A Windows Alternative to Linux Security Modules?
Cliffe asks: "I am a PhD candidate preparing to implement a new security (access control) model. I have been reading about Linux's LSM (which allow security frameworks to be loaded) but I was unable to find documentation for a mechanism in MS Windows which allows every individual application's access to resources to be mediated; for example, to restrict each application's access to particular files or network protocols. Is this type of mediation possible in Windows? Virus scanners and firewalls likely utilize similar capabilities. Where can the documentation be found?"
Hey, the .NET framework has an implementation of this. It only works for managed code, and it isn't as granular. (I can't say I'm terribly knowledgeable about pluggable security architectures). It's called Code Access Security. I wish you well on your thesis.
Technology Consulting & Free Downloads
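As an added illustration of the Code Access Security mechanism mentioned above (this is example code written for this page, not code from the commenter or from Microsoft), the block below confines one method's file access to a single directory on .NET Framework 2.0 through 4.x. The directory `C:\sandbox` and the two file paths are assumed for the demonstration; `FileIOPermission` requires absolute paths.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example: per-method file mediation with .NET Framework Code Access Security.
// Assumes .NET Framework (CAS is not supported on .NET Core / .NET 5+) and that the
// directory C:\sandbox exists; the file names are placeholders for the demonstration.
static class CasDemo
{
    // Declarative PermitOnly: while this frame is on the stack, the only file permission
    // honoured by any Demand is Read access under C:\sandbox, whatever the process as a
    // whole has been granted. Reads elsewhere fail the stack walk with SecurityException.
    [FileIOPermission(SecurityAction.PermitOnly, Read = @"C:\sandbox")]
    static string ReadConfined(string path)
    {
        // FileStream (created by StreamReader) demands FileIOPermission for 'path'
        // during construction, so the check happens before any bytes are read.
        using (StreamReader reader = new StreamReader(path))
            return reader.ReadLine();
    }

    // Returns true when CAS permitted the access (even if the file turns out not to
    // exist) and false when CAS denied it.
    static bool TryRead(string path)
    {
        try
        {
            ReadConfined(path);
            return true;
        }
        catch (SecurityException)
        {
            return false;   // mediated: outside the PermitOnly set
        }
        catch (IOException)
        {
            return true;    // CAS allowed the open; the file was merely missing or locked
        }
    }

    static void Main()
    {
        Console.WriteLine(TryRead(@"C:\sandbox\app.cfg"));   // True  (inside C:\sandbox)
        Console.WriteLine(TryRead(@"C:\Windows\win.ini"));   // False (SecurityException)
    }
}
```

The caveat a practitioner will want: this is mediation inside a process that cooperates with it. Fully trusted code on the same stack can call `CodeAccessPermission.RevertPermitOnly()` or simply avoid the confined method, so CAS narrows what well-behaved managed code can reach but is not an isolation boundary against hostile code in the same process, which is one reason the poster's observation that it is "not as granular" as a kernel-level mechanism holds.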
Tough luck dude. Learn to use and hack Linux. Really, it's quite enjoyable.
Do you insist on Windows? OK...
You will be doing what every anti-virus and copy-protection hack does: you will patch the system call table. Note that it is completely unsafe to undo this without a reboot. There are race conditions that can bluescreen the system if you try.
You cannot support Win64. The system call table was hidden. Aw heck, if you're already this hacky and evil, you might as well scan memory to find something that looks like the system call table. Just look for an array of function pointers of the right size and in the right order, bearing in mind that some other hack may have hooked the system calls first.
So, system calls happen, and you track what they do. You'll have to duplicate many OS data structures or make many evil assumptions about the content of kernel memory. Track what each handle refers to, the state of that handle, etc.
See? No problem. Easy as pie. You can contribute to making Windows such a stable OS.
For files it's relatively easy, just build a filter driver that gets to look at and modify all filesystem requests. You need an IFSKit for that (there's sort of a GNU one at http://branten.se/nt/). I dunno about other calls, grab a copy of the DDK (there is one in the downloadable KMDF) and see what you can find.
You can then literally apply Linux's security modules to individual Win32 applications -- or to individual instances of the same Win32 application -- by running the Win32 app under WINE.
Or run WINE under a different OS (e.g. OpenBSD) or emulator if you want different security tools.
I've done this with/for a number of customers, & integrating the security manageability with a system which has no viruses or spyware to speak of has saved them each endless damage (and endless payments to recover from that damage).
I've also convinced other developers to make their applications portable -- which has instantly increased their productivity and their market, too, sloughing off obsolete dependencies -- and simply stopped running the users under Windows (or anything from MS). This particular tactic earns you much peace & security in one step.
Got time? Spend some of it coding or testing
To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:
http://www.microsoft.com/whdc/driver/filterdrv/default.mspx
Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the IFSKit to filter those "fake" filesystems.
His working implementation is available at http://www.sandboxie.com/
Maybe he'd tell you in exchange for a redesign of his site.