What is the Windows Integrity Mechanism?(什麼是Windows完整性機制)

標籤：component   強制   sts   desc   組成   bit   不同類   bsp   msdn   

The Windows integrity mechanism is a core component of the Windows security architecture that restricts the access permissions of applications that are running under the same user account and that are less trustworthy.

（Windows完整性機制是Windows安全體系的核心組件，它限制了在同一使用者賬戶下低信任值的應用程式的訪問。）

The Windows Vista? integrity mechanism extends the security architecture of the operating system by assigning an integrity level to application processes and securable objects.

（WindowsVista完整性機制通過給應用程式進程和安全性實體分配完整性層級，延伸了作業系統的安全體系。）

The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs).

（完整性層級是正在啟動並執行進程和對象的信任值的代表，比如應用程式建立的檔案。完整性機制提供了資源管理者的能力，比如檔案系統，根據預先設定的策略，組織低完整層級的進程或者低信用值的進程讀取或者修改高完整性層級的對象。完整性機制使得Windows安全模型強制執行新的存取控制行為，限制ACL中無法根據授權使用者或者組的存取控制。）

（ACL是強制存取控制中的BLP模型，完整性層級就是強制存取控制中的BIBA模型。）

The Windows security architecture is based primarily on granting access rights (read, write, and execute permissions) and privileges to users or groups that are represented internally by security identifiers (SIDs). When a user logs on to Windows, the security subsystem sets the user’s SID and group membership SIDs in a security access token. The security access token is assigned to every application process that is run by that user. Every time the application process opens an object, such as a file or registry key, the resource manager that manages the object calls on the security subsystem to make an access decision. The access check determines the allowed access permissions for this user. The security subsystem (also known as the Security Reference Monitor) compares the user and group SIDs in the access token with the access rights in a security descriptor that is associated with the object. If the user SID is granted full access rights in the object’s ACL, then the application process that user runs has full access to the object. For more information on the Windows security architecture, see Windows Integrity Mechanism Resources.

（Windows安全體系主要基於授權存取權限（讀、寫和允許執行）和內建於SID中的使用者或組的特權。當使用者登入Windows，安全子系統會把使用者和群組成員的SID設定在一個安全存取權杖中。安全存取權杖會被賦予使用者啟動並執行每一個進程。每當進程開啟一個對象，如檔案或者註冊表索引值，負責管理這些對象的資源管理員調用安全子系統來對這次訪問進行決策。訪問檢查決定了使用者的本次訪問是否被允許繼續執行。安全子系統（也被稱為安全引用監控器）將存取權杖中的使用者和組SID與對象的安全性描述元中的存取權限進行比較。如果使用者SID在對象的ACL中被賦予全訪問權，那麼使用者啟動並執行進程將擁有對象的全存取權限。）

Extending the Windows security architecture

The Windows integrity mechanism extends the security architecture by defining a new access control entry (ACE) type to represent an integrity level in an object’s security descriptor. The new ACE represents the object integrity level. An integrity level is also assigned to the security access token when the access token is initialized. The integrity level in the access token represents a subject integrity level. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs an access check. Windows Vista uses the AccessCheck function to determine what access rights are allowed to a securable object. Windows restricts the allowed access rights depending on whether the subject‘s integrity level is higher or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

（Windows完整性機制通過在對象的安全性描述元中定義一個代表完整性層級的ACE來擴充安全體系。新增加的ACE代表了對象的完整性層級。當存取權杖初始化的時候，完整性層級也會分配給存取權杖。存取權杖中的完整性層級代表了主體的完整性層級。當安全參考監視器執行訪問檢查的時候，存取權杖中的完整性層級與安全性描述元中的完整性層級進行比較。Windows Vista使用AccessCheck函數來決定哪些訪問可以被允許訪問對象。Windows根據主體的完整性層級高於或者低於對象的完整性層級，以及根據新增的ACE中的完整性策略標誌位來限制存取權限。安全子系統將完整性層級作為強制性標籤，與ACL中的自主訪問ACE區分出來。）

Windows integrity mechanism design goals

（Windows完整性機制的設計目標）

The Windows integrity mechanism enables a number of important scenarios in Windows Vista. In order to address the requirements, the Windows integrity mechanism‘s design had to meet the following goals.

