc.exe gpedit.msc)
– Mmc.exe is a Windows executable; it auto-elevates when the .MSC file is signed by Windows, in a secure location, and listed on an internal list of auto-elevate .MSCs
UAC - auto elevation: additional rules
– COM objects: must also be a Windows executable, instantiated by a Windows executable (the instantiating executable does not need to be marked for auto-elevation)
– example: the shell's Copy/Move/Rename/Delete/Link Object that Explorer uses
UAC
Goal – a security boundary between admin and non-admin code
But – usability prevents the goal from being achieved
Questions
– should there be an auto-elevate list?
– can third-party software running in a PA account take advantage of auto-elevation?
ASLR (since Vista)
Randomizes the addresses where objects are mapped:
– images (both executables and DLLs)
– heaps, stacks
– the PEB and TEBs
ASLR for images
– system-wide configuration parameter: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
  0: never randomize
  -1: randomize all images
  any other value: randomize only images with the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag set
– the flag is set by the /DynamicBase linker option (Visual Studio 2005 SP1)
ASLR for executables (diagram)
ASLR for DLLs
– a DLL must be loaded at the same address in each process in order to be shared
– a global bitmap called _MiImageBitMap tracks image placement: (0x x )/64KB = 0x2800 bits
– an 8-bit random value, initialized with the RDTSC instruction once per boot
ASLR for DLLs
– the first DLL loaded on the system (NTDLL.DLL): 256 possible locations
– subsequent DLLs: their location depends on the address of NTDLL.DLL and on the order in which the DLLs are loaded
– to increase the randomness: SmpRandomizeDllList
ASLR for heaps
– in the past: NtAllocateVirtualMemory performed a linear address space search, so heap addresses were predictable
– Vista: RtlHeapCreate adds randomness
ASLR for stacks – twofold randomization
– the base of the stack is chosen randomly: a random 5-bit value derived from the time stamp counter
– the offset at which the stack starts is chosen randomly: a 9-bit random value * 4 bytes, derived from the time stamp counter
DEP - software DEP
– an extra check in the exception dispatcher
– /SafeSEH linker option: the linker emits a table of all valid exception handlers
– the exception handler record must point to one of the valid handlers in the table
DEP - hardware support for NX
– Windows applies page-level protection
– x86 page tables originally had a single R/W bit and no bit to control execution
– CPUs after 2004: NX bit (No eXecute)
DEP policies (Vista, Server 2008, Win7)
– OptIn
– OptOut
– AlwaysOn
– AlwaysOff
DEP - enabling or disabling DEP at runtime
– KPROCESS structure (DEP flags)
DEP - enabling or disabling DEP at runtime
– NtQueryInformationProcess / NtSetInformationProcess
– XP SP3, Vista SP1: new APIs SetProcessDEPPolicy, GetProcessDEPPolicy, GetSystemDEPPolicy
ASLR & DEP
Bypass DEP
– code reuse: ret2libc (Ntdll!ZwSetInformationProcess)
Bypass ASLR
– search the PEB list entries, trivially
ASLR & DEP
When combined, quite difficult to bypass:
– DEP: needs a call to a DEP function in a non-ASLR module
– ASLR: at least all the system libraries are protected
But not impossible:
– some application modules are not protected
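An added example (not from the slides) for the two ASLR points above: it reads DllCharacteristics from a PE image to report whether the module opted in to ASLR (IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE, via /DynamicBase) and to DEP (NX_COMPAT, via /NXCompat), and applies the MoveImages rules from the image slide. Modules without DYNAMIC_BASE are the "unprotected application modules" the last slide mentions. The function names are assumptions, and the test image is a constructed header, not a real binary.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by the /DynamicBase linker option
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by the /NXCompat linker option

def dll_characteristics(data):
    """Read the DllCharacteristics field from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]

def mitigation_status(data, move_images=1):
    """move_images mirrors the MoveImages registry value from the slide: 0 never
    randomizes, -1 (0xFFFFFFFF as a DWORD) randomizes everything, any other value
    (the default) randomizes only images that carry DYNAMIC_BASE."""
    dc = dll_characteristics(data)
    dynamic_base = bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    if move_images == 0:
        randomized = False
    elif move_images in (-1, 0xFFFFFFFF):
        randomized = True
    else:
        randomized = dynamic_base
    return {"dynamic_base": dynamic_base,
            "nx_compat": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "randomized": randomized}

def scan_file(path, move_images=1):
    """Check an image on disk; the first 4 KB normally covers all PE headers."""
    with open(path, "rb") as f:
        return mitigation_status(f.read(4096), move_images)

def make_test_image(dll_chars, pe32plus=False):
    """Constructed minimal header (not a loadable image) carrying the given flags."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a Windows host, scan_file("C:/Windows/System32/ntdll.dll") reports the flags of a real system DLL, and running it over an application's own directory lists the modules that would weaken the ASLR+DEP combination.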