Mandatory Integrity Control
In the context of the Microsoft Windows range of operating systems, Mandatory Integrity Control (MIC) or Integrity Levels (or Protected Mode in the context of applications like Internet Explorer, Google Chrome and Adobe Reader) is a core security feature, introduced in Windows Vista and Windows Server 2008, that adds Integrity Levels (IL) to processes running in a login session. (See also Security features new to Windows Vista.) This mechanism can selectively restrict the access permissions of certain programs or software components in contexts that are considered potentially less trustworthy than other, more trusted contexts running under the same user account.
Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384). By default, processes started by a regular user gain a Medium IL and elevated processes have High IL. Processes must be configured explicitly to run with Low IL. Processes with Low IL are called low-integrity processes. While processes inherit the integrity level of the process that spawned them, the integrity level can be customized on a per-process basis as well. For example, executables originating from the Internet are marked for and executed with Low IL. Windows uses ILs to control access to objects, and also to define the boundary for window messages via User Interface Privilege Isolation.
Named objects, including files, registry keys or even other processes and threads, have an entry in the ACL governing access to them that defines the minimum integrity level of the process that can use the object. Windows makes sure that a process can write to or delete an object only when its integrity level is equal to or higher than the requested integrity level specified by the object. Additionally, process objects with higher IL are out of bounds for even read access.
Consequently, a process cannot interact with another process that has a higher IL. It cannot, for example, inject a DLL into a higher-IL process by using the CreateRemoteThread() API function or send data to a different process by using the WriteProcessMemory() function. The higher-IL process can, however, execute such functions against the lower-IL process. The two processes can still communicate by using files, named pipes, LPC or other shared objects. The shared object must have an integrity level as low as the low-IL process and should be shared by both the Low-IL and High-IL process.
Access control lists (ACLs) are limited to granting access rights (read, write, and execute permissions) and privileges to users or groups. MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially vulnerable applications (such as Internet-facing applications).
However, since MIC does not prevent a low-IL process from sharing objects with a higher-IL process, the low-IL process can trigger flaws in the higher-IL process and have it work on behalf of the low-IL process, thereby causing a Squatting attack. Shatter attacks, however, can be prevented by using another feature, User Interface Privilege Isolation, in conjunction with MIC.
Mandatory Integrity Control is defined using a new access control entry (ACE) type to represent the object's IL in its security descriptor. A subject IL is also assigned to the security access token when it is initialized. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs authorization before granting access to objects. Windows restricts the allowed access rights depending on whether the subject's integrity level is higher or lower than the object's, and depending on the integrity policy flags in the new ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.
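The comparison described above can be sketched as a simplified model. This is an added example, not Windows code and not taken from the article's sources: it reads the mandatory-label ACE from an SDDL security descriptor string and filters the requested access by integrity level. The descriptors are constructed samples; `ML`, `NW`/`NR`/`NX` and `LW`/`ME`/`HI`/`SI` are the SDDL spellings of the label ACE, its policy flags and the four integrity SIDs, and the treatment of an unlabeled object as Medium with no-write-up follows Windows' documented default.

```python
import re

# Integrity RIDs of the four levels listed on this page (SID S-1-16-<RID>).
LEVELS = {"Low": 4096, "Medium": 8192, "High": 12288, "System": 16384}
# SDDL aliases for those SIDs, and SDDL names of the label ACE's policy flags.
SDDL_SIDS = {"LW": 4096, "ME": 8192, "HI": 12288, "SI": 16384}
SDDL_POLICY = {"NW": "write", "NR": "read", "NX": "execute"}
# (ML;<ace flags>;<policy>;;;<integrity SID>) is the mandatory-label ACE in SDDL.
LABEL_ACE = re.compile(r"\(ML;[^;]*;((?:N[WRX])*);;;([A-Z]{2}|S-1-16-\d+)\)")


def rid_of(sid):
    """Integrity RID for an SDDL alias ("LW") or a SID string ("S-1-16-4096")."""
    if sid in SDDL_SIDS:
        return SDDL_SIDS[sid]
    m = re.fullmatch(r"S-1-16-(\d+)", sid)
    if m is None:
        raise ValueError(f"not an integrity SID: {sid!r}")
    return int(m.group(1))


def parse_label(sddl):
    """Return (object RID, set of access kinds blocked for lower-IL subjects)."""
    m = LABEL_ACE.search(sddl)
    if m is None:
        # Unlabeled objects are treated as Medium with the no-write-up policy.
        return LEVELS["Medium"], {"write"}
    flags = m.group(1)
    blocked = {SDDL_POLICY[flags[i:i + 2]] for i in range(0, len(flags), 2)}
    return rid_of(m.group(2)), blocked


def mandatory_check(subject_sid, sddl, wanted):
    """Access kinds from `wanted` that survive the integrity comparison.

    Simplified model: the discretionary ACL is evaluated separately and can
    only remove further rights, never restore one removed here.
    """
    obj_rid, blocked = parse_label(sddl)
    if rid_of(subject_sid) >= obj_rid:
        return set(wanted)
    return set(wanted) - blocked


# Constructed sample descriptors (not taken from a real system).
LOW_DIR = "D:(A;;FA;;;WD)S:(ML;OICI;NW;;;LW)"      # e.g. a Low-labeled folder
UNLABELED = "D:(A;;FA;;;WD)"                        # no label ACE at all
HIGH_PROCESS = "S:(ML;;NWNR;;;HI)"                  # elevated process object
```

With these samples, a Low-IL subject keeps only read access to the unlabeled object even though its DACL grants full access to everyone, and a Medium-IL subject loses both read and write against the High-IL process label.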
One of the most common applications for integrity controls in Windows is with Internet Explorer 7 and Internet Explorer 8, which can run in "Protected Mode" on Windows Vista and later operating systems. In this configuration, the iexplore.exe process runs with a Low integrity level to limit its access to the underlying system, and thereby prevent some classes of security vulnerabilities; since Internet Explorer in this case runs as a Low-IL process, it cannot modify system level objects—file and registry operations are instead virtualized. Adobe Reader 10 and Google Chrome are two other notable applications that are introducing the technology in order to limit their vulnerability to malware.
Wikimedia Foundation. 2010.