• Integrity levels must be assigned automatically to every security access token during access token creation, so that every process and thread has an effective integrity level for access control.
• The security subsystem automatically assigns mandatory labels to specific object types.
• The system must use as few integrity levels as possible, to keep the basic architecture simple to understand and use.
• Integrity policy must be flexible to meet the access requirements of different object resource managers, and to allow for future extensibility.
• Integrity mechanism must integrate with existing security architecture to minimize impact to the large legacy of system and application code that depends on Windows security.
• There is no requirement for administrators or users to configure integrity levels for the enforcement mechanism to work correctly.

（Windows完整性機制在Vista中實現了一些重要的情境。為了表達需求，Windows完整性機制的設計不得不滿足以下目標

• 在存取權杖建立的時候，完整性層級必須自動分配給每個存取權杖，這樣每個進程和線程可以擁有一個有效完整層級，實現存取控制
• 安全子系統自動分配強制性標籤給特定的物件類型
• 系統必須使用儘可能少的完整性層級，來保證基本的安全體系便於理解和使用
• 完整性策略必須靈活，來滿足不同類型對象的資源管理員的訪問需求，並且允許以後的擴充
• 完整性機制必須與現存安全體系整合，對於大規模系統和基於Windows安全的代碼的應用程式的影響最小化
• Windows管理員或者使用者不需要其他動作就可以保證完整性機制正確工作）

The Windows integrity mechanism meets these goals by defining a new mandatory label ACE type for assigning an integrity level to objects. Details of this structure are described in a later section of this paper. However, the mandatory label ACE defines an object integrity level without changes to the existing security descriptor data structure definition or to the commonly used discretionary access control list.

The Windows integrity mechanism is based on a mandatory label that the operating system assigns in order to differentiate it from discretionary access under user control. Discretionary access control allows the object owner, or the group that is granted permission, to change the object‘s access permissions. Windows provides a graphical user interface (UI) for advanced users to view and modify the security permissions (represented by the discretionary ACL) on objects, such as files and registry keys. Mandatory labels are always assigned to specific objects, and there are controls on how the object creator can set or initialize the label on object creation. No graphical UI for managing integrity labels was implemented for Windows Vista because label management is available or necessary for relatively few areas.

Why is there a Windows integrity mechanism?

The purpose of the Windows integrity mechanism is to restrict the access permissions of applications that are running under the same user account and that are less trustworthy. Unknown, potentially malicious code that is downloaded from the Internet must be prevented from modifying system state, changing user data files, or manipulating the behavior of other application programs. The Windows security subsystem assigns a simple hierarchy of integrity levels to code running at different privilege levels for the same user. Previous versions of Windows can adjust the security access token privileges of an application process, although such adjustment is not common. Before Windows Vista, most applications ran using an administrative account with full administrator rights. Windows Vista incorporates the concept of least privilege by enabling broader use of standard user accounts. User Account Control (UAC) in Admin Approval Mode for administrator accounts means that multiple applications on the same desktop are running with different privilege levels. For example, Protected Mode Internet Explorer uses the integrity mechanism to run the Web browser in a process with limited access permissions.

The primary security problem that the Windows integrity mechanism addresses is unauthorized tampering with user data and, indirectly, with system state. A secondary problem the integrity mechanism helps with is information disclosure. However, information disclosure is prevented only with respect to access to process address space. Information sharing is very common between Windows applications, and convenient information sharing between applications is fundamental to the user experience. One example is copy and paste. Rigid security boundaries on information sharing between applications running under the same user account can severely affect application compatibility and user experience.

