Coding Around UAC's Security Limitations

Mariam writes "Free software developers from the non-profit NeoSmart Technologies have published a report detailing their experience with coding around Windows Vista's UAC limitations, including the steps they took to make their software perform system actions without requiring admin approval or UAC elevation. Their conclusion? That Windows Vista's improved security model is nothing more than a series of obstacles that in reality only make it more difficult for honest ISVs to publish working code and not actually providing any true protection from malware authors. Quoting from the post: 'Perhaps most importantly though, is the fact that Windows Vista's newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.'"

Uhm, no not really a UAC work-around ...

The article uses a play out of Microsoft's playbook for Vista compatibility -- break an application that requires admin privileges into two parts: a privileged service and an unprivileged UI. Nothing to see here, move along.

Easy, but it's Not, but it is?

The "bottom line" starts off saying it wasn't easy, took much additional code, and many man hours of work. Then the next paragraph tells you it's "easy to code around".

This is the problem with Blogs. It looks like journalism, but it isn't.

A privileged service is not a "hack."

[w3woody]

So he created a service that runs with the necessary privileges to do what it needs, which communicates with a non-privileged front-end, and which requires privileges to install.

How is this a "hack"?

Perhaps the author of iReboot didn't see the rational for isolating a piece of code that needs to do something privileged and having it install and run in a user account which has sufficient permissions to allow it to run--but from a security standpoint this is no different than in Linux, where privileged code runs in a separate account from the user, and where IPC is used to communicate with that process.

More fud

[ryan_hurst]

So they created a service (daemon) that exposed a interface that had no ACL on it that allowed the caller to perform privliged opperