What is the Windows Integrity mechanism? (What is Windows integrity mechanism)

Source: Internet
Author: User
Tags: least privilege

The Windows integrity mechanism is a core component of the Windows security architecture that restricts the access permissions of applications that are running under the same user account and that are less trustworthy.

(The Windows integrity mechanism is a core component of the Windows security architecture that restricts access for less trusted applications running under the same user account.)

The Windows Vista integrity mechanism extends the security architecture of the operating system by assigning an integrity level to application processes and securable objects.

(The Windows Vista integrity mechanism extends the security architecture of the operating system by assigning integrity levels to application processes and securable objects.)

The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs).

(The integrity level represents the trustworthiness of running processes and objects, such as files created by an application. The integrity mechanism gives resource managers, such as the file system, the ability to use predefined policies to block processes with a lower integrity level, or lower trustworthiness, from reading or modifying objects with a higher integrity level. The integrity mechanism lets the Windows security model enforce new access control restrictions that cannot be expressed by granting permissions to users or groups in ACLs.)

(ACLs are BLP models in mandatory access control, and the integrity level is the Biba model in mandatory access control.)

The Windows security architecture is based primarily on granting access rights (read, write, and execute permissions) and privileges to users or groups that are represented internally by security identifiers (SIDs). When a user logs on to Windows, the security subsystem sets the user's SID and group membership SIDs in a security access token. The security access token is assigned to every application process that is run by that user. Every time the application process opens an object, such as a file or registry key, the resource manager that manages the object calls on the security subsystem to make an access decision. The access check determines the allowed access permissions for this user. The security subsystem (also known as the Security Reference Monitor) compares the user and group SIDs in the access token with the access rights in a security descriptor that is associated with the object. If the user SID is granted full access rights in the object's ACL, then the application process that user runs has full access to the object. For more information on the Windows security architecture, see Windows Integrity Mechanism Resources.

(The Windows security architecture is primarily based on granting access rights (read, write, and execute permissions) and privileges to users or groups, which are represented internally by SIDs. When a user logs on to Windows, the security subsystem places the user's SID and group membership SIDs in a security access token. The access token is assigned to every process that the user runs. Whenever a process opens an object, such as a file or registry key, the resource manager responsible for that object invokes the security subsystem to make an access decision. The access check determines which access rights are allowed for this user. The security subsystem (also known as the Security Reference Monitor) compares the user and group SIDs in the access token with the access rights in the object's security descriptor. If the user SID is granted full access in the object's ACL, the process that the user runs has full access to the object.)

Extending the Windows security architecture

The Windows integrity mechanism extends the security architecture by defining a new access control entry (ACE) type to represent an integrity level in an object's security descriptor. The new ACE represents the object integrity level. An integrity level is also assigned to the security access token when the access token is initialized. The integrity level in the access token represents a subject integrity level. The integrity level in the access token is compared against the integrity level in the security descriptor when the Security Reference Monitor performs an access check. Windows Vista uses the AccessCheck function to determine what access rights are allowed to a securable object. Windows restricts the allowed access rights depending on whether the subject's integrity level is higher or lower than the object's, and depending on the integrity policy flags in the new ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

(The Windows integrity mechanism extends the security architecture by defining a new ACE in the object's security descriptor that represents the integrity level. The new ACE represents the integrity level of the object. When the access token is initialized, an integrity level is also assigned to the token. The integrity level in the access token represents the integrity level of the subject. When the Security Reference Monitor performs an access check, the integrity level in the access token is compared with the integrity level in the security descriptor. Windows Vista uses the AccessCheck function to determine which access rights to the object can be allowed. Windows restricts access based on whether the subject's integrity level is above or below the object's integrity level, and on the integrity policy flags in the new ACE. The security subsystem treats the integrity level as a mandatory label, separate from the discretionary access ACEs in the ACL.)
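The comparison described above can be made concrete with a small model of the mandatory-label step of an access check. The following Python is an added example, not code from the original paper or from Windows: it compares the subject integrity level carried in the token with the object's mandatory label ACE and lets the label's policy flags remove rights from a lower-integrity subject, while never adding rights the DACL did not grant. The level RIDs (encoded in S-1-16-<rid> label SIDs), the SYSTEM_MANDATORY_LABEL_* flag values and the GENERIC_* bits are the documented Windows values; the class and function names and the sample objects are constructed for this illustration.

```python
"""Model of the mandatory-label step of a Windows access check.

Added illustration, not Microsoft's code. The level RIDs, the
SYSTEM_MANDATORY_LABEL_* policy flags and the GENERIC_* bits are the
documented Windows values; everything else here is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Integrity level RIDs as they appear in mandatory label SIDs (S-1-16-<rid>).
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000
LEVEL_NAMES = {UNTRUSTED: "Untrusted", LOW: "Low", MEDIUM: "Medium",
               HIGH: "High", SYSTEM: "System"}

# Policy flags of the mandatory label ACE (winnt.h SYSTEM_MANDATORY_LABEL_*).
NO_WRITE_UP = 0x1    # lower-integrity subjects may not write the object
NO_READ_UP = 0x2     # lower-integrity subjects may not read the object
NO_EXECUTE_UP = 0x4  # lower-integrity subjects may not execute the object

# Generic access rights (GENERIC_* bits) used by this model.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000


@dataclass
class MandatoryLabelAce:
    """The object integrity level and policy carried in the object's SACL."""
    level: int
    policy: int = NO_WRITE_UP  # the default label policy on most objects


@dataclass
class SecurableObject:
    name: str
    dacl_grants: int                           # rights the DACL grants this user (assumed pre-evaluated)
    label: Optional[MandatoryLabelAce] = None  # None = no mandatory label ACE present


def label_sid(level: int) -> str:
    """Render a level as its mandatory label SID, e.g. Low -> S-1-16-4096."""
    return f"S-1-16-{level}"


def effective_label(obj: SecurableObject) -> MandatoryLabelAce:
    # An object without a mandatory label ACE is treated as Medium with NO_WRITE_UP.
    return obj.label or MandatoryLabelAce(MEDIUM, NO_WRITE_UP)


def mandatory_check(subject_level: int, obj: SecurableObject, desired: int) -> Tuple[int, int]:
    """Return (granted, denied) generic rights for the requested mask.

    The DACL decides what this user may have at all; the mandatory label can
    only take rights away, and only when the subject does not dominate the
    object (subject level strictly lower than the object level).
    """
    label = effective_label(obj)
    granted = obj.dacl_grants & desired
    if subject_level < label.level:
        removed = 0
        if label.policy & NO_WRITE_UP:
            removed |= GENERIC_WRITE
        if label.policy & NO_READ_UP:
            removed |= GENERIC_READ
        if label.policy & NO_EXECUTE_UP:
            removed |= GENERIC_EXECUTE
        granted &= ~removed
    return granted, desired & ~granted


def access_allowed(subject_level: int, obj: SecurableObject, desired: int) -> bool:
    """AccessCheck-style answer: the whole request fails if any right is denied."""
    _, denied = mandatory_check(subject_level, obj, desired)
    return denied == 0


# Constructed sample objects (names are illustrative, not real Windows paths).
USER_DOC = SecurableObject("notes.txt", GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE)
LOW_CACHE = SecurableObject("browser cache", GENERIC_READ | GENERIC_WRITE,
                            MandatoryLabelAce(LOW))
READ_ONLY_DOC = SecurableObject("shared.txt", GENERIC_READ)
PROTECTED_PROC = SecurableObject("process object", GENERIC_READ | GENERIC_WRITE,
                                 MandatoryLabelAce(HIGH, NO_WRITE_UP | NO_READ_UP))

if __name__ == "__main__":
    for subj, obj, want in [(LOW, USER_DOC, GENERIC_READ | GENERIC_WRITE),
                            (LOW, USER_DOC, GENERIC_READ),
                            (HIGH, LOW_CACHE, GENERIC_READ | GENERIC_WRITE),
                            (HIGH, READ_ONLY_DOC, GENERIC_WRITE),
                            (MEDIUM, PROTECTED_PROC, GENERIC_READ)]:
        sid = label_sid(effective_label(obj).level)
        print(f"{LEVEL_NAMES[subj]:9} -> {obj.name:15} ({sid}):",
              "allowed" if access_allowed(subj, obj, want) else "denied")
```

Two points the run makes visible: a Low subject keeps read access to a Medium user document but loses write access (the default NO_WRITE_UP policy), and a High subject that reads or writes a Low object is not restricted by the label at all, which is the "no restriction on reading down" behaviour the paper returns to later. The unlabeled `READ_ONLY_DOC` case shows that the label never grants anything the DACL withheld.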

Windows Integrity Mechanism Design Goals

(Design goals of the Windows integrity mechanism)

The Windows integrity mechanism enables a number of important scenarios in Windows Vista. In order to address the requirements, the Windows integrity mechanism's design had to meet the following goals.

    • Integrity levels must be assigned automatically to every security access token during access token creation, so that every process and thread has an effective integrity level for access control.
    • The security subsystem automatically assigns mandatory labels to specific object types.
    • The system must use as few integrity levels as possible, to keep the basic architecture simple to understand and use.
    • Integrity policy must be flexible to meet the access requirements of different object resource managers, and to allow for future extensibility.
    • The integrity mechanism must integrate with the existing security architecture to minimize impact on the large legacy of system and application code that depends on Windows security.
    • There is no requirement for administrators or users to configure integrity levels for the enforcement mechanism to work correctly.

(The Windows integrity mechanism enables some important scenarios in Windows Vista. To address these requirements, the Windows integrity mechanism is designed to meet the following goals:

    • When an access token is created, an integrity level must be automatically assigned to it, so that every process and thread has an effective integrity level for access control.
    • The security subsystem automatically assigns mandatory labels to specific object types.
    • The system must use as few integrity levels as possible, so that the basic security architecture is easy to understand and use.
    • Integrity policies must be flexible enough to meet the access requirements of the resource managers for different object types, and allow future extension.
    • The integrity mechanism must be integrated with the existing security architecture to minimize the impact on the large body of system and application code that depends on Windows security.
    • Windows administrators or users do not need to take any additional action for the integrity mechanism to work correctly.)

The Windows integrity mechanism meets these goals by defining a new mandatory label ACE type for assigning an integrity level to objects. Details of this structure are described in later sections of this paper. Notably, the mandatory label ACE defines an object integrity level without changes to the existing security descriptor data structure definition or to the commonly used discretionary access control list.

The Windows integrity mechanism is based on a mandatory label that the operating system assigns in order to differentiate it from discretionary access under user control. Discretionary access control allows the object owner, or a group that is granted permission, to change the object's access permissions. Windows provides a graphical user interface (UI) for advanced users to view and modify the security permissions (represented by the discretionary ACLs) on objects, such as files and registry keys. Mandatory labels are always assigned to specific objects, and there are controls on how the object creator can set or initialize the label on object creation. No graphical UI for managing integrity labels was implemented for Windows Vista because label management is available or necessary for relatively few areas.

Why is there a Windows integrity mechanism?

The purpose of the Windows integrity mechanism is to restrict the access permissions of applications that are running under the same user account and that are less trustworthy. Unknown, potentially malicious code that is downloaded from the Internet must be prevented from modifying system state, changing user data files, or manipulating the behavior of other application programs. The Windows security subsystem assigns a simple hierarchy of integrity levels to code running at different privilege levels for the same user. Previous versions of Windows can adjust the security access token privileges of an application process, although such adjustment is not common. Before Windows Vista, most applications ran using an administrative account with full Administrator rights. Windows Vista incorporates the concept of least privilege by enabling broader use of standard user accounts. User Account Control (UAC) in Admin Approval Mode for administrator accounts means that multiple applications on the same desktop are running with different privilege levels. For example, Protected Mode Internet Explorer uses the integrity mechanism to run the Web browser in a process with limited access permissions.

The primary security problem that the Windows integrity mechanism addresses is unauthorized tampering with user data and, indirectly, with the system state. A secondary problem the integrity mechanism helps with is information disclosure. However, information disclosure is prevented only with respect to access to process address space. Information sharing is very common between Windows applications, and convenient information sharing between applications is fundamental to the user experience. One example is copy and paste. Rigid security boundaries on information sharing between applications running under the same user account can severely affect application compatibility and user experience.

Untrustworthy code can try to modify user data in many ways. Some attacks may try to manipulate data directly by creating, modifying, or deleting files. Other attacks target another process running at higher privilege, with the goal of getting arbitrary code to execute in another application that does have the required level of access. There are many types of cross-process attacks. Because of the wide range of application design and implementation, the integrity mechanism cannot provide a complete isolation barrier. The Windows integrity mechanism is not intended as an application sandbox. However, it can be one of the security tools that application developers use to restrict the behavior of less trustworthy applications.

Windows Vista integrity mechanism and earlier integrity models

Some traits of the Windows integrity mechanism are similar to earlier integrity models for computer security. However, the Windows integrity mechanism is designed primarily to address tampering or elevation of privilege in the highly collaborative Windows application environment. Previous integrity models were more concerned with maintaining the integrity of trustworthy processes by enforcing policies that prevent the reading of untrusted data.

The Biba security model is based on a hierarchy of integrity labels and the access policies that are allowed when a subject integrity level dominates the object integrity level. The Windows integrity mechanism resembles the Biba model in the following ways:

    • It uses a hierarchy of integrity labels (integrity labels are not the same as security labels in the Bell-LaPadula model).
    • The system uses a set of ordered subjects, objects, and integrity levels.
    • The subject's integrity level dominates (is greater than or equal to) the object's integrity level.
    • Integrity policies inhibit access to objects but are not used primarily to limit the flow of information.
    • Preventing information disclosure is not a goal of the integrity mechanism in Windows Vista.

The Windows integrity levels are ordered so that a lower value indicates less trustworthiness, and a higher value indicates greater trustworthiness. A lower-level subject cannot modify a higher-level object. The subject's integrity level is not dynamic. For example, the integrity level of a subject does not change to a lower value if the process reads data from a low-integrity object. The strict integrity model in Biba does not allow a higher-integrity process to read lower-integrity data. This is sometimes called a "no-read-down" integrity policy. The Windows integrity policies, which are described in more detail below, do not inhibit or prevent higher-integrity subjects from reading or executing lower-integrity objects. There are many examples of attacks where reading malformed, untrusted input data results in an exploit of a vulnerability in an application and arbitrary code execution. The Windows integrity mechanism does not inhibit or prevent reading data at any level. Windows does not enforce the strict integrity policy described in the Biba model. The integrity design assumes that processes designed to handle untrusted data from an unknown or untrusted source are running at a lower integrity level, or that untrusted data is verified before use. However, the Windows integrity mechanism does not enforce that constraint.

The Windows integrity mechanism does not implement a dynamic, or "low-water-mark," policy. A dynamic policy changes the integrity level of the subject as the subject opens lower-integrity objects. An issue with dynamic integrity arises when a high-integrity process obtains open handles to many high-integrity objects, and then suddenly becomes a lower-integrity subject after it opens a particular low-integrity file. Forcing all open handles to higher-integrity objects to close when the integrity level changes significantly affects the application's behavior. The dynamically lowered process itself also becomes a target object of other processes at the lower integrity level. Such processes might now be able to modify the behavior of the application (at the same lower level) that has open handles to higher-integrity objects.
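The two problems with a low-water-mark policy that the paragraph above describes (revoked handles and exposure to lower-level peers) can be replayed in a small simulation. The following Python is an added example, not code from the original paper: the same High subject opens a High object, then reads a Low file, once under the static Windows policy and once under a low-water-mark policy. The level values match the Windows RIDs; the subject, object names and method names are constructed for the illustration.

```python
"""Static subject integrity (Windows) versus a low-water-mark policy.

Added illustration, not code from the original paper or from Windows.
Level values are the Windows RIDs; everything else is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LOW, MEDIUM, HIGH = 0x1000, 0x2000, 0x3000
NAME = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}


@dataclass
class Subject:
    name: str
    level: int
    low_water_mark: bool                       # True = dynamic policy, False = Windows (static)
    handles: Dict[str, int] = field(default_factory=dict)  # object name -> object level
    events: List[str] = field(default_factory=list)

    def open_for_read(self, obj: str, obj_level: int) -> None:
        """Reading is allowed at any level under both policies (no "no-read-down")."""
        self.handles[obj] = obj_level
        if self.low_water_mark and obj_level < self.level:
            self.level = obj_level
            # Handles to objects the subject no longer dominates must be closed.
            revoked = [o for o, lvl in self.handles.items() if lvl > self.level]
            for o in revoked:
                del self.handles[o]
            self.events.append(f"level lowered to {NAME[self.level]}, revoked {revoked}")

    def write_through_handle(self, obj: str) -> bool:
        """A write succeeds only if the handle survived and no-write-up still holds."""
        return obj in self.handles and self.level >= self.handles[obj]

    def writable_by(self, other_level: int) -> bool:
        """Would a subject at other_level dominate this process's own object level?"""
        return other_level >= self.level


def run_scenario(low_water_mark: bool) -> dict:
    """Replay the paper's scenario and report what the policy did to the subject."""
    editor = Subject("editor", HIGH, low_water_mark)
    editor.open_for_read("settings.dat", HIGH)   # a High object it needs to update later
    editor.open_for_read("download.tmp", LOW)    # untrusted input from a Low location
    return {
        "final_level": NAME[editor.level],
        "settings_write_ok": editor.write_through_handle("settings.dat"),
        "exposed_to_low_peers": editor.writable_by(LOW),
        "events": editor.events,
    }


if __name__ == "__main__":
    print("Windows (static):", run_scenario(False))
    print("Low-water-mark:  ", run_scenario(True))
```

Under the static policy the subject stays High, keeps its handle and remains out of reach of Low subjects; under the low-water-mark policy one read of untrusted data sinks it to Low, its handle to `settings.dat` is revoked, and it now sits at the level where Low subjects dominate it. That is exactly the trade-off the paper uses to justify a fixed subject level.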

The Windows integrity mechanism is not designed for integrity protection of data to support military or commercial requirements as described in the Clark-Wilson model. The Windows implementation of integrity controls does not build on the concepts of constrained or unconstrained data items and certified transformation procedures. However, these concepts are useful for application designers when they consider information flow from untrusted sources into higher-integrity processes.

Although the Windows integrity mechanism is similar to earlier integrity models in computer security, Windows Vista does not try to implement any of the models. Instead, the Windows integrity mechanism limits the access permissions that are available to processes running with different privilege or trust levels. For more information about earlier work on integrity models by Biba and Clark-Wilson and dynamic integrity policies, see Windows Integrity Mechanism Resources.