Untrustworthy code can try to modify user data in many ways. Some attacks may try to manipulate data directly by creating, modifying, or deleting files. Other attacks target another process running at higher privilege, with the goal of getting arbitrary code to execute in another application that does have the required level of access. There are many types of cross-process attacks. Because of the wide range of application design and implementation, the integrity mechanism cannot provide a complete isolation barrier. The Windows integrity mechanism is not intended as an application sandbox. However, it can be one of the security tools that application developers use to restrict the behavior of less trustworthy applications.

Windows Vista integrity mechanism and earlier integrity models

Some traits of the Windows integrity mechanism are similar to earlier integrity models for computer security. However, the Windows integrity mechanism is designed primarily to address tampering or elevation of privilege in the highly collaborative Windows application environment. Previous integrity models were more concerned with maintaining integrity of trustworthy processes by enforcing policies that prevent the reading of untrusted data.

The Biba security model is based on a hierarchy of integrity labels and the access policies that are allowed when a subject integrity level dominates the object integrity level. The Windows integrity mechanism resembles the Biba model in the following ways:

• It uses a hierarchy of integrity labels (integrity labels are not the same as security labels in the Bell-LePadula model).
  
• The system uses a set of ordered subjects, objects, and integrity levels.
  
• The subject’s integrity level dominates (is greater than or equal to) the object’s integrity level.
  
• Integrity policies inhibit access to objects but are not used primarily to limit the flow of information.
  
• Preventing information disclosure is not a goal of the integrity mechanism in Windows Vista.
  

The Windows integrity levels are ordered so that a lower value indicates less trustworthiness, and a higher value indicates greater trustworthiness. A lower-level subject cannot modify a higher-level object. The subject’s integrity level is not dynamic. For example, the integrity level of a subject does not change to a lower value if the process reads data from a low-integrity object. The strict integrity model in Biba does not allow a higher-integrity process to read lower-integrity data. This is sometimes called a “no-read-down” integrity policy. The Windows integrity policies, which are described in more detail below, do not inhibit or prevent higher-integrity subjects from reading or executing lower-integrity objects. There are many examples of attacks where reading malformed, untrusted input data results in an exploit of a vulnerability in an application and arbitrary code execution. The Windows integrity mechanism does not inhibit or prevent reading data at any level. Windows does not enforce a strict integrity policy described in the Biba model. The integrity design assumes that processes that are designed to handle untrusted data from an unknown or untrusted source are running at a lower integrity level, or that untrusted data is verified before use. However, the Windows integrity mechanism does not enforce that constraint.

The Windows integrity mechanism does not implement a dynamic, or "Low-Water-Mark," policy. A dynamic policy changes the integrity level of the subject as the subject opens lower-integrity objects. An issue with dynamic integrity is when a high-integrity process obtains open handles to many objects based on high integrity, and then suddenly becomes a lower-integrity subject after it opens a particular low-integrity file. Forcing all open handles to higher-integrity objects to close when the integrity level changes significantly affects the application‘s behavior. The dynamic lower-integrity process itself becomes a target object of other processes at the lower integrity level. Such processes might now be able to modify the behavior of the application (at the same lower level) that has open handles to higher-integrity objects.

The Windows integrity mechanism is not designed for integrity protection of data to support military or commercial requirements as described in the Clark-Wilson model. The Windows implementation of integrity controls does not build on the concepts of Constrained or Unconstrained Data Items and certified Transformation Procedures. However, these concepts are useful for application designers when they consider information flow from untrusted sources into higher-integrity processes.

Although the Windows integrity mechanism is similar to earlier integrity models in computer security, Windows Vista does not try to implement any of the models. Instead, the Windows integrity mechanism limits access permissions that are available to processes running with different privilege or trust levels. For more information about earlier work on integrity models by Biba and Clark-Wilson and dynamic integrity policies, see Windows Integrity Mechanism Resources.

What is the Windows Integrity Mechanism?(什麼是Windows完整性機制)