Slashdot Mirror


A Windows Alternative to Linux Security Modules?

Cliffe asks: "I am a PhD candidate preparing to implement a new security (access control) model. I have been reading about Linux's LSM (which allow security frameworks to be loaded) but I was unable to find documentation for a mechanism in MS Windows which allows every individual application's access to resources to be mediated; for example, to restrict each application's access to particular files or network protocols. Is this type of mediation possible in Windows? Virus scanners and firewalls likely utilize similar capabilities. Where can the documentation be found?"

16 of 54 comments

  1. Voila by packetmon · · Score: 2, Interesting
    Here are some that may help you get started:

    User Access Controls

    SANS Top 20 (worth reading)

    Windows Server 2003 Security Guide

    Overview of the Windows 2003 Server

    You can migrate some of the administrative tools under Windows 2003 SMB server over to XP. But I'm under the assumption you're looking at things from a server perspective. As for firewalls, etc., you have to define if you want a true firewall as opposed to relying on Windows' shabby firewall. If so then I suggest you take a look at Juniper's Netscreen Elite 5X if you're a small business. I mention this instead of Checkpoint or others since I have used many and my best recommendation would be the Netscreen. This comes via way of having to migrate a slew of Checkpoints along with Rainwall for management to Netscreen. Things were so shoddy with Checkpoint's IPSO, even Checkpoint wouldn't support the financial institute I was doing work for. This forced us to rethink our tools and after months worth of tiger team testing, we went with Juniper.

    1. Re:Voila by Eric+Smith · · Score: 2, Informative

      I didn't find anything in the referenced pages that suggests that Windows has any inherent capability to restrict access to resources by application. This is different than restricting access by user, which has been supported since NT 3.1.

    2. Re:Voila by NutscrapeSucks · · Score: 2, Informative

      Supposedly in Vista. I can't find any real technical info, but here's the marketing blurb:
      http://www.microsoft.com/technet/windowsvista/evaluate/feat/secfeat.mspx#EHF

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
  2. well, kind of by outcast36 · · Score: 3, Informative

    Hey, the .NET framework has an implementation of this. It only works for managed code, and it isn't as granular. (I can't say I'm terribly knowledgeable about pluggable security architectures). It's called Code Access Security. I wish you well on your thesis.

  3. DropMyRights by WalterGR · · Score: 2, Interesting

    I don't know much at all about the subject, but check out DropMyRights, by Michael Howard, a security guy at Microsoft.

    DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context -- that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process...

    It's basically sample code, rather than a full solution, but it might give you a starting point.

    Also ask Google about the .Net Framework's security model - in particular "code access security." From here:

    Code access security uses the location from which executable code is obtained and other information about the identity of code as a primary factor in determining what resources the code should have access to. This information about the identity of an assembly is called evidence... It is the responsibility of the code access security system in the runtime to map this evidence into a set of permissions, which will determine what access this code has to a number of resources such as the registry or the file system.

    Cheers.

  4. So innocent... by r00t · · Score: 4, Informative

    Tough luck dude. Learn to use and hack Linux. Really, it's quite enjoyable.

    Do you insist on Windows? OK...

    You will be doing what every anti-virus and copy-protection hack does: you will patch the system call table. Note that it is completely unsafe to undo this without a reboot. There are race conditions that can bluescreen the system if you try.

    You can not support Win64. The system call table was hidden. Aw heck, if you're already this hacky and evil, you might as well scan memory to find something that looks like the system call table. Just look for an array of function pointers of the right size and in the right order, bearing in mind that some other hack may have hooked the system calls first.

    So, system calls happen, and you track what they do. You'll have to duplicate many OS data structures or make many evil assumptions about the content of kernel memory. Track what each handle refers to, the state of that handle, etc.

    See? No problem. Easy as pie. You can contribute to making Windows such a stable OS.

  5. filesystem filter driver by Anonymous Coward · · Score: 4, Informative

    For files it's relatively easy, just build a filter driver that gets to look at and modify all filesystem requests. You need an IFSKit for that (there's sort of a GNU one at http://branten.se/nt/). I dunno about other calls, grab a copy of the DDK (there is one in the downloadable KMDF) and see what you can find.

    1. Re:Filesystem Filter Driver by nuzak · · Score: 2, Interesting

      > THIS IS THE RIGHT ANSWER.

      No it isn't. Or at least it is the right answer for the wrong question. Filesystem controls are completely orthogonal to process permissions. He's not trying to just limit filesystem operations, he's looking at all operations. How is a filesystem driver going to affect whether you can open Port 12345 if your windowstation isn't on some trusted list? Or whether you can impersonate another user only if it's run app XYZ within the last X minutes (think sudo). He's trying to extend process security descriptors, which, as far as I know, is simply not in the design of Windows. Even source licensees like Symantec and Checkpoint have still had to rely on hacking in API hooks.

      --
      Done with slashdot, done with nerds, getting a life.
  6. Re:Not built-in to Windows by Beryllium+Sphere(tm) · · Score: 2, Informative

    HP developed a clever if hackish way to restrict the rights of a Windows application. They wrap the application's shortcut with a RunAs to a restricted account, then they grant the application access to its temp files and they copy into the jail all files the user has implicitly granted access to by using one of the standard file dialogs.

    I've got my doubts about how far you can go with that approach (for example, they admitted that network access control was a problem), but consider their approach along with the strange and wonderful things you can do with Windows ACLs.
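
The HP jail pattern described above, as an added Windows PowerShell example that is not HP's tooling: a dedicated non-admin account, a directory only that account can write, the user-picked files copied in, and the app launched with RunAs-style credentials. All names (AppJail, C:\Jail\MyApp, myapp.exe) are constructed; it assumes Windows 10/Server 2016 or later for the LocalAccounts cmdlets and an administrative shell for the setup function.

```powershell
# Added example; constructed account, directory and application names.
$JailUser = 'AppJail'
$JailDir  = 'C:\Jail\MyApp'
$App      = 'C:\Program Files\MyApp\myapp.exe'

function New-AppJail {
  param([Parameter(Mandatory)][securestring]$Password)
  # 1. A dedicated account: a plain member of Users, never of Administrators.
  if (-not (Get-LocalUser -Name $JailUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $JailUser -Password $Password -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
  }
  # 2. The jail directory: drop inherited ACEs so only the jail account (Modify) and
  #    Administrators (Full) remain. The account is an ordinary user everywhere else,
  #    so it reads what Users can read but writes only here and in its own profile.
  New-Item -ItemType Directory -Path $JailDir -Force | Out-Null
  icacls $JailDir /inheritance:r /grant:r "${JailUser}:(OI)(CI)M" 'Administrators:(OI)(CI)F' | Out-Null
}

function Start-JailedApp {
  param([Parameter(Mandatory)][securestring]$Password, [string[]]$UserChosenFiles = @())
  # 3. The "file dialog" step: only files the user explicitly picked are copied into
  #    the jail, so the app needs no rights on the user's real documents.
  foreach ($f in $UserChosenFiles) { Copy-Item -LiteralPath $f -Destination $JailDir }
  # 4. RunAs the restricted account. Its own profile gives it a private %TEMP%, which
  #    covers the "temp files" grant; the working directory keeps relative paths inside.
  $cred = New-Object System.Management.Automation.PSCredential($JailUser, $Password)
  Start-Process -FilePath $App -WorkingDirectory $JailDir -Credential $cred
}

# Setup once, then the wrapped shortcut would run the second call:
#   $pw = Read-Host -AsSecureString 'AppJail password'; New-AppJail -Password $pw
#   Start-JailedApp -Password $pw -UserChosenFiles 'C:\Users\alice\Documents\report.docx'
```

As the post notes, this limits the filesystem side only; nothing here constrains the account's network access, and the app can still read anything the Users group can read.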

  7. It's called WINE, and there are other ways by leonbrooks · · Score: 3, Interesting

    You can then literally apply Linux's security modules to individual Win32 applications -- or to individual instances of the same Win32 application -- by running the Win32 app under WINE.

    Or run WINE under a different OS (e.g. OpenBSD) or emulator if you want different security tools.

    I've done this with/for a number of customers, & integrating the security manageability with a system which has no viruses or spyware to speak of has saved them each endless damage (and endless payments to recover from that damage).

    I've also convinced other developers to make their applications portable -- which has instantly increased their productivity and their market, too, sloughing off obsolete dependencies -- and simply stopped running the users under Windows (or anything from MS). This particular tactic earns you much peace & security in one step.

    --
    Got time? Spend some of it coding or testing
  8. Filesystem Filter Driver by Anonymous Coward · · Score: 5, Informative

    To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:

    http://www.microsoft.com/whdc/driver/filterdrv/default.mspx

    Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the IFSKit to filter those "fake" filesystems.

  9. Ballsy! by scott_karana · · Score: 2, Interesting

    This guy sure has a lot of balls asking for (admittedly minor) thesis help on a site his faculty could be reading this very minute. ;)

  10. Nah, LSM is nothing like that by r00t · · Score: 2, Informative

    LSM lets you add a whole new security system. If you want to do a full replacement of the regular system, run everything as the same UID. It is upon LSM that SE Linux is built. For some time, there was a machine on the net that would let you ssh in as root. You really did get UID 0, the root account, but SE Linux blocked you from causing damage.

    The whole DropMyRights thing is tied to the existing security model. What if you wanted to redefine what the "rights" are? For that you need LSM.

    With LSM, you can implement security systems that actively prevent insider spies from emailing out your secrets. You can implement security systems that actively prevent the admin from running stuff from an untrusted source. The submitter probably wants to do one of these things.

  11. that is unrelated by r00t · · Score: 2, Insightful

    Sure, you can create groups. You can do ACLs. You can assign privs.

    None of this gets you a way to plug in a whole new security concept. Suppose that the OS did not support ACLs, but you wanted to add support. That's something that LSM would let you do.

  12. Ask tzuk at sandboxie dot com by jspraul · · Score: 3, Informative

    His working implementation is available at http://www.sandboxie.com/

    Maybe he'd tell you in exchange for a redesign of his site.

  13. Not a direct answer but... by bourne · · Score: 2, Insightful

    Cisco Security Agent is a close analog to the sort of comprehensive kernel security hooking that something like LIDS does on Linux. If you can do some research to determine how they're doing it, that'll be a start. They hook all sorts of things, from file and network opens to attempts to sniff keystrokes and executing dynamically modified memory.