A Windows Alternative to Linux Security Modules?

Cliffe asks: "I am a PhD candidate preparing to implement a new security (access control) model. I have been reading about Linux's LSM (which allow security frameworks to be loaded) but I was unable to find documentation for a mechanism in MS Windows which allows every individual application's access to resources to be mediated; for example, to restrict each application's access to particular files or network protocols. Is this type of mediation possible in Windows? Virus scanners and firewalls likely utilize similar capabilities. Where can the documentation be found?"

Meditation, you say?

[martinultima]

Well, I know that Amiga has guru meditation or whatever, but... oh, wait, it says mediation, never mind!

Re:Meditation, you say?

Congratulations, that was the lamest joke you've come up with since you were born.

Now -that- one was hilarious. Bet your parents didn't get it, though.

Voila

[packetmon]

Here are some that my help you get started:

User Access Controls

SANS Top 20 (worth reading)

Windows Server 2003 Security Guide

Overview of the Windows 2003 Server

You can migrate some of the administrative tools under Windows 2003 SMB server over to XP. But I'm under the assumption you're looking at things from a server perspective. As for firewalls, etc., you have to define if you want a true firewall as opposed to relying on Windows' shabby firewall. If so then I suggest you take a look at Juniper's Netscreen Elite 5X if you're a small business. I mention this instead of Checkpoint or others since I have used many and my best recommendation would be the Netscreen. This comes via way of having to migrate a slew of Checkpoint's along with Rainwall for management to Netscreen. Things were so shoddy with Checkpoint's IPSO, even Checkpoint wouldn't support the financial institute I was doing work for. This forced us to rethink our tools and after months worth of tiger team testing, we went with Juniper.

Re:Voila

[Eric+Smith]

I didn't find anything in the referenced pages that suggests that Windows has any inherent capability to restrict access to resources by application. This is different than restricting access by user, which has been supported since NT 3.1.

Re:Voila

[NutscrapeSucks]

Supposedly in Vista. I can't find any real technical info, but here's the marketing blurb:
http://www.microsoft.com/technet/windowsvista/eval uate/feat/secfeat.mspx#EHF

Re:Voila

[packetmon]

You apparently don't know much about groups under Windows. You create specific groups for specific resources. Much similar to *nix.

Re:Voila

[Eric+Smith]

Sure, but AFAIK that doesn't help me when I want user Joe to be able to access network drive \\foo\bar from Word but the same user Joe to NOT be able to access \\foo\bar from Firefox.

Windows groups are somewhat more flexible than Unix (Linux) groups, but they're certainly not a panacea, and they don't solve the OP's problem.

No standard API

[Eric+Smith]

As far as I'm aware, Windows doesn't have any standard API for that. Products like ZoneAlarm restrict access to resources by inserting hooks into the system in a relatively ad-hoc manner. (This is not a criticism of ZoneAlarm.)

Given Microsoft's claims about a strong focus on security in the forthcoming Windows Vista, perhaps it has an interface for security modules of the type you're suggesting.

Re:No standard API

[MustardMan]

I enjoyed having something similar to zone alarm running on my old windows PC - it was reassuring to know every single time an app tried to connect to the interweb.

I'd love to see some similar products for the mac, if anyone has some links. Ideally I'd like to limit certain applications to only be able to write to certain directories, and also be notified whenever someone is trying to do something fishy.

Re:No standard API

LittleSnitch ( http://www.obdev.at/products/littlesnitch/index.ht ml ) is a software firewall.

Re:No standard API

[MustardMan]

I tried little snitch a while back - I found it to be kinda lacking in features. My old software firewall on XP allowed me to set detailed rules per application, allowing an application to contact some addreses, but not others, to connect on certain ports, to only use certain protocols. I'd love to see something like this for the mac.

Re:No standard API

[vjl]

LittleSnitch does *exactly* that. You can have multiple rules for an application [block Firefox from visiting port 80 of microsoft.com, and apple.com, but allow port 80 for all other connections]. It can block UDP and TCP/IP. It has a very simple interface, which might be why you don't think it can do what you want, but trust me, it can. Check the parent for the URL, and download the trial.

/vjl/

well, kind of

[outcast36]

Hey, the .NET framework has an implementation of this. It only works for managed code, and it isn't as granular. (I can't say I'm terribly knowledgable about pluggable security architectures). It's called Code Access Security. I wish you well on your thesis.

