Windows 7 Security Mechanisms
李德虎

Windows 7 Security Mechanisms
• UAC (User Account Control)
• ASLR (Address Space Layout Randomization)
• DEP (Data Execution Prevention)
UAC
• User Account Control
• Goal: control what different accounts may do
  – Protect system settings from users
  – Privacy between users on shared computers
  – Protect system security from malware
UAC
• Idea
  – Standard user & administrator: by default, both run with standard user rights
• Techniques
  – The Protected Administrator (PA) account
  – UAC elevation prompts
  – Windows Integrity Mechanism
  – File system and registry virtualization
UAC - PA account
• Accounts
  – PA: protected administrator
  – Standard user
• Access token
UAC - PA account
• First process
  – Explorer.exe runs with the standard user token
• Other processes
  – Inherit their token from explorer.exe or one of its child processes
  – So, by default, standard user rights
UAC - elevation prompts
• For standard users: Over the Shoulder (OTS) elevation
• For PA users: Consent elevation
UAC - elevation prompts
• Does the program need administrator rights?
  – Most common: the application's manifest file
    • Sysinternals: Sigcheck
    • asInvoker, highestAvailable, requireAdministrator
  – Heuristics, etc.
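As an added illustration (not from the original slides), this is the manifest fragment that Sigcheck reads and that UAC inspects to pick a prompt; the `requestedExecutionLevel` value is one of the three listed above, and the comments state which prompt each value produces. The manifest is constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Constructed example: the trustInfo section that UAC evaluates -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker:            run with the parent's (standard user) token, no prompt
             highestAvailable:     PA user gets a consent prompt, standard user runs unprompted
             requireAdministrator: always elevate (consent prompt for PA, OTS for standard) -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

A manifest carrying this section also marks the program as written for Vista, so its writes are no longer virtualized (see the legacy-process rules later in the deck).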
UAC - Windows Integrity Mechanism
• Windows Integrity Mechanism: integrity level, integrity policy
  – All processes and objects have integrity levels
  – An object's integrity policy can restrict the accesses a process may perform
  – The check passes when the process's IL >= the object's IL
• Integrity level
UAC - Windows Integrity Mechanism
• Integrity level
  – How is an IL assigned?
    • Processes usually inherit the IL of their parent
    • A process can also launch a process at a different IL
  – Sysinternals: Process Explorer or AccessChk
UAC - Windows Integrity Mechanism
• Integrity policy
  – Default policy for most objects: No-Write-Up
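To make the two integrity slides concrete, here is an added example (my own code, not the deck's and not Windows' implementation) of the mandatory check: a process at a lower IL than the object is stopped by whichever "up" accesses the object's policy forbids, and a process at the same or higher IL is never restricted by this stage. The level names and the three policy bits are the ones Windows uses; the scenario in main() is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Integrity levels as ordered ranks (Windows encodes them as SIDs; only the
 * ordering matters for the check). */
typedef enum { IL_UNTRUSTED = 0, IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM } integrity_level;

/* Mandatory policy bits an object can carry in its integrity label. */
enum { NO_WRITE_UP = 1, NO_READ_UP = 2, NO_EXECUTE_UP = 4 };

/* Access classes the policy distinguishes. */
typedef enum { ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE } access_kind;

/* The integrity check runs before the discretionary ACL is consulted.
 * Process IL >= object IL: not restricted here. Process IL < object IL:
 * denied for every access class the object's policy marks as "no ... up". */
bool integrity_allows(integrity_level proc_il, integrity_level obj_il,
                      unsigned policy, access_kind access) {
    if (proc_il >= obj_il)
        return true;
    switch (access) {
    case ACCESS_WRITE:   return !(policy & NO_WRITE_UP);
    case ACCESS_READ:    return !(policy & NO_READ_UP);
    case ACCESS_EXECUTE: return !(policy & NO_EXECUTE_UP);
    }
    return false;
}

int main(void) {
    /* Constructed scenario: a Low-IL process touching a Medium-IL file that
     * carries the default No-Write-Up policy. Reads pass, writes do not. */
    unsigned policy = NO_WRITE_UP;
    printf("low -> medium read:   %s\n",
           integrity_allows(IL_LOW, IL_MEDIUM, policy, ACCESS_READ) ? "allowed" : "denied");
    printf("low -> medium write:  %s\n",
           integrity_allows(IL_LOW, IL_MEDIUM, policy, ACCESS_WRITE) ? "allowed" : "denied");
    printf("high -> medium write: %s\n",
           integrity_allows(IL_HIGH, IL_MEDIUM, policy, ACCESS_WRITE) ? "allowed" : "denied");
    return 0;
}
```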
UAC - File system virtualization
• Microsoft recommends that:
  – Global application installers
    • store executable files in the %ProgramFiles% directory
    • store settings under HKEY_LOCAL_MACHINE\Software
  – For different user accounts
    • user-specific data goes in the per-user %AppData% directory
    • per-user settings go under HKEY_CURRENT_USER\Software
UAC - File system virtualization
• Before Windows Vista:
  – Most Windows systems were single-user
  – Most users were administrators
• Apps that incorrectly save user data and settings to the machine-wide locations worked anyway; in Vista it's different.
UAC - File system virtualization
• A legacy process in Vista is one that is:
  – 32-bit
  – not running with administrative rights
  – without a manifest file indicating that it was written for Windows Vista
• Any operation not originating from a process classified as legacy is not virtualized.
UAC - File system virtualization
• Virtualized locations: %ProgramFiles%, %ProgramData%, %SystemRoot%
  – File Virtualization Filter Driver
  – Modifications to virtualized directories are redirected to the user's virtual root directory
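Added example (my own code, not the deck's and not the filter driver's logic) combining the two preceding slides: a process is classified as legacy only when all three conditions hold, and only then is a write under one of the three virtualized roots redirected into the per-user virtual root. The virtual root is %LOCALAPPDATA%\VirtualStore, which is what Windows uses; the process attributes, paths and user name are constructed, and case-insensitive path matching is left out for brevity.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Attributes the classification needs (constructed for this example). */
typedef struct {
    bool is_32bit;
    bool has_admin_token;
    bool has_vista_manifest;   /* manifest declares a requestedExecutionLevel */
} process_info;

/* Legacy = 32-bit AND not administrative AND no Vista-aware manifest. */
bool is_legacy_process(const process_info *p) {
    return p->is_32bit && !p->has_admin_token && !p->has_vista_manifest;
}

/* The three virtualized roots from the slide, with default drive letters. */
static const char *const VIRTUALIZED_ROOTS[] = {
    "C:\\Program Files", "C:\\ProgramData", "C:\\Windows"
};

/* Rewrites a write path for a legacy process into the user's VirtualStore.
 * Returns false when the write is not virtualized: the process is not legacy,
 * or the path is outside every virtualized root. */
bool virtualize_path(const process_info *p, const char *path,
                     const char *local_appdata, char *out, size_t outlen) {
    if (!is_legacy_process(p))
        return false;
    for (size_t i = 0; i < sizeof VIRTUALIZED_ROOTS / sizeof *VIRTUALIZED_ROOTS; i++) {
        size_t n = strlen(VIRTUALIZED_ROOTS[i]);
        if (strncmp(path, VIRTUALIZED_ROOTS[i], n) == 0 && path[n] == '\\') {
            /* "C:\Program Files\App\x" -> "<LOCALAPPDATA>\VirtualStore\Program Files\App\x" */
            snprintf(out, outlen, "%s\\VirtualStore\\%s", local_appdata, path + 3);
            return true;
        }
    }
    return false;
}

int main(void) {
    process_info legacy = { true, false, false };   /* constructed process */
    char buf[260];
    if (virtualize_path(&legacy, "C:\\Program Files\\OldApp\\settings.ini",
                        "C:\\Users\\alice\\AppData\\Local", buf, sizeof buf))
        printf("write redirected to %s\n", buf);
    return 0;
}
```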
UAC - registry virtualization
UAC - Auto elevation
• Goal
  – A smoother user experience by reducing prompts
• How?
  – "Auto-elevates" Windows executables
  – Digitally signed by the Windows publisher, which is the certificate used to sign all code included with Windows (code not shipped in Windows is not included)
  – Located in "secure" directories, e.g. \Windows\System32
UAC - Auto elevation
• Additional rules
  – .exe files: only if they specify the autoElevate property in their manifest
  – Sysinternals: Sigcheck
UAC - Auto elevation
• Additional rules
  – Microsoft Management Console, Mmc.exe
  – The .MSC file lists the snap-ins MMC is to load, e.g. Mmc.exe gpedit.msc
  – Mmc.exe is a Windows executable
  – The .MSC file must be signed by Windows and in a secure location
  – and listed on an internal list of auto-elevate .MSCs
UAC - Auto elevation
• Additional rules
  – COM objects:
    • must also be a Windows executable
    • instantiated by a Windows executable (the instantiating executable doesn't need to be marked for auto-elevation)
  – The Shell's Copy/Move/Rename/Delete/Link Object that Explorer uses
UAC
• Goal
  – A security boundary between admin and non-admin code
• But
  – Usability prevents the goal from being achieved
• Questions
  – Provide an auto-elevate list?
  – Can third-party software running in a PA account take advantage of auto-elevation?
ASLR (Vista)
• Randomizes the addresses where objects are mapped
  – Images (both executables and DLLs)
  – Heaps, stacks
  – The PEB and TEBs
ASLR
• For images
  – System-wide configuration parameter: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
    • 0: never randomize
    • -1: randomize all images
    • any other value: randomize only images that set the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag
  – The flag is set by the /DynamicBase linker option (Visual Studio 2005 SP1)
ASLR
• Exe
ASLR
• DLL
  – A DLL must be loaded at the same address in each process to be shared
  – A global bitmap called _MiImageBitMap
  – (0x78000000 - 0x50000000) / 64KB = 0x2800 bits
  – An 8-bit random value, initialized with the RDTSC instruction once per boot
ASLR
• DLL
  – First DLL loaded on the system (NTDLL.DLL): 256 possible locations
  – Subsequent DLLs depend on
    • the address of NTDLL.DLL
    • the order in which the DLLs are loaded
    • To increase the randomness: SmpRandomizeDllList
ASLR
• Heap
  – In the past: NtAllocateVirtualMemory, a linear address-space search, predictable
  – Vista: RtlHeapCreate adds randomness
ASLR
• Stack: twofold randomization
  – The base of the stack is chosen randomly: a random 5-bit value × time stamp counter
  – The offset where the stack starts is chosen randomly: a 9-bit random value × 4 B, time stamp counter
DEP
• Software DEP
  – An extra check in the exception dispatcher
  – /SafeSEH linker option: a table of all valid exception handlers
  – The exception handler record must point to one of the valid handlers in the table
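Added example (my own code, not the deck's and not the Windows dispatcher) of the software DEP check described above: the module carries a table of the handler addresses the linker saw, and the dispatcher calls the handler in a registration record only when that address is in the table, so a record whose handler field was overwritten with an unlisted address is refused. The handlers, the table and the records are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified handler signature (the real x86 SEH prototype takes more arguments). */
typedef int (*exception_handler)(int code);

/* Handlers the module legitimately registers (constructed). */
static int handler_div_by_zero(int code)      { return code == 1 ? 100 : -1; }
static int handler_access_violation(int code) { return code == 2 ? 200 : -1; }

/* The per-module table that /SafeSEH emits at link time: every handler
 * address this module is allowed to register, and nothing else. */
static const exception_handler safe_seh_table[] = {
    handler_div_by_zero,
    handler_access_violation,
};

/* A registration record on the stack: the field a stack overflow can clobber. */
typedef struct {
    exception_handler handler;
} exception_registration;

/* The dispatcher's extra check. Returns true only if the record's handler is
 * listed in the table, in which case the handler is called and `*result` set. */
bool dispatch_exception(const exception_registration *rec, int code, int *result) {
    size_t n = sizeof safe_seh_table / sizeof safe_seh_table[0];
    for (size_t i = 0; i < n; i++) {
        if (safe_seh_table[i] == rec->handler) {
            *result = rec->handler(code);
            return true;
        }
    }
    return false;   /* address not in the table: refuse to transfer control */
}

/* Stand-in for a code address the table does not list (constructed). */
static int not_registered(int code) { (void)code; return 999; }

int main(void) {
    exception_registration good = { handler_div_by_zero };
    exception_registration bad  = { not_registered };
    int r = 0;
    printf("listed handler:   %s\n", dispatch_exception(&good, 1, &r) ? "called" : "refused");
    printf("unlisted handler: %s\n", dispatch_exception(&bad, 1, &r) ? "called" : "refused");
    return 0;
}
```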
DEP
• Hardware support for NX
  – Windows: page-level protection
  – x86: a single R/W bit per page, no bit to control execution
  – CPUs after 2004: NX bit (No eXecute)
DEP
• DEP policies (Vista, Server 2008, Win7)
  – OptIn
  – OptOut
  – AlwaysOn
  – AlwaysOff
DEP
• Enabling or disabling DEP at runtime
  – KPROCESS structure (DEP flags)
DEP
• Enabling or disabling DEP at runtime
  – NtQueryInformationProcess / NtSetInformationProcess
  – XP SP3, Vista SP1: new API
    • SetProcessDEPPolicy
    • GetProcessDEPPolicy
    • GetSystemDEPPolicy
ASLR & DEP
• Bypass DEP
  – Code reuse: ret2libc (Ntdll!ZwSetInformationProcess)
• Bypass ASLR
  – Search in the PEB list entries, trivially
ASLR & DEP
• When combined together, quite difficult
  – DEP: needs a call to a DEP function in a non-ASLR module
  – ASLR: at least all the system libraries are protected
• But not impossible
  – Some application modules are not protected
Sites
• http://www.pretentiousname.com/misc/win7_uac_whitelist2.html (Win7Elevate32v2.exe)
• Video: http://leo.lss.com.au/W7E_VID_INT/W7E_VID_INT.htm
• Blogs:
  – http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
  – http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx