What is the Windows Integrity Mechanism?

The Windows integrity mechanism is a core component of the Windows security architecture that restricts the access permissions of applications that are running under the same user account and that are less trustworthy.


The Windows Vista® integrity mechanism extends the security architecture of the operating system by assigning an integrity level to application processes and securable objects.


The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs).


(ACLs correspond to the BLP model of mandatory access control; integrity levels correspond to the Biba model of mandatory access control.)

The Windows security architecture is based primarily on granting access rights (read, write, and execute permissions) and privileges to users or groups that are represented internally by security identifiers (SIDs). When a user logs on to Windows, the security subsystem sets the user’s SID and group membership SIDs in a security access token. The security access token is assigned to every application process that is run by that user. Every time the application process opens an object, such as a file or registry key, the resource manager that manages the object calls on the security subsystem to make an access decision. The access check determines the allowed access permissions for this user. The security subsystem (also known as the Security Reference Monitor) compares the user and group SIDs in the access token with the access rights in a security descriptor that is associated with the object. If the user SID is granted full access rights in the object’s ACL, then the application process that user runs has full access to the object. For more information on the Windows security architecture, see Windows Integrity Mechanism Resources.


Extending the Windows security architecture

The Windows integrity mechanism extends the security architecture by defining a new access control entry (ACE) type to represent an integrity level in an object’s security descriptor. The new ACE represents the object integrity level. An integrity level is also assigned to the security access token when the access token is initialized. The integrity level in the access token represents a subject integrity level. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs an access check. Windows Vista uses the AccessCheck function to determine what access rights are allowed to a securable object. Windows restricts the allowed access rights depending on whether the subject’s integrity level is higher or lower than the object’s, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

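The following Python model is an added illustration, not code from this paper or from Windows. It evaluates an access request in the order the paragraph describes: the subject integrity level carried in the token is compared with the object's mandatory label, and only then is the discretionary ACL consulted. The SDDL tokens (ML, NW/NR/NX, LW/ME/HI/SI), the policy-flag values and the rule that an unlabeled object counts as Medium with NoWriteUp are taken from Windows documentation rather than from this page; the READ/WRITE/EXECUTE categories, the SIDs and the DACL layout are constructed simplifications.

```python
import re

# Integrity-level RIDs (the SID is S-1-16-<rid>) and their SDDL tokens; these
# values come from winnt.h / SDDL documentation, not from this page.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}

# Mandatory-label policy flags (SYSTEM_MANDATORY_LABEL_NO_*_UP) and SDDL tokens.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
POLICY_TOKENS = {"NW": NO_WRITE_UP, "NR": NO_READ_UP, "NX": NO_EXECUTE_UP}

# Requested-access categories. Constructed for this model: real access masks
# carry many specific rights that Windows folds into these three classes.
READ, WRITE, EXECUTE = 1, 2, 4

# A mandatory-label ACE inside the SACL, e.g. S:(ML;;NW;;;LW)
ML_ACE = re.compile(r"\(ML;[^;]*;([A-Z]*);[^;]*;[^;]*;([A-Z]+)\)")


def parse_label(sddl):
    """Return (object_level, policy_flags) from the SACL's mandatory-label ACE.

    An object with no label is treated as Medium with NoWriteUp, the implicit
    default Windows applies to unlabeled objects."""
    match = ML_ACE.search(sddl or "")
    if match is None:
        return LEVELS["ME"], NO_WRITE_UP
    policy_str, level_token = match.groups()
    flags = 0
    for i in range(0, len(policy_str), 2):          # tokens are concatenated: "NRNW"
        flags |= POLICY_TOKENS[policy_str[i:i + 2]]
    return LEVELS[level_token], flags


def mandatory_check(subject_level, object_sddl, requested):
    """The integrity half of the access check.

    A subject at or above the object's level is never restricted by the label.
    A lower subject loses whichever access classes the object's policy blocks."""
    object_level, policy = parse_label(object_sddl)
    if subject_level >= object_level:
        return True
    blocked = 0
    if policy & NO_WRITE_UP:
        blocked |= WRITE
    if policy & NO_READ_UP:
        blocked |= READ
    if policy & NO_EXECUTE_UP:
        blocked |= EXECUTE
    return (requested & blocked) == 0


def dacl_check(token_sids, dacl, requested):
    """Simplified discretionary check: walk ACEs in order; a matching deny ACE
    that overlaps the request fails it, allow ACEs grant bits until none remain."""
    remaining = requested
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "D" and (mask & requested):
            return False
        if ace_type == "A":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


def access_check(token, obj, requested):
    """Integrity label first (the DACL cannot override it), then the DACL."""
    if not mandatory_check(token["level"], obj["sddl"], requested):
        return False
    return dacl_check(token["sids"], obj["dacl"], requested)


# Constructed scenario: one user account, two processes at different levels.
USER = "S-1-5-21-1111-2222-3333-1001"                          # constructed SID
LOW_PROCESS = {"sids": {USER}, "level": LEVELS["LW"]}          # e.g. a Protected Mode browser
MEDIUM_PROCESS = {"sids": {USER}, "level": LEVELS["ME"]}       # an ordinary user process
FULL = READ | WRITE | EXECUTE
DOCUMENT = {"dacl": [("A", USER, FULL)], "sddl": ""}                       # unlabeled: implicit Medium/NW
CACHE = {"dacl": [("A", USER, FULL)], "sddl": "S:(ML;;NW;;;LW)"}           # labeled Low
PROCESS_OBJ = {"dacl": [("A", USER, FULL)], "sddl": "S:(ML;;NRNW;;;ME)"}   # process: also no-read-up


def demo():
    """Outcomes for the scenario; the DACL grants full control in every case,
    so every denial below comes from the mandatory label alone."""
    return {
        "low_reads_document": access_check(LOW_PROCESS, DOCUMENT, READ),
        "low_writes_document": access_check(LOW_PROCESS, DOCUMENT, WRITE),
        "low_writes_cache": access_check(LOW_PROCESS, CACHE, WRITE),
        "low_reads_process": access_check(LOW_PROCESS, PROCESS_OBJ, READ),
        "medium_writes_document": access_check(MEDIUM_PROCESS, DOCUMENT, WRITE),
        "medium_writes_cache": access_check(MEDIUM_PROCESS, CACHE, WRITE),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'allowed' if allowed else 'DENIED'}")
```

The scenario makes the point of the paragraph concrete: the DACL grants the same user full control over every object, yet the Low-integrity process is still denied write access to the unlabeled (Medium) document, a restriction that no ACL permission could express, while reading it is not restricted at all. The process object additionally carries the no-read-up flag, which is the one place where the mechanism limits disclosure.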

Windows integrity mechanism design goals


The Windows integrity mechanism enables a number of important scenarios in Windows Vista. In order to address the requirements, the Windows integrity mechanism’s design had to meet the following goals.

  • Integrity levels must be assigned automatically to every security access token during access token creation, so that every process and thread has an effective integrity level for access control.
  • The security subsystem automatically assigns mandatory labels to specific object types.
  • The system must use as few integrity levels as possible, to keep the basic architecture simple to understand and use.
  • Integrity policy must be flexible to meet the access requirements of different object resource managers, and to allow for future extensibility.
  • The integrity mechanism must integrate with the existing security architecture to minimize impact to the large legacy of system and application code that depends on Windows security.
  • There is no requirement for administrators or users to configure integrity levels for the enforcement mechanism to work correctly.


The Windows integrity mechanism meets these goals by defining a new mandatory label ACE type for assigning an integrity level to objects. Details of this structure are described in a later section of this paper. However, the mandatory label ACE defines an object integrity level without changes to the existing security descriptor data structure definition or to the commonly used discretionary access control list.

The Windows integrity mechanism is based on a mandatory label that the operating system assigns in order to differentiate it from discretionary access under user control. Discretionary access control allows the object owner, or the group that is granted permission, to change the object’s access permissions. Windows provides a graphical user interface (UI) for advanced users to view and modify the security permissions (represented by the discretionary ACL) on objects, such as files and registry keys. Mandatory labels are always assigned to specific objects, and there are controls on how the object creator can set or initialize the label on object creation. No graphical UI for managing integrity labels was implemented for Windows Vista because label management is available or necessary for relatively few areas.

Why is there a Windows integrity mechanism?

The purpose of the Windows integrity mechanism is to restrict the access permissions of applications that are running under the same user account and that are less trustworthy. Unknown, potentially malicious code that is downloaded from the Internet must be prevented from modifying system state, changing user data files, or manipulating the behavior of other application programs. The Windows security subsystem assigns a simple hierarchy of integrity levels to code running at different privilege levels for the same user. Previous versions of Windows can adjust the security access token privileges of an application process, although such adjustment is not common. Before Windows Vista, most applications ran using an administrative account with full administrator rights. Windows Vista incorporates the concept of least privilege by enabling broader use of standard user accounts. User Account Control (UAC) in Admin Approval Mode for administrator accounts means that multiple applications on the same desktop are running with different privilege levels. For example, Protected Mode Internet Explorer uses the integrity mechanism to run the Web browser in a process with limited access permissions.

The primary security problem that the Windows integrity mechanism addresses is unauthorized tampering with user data and, indirectly, with system state. A secondary problem the integrity mechanism helps with is information disclosure. However, information disclosure is prevented only with respect to access to process address space. Information sharing is very common between Windows applications, and convenient information sharing between applications is fundamental to the user experience. One example is copy and paste. Rigid security boundaries on information sharing between applications running under the same user account can severely affect application compatibility and user experience.

Untrustworthy code can try to modify user data in many ways. Some attacks may try to manipulate data directly by creating, modifying, or deleting files. Other attacks target another process running at higher privilege, with the goal of getting arbitrary code to execute in another application that does have the required level of access. There are many types of cross-process attacks. Because of the wide range of application design and implementation, the integrity mechanism cannot provide a complete isolation barrier. The Windows integrity mechanism is not intended as an application sandbox. However, it can be one of the security tools that application developers use to restrict the behavior of less trustworthy applications.

Windows Vista integrity mechanism and earlier integrity models

Some traits of the Windows integrity mechanism are similar to earlier integrity models for computer security. However, the Windows integrity mechanism is designed primarily to address tampering or elevation of privilege in the highly collaborative Windows application environment. Previous integrity models were more concerned with maintaining integrity of trustworthy processes by enforcing policies that prevent the reading of untrusted data.

The Biba security model is based on a hierarchy of integrity labels and the access policies that are allowed when a subject integrity level dominates the object integrity level. The Windows integrity mechanism resembles the Biba model in the following ways:

  • It uses a hierarchy of integrity labels (integrity labels are not the same as security labels in the Bell-LaPadula model).
  • The system uses a set of ordered subjects, objects, and integrity levels.
  • The subject’s integrity level dominates (is greater than or equal to) the object’s integrity level.
  • Integrity policies inhibit access to objects but are not used primarily to limit the flow of information.
  • Preventing information disclosure is not a goal of the integrity mechanism in Windows Vista.

The Windows integrity levels are ordered so that a lower value indicates less trustworthiness, and a higher value indicates greater trustworthiness. A lower-level subject cannot modify a higher-level object. The subject’s integrity level is not dynamic. For example, the integrity level of a subject does not change to a lower value if the process reads data from a low-integrity object. The strict integrity model in Biba does not allow a higher-integrity process to read lower-integrity data. This is sometimes called a “no-read-down” integrity policy. The Windows integrity policies, which are described in more detail below, do not inhibit or prevent higher-integrity subjects from reading or executing lower-integrity objects. There are many examples of attacks where reading malformed, untrusted input data results in an exploit of a vulnerability in an application and arbitrary code execution. The Windows integrity mechanism does not inhibit or prevent reading data at any level. Windows does not enforce the strict integrity policy described in the Biba model. The integrity design assumes that processes that are designed to handle untrusted data from an unknown or untrusted source are running at a lower integrity level, or that untrusted data is verified before use. However, the Windows integrity mechanism does not enforce that constraint.

The Windows integrity mechanism does not implement a dynamic, or "Low-Water-Mark," policy. A dynamic policy changes the integrity level of the subject as the subject opens lower-integrity objects. An issue with dynamic integrity is when a high-integrity process obtains open handles to many objects based on high integrity, and then suddenly becomes a lower-integrity subject after it opens a particular low-integrity file. Forcing all open handles to higher-integrity objects to close when the integrity level changes significantly affects the application’s behavior. The dynamic lower-integrity process itself becomes a target object of other processes at the lower integrity level. Such processes might now be able to modify the behavior of the application (at the same lower level) that has open handles to higher-integrity objects.
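To make the contrast drawn in the Biba comparison and the low-water-mark paragraph above concrete, here is an added Python model (constructed for this page, not code from the paper or from Windows) that replays one sequence of file operations under three policies: strict Biba, a dynamic low-water-mark policy, and the static no-write-up policy Windows uses. The level numbers, object names and the sequence of operations are all constructed; the "use" step models writing through a handle that was opened earlier, which in Windows triggers no new access check.

```python
LOW, MEDIUM, HIGH = 1, 2, 3   # constructed ordering; only the comparison matters


class Subject:
    """A process: its current integrity level and the handles it holds (name -> object level)."""

    def __init__(self, level):
        self.level = level
        self.handles = {}


def strict_biba(subj, access, obj_level):
    """Strict Biba: no-write-up and no-read-down; the subject's level is fixed."""
    if access == "read":
        return subj.level <= obj_level
    return subj.level >= obj_level


def low_water_mark(subj, access, obj_level):
    """Dynamic (low-water-mark) policy: any read is allowed, but reading lower-integrity
    data demotes the subject, and handles to objects now above it are forcibly closed."""
    if access == "read":
        if obj_level < subj.level:
            subj.level = obj_level
            subj.handles = {n: l for n, l in subj.handles.items() if l <= subj.level}
        return True
    return subj.level >= obj_level


def windows_mic(subj, access, obj_level):
    """Windows default integrity policy: no-write-up only; reads are never restricted
    and the subject's level does not move."""
    if access == "read":
        return True
    return subj.level >= obj_level


# Constructed operation sequence for a process that starts at High integrity.
OPERATIONS = [
    ("open", "config.dat", HIGH, "write"),   # opens its own high-integrity settings for writing
    ("open", "download.tmp", LOW, "read"),   # then reads untrusted downloaded data
    ("use", "config.dat", None, None),       # writes through the handle from step 1
    ("open", "notes.txt", MEDIUM, "write"),  # then writes a user document
]


def run(policy, start_level=HIGH):
    """Replay OPERATIONS under `policy`; return (outcome per step, final subject level)."""
    subj = Subject(start_level)
    outcome = []
    for kind, name, obj_level, access in OPERATIONS:
        if kind == "open":
            ok = policy(subj, access, obj_level)
            if ok:
                subj.handles[name] = obj_level
        else:
            # Using an existing handle triggers no new access check; it only
            # requires that the handle still exists.
            ok = name in subj.handles
        outcome.append(ok)
    return outcome, subj.level


def compare():
    """Outcomes of the same sequence under each policy, keyed by policy name."""
    return {p.__name__: run(p) for p in (strict_biba, low_water_mark, windows_mic)}


if __name__ == "__main__":
    for name, (steps, level) in compare().items():
        print(f"{name:15s} steps={steps} final_level={level}")
```

Strict Biba refuses the read of the low-integrity download outright; the low-water-mark policy permits it but demotes the process to Low, so its handle to the High config file is torn away and the later write to the Medium document fails, which is the application-compatibility cost the paragraph describes; the Windows policy permits every step and leaves the level at High, which is why the design instead expects code that consumes untrusted input to already be running at a lower level.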

The Windows integrity mechanism is not designed for integrity protection of data to support military or commercial requirements as described in the Clark-Wilson model. The Windows implementation of integrity controls does not build on the concepts of Constrained or Unconstrained Data Items and certified Transformation Procedures. However, these concepts are useful for application designers when they consider information flow from untrusted sources into higher-integrity processes.

Although the Windows integrity mechanism is similar to earlier integrity models in computer security, Windows Vista does not try to implement any of the models. Instead, the Windows integrity mechanism limits access permissions that are available to processes running with different privilege or trust levels. For more information about earlier work on integrity models by Biba and Clark-Wilson and dynamic integrity policies, see Windows Integrity Mechanism Resources.

Date: 2024-10-06 15:08:33