Function hooks

[The+MAZZTer]

Some nifty things are possible if you hook functions in the WinAPI (so all calls to that function would go through your function first). Your app could then put whatever restrictions on access it you wanted (you could hook file open functions, registry open functions, etc). Here's an interesting article I found, wasn't the one I was searching for tho: http://www.codeproject.com/system/hooksys.asp Here is an article that shows how to prevent processes from launching: http://www.codeproject.com/system/soviet_protector .asp This might not be precisely what you wanted (a bit hackish compared to what you seem to be looking for) but it would work.

DropMyRights

[WalterGR]

I don't know much at all about the subject, but check out DropMyRights, by Michael Howard, a security guy at Microsoft.

DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context -- that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process...

It's basically sample code, rather than a full solution, but it might give you a starting point.

Also ask Google about the .Net Framework's security model - in particular "code access security." From here:

Code access security uses the location from which executable code is obtained and other information about the identity of code as a primary factor in determining what resources the code should have access to. This information about the identity of an assembly is called evidence... It is the responsibility of the code access security system in the runtime to map this evidence into a set of permissions, which will determine what access this code has to a number of resources such as the registry or the file system.

Cheers.

Re:DropMyRights

[Trepalium]

check out DropMyRights, by Michael Howard, a security guy at Microsoft.

A word of warning about that program. The program works fine so long as you only access things via the dedicated drive letters. As soon as you start accessing files and directories through the administrative UNC shares on the local machine, all the protection DropMyRights gives you is lost. If you run a command prompt with DropMyRights, you may not be able to delete C:\ntldr, but you will be able to delete \\computer\c$\ntldr. All other network operations will also work as if you had not dropped the administrator token. Be very, very careful.

Also ask Google about the .Net Framework's security model - in particular "code access security."

Then make sure you ask someone who has ever tried to use it. The only major use for CAS these days is for Microsoft's answer to Java Web Start - ClickOnce. Most .NET programs never bother trying to use it, because they're installed locally. To make things worse, if your .NET program needs to make use of a native Win32 API (there are plenty of gaps in the .NET framework), you need to request a permission that basically results in full permission.

So innocent...

[r00t]

Tough luck dude. Learn to use and hack Linux. Really, it's quite enjoyable.

Do you insist on Windows? OK...

You will be doing what every anti-virus and copy-protection hack does: you will patch the system call table. Note that it is completely unsafe to undo this without a reboot. There are race conditions that can bluescreen the system if you try.

You can not support Win64. The system call table was hidden. Aw heck, if you're already this hacky and evil, you might as well scan memory to find something that looks like the system call table. Just look for an array of function pointers of the right size and in the right order, bearing in mind that some other hack may have hooked the system calls first.

So, system calls happen, and you track what they do. You'll have to duplicate many OS data structures or make many evil assumptions about the content of kernel memory. Track what each handle refers to, the state of that handle, etc.

See? No problem. Easy as pie. You can contribute to making Windows such a stable OS.

Best steps moving forward

[Vengeful+weenie]

I don't know of any public API.

1. You should talk to your advisor to see if he would have a problem if an NDA is required, since it could affect publishability.
2. You should be checking on the MS oriented technical lists and forums. You're talking about some very deep and complicated types of coding, and your run of the mill programmer or admin is not the best resource.

filesystem filter driver

For files it's relatively easy, just build a filter driver that gets to look at and modify all filesystem requests. You need an IFSKit for that (there's sort of a GNU one at http://branten.se/nt/). I dunno about other calls, grab a copy of the DDK (there is one in the downloadable KMDF) and see what you can find.

Re:Filesystem Filter Driver

[cookd]

THIS IS THE RIGHT ANSWER.

Of course, the moderators will never see it, but hopefully the original poster will.

Re:Filesystem filter driver

[eric2hill]

Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license.

Just so you know, Microsoft dropped the price for the IFS kit from over $1000 to less than $150 including shipping ($25 for shipping a CD... wowza!) a few months ago. You can purchase it online at the IFS kit page. That's a much easier pill to swallow for a PhD investment.

Re:Filesystem Filter Driver

Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license.

It looks like development of installable file systems has been merged into the device driver kit for Windows Vista, which is now called the Windows Driver Kit, so it's no longer necessary to buy the IFS kit.

Re:Filesystem Filter Driver

[nuzak]

> THIS IS THE RIGHT ANSWER.

No it isn't. Or at least it is the right answer for the wrong question. Filesystem controls are completely orthogonal to process permissions. He's not trying to just limit filesystem operations, he's looking at all operations. How is a filesystem driver going to affect whether you can open Port 12345 if your windowstation isn't on some trusted list? Or whether you can impersonate another user only if it's run app XYZ within the last X minutes (think sudo). He's trying to extend process security descriptors, which, as far as I know, is simply not in the design of Windows. Even source licensees like Symantec and Checkpoint have still had to rely on hacking in API hooks.

