Mandatory Integrity Control


Mandatory Integrity Control

In the context of the Microsoft Windows range of operating systems, Mandatory Integrity Control (MIC) or Integrity Levels (or Protected Mode in the context of applications like Internet Explorer, Google Chrome and Adobe Reader)[1] is a core security feature, introduced in Windows Vista and Windows Server 2008, that adds Integrity Levels (IL) to processes running in a login session. (See also Security features new to Windows Vista.) This mechanism is able to selectively restrict the access permissions of certain programs or software components in contexts that are considered to be potentially less trustworthy, compared with other contexts running under the same user account that are more trusted. Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384).[1] By default, processes started by a regular user gain a Medium IL and elevated processes have High IL.[2] Processes must be configured explicitly to run with Low IL. Processes with Low IL are called low-integrity processes. While processes inherit the integrity level of the process that spawned it, the integrity level can be customized on a per-process basis as well. For example, executables originating from the Internet are marked for and executed with Low IL. Windows controls access to objects based on ILs, as well as for defining the boundary for window messages, via User Interface Privilege Isolation.

Contents

Operation

Named objects, including files, registry keys or even other processes and threads, have an entry in the ACL governing access to them, that defines the minimum integrity level of the process that can use the object. Windows makes sure that a process can write to or delete an object only when its integrity level is equal to or higher than the requested integrity level specified by the object.[2] Additionally, process objects with higher IL are out-of-bounds for even read access.[3]

Consequently, a process cannot interact with another process that has a higher IL. So a process cannot perform functions such as inject a DLL into a higher IL process by using the CreateRemoteThread()[4] API function or send data to a different process by using the WriteProcessMemory()[5] function. However, the higher IL process can execute such functions against the lower IL process.[1] However, they can still communicate by using files, Named pipes, LPC or other shared objects. The shared object must have an integrity level as low as the low IL process and should be shared by both the Low-IL and High-IL process.[3]

Security

Access control lists (ACLs) are limited to granting access rights (read, write, and execute permissions) and privileges to users or groups. MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially-vulnerable applications (such as Internet-facing application).

However, since it does not prevent a low IL process from sharing objects with a higher IL process, it can trigger flaws in the higher IL process and have it work on behalf of the low IL process, thereby causing a Squatting attack.[3] Shatter attacks, however, can be prevented by using another feature, User Interface Privilege Isolation, in conjunction with MIC.

Mandatory Integrity Control is defined using a new access control entry (ACE) type to represent the object's IL in its security descriptor. A subject IL is also assigned to the security access token when it is initialized. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs authorization before granting access to objects. Windows restricts the allowed access rights depending on whether the subject's integrity level is higher or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

Usage

One of the most common applications for integrity controls in Windows is with Internet Explorer 7 and Internet Explorer 8, which can run in "Protected Mode" on Windows Vista and later operating systems. In this configuration, the iexplore.exe process runs with a Low integrity level to limit its access to the underlying system, and thereby prevent some classes of security vulnerabilities; since Internet Explorer in this case runs as a Low-IL process, it cannot modify system level objects—file and registry operations are instead virtualized. Adobe Reader 10 and Google Chrome are two other notable applications that are introducing the technology in order to limit their vulnerability to malware.[6]

See also

References

External links


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Mandatory Integrity Control — (MIC, appelé aussi Integrity levels)[1] est une nouvelle spécification de sécurité de Windows Vista et Windows Server 2008. Il y a quatre niveaux de sécurité (IL : Integrity Level), chacun d eux étant identifié par un SID précis (Bas :… …   Wikipédia en Français

  • Mandatory access control — In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.… …   Wikipedia

  • Mandatory detention in Australia — Protesters on the roof of the Villawood Immigration Detention Centre in Sydney, 2011 Mandatory detention in Australia concerns the Australian federal government s policy and system of mandatory immigration detention active from 1992 to date,… …   Wikipedia

  • List of Control Panel applets — The applets listed below are components of the Microsoft Windows control panel, which allows users to define a range of settings for their computer, monitor the status of devices such as printers and modems, and set up new hardware, programs and… …   Wikipedia

  • User Account Control — UAC (User Account Control)  компонент Microsoft Windows, впервые появившийся в Windows Vista. Этот компонент запрашивает подтверждение действий, требующих прав администратора, в целях защиты от несанкционированного использования компьютера.… …   Википедия

  • Service Control Manager — (SCM) (WindowsSystem32Services.exe)  в Microsoft Windows, сервер, реализующий технологию удалённого вызова процедур (remote procedure call  RPC). Обеспечивает создание, удаление, запуск и остановку сервисов ОС. Стартует при загрузке… …   Википедия

  • Comparison of revision control software — The following is a comparison of revision control software. The following tables includes general and technical information for notable revision control and software configuration management (SCM) software. This is an incomplete list, which may… …   Wikipedia

  • Canadian Forces Drug Control Program — Queen s Regulations and Orders (QR Os) Chapter 20 establishes the administrative law framework for the control of drug use in the Canadian Forces (CF). It prohibits CF members from involvement with most drugs, except alcohol, in order to maintain …   Wikipedia

  • Numerical control — CNC redirects here. For other uses, see CNC (disambiguation). A CNC Turning Center …   Wikipedia

  • WinFS — (short for Windows Future Storage)[1] is the code name for a cancelled[2] data storage and management system project based on relational databases, developed by Microsoft and first demonstrated in 2003 as an advanced storage subsystem for the… …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.