
Windows 7 Security Mechanisms (李德虎). Windows 7 Security Mechanisms: UAC (User Account Control), ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention)


1 Windows 7 Security Mechanisms (李德虎)

2 Windows 7 Security Mechanisms: UAC (User Account Control), ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention)

3 UAC (User Account Control)
Goal: to control what different accounts may do
– Protect system settings from users
– Privacy between users on shared computers
– Protect system security from malware

4 UAC
Idea
– Standard user and administrator; by default, standard user rights
Techniques
– The Protected Administrator (PA) account
– UAC elevation prompts
– Windows Integrity Mechanism
– File system and registry virtualization

5 UAC – PA account
Account
– PA (protected administrator)
– Standard user
Access token

6 UAC – PA account
First process
– Explorer.exe runs with the standard user token
Other processes
– Inherit their token from explorer.exe or its child processes
– So, by default, they run with standard user rights

7 UAC
Idea
– Standard user and administrator; by default, standard user rights
Techniques
– The Protected Administrator (PA) account
– UAC elevation prompts
– Windows Integrity Mechanism
– File system and registry virtualization

8 UAC – elevation prompts
– For standard users: Over the Shoulder (OTS) elevation
– For PA users: Consent elevation

9 UAC – elevation prompts
Does the application need administrator rights?
– Most common: the application's manifest file (asInvoker, highestAvailable, requireAdministrator); inspect it with Sysinternals Sigcheck
– Heuristics, etc.

10 UAC
Idea
– Standard user and administrator; by default, standard user rights
Techniques
– The Protected Administrator (PA) account
– UAC elevation prompts
– Windows Integrity Mechanism
– File system and registry virtualization

11 UAC – Windows Integrity Mechanism
Windows Integrity Mechanism: integrity level, integrity policy
– All processes and objects have integrity levels
– An object's integrity policy can restrict the accesses a process gets
– Requirement: the process's IL >= the object's IL

12 UAC – Windows Integrity Mechanism: Integrity level

13 UAC – Windows Integrity Mechanism
Integrity level: how is an IL assigned?
– Processes usually inherit the IL of their parent
– A process can also launch a process at a different IL
– Inspect with Sysinternals Process Explorer or AccessChk

14 Integrity policy
– Default policy for most objects: No-Write-Up
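The integrity check from slides 11 to 14, as an added example that is not part of the slides: it models the IL comparison and the No-Write-Up default, and (going a little beyond the slides) the other two mandatory-label policy bits Windows defines, NO_READ_UP and NO_EXECUTE_UP. Level values are the RIDs of the real S-1-16-<rid> label SIDs; the function names are this example's own.

```python
# Mandatory integrity levels, expressed as the RID of the S-1-16-<rid> label SID.
LEVELS = {"Untrusted": 0x0000, "Low": 0x1000, "Medium": 0x2000,
          "High": 0x3000, "System": 0x4000}

# Policy bits carried by a mandatory-label ACE (SYSTEM_MANDATORY_LABEL_NO_*_UP).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4


def level_from_sid(sid):
    """Convert a label SID such as 'S-1-16-8192' to its level (0x2000 = Medium)."""
    parts = sid.split("-")
    if parts[:3] != ["S", "1", "16"] or len(parts) != 4:
        raise ValueError("not a mandatory label SID: " + sid)
    return int(parts[3])


def integrity_check(process_il, object_il, access, policy=NO_WRITE_UP):
    """Return True if the integrity check allows 'read', 'write' or 'execute'.

    The check can only deny: a process at or above the object's level passes,
    a lower process is blocked for each access kind the policy names. The
    ordinary DACL check still runs afterwards and may deny on its own.
    """
    if process_il >= object_il:
        return True
    blocked = {"write": NO_WRITE_UP, "read": NO_READ_UP,
               "execute": NO_EXECUTE_UP}[access]
    return not (policy & blocked)


def audit(process_il, object_il, policy=NO_WRITE_UP):
    """Summarise which access kinds the integrity policy leaves open."""
    return {a: integrity_check(process_il, object_il, a, policy)
            for a in ("read", "write", "execute")}


if __name__ == "__main__":
    # A Low-IL process (e.g. a sandboxed browser tab) against a Medium object:
    # with the default No-Write-Up policy it may read but not write.
    print(audit(LEVELS["Low"], LEVELS["Medium"]))
```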

15 UAC

16 UAC
Idea
– Standard user and administrator; by default, standard user rights
Techniques
– The Protected Administrator (PA) account
– UAC elevation prompts
– Windows Integrity Mechanism
– File system and registry virtualization

17 UAC – File system virtualization
Microsoft recommends that:
– Global application installers store executable files in the %ProgramFiles% directory and settings under HKEY_LOCAL_MACHINE\Software
– For different user accounts, user-specific data goes in the per-user %AppData% directory and per-user settings under HKEY_CURRENT_USER\Software

18 UAC – File system virtualization
Before Windows Vista:
– Most Windows systems were single-user
– Most users were administrators
Apps that incorrectly save user data and settings to the machine-wide locations worked anyway, but in Vista it's different.

19 UAC – File system virtualization
A process is classified as legacy in Vista when it is:
– 32-bit
– not running with administrative rights
– without a manifest file indicating that it was written for Windows Vista
Any operation not originating from a process classified as legacy is not virtualized.

20 UAC – File system virtualization
Virtualized locations:
– %ProgramFiles%, %ProgramData%, %SystemRoot%
– Implemented by the File Virtualization Filter Driver
– Modifications to virtualized directories are redirected to the user's virtual root directory

21 UAC – Registry virtualization

22 UAC – Auto elevation
Goal
– A smoother user experience by reducing prompts
How?
– Windows "auto elevates" Windows executables, i.e. executables that are:
– digitally signed by the Windows publisher, which is the certificate used to sign all code included with Windows (code that is not shipped in Windows isn't included)
– located in "secure" directories, e.g. \Windows\System32

23 UAC – Auto elevation
Additional rules
– .exe files: only if they specify the autoElevate property in their manifest
– Inspect with Sysinternals Sigcheck
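An added example (not from the slides) covering both slide 9 and slide 23: it reads the requestedExecutionLevel and the autoElevate property out of an application manifest, then maps the execution level to the prompt type from slide 8 for a standard user versus a PA user. The manifest is a constructed sample; the element names and namespaces are the real ones used by Windows manifests, while parse_manifest and elevation_prompt are this example's own names. Sigcheck extracts the same manifest from a real binary.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (not taken from any real product): an application
# that requires administrator rights and also requests autoElevate.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>
"""


def _local(tag):
    """Strip the '{namespace}' prefix so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_manifest(xml_text):
    """Return (requestedExecutionLevel, autoElevate) for a manifest.

    A manifest without requestedExecutionLevel behaves as asInvoker, and a
    missing autoElevate counts as false, so those are the defaults here.
    """
    level, auto = "asInvoker", False
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            level = el.get("level", "asInvoker")
        elif name == "autoElevate":
            auto = (el.text or "").strip().lower() == "true"
    return level, auto


def elevation_prompt(level, user_kind):
    """Prompt type ('none', 'consent' or 'OTS') for a 'standard' or 'PA' user."""
    if level == "asInvoker":
        return "none"                      # runs with the caller's (filtered) token
    if level == "highestAvailable":
        return "consent" if user_kind == "PA" else "none"   # standard users just run
    if level == "requireAdministrator":
        return "consent" if user_kind == "PA" else "OTS"    # OTS asks for admin credentials
    raise ValueError("unknown execution level: " + level)
```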

24 UAC – Auto elevation
Additional rules
– Microsoft Management Console, Mmc.exe: the .MSC file lists the snap-ins MMC is to load, e.g. Mmc.exe gpedit.msc
– Mmc.exe is a Windows executable
– The .MSC file must be signed by Windows and located in a secure location
– and listed on an internal list of auto-elevate .MSCs

25 UAC – Auto elevation
Additional rules
– COM objects: must also be a Windows executable, instantiated by a Windows executable (the instantiating executable doesn't need to be marked for auto-elevation)
– Example: the Shell's Copy/Move/Rename/Delete/Link Object that Explorer uses

26

27 UAC
Goal
– A security boundary between admin and non-admin code
But
– Usability prevents the goal from being achieved
Questions
– Provide an auto-elevate list?
– Can third-party software running in a PA account take advantage of auto-elevation?

28 Windows 7 Security Mechanisms: UAC (User Account Control), ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention)

29 ASLR (Vista)
Randomizes the addresses where objects are mapped:
– Images (both executables and DLLs)
– Heaps, stacks
– The PEB and TEBs

30 ASLR
For images
– System-wide configuration parameter: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
– 0: never randomize
– -1: randomize all images
– Any other value: randomize only images with the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag set
– The flag is set by the /DynamicBase linker option (Visual Studio 2005 SP1)
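An added example, not from the slides, for auditing whether an image will be randomized under the MoveImages rules above: it reads DllCharacteristics from a PE optional header (the flag the slide calls IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040, in the PE headers) and, as a bonus, also reports the NX_COMPAT bit that /NXCOMPAT sets for DEP. The PE builder produces a constructed, non-loadable header stub just so the parser can be exercised offline; function names are this example's own.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE: eligible for ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT: image opts in to DEP


def pe_dll_characteristics(data):
    """Return the DllCharacteristics word from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                  # skip IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]


def aslr_dep_status(data, move_images=1):
    """Apply the MoveImages rules from the slide to one image.

    move_images: 0 never randomize, -1 always, any other value only flagged images.
    """
    chars = pe_dll_characteristics(data)
    flagged = bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    if move_images == 0:
        aslr = False
    elif move_images == -1:
        aslr = True
    else:
        aslr = flagged
    return {"dynamic_base": flagged, "aslr": aslr,
            "nx_compat": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}


def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed header-only PE stub (not runnable as a program) for testing."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                           0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)
```

Run it over a real DLL with `aslr_dep_status(open(path, "rb").read())` to see whether the binary was linked with /DynamicBase and /NXCOMPAT.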

31 ASLR Exe

32 ASLR
DLL
– A DLL must be loaded at the same address in each process in order to be shared
– A global bitmap called _MiImageBitMap
– (0x x )/64KB = 0x2800 bits
– An 8-bit random value, initialized with the RDTSC instruction once per boot

33 ASLR
DLL
– The first DLL loaded on the system (NTDLL.DLL): 256 possible locations
– Subsequent DLLs depend on the address of NTDLL.DLL and on the order in which the DLLs are loaded
– To increase the randomness: SmpRandomizeDllList

34 ASLR
Heap
– In the past: NtAllocateVirtualMemory, a linear address space search, predictable
– Vista: RtlHeapCreate adds randomness

35 ASLR
Stack: twofold randomization
– The base of the stack is chosen randomly: a random 5-bit value, derived from the time stamp counter
– An offset, where the stack starts, is chosen randomly: a 9-bit random value * 4 B, derived from the time stamp counter

36 Windows 7 Security Mechanisms: UAC (User Account Control), ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention)

37 DEP
Software DEP
– An extra check in the exception dispatcher
– /SafeSEH linker option: a table of all valid exception handlers
– The exception handler record must point to one of the valid handlers in the table

38

39 DEP
Hardware support for NX
– Windows: page-level protection
– x86: a single bit, R?W? (readable/writable), no bit to control execution
– CPUs after 2004: NX bit (No eXecute)

40 DEP
DEP policies (Vista, Server 2008, Win7)
– OptIn
– OptOut
– AlwaysOn
– AlwaysOff

41 DEP
Enabling or disabling DEP at runtime
– KPROCESS structure (DEP flags)

42 DEP
Enabling or disabling DEP at runtime
– NtQueryInformationProcess / NtSetInformationProcess
– XP SP3, Vista SP1: new API SetProcessDEPPolicy, GetProcessDEPPolicy, GetSystemDEPPolicy

43 ASLR & DEP
Bypass DEP
– Code reuse: ret2libc (Ntdll!ZwSetInformationProcess)
Bypass ASLR
– Search in the PEB ListEntry, trivially

44 ASLR & DEP

45 ASLR & DEP
When combined together, quite difficult
– DEP: needs a call to a DEP function in a non-ASLR module
– ASLR: at least all the system libraries are protected
But not impossible
– Some application modules are not protected

46 Sites
– _uac_whitelist2.html (Win7Elevate32v2.exe)
– Video: http://leo.lss.com.au/W7E_VID_INT/W7E_VID_INT.htm
– Blogs: us/magazine/ uac.aspx; us/magazine/ uac.aspx