Not built-in to Windows

[scdeimos]

Windows security is all about restricting access to files and objects with user- and group-oriented Access Control Lists (DACLs and SACLs). When a user/automated-process logs in they are given an authentication token representing their account and group memberships (even their password version/iteration), and that token gets passed around to all processes and threads they touch as tasks proceed. Some processes (such as IIS) run under special LocalSystem/LocalService/NetworkService accounts and are able to impersonate other user accounts before making certain API calls (such as to open a file or directory on behalf of a web-connected user). There's nothing built-in to Windows to limit access based on the applications/processes themselves.

That being said there are some things that do application/process oriented security. ZoneAlarm, for example, is a third party application that sits between the Winsock API and the connected network(s) (it's a Network Filter driver if I recall correctly): it intercepts Winsock create/open socket calls, looks up the caller's process_id and information and then compares that process's information against its own internal access control lists to determine whether or not a socket can be opened for listening or outgoing connections.

The .NET framework also has some application-oriented access controls, but again this is built on top of Windows itself.

Re:Not built-in to Windows

[Vancorps]

Last I checked couldn't you just remove the ability for anything and everything to execute a file? That would give you your control. Furthermore you can disable the ability for SYSTEM to run the process along with NETWORK SERVICE and a few other built in accounts. You could explicitly disable their ability to execute to then an application can only be executed by a specified user. Not quite as granular as something like BlackICE, ZA, Sygate, or any of the other personal firewall devices but it works especially with the ability to script the runas command.

I imagine creating a UI for this would be fairly simple and could be done without any complicated system calls.

Re:Not built-in to Windows

[Beryllium+Sphere(tm)]

HP developed a clever if hackish way to restrict the rights of a Windows application. They wrap the application's shortcut with a RunAs to a restricted account, then they grant the application access to its temp files and they copy into the jail all files the user has implicitly granted access to by using one of the standard file dialogs.

I've got my doubts about how far you can go with that approach (for example, they admitted that network access control was a problem), but consider their approach along with the strange and wonderful things you can do with Windows ACLs.

It's called WINE, and there are other ways

[leonbrooks]

You can then literally apply Linux's security modules to individual Win32 applications -- or to individual instances of the same Win32 application -- by running the Win32 app under WINE.

Or run WINE under a different OS (e.g. OpenBSD) or emulator if you want different security tools.

I've done this with/for a number of customers, & integrating the security manageability with a system which has no viruses or spyware to speak of has saved them each endless damage (and endless payments to recover from that damage).

I've also convinced other developers to make their applications portable -- which has instantly increased their productivity and their market, too, sloughing off obsolete dependencies -- and simply stopped running the users under Windows (or anything from MS). This particular tactic earns you much peace & security in one step.

Filesystem Filter Driver

To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:

http://www.microsoft.com/whdc/driver/filterdrv/def ault.mspx

Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the ifskit to fiter those "fake" filesystems.

Ballsy!

[scott_karana]

This guy sure has a lot of balls asking for (admittedly minor) thesis help on a site his faculty could be reading this very minute. ;)

Re:Ballsy!

[pkphilip]

Well, he is asking a bunch of guys who might just know the answer to his question. That is what research is about in anycase - asking the right questions to the right people. Why should his professors mind?

Nah, LSM is nothing like that

[r00t]

LSM lets you add a whole new security system. If you want to do a full replacement of the regular system, run everything as the same UID. It is upon LSM that SE Linux is built. For some time, there was a machine on the net that would let you ssh in as root. You really did get UID 0, the root account, but SE Linux blocked you from causing damage.

The whole DropMyRights thing is tied to the existing security model. What if you wanted to redefine what the "rights" are? For that you need LSM.

With LSM, you can implement security systems that actively prevent insider spies from emailing out your secrets. You can implement security systems that actively prevent the admin from running stuff from an untrusted source. The submitter probably want to do one of these things.

Re:Nah, LSM is nothing like that

[Foolhardy]

At the source level, technically NT's security subsystem is just one module among many. There is an opaque SECURITY_DESCRIPTOR structure that describes access control on all securable objects, and an opaque token system to confer identities and privileges to a process or thread. Modifying these and making access checks with them are done through opaque functions. If one had the source code for Windows available, it probably would be possible to change the security system quite a bit and recompile; then the only issue would be compatibility and cleanup of code that incorrectly depends on the current implementation. Unfortunately, with only the binaries available, it'd be really hard to make more than small changes since a lot of code depends on at least the size of those structures. However, I would think that patching the standard functions for token management and access checks would make some modest changes feasible. As others have said, if file access is your main focus for security, a filesystem filter is the right choice. It won't work for any other type of object, though.

