M-A's

technology blog

Thursday, 15 February 2007

MIC : what they forgot to tell you

The Mandatory Integrity Control (which is implemented with Integrity Levels) is defined with 6 levels. The majority of the documentation only talks about 3 or 4 levels. At least, they are defined in winnt.h (1).

The "0" level is nice since it adds another blockage on anonymous tokens (furthermore that anonymous has been removed from everyone group in XP). The first place I heard about level 5000 is about an "installer" level (I've lost the reference). However, searching again I found true documentation about it (2). At least there, they tell upfront that it's about a protected process so it's most certainly used to implement Protected User Mode Audio (Protected Media Path or PMP).

Notice that in Process Explorer on Vista they never mention level 5000 (And they obfuscate the level with names, it's even worse on French Vista : "Niveau obligataire moyen" What?!? "3000" Ah now I understand! :) Since Process Explorer's author (Mark Russinovich) is now part of Microsoft, don't count on him anymore to reveal this kind of nice information. I think that protected processes are implemented as level 5000 is because it's an inherent ability given by MIC. Also, it is explicited that only "kernel mode CreateProcess()" can create a 5000-level process. (1) So talking about an "installer" mode is smoke. In Microsoft's document about protected processes, they tell the ISVs to forget about it (3):

Any application can attempt to create a protected process. However, due to the restrictions of running inside a protected process, the operating system requires that these processes be specially signed
Therefore, ISVs can't create protected processes that could touch the DRM audio process.

An underdocumented fact about MIC is that it's effective by default for "No-Write-Up"; it blocks write access but not read access to higher ILs. This is documented in Mark's presentation (4) at page 32. The other behaviors that can be configured through policies are No-Read-Up and No-Execute-Up. Look at the page 39 of Mark's presentation (4) to learn about the interactions of processes with different ILs.

Assuming that protected processes run at level 5000, I think that it is running with a No-Execute-Up policy. That implies that policies can change between different ILs? On the other hand, it is hardcoded only for level 5000? Who knows?

The values are stored in the SACL with a special SID to signal that it is not really an SACL entry. My first question is: how the IL propagates through containers? The icacls tool (6) has an interesting comment in its help: "Inheritance options for the integrity ACE may precede the level and are applied only to directories." Humm interesting, so the container's IL may precede the object's IL? Needs to be tested.

Finally for those who didn't know yet, the default integrity levels of objects without a specific integrity level is 3000. It is done to save space in the SECURITY_DESCRIPTOR and to implement a default security layer around objects from evil low-IL processes.

The conclusion is that there is a nebula around MIC and that the documentation is greatly deficient. I hoped that Microsoft would stop doing security by obfuscation but for MIC that's still the case.

---

References
#1 Winnt.h definitions concerning MIC
#define SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16}
#define SECURITY_MANDATORY_UNTRUSTED_RID (0x00000000L)
#define SECURITY_MANDATORY_LOW_RID (0x00001000L)
#define SECURITY_MANDATORY_MEDIUM_RID (0x00002000L)
#define SECURITY_MANDATORY_HIGH_RID (0x00003000L)
#define SECURITY_MANDATORY_SYSTEM_RID (0x00004000L)
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x00005000L)
// SECURITY_MANDATORY_MAXIMUM_USER_RID is the highest RID that can be set by a usermode caller.
#define SECURITY_MANDATORY_MAXIMUM_USER_RID SECURITY_MANDATORY_SYSTEM_RID

#2 Well-known SIDs
http://msdn2.microsoft.com/en-us/library/aa379649.aspx

#3 Protected Processes (on Windows Vista)
http://www.microsoft.com/whdc/system/vista/process_Vista.mspx
Note: to people that had the chance to read a previous version of this document around 2006 summer can remark that the rights are slightly different in Vista's RTM.

#4 "Windows Vista User Account Control Internals", Mark Russinovich
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=360
Direct link to the powerpoint: http://microsofttech.fr.edgesuite.net/msexp/download/0370/0370_pres.zip
He is clear about a fact: Elevation is not a security boundary. But he had "the front" (place the right translation of "culot" in French) to say "There is 4 integrity levels", that's simply not true.

#5 "Windows Vista System Integrity Technologies", Steve Riley
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=223

#6 I recommend looking at the online help of those tools: icacls, accesschk, whoami.

Keywords: 100 200 300 400 500 1000 2000 3000 4000 5000

(Side note: the Blogger's HTML editor need to be redesigned, it's inefficient. Furthermore a 680x240 editor looks rather small on a 1200x1920 screen :( Blogger web site designers have some homeworks to do!)

No comments: