Mandatory Integrity Control
mb
I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on previous work by others, in particular the Biba model.
There are several traditional access control models we use in computer security. Windows enforces access control using the Discretionary Access Control (DAC) model. In the NTFS file system, DAC allows and restricts access to files solely based on user identity. The system grants a user, or group of users, access to a file based on ownership. The owner decides, at his or her discretion, how to further assign access permission to that file. Discretionary Access Control is a system completely based on who is trying to access a file.
Mandatory Access Control (MAC), on the other hand, is an access control model that focuses more on the content of the file itself. MAC classifies all files based on a level of sensitivity or classification and only allows access to users with appropriate clearance, no matter what other controls may be in place that might permit them access. Therefore, users may access a document with a Top Secret classification only if they have that level of clearance, even if you place that file in the user’s directory. Furthermore, users with the appropriate level of clearance to access a file still cannot grant access to others with a lower level. Mandatory Access Control focuses on what the file contains.
Mandatory Integrity Control is similar to Mandatory Access Control but focuses more on the trustworthiness of files based on where the files came from. MIC provides a barrier between trusted and untrusted processes, files, and other system resources.
MIC works by assigning integrity levels to everything and preventing low-integrity users and processes from writing to higher-integrity file and Registry locations.
Anything you can secure in Windows also has an integrity level. Anything that doesn’t specifically have an integrity level assignment will receive an integrity level of medium. Furthermore, Windows also assigns integrity levels to users. Normal users will have an integrity level of medium and administrators have an integrity level of high.
When users launch programs, those programs normally launch with the same integrity level of the user, so when medium-integrity users launch programs, those programs will run at a medium integrity level.
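The following PowerShell script is an added example, not code from the original post. It shows the mechanism described above on a live Windows system: it reads the current token's integrity label, sets and reads file labels with icacls, and then runs a Low-integrity process to show that it can write to Low-labelled files but not to Medium (unlabelled) ones. It assumes whoami.exe and icacls.exe are available (both ship with Windows) and that $env:TEMP is an ordinary medium-integrity location; the directory and file names under $env:TEMP are made up for the demo.

```powershell
# Added example (not from the original post): inspect and exercise MIC labels.
# Assumes whoami.exe and icacls.exe are on the PATH, and that $env:TEMP is a
# medium-integrity location (the default). Names under $env:TEMP are constructed.

function Get-ProcessIntegrityLevel {
    # whoami reports the token's mandatory label as a pseudo-group of type "Label".
    # A normal user sees "Medium Mandatory Level" (S-1-16-8192); an elevated
    # administrator sees "High Mandatory Level" (S-1-16-12288).
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' }
    [pscustomobject]@{ Name = $row.'Group Name'; Sid = $row.SID }
}

function Get-FileIntegrityLabel {
    param([string]$Path)
    # icacls prints a "Mandatory Label\..." line only when an explicit label exists.
    # An object without a label is treated as Medium. "(NW)" is the no-write-up policy.
    $line = (icacls $Path) -match 'Mandatory Label' | Select-Object -First 1
    if ($line) { ($line -replace '.*Mandatory Label\\', '').Trim() } else { 'Medium (implicit)' }
}

# 1. Our own integrity level.
Get-ProcessIntegrityLevel

# 2. Two files: one left unlabelled (Medium), one explicitly labelled Low.
$work = Join-Path $env:TEMP 'mic-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$mediumFile = Join-Path $work 'medium.txt'
$lowFile    = Join-Path $work 'low.txt'
'medium' | Set-Content $mediumFile
'low'    | Set-Content $lowFile
icacls $lowFile /setintegritylevel Low | Out-Null
"medium.txt label: $(Get-FileIntegrityLabel $mediumFile)"
"low.txt label:    $(Get-FileIntegrityLabel $lowFile)"

# 3. A copy of cmd.exe labelled Low starts as a Low-integrity process, because a
#    process receives the lower of the user's and the image file's integrity levels.
$lowCmd = Join-Path $work 'lowcmd.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd
icacls $lowCmd /setintegritylevel Low | Out-Null

# 4. No-write-up: the Low process may append to low.txt but not to medium.txt,
#    even though the DACL grants the same user full control over both files.
& $lowCmd /c "echo from low >> `"$lowFile`""
"write to low.txt:    exit code $LASTEXITCODE"
& $lowCmd /c "echo from low >> `"$mediumFile`""
"write to medium.txt: exit code $LASTEXITCODE (non-zero means 'Access is denied')"

# 5. Objects created by a Low process are themselves labelled Low, which is what
#    keeps anything a Low-integrity browser drops from touching Medium locations.
$lowDir = Join-Path $work 'lowdir'
New-Item -ItemType Directory -Force -Path $lowDir | Out-Null
icacls $lowDir /setintegritylevel Low | Out-Null
$created = Join-Path $lowDir 'created-by-low.txt'
& $lowCmd /c "echo created > `"$created`""
"created-by-low.txt label: $(Get-FileIntegrityLabel $created)"
```

Run it from an ordinary (non-elevated) PowerShell prompt to see the Medium-versus-Low behaviour described in the post; from an elevated prompt the first line reports High instead, but the Low process is still denied write access to the unlabelled file.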
On Windows Vista, Internet Explorer 7 is broken down into three different processes that run at different integrity levels so that it can use the lowest integrity level it can get away with for any particular task. By default, IE uses a mode called LP IE that always runs with low integrity. There is also an IEUser process that handles running IE with a medium integrity level. Finally, the Application Information service allows the launching of high-integrity instances to handle admin-level tasks.
Low Integrity
Internet Explorer by default will run with low integrity and can only access a limited portion of the file system. By default, most files on the system have a medium integrity level so Internet Explorer cannot access any of those locations. The low-integrity directories that IE can write to are the low integrity cache, temp, cookies, and history directories that Internet Explorer uses for web browsing. Any web site in your Internet zone will always run with low integrity.
Medium Integrity
Internet Explorer uses a medium integrity level for all web sites that are in your trusted zone. If you are browsing to a web site in the Internet zone and wish to open a site that is in your Trusted zone, IE will prompt you to open a new window for that web site. It does this because the site in the Trusted zone will run with a medium integrity level and it needs to create a new process with the appropriate integrity level. In other words, you cannot have Trusted sites and Internet sites open in the same browser instance.
The core concept of UAC is that there is usually a prompt when you switch between tasks of different integrity levels. The idea is that no matter what kind of future attacks hackers might think of, the user will at least see a prompt before anything bad can happen.
When a browser instance is running with low integrity it can automatically save files, such as cookies or temporary Internet files, without prompting the user. This is because it only saves the files to low-integrity locations. This way, if a future browser exploit allows a malicious web site to download and run a file, it will not be able to do any damage because the file will be marked as low integrity.
However, if you wish to download a file from a web site in the Internet zone and save it to your desktop or other medium-integrity location, IE will always prompt you before allowing the download. It does this because in order to save the file to a medium-integrity location, it needs to run as a medium-integrity process. Because it is switching from one integrity context to another, it will require user interaction.
It is important to be aware that when you approve the download of files from the Internet and save them to your disk, those files will be marked as medium-integrity files. That means they can run with the same privileges as the current user. IE7 protected mode doesn’t replace the need to be smart about what you download and install on your computer.
High Integrity
Sometimes you need administrative-level rights to install ActiveX components or IE add-ins. To do this, IE will spawn a new high-integrity process. This process can handle any installation issues but will always ask for approval before performing any administrative task.
Mandatory integrity control is still a new concept in Windows and it is obvious it hasn’t been fully integrated into the security model. However, it certainly is a step in the right direction.
Posted in Windows Security