That said, NT's security model since 2000 is actually quite flexible-- much moreso than Microsoft takes advantage of itself (although this is beginning to change in Vista). With restricted tokens, you can give a process an intersection of authority, like between a person's authority and an application's. For example, you could give your e-mail client only the access that you have personally AND that e-mail applications have (such as mailbox directories).

Software restriction policies can be used to create a white or blacklist of allowed binaries, either by path, hash or signature. One thing I've done for clients in the past is to prevent execution for any binaries (regardless of permissions assigned to the files) in their own profile and possibly any location they can write to. This cuts down on virus attachments a lot, since your own profile is where the files download to by default.

If you're really ambitious, you could create your own environment subsystem whose processes have no security identity (and so are unable to open objects directly), using your own server process to proxy all authorization requests however you want, thus avoiding the kernel's security mechanisms.

In closing, I'm afraid NT was never designed to have a pluggable authorization system. LSA does support pluggable authentication packages, though.

that is unrelated

[r00t]

Sure, you can create groups. You can do ACLs. You can assign privs.

None of this gets you a way to plug in a whole new security concept. Suppose that the OS did not support ACLs, but you wanted to add support. That's something that LSM would let you do.

good luck with it!

[proudhawk]

I certainly wish you the best of luck with it.
given the design of the windows core (kernel*) I am not
sure this can be implemented without a significant redesign. :(

Linux is pretty good at this, as is the NSA offering
(called SELinux). OpenBSD is far superior in this aspect.

there is one additional problems: M$ might decide to
"co-opt" your work on you if they like what it does. best
to be cautious with a shark like that.

Re:good luck with it!

[r00t]

OpenBSD is nothing in this aspect.

Perhaps FreeBSD has the needed hooks. They have been showing interest in stuff like SE Linux. OpenBSD has shown no interest.

LSM is the set of hooks that supports SE Linux. In other words, he wants to write something which makes security decisions similar to the ones that SE Linux makes. He needs the hooks.

You'd need to create a user for each process

[Myria]

To separate out like this, you'd need to have each program run as a different user, and not give that user any rights.

You can't run them as the normal user. Even if you remove all the privileges, it is still the same user SID (Windows's UID). By default, a process's ACL allows debug access for the same user. That is, if program A and program B run as the same SID, then by default process A can manipulate process B and vice versa. Thus, if you did this, the program could do NtWriteVirtualMemory on any other non-sandboxed process to inject code.

Windows Vista can separate users' processes into the normal and elevated security processes, but it does nothing to stop processes at the same level from manipulating each other.

Don't see it as a security flaw that Windows does this. It is simply following the access control list. (It's not just the ACL that matters. An owner of a kernel object may set the ACL regardless of the ACL, so as long as the owner SID remains the same the processes can manipulate one another.)

Melissa

Re:You'd need to create a user for each process

[Watson+Ladd]

Yes it is a flaw. It prevents me from making a secure setuid program if I understand correctly, as the person running it can probe its memory at will. So now I need to use a server and client.

Re:You'd need to create a user for each process

[Myria]

No, for a setuid program (Windows's "Run As"), the new application runs as a different user than the person using it. This works.

Melissa

Filesystem filter driver

[rtechie]

A AC posted this earlier and it deserves a repost since it's the best answer I've heard so far.

To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:

http://www.microsoft.com/whdc/driver/filterdrv/def ault.mspx

Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the ifskit to fiter those "fake" filesystems.

MS Windows Internals, 4th Ed.

[vonsneerderhooten]

This book is awesome, takes you down into the deep caverns of hell that are the MS WinNT based OS.

Chapter 8 deals with security, and offers the following juicy nugget:

Security reference monitor

A component in the Windows Executive(\windows\system32\ntoskrnl.exe) that is responsible for defining the access token data structure to represent a security context, performing the security access checks on objects, manipulating privelages[...], and generating any resulting security audit messages.

Among others. This comes from a sections called security system components. There's about 40 pages to the security chapter and they take you from authentication checks(user enters password) to actually observing the OS change a privelage. I highly recommend this book, it goes really deep into the underlying archetecture of Windows; farther than many would care to go.For those that missed it, it's
MS Windows Internals, 4th Ed., Mark E. Rissinivich and David A. Solomon, ISBN# 0-7336-1917-4

Ask tzuk at sandboxie dot com

[jspraul]

His working implementation is available at http://www.sandboxie.com/

Maybe he'd tell you in exchange for a redesign of his site.

Simplest Windows security measure

[AmiMoJo]

You know how, when you download a file with IE and try to open it on XP SP2, it asks you if you are sure because it's an unsigned executable every time? If you could just enable that for every executable by default, it would be almost impossible for a virus to get in. If you made it impossible for non-admin users to allow unsigned code, you would instantly improve security massively.

But I don't think it's possible in Windows.

Re:Simplest Windows security measure

[Thundersnatch]

Mandatory code signing has been built-in to Windows since 2001 (with the release of XP).

I use this for some of my locked-down client machines, and it works pretty much as advertised. However, maintaining the list of allowed executables is a pain. Most 3rd-party windows developers neglect to sign their code, so you have to do a lot of manual entry of hashes. There are 3rd party management tools and scripting which can be used to overcome these problems.

Core Force

[Chisara]

http://force.coresecurity.com/ TCP/IP, File and Registery ACL's

Not a direct answer but...

[bourne]

Cisco Security Agent is a close analog to the sort of comprehensive kernel security hooking that something like LIDS does on Linux. If you can do some research to determine how they're doing it, that'll be a start. They hook all sorts of things, from file and network opens to attempts to sniff keystrokes and executing dynamically modified memory.

Make Windows more secure than Linux

[nacturation]

Core Force is just such an application. From the about page:

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

Basically, the way it works by default is much like ZoneAlarm. If an application hasn't been configured, you get an alert saying "XYZ.exe is trying to access 87.65.43.21... allow/deny?" And you have the option to add it as a permanent rule. Unlike ZoneAlarm, however, it's not an all-or-nothing option. You can choose to allow only outbound port 80 traffic to 12.34.56.0/24 from source port 10431 with certain TCP flags and on the 2nd network interface if you choose.

This also applies to the filesystem. Grant read/write/execute access anywhere from an entire drive, to directories, down to the individual file level. Choose whether or not permissions propogate to child files/directories. Ditto for the registry. As the about page describes, it's a powerful firewall for not just tcp/ip, but also for the filesystem and the registry.

I ran Core Force on my old machine and it was really interesting to watch just how many times Windows phones home. After a while, I just setup default deny rules for all Microsoft IP addresses. But damn if there wasn't a ton of background communication going on for all sorts of applications. It takes a while to get the configuration right and for trusted applications that you don't want to go through the hassle of configuration everything in minute detail (eg: games where you don't want to have a popup right in the middle of fragging someone), you can just assign it full rights to the system as if you're running without Core Force.

Cisco Security Agent is a pile of crap

[Myria]

They force us to use this at work. It frequently denies access without asking the user or notifying the user. If we don't disable CSA first, we can't use any Perl script that does system() because CSA will silently deny access. The network admins can't figure out how to get Perl special-cased.

Also, much of its hooking can be bypassed by someone who knows the NT API. Many of their hooks are patches to ntdll.dll in each process's memory that can easily be bypassed.

The main "security" of CSA comes from the fact that not many trojan writers have it. If they had it and designed their trojans with it in mind, they'd run circles around it. >_<

Melissa

Re:Cisco Security Agent is a pile of crap

[bourne]

I'm sorry your admins don't know how to administer it.

I might go even further and pontificate upon the idiocy of attempting to lock developer's systems down, but I'd hate to cause you to vent any more of your spleen.

Quick Question

[biglig2]

Do we all get a PHd as well if we help you? If so, can you please provide details of the institution issuing the doctorate - I want to make sure that I don't get a bad school added to my CV.

Core Force

[schweini]

i just read about CORE FORCE in some other discussion, and this might be what you are looking for.

From their site:

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

VMS

[booch]

Interesting. If I recall, VMS has a security model in which applications had rights along with users. Kind of like setuid, but granular. I believe that a process's rights were the combination of the rights of the user and of the application.

Windows NT was designed and implemented by the main VMS designer. A lot of the low-level kernel stuff is quite similar. But I don't think this feature made it across in any way.

Linux or Windows..

[ZCliffe]

Thank you all for your advice,

Ideally I would like to implement my access control / application confinement model on both Linux and Windows. Unfortunately time will most probably prevent that (at least during my current studies). Currently I am considering various implementation options.

Linux seams to be the natural choice: it has frameworks that are unlikely to drastically change any time soon, most access control and application confinement research is conducted on Linux, and ideally I would like to contribute open source to the Linux community.

On the other hand Windows may need improved security more than Linux: both models would benefit from improvements but Windows is used by many more people and thus the advantages would benefit more people right away. Also it is currently unknown if Vista will implement mediation of security differently and that may set back my implementation efforts.

Thanks again to everyone who replied. Slashdot really is a great place.

Cliffe.