Published by Myles Lee. Modified over 9 years ago.
Windows 7 Security Mechanisms
李德虎
Windows 7 Security Mechanisms
– UAC (User Account Control)
– ASLR (Address Space Layout Randomization)
– DEP (Data Execution Prevention)
UAC (User Account Control)
Goals:
– control what different accounts may do
– protect system settings from users
– privacy between users on shared computers
– protect system security from malware
UAC
Idea:
– standard user and administrator accounts; by default, code runs with standard user rights
Techniques:
– the Protected Administrator (PA) account
– UAC elevation prompts
– Windows Integrity Mechanism
– file system and registry virtualization
UAC: the PA account
Accounts:
– PA (protected administrator)
– standard user
Access token: a PA logon receives a full administrator token and a filtered standard-user token
UAC: the PA account
First process:
– Explorer.exe runs with the standard user token
Other processes:
– inherit their token from Explorer.exe or its child processes
– so, by default, they run with standard user rights
UAC: elevation prompts
– for standard users: Over the Shoulder (OTS) elevation (an administrator enters credentials)
– for PA users: consent elevation (the user approves the prompt)
UAC: elevation prompts
How does Windows know an application needs administrator rights?
– most common: the application's manifest file, whose requestedExecutionLevel is one of asInvoker, highestAvailable, requireAdministrator (Sysinternals Sigcheck shows the manifest)
– heuristics, etc.
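The manifest check and the resulting prompt type, as an added example (not code from the slides): it parses a constructed application manifest for requestedExecutionLevel and maps the level and the caller's account type to the outcomes the two slides above describe (no prompt, consent prompt for a PA, OTS prompt for a standard user). The manifest strings are constructed here; the heuristic path for unmanifested binaries is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifests (not taken from the slides). The element layout
# follows the application-manifest schema that UAC reads.
MANIFEST_ADMIN = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
MANIFEST_PLAIN = '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"/>'

def requested_level(manifest_xml):
    """Return (level, uiAccess) from requestedExecutionLevel; a manifest without
    the element behaves like asInvoker (no manifest at all falls to heuristics,
    which this model does not cover)."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        if el.tag.rsplit('}', 1)[-1] == 'requestedExecutionLevel':   # namespace-agnostic
            level = el.get('level', 'asInvoker')
            ui_access = el.get('uiAccess', 'false').lower() == 'true'
            return level, ui_access
    return 'asInvoker', False

def elevation_outcome(level, caller):
    """caller is 'standard' or 'pa'. Returns (runs_with_admin_token, prompt), where
    prompt is None, 'consent' (PA clicks to approve) or 'ots' (admin types credentials)."""
    if level == 'asInvoker':
        return False, None                       # runs with the caller's current token
    if level == 'highestAvailable':
        # the highest token the caller owns: a PA has a full admin token behind the
        # filtered one; a standard user has nothing higher, so no prompt at all
        return (True, 'consent') if caller == 'pa' else (False, None)
    if level == 'requireAdministrator':
        return (True, 'consent') if caller == 'pa' else (True, 'ots')
    raise ValueError(f'unknown requestedExecutionLevel {level!r}')

def decide(manifest_xml, caller):
    """Combine both steps: what happens when `caller` launches this program."""
    level, _ = requested_level(manifest_xml)
    return elevation_outcome(level, caller)
```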
UAC: Windows Integrity Mechanism
Integrity level, integrity policy:
– all processes and objects have integrity levels (ILs)
– an object's integrity policy can restrict the access a process gets
– the check passes when the process's IL >= the object's IL
UAC: Windows Integrity Mechanism
Integrity levels
UAC: Windows Integrity Mechanism
Integrity level: how is an IL assigned?
– processes usually inherit the IL of their parents
– a process can also launch a process at a different IL
– view ILs with Sysinternals Process Explorer or AccessChk
UAC: Windows Integrity Mechanism
Integrity policy:
– default policy for most objects: No-Write-Up (a lower-IL process cannot modify a higher-IL object)
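The integrity check of the three slides above as an added worked model (not code from the slides): it applies the "process IL >= object IL" rule together with the object's mandatory policy. It goes one step beyond the slide's No-Write-Up by also modelling the No-Read-Up and No-Execute-Up policy bits that Windows defines, and the fact that process objects carry No-Read-Up as well; the level values and policy bits are the ones winnt.h uses, while the scenarios are constructed.

```python
# Integrity levels as Windows encodes them in the mandatory-label SID (RID values).
IL = {'untrusted': 0x0000, 'low': 0x1000, 'medium': 0x2000, 'high': 0x3000, 'system': 0x4000}

# Mandatory policy bits carried in the object's SYSTEM_MANDATORY_LABEL_ACE.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
_POLICY_FOR = {'write': NO_WRITE_UP, 'read': NO_READ_UP, 'execute': NO_EXECUTE_UP}

def mic_allows(process_il, object_il, policy, access):
    """Mandatory integrity check only (the DACL check happens afterwards).
    access: set of 'read' / 'write' / 'execute'. True when the check passes."""
    if process_il >= object_il:
        return True                    # equal or higher integrity: MIC never blocks
    # lower-integrity caller: each requested access is blocked only if the object's
    # policy names it; the default policy (No-Write-Up) leaves reads and executes alone
    return not any(policy & _POLICY_FOR[a] for a in access)

def effective_policy(kind):
    """Default policies as Windows assigns them (model): most objects are
    No-Write-Up only; process objects additionally carry No-Read-Up."""
    return NO_WRITE_UP | NO_READ_UP if kind == 'process' else NO_WRITE_UP

def scenarios():
    """Constructed cases, returned as name -> allowed."""
    return {
        # Low-IL browser sandbox writing to a Medium-IL file: blocked by No-Write-Up
        'low_write_medium_file': mic_allows(IL['low'], IL['medium'], effective_policy('file'), {'write'}),
        # ... but it may still read that file: No-Write-Up says nothing about reads
        'low_read_medium_file': mic_allows(IL['low'], IL['medium'], effective_policy('file'), {'read'}),
        # a Medium process reading the memory of a High (elevated) process: No-Read-Up blocks
        'medium_read_high_process': mic_allows(IL['medium'], IL['high'], effective_policy('process'), {'read'}),
        # an elevated (High) process writing a Medium object: IL is higher, MIC passes
        'high_write_medium_file': mic_allows(IL['high'], IL['medium'], effective_policy('file'), {'write'}),
    }
```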
UAC: file system virtualization
Microsoft recommends that:
– global application installers store executable files in the %ProgramFiles% directory and settings under HKEY_LOCAL_MACHINE\Software
– for different user accounts, user-specific data goes in the per-user %AppData% directory and per-user settings under HKEY_CURRENT_USER\Software
UAC: file system virtualization
Before Windows Vista:
– most Windows systems were single-user
– most users were administrators
Applications that incorrectly save user data and settings to the global locations worked anyway; in Vista it is different.
UAC: file system virtualization
A process is classified as legacy in Vista if it is:
– 32-bit
– not running with administrative rights
– without a manifest file indicating that it was written for Windows Vista
Any operations not originating from a process classified as legacy are not virtualized.
UAC: file system virtualization
Virtualized locations:
– %ProgramFiles%, %ProgramData%, %SystemRoot%
– implemented by the File Virtualization Filter Driver
– modifications to virtualized directories are redirected to the user's virtual root directory
UAC: registry virtualization
UAC: auto-elevation
Goal:
– a smoother user experience by reducing prompts
How?
– Windows "auto-elevates" Windows executables, that is, executables which are:
– digitally signed by the Windows publisher, the certificate used to sign all code included with Windows (code not shipped in Windows is not included)
– located in "secure" directories, e.g. \Windows\System32
UAC: auto-elevation, additional rules
– .exe files: only if they specify the autoElevate property in their manifest
– Sysinternals Sigcheck shows the manifest
UAC: auto-elevation, additional rules
– Microsoft Management Console, Mmc.exe: the .MSC file lists the snap-ins MMC is to load, e.g. "Mmc.exe gpedit.msc"
– Mmc.exe is a Windows executable, so auto-elevation depends on the .MSC file: it must be signed by Windows, in a secure location, and listed on an internal list of auto-elevate .MSCs
UAC: auto-elevation, additional rules
– COM objects: must also be a Windows executable and be instantiated by a Windows executable (the instantiating executable does not need to be marked for auto-elevation)
– the Shell's Copy/Move/Rename/Delete/Link Object that Explorer uses:
UAC
Goal:
– a security boundary between admin and non-admin code
But:
– usability prevents the goal from being achieved
Questions:
– should Windows provide an auto-elevate list?
– can third-party software running in a PA account take advantage of auto-elevation?
Windows 7 Security Mechanisms
– UAC (User Account Control)
– ASLR (Address Space Layout Randomization)
– DEP (Data Execution Prevention)
ASLR (since Vista)
Randomizes the addresses where objects are mapped:
– images (both executables and DLLs)
– heaps, stacks
– the PEB and TEBs
ASLR for images
– system-wide configuration parameter: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
  0: never randomize
  -1: randomize all images
  any other value: randomize only images with the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag set
– the flag is set by the /DynamicBase linker option (Visual Studio 2005 SP1 and later)
ASLR: executables
ASLR for DLLs
– a DLL must be loaded at the same address in each process to be shared
– a global bitmap called _MiImageBitMap tracks the image load area
– (0x78000000 - 0x50000000) / 64KB = 0x2800 bits
– an 8-bit random value, initialized with the RDTSC instruction once per boot
ASLR for DLLs
– the first DLL loaded on the system (NTDLL.DLL) has 256 possible locations
– subsequent DLLs depend on the address of NTDLL.DLL and on the order in which the DLLs are loaded
– to increase the randomness: SmpRandomizeDllList randomizes the load order of the known DLLs
ASLR for heaps
– in the past: NtAllocateVirtualMemory did a linear address-space search, so heap addresses were predictable
– Vista: RtlCreateHeap adds randomness to the heap base
ASLR for stacks: twofold randomization
– the base of the stack is chosen randomly: a random 5-bit value derived from the time stamp counter
– the offset at which the stack starts is chosen randomly: a 9-bit random value * 4 bytes, derived from the time stamp counter
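The DLL bitmap and the stack randomization of the three slides above, as an added simplified model (not code from the slides or from Windows): a top-down 64KB allocator over the 0x50000000-0x78000000 range whose start is picked by the 8-bit boot value, which shows why NTDLL gets 256 candidate addresses while each later DLL's address follows from NTDLL's and the load order, plus the 5-bit / 9-bit stack shift. The DLL sizes and the stack top are constructed values, and the real _MiImageBitMap allocator is more involved than this model.

```python
# Simplified model of the Vista/Win7 image-placement bitmap and stack randomization
# described on the slides; the real _MiImageBitMap allocator is more involved.
BITMAP_LOW, BITMAP_TOP, GRAN = 0x50000000, 0x78000000, 0x10000
BITMAP_BITS = (BITMAP_TOP - BITMAP_LOW) // GRAN          # 0x2800 bits, one per 64KB

class ImageBitmap:
    """Top-down 64KB-granular allocator over the shared image range."""
    def __init__(self, boot_random8):
        self.used = [False] * BITMAP_BITS
        # the 8-bit boot value (from RDTSC once per boot) picks where the first image lands
        self.cursor = BITMAP_BITS - 1 - (boot_random8 & 0xFF)

    def place(self, size):
        """Return the load address of an image of `size` bytes (first fit, downwards)."""
        slots = -(-size // GRAN)                              # ceil to 64KB units
        hi = self.cursor
        while hi - slots + 1 >= 0:
            lo = hi - slots + 1
            if not any(self.used[lo:hi + 1]):
                self.used[lo:hi + 1] = [True] * slots
                self.cursor = lo - 1
                return BITMAP_LOW + lo * GRAN
            hi -= 1
        raise MemoryError('image bitmap exhausted')

def load_order(boot_random8, dlls):
    """dlls: list of (name, size) in load order. Returns name -> address for one boot."""
    bm = ImageBitmap(boot_random8)
    return {name: bm.place(size) for name, size in dlls}

def distinct_addresses(dlls, name):
    """How many distinct addresses `name` can take across all 256 boot values."""
    return len({load_order(r, dlls)[name] for r in range(256)})

def stack_start(random5, random9, stack_top=0x00400000):
    """Stack base moved down by a 5-bit multiple of 64KB, then the initial stack
    pointer moved down by a 9-bit multiple of 4 bytes (stack_top is a constructed value)."""
    base = stack_top - (random5 & 0x1F) * GRAN
    return base - (random9 & 0x1FF) * 4
```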
Windows 7 Security Mechanisms
– UAC (User Account Control)
– ASLR (Address Space Layout Randomization)
– DEP (Data Execution Prevention)
DEP: software DEP
– an extra check in the exception dispatcher
– the /SafeSEH linker option builds a table of all valid exception handlers
– an exception handler record must point to one of the valid handlers in the table before it is called
DEP: hardware support (NX)
– Windows applies page-level protection
– on classic x86 there is a single read/write bit (R?W?) and no bit to control execution
– CPUs after 2004 have the NX bit (No eXecute)
DEP policies (Vista, Server 2008, Windows 7)
– OptIn
– OptOut
– AlwaysOn
– AlwaysOff
DEP: enabling or disabling DEP at runtime
– the KPROCESS structure holds the process's DEP flags
DEP: enabling or disabling DEP at runtime
– NtQueryInformationProcess / NtSetInformationProcess
– XP SP3 and Vista SP1 add a new API: SetProcessDEPPolicy, GetProcessDEPPolicy, GetSystemDEPPolicy
ASLR & DEP
Bypassing DEP:
– code reuse: ret2libc (Ntdll!ZwSetInformationProcess)
Bypassing ASLR:
– search the PEB's module list entries; trivial when the module is not randomized
ASLR & DEP
ASLR & DEP combined: quite difficult to bypass
– DEP: the bypass needs a call to a DEP-related function in a non-ASLR module
– ASLR: at least all the system libraries are protected
But not impossible:
– some application modules are not protected
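The "some application modules are not protected" point, turned into a check a defender can run, as an added example (not code from the slides): a small PE header parser that reads DllCharacteristics and reports whether an image opted in to ASLR (/DynamicBase, the flag the MoveImages slide refers to) and to DEP (/NXCompat). The flag values are the winnt.h constants; the image headers below are constructed stubs so the parser runs offline, not real Windows binaries.

```python
import struct

# PE DllCharacteristics bits (the slide's IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE is
# spelled IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in winnt.h).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # /DynamicBase: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # /NXCompat: DEP opt-in
IMAGE_FILE_DLL = 0x2000                            # COFF Characteristics: image is a DLL

def pe_mitigations(data):
    """Read the PE headers in `data` and report the ASLR/DEP opt-in flags."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature missing')
    coff = e_lfanew + 4
    _machine, _nsec, _ts, _symp, _nsym, _optsz, chars = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20                                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic not in (0x10B, 0x20B):                 # PE32 / PE32+
        raise ValueError('unknown optional header magic')
    dll_chars = struct.unpack_from('<H', data, opt + 70)[0]   # same offset in PE32 and PE32+
    return {
        'is_dll': bool(chars & IMAGE_FILE_DLL),
        'pe32plus': magic == 0x20B,
        'dynamic_base': bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        'nx_compat': bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def build_stub(dll_chars, file_chars=IMAGE_FILE_DLL, magic=0x10B):
    """Constructed minimal header (not a loadable image) so the parser can run offline."""
    hdr = bytearray(0x40)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x40)         # e_lfanew: PE header right after the DOS header
    coff = struct.pack('<4sHHIIIHH', b'PE\0\0', 0x14C, 1, 0, 0, 0, 224, file_chars)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, magic)
    struct.pack_into('<H', opt, 70, dll_chars)
    return bytes(hdr) + coff + bytes(opt)

def unprotected_modules(modules):
    """modules: name -> file bytes. Names of images that did not opt in to both ASLR and DEP."""
    weak = []
    for name, data in modules.items():
        m = pe_mitigations(data)
        if not (m['dynamic_base'] and m['nx_compat']):
            weak.append(name)
    return weak
```

On a real system the same parser can be pointed at the modules loaded into a process to find the non-ASLR image an attacker would need.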
Sites:
– http://www.pretentiousname.com/misc/win7_uac_whitelist2.html (Win7Elevate32v2.exe)
– Video: http://leo.lss.com.au/W7E_VID_INT/W7E_VID_INT.htm
Blogs:
– http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
– http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx