Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Windows Alternative to Linux Security Modules?

Posted by ryuzaki0 on from the finely-grained-security dept.

Cliffe asks: "I am a PhD candidate preparing to implement a new security (access control) model. I have been reading about Linux's LSM (which allow security frameworks to be loaded) but I was unable to find documentation for a mechanism in MS Windows which allows every individual application's access to resources to be mediated; for example, to restrict each application's access to particular files or network protocols. Is this type of mediation possible in Windows? Virus scanners and firewalls likely utilize similar capabilities. Where can the documentation be found?"

9 of 54 comments (clear)

  1. Re:Voila by Eric+Smith · · Score: 2, Informative

    I didn't find anything in the referenced pages that suggests that Windows has any inherent capability to restrict access to resources by application. This is different than restricting access by user, which has been supported since NT 3.1.

  2. well, kind of by outcast36 · · Score: 3, Informative

    Hey, the .NET framework has an implementation of this. It only works for managed code, and it isn't as granular. (I can't say I'm terribly knowledgable about pluggable security architectures). It's called Code Access Security. I wish you well on your thesis.

    --
    Technology Consulting & Free Downloads
  3. So innocent... by r00t · · Score: 4, Informative

    Tough luck dude. Learn to use and hack Linux. Really, it's quite enjoyable.

    Do you insist on Windows? OK...

    You will be doing what every anti-virus and copy-protection hack does: you will patch the system call table. Note that it is completely unsafe to undo this without a reboot. There are race conditions that can bluescreen the system if you try.

    You can not support Win64. The system call table was hidden. Aw heck, if you're already this hacky and evil, you might as well scan memory to find something that looks like the system call table. Just look for an array of function pointers of the right size and in the right order, bearing in mind that some other hack may have hooked the system calls first.

    So, system calls happen, and you track what they do. You'll have to duplicate many OS data structures or make many evil assumptions about the content of kernel memory. Track what each handle refers to, the state of that handle, etc.

    See? No problem. Easy as pie. You can contribute to making Windows such a stable OS.

  4. Re:Voila by NutscrapeSucks · · Score: 2, Informative

    Supposedly in Vista. I can't find any real technical info, but here's the marketing blurb:
    http://www.microsoft.com/technet/windowsvista/eval uate/feat/secfeat.mspx#EHF

    --
    Whenever I hear the word 'Innovation', I reach for my pistol.
  5. filesystem filter driver by Anonymous Coward · · Score: 4, Informative

    For files it's relatively easy, just build a filter driver that gets to look at and modify all filesystem requests. You need an IFSKit for that (there's sort of a GNU one at http://branten.se/nt/). I dunno about other calls, grab a copy of the DDK (there is one in the downloadable KMDF) and see what you can find.

  6. Re:Not built-in to Windows by Beryllium+Sphere(tm) · · Score: 2, Informative

    HP developed a clever if hackish way to restrict the rights of a Windows application. They wrap the application's shortcut with a RunAs to a restricted account, then they grant the application access to its temp files and they copy into the jail all files the user has implicitly granted access to by using one of the standard file dialogs.

    I've got my doubts about how far you can go with that approach (for example, they admitted that network access control was a problem), but consider their approach along with the strange and wonderful things you can do with Windows ACLs.

  7. Filesystem Filter Driver by Anonymous Coward · · Score: 5, Informative

    To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:

    http://www.microsoft.com/whdc/driver/filterdrv/def ault.mspx

    Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the ifskit to fiter those "fake" filesystems.

  8. Nah, LSM is nothing like that by r00t · · Score: 2, Informative

    LSM lets you add a whole new security system. If you want to do a full replacement of the regular system, run everything as the same UID. It is upon LSM that SE Linux is built. For some time, there was a machine on the net that would let you ssh in as root. You really did get UID 0, the root account, but SE Linux blocked you from causing damage.

    The whole DropMyRights thing is tied to the existing security model. What if you wanted to redefine what the "rights" are? For that you need LSM.

    With LSM, you can implement security systems that actively prevent insider spies from emailing out your secrets. You can implement security systems that actively prevent the admin from running stuff from an untrusted source. The submitter probably want to do one of these things.

  9. Ask tzuk at sandboxie dot com by jspraul · · Score: 3, Informative

    His working implementation is available at http://www.sandboxie.com/

    Maybe he'd tell you in exchange for a redesign of his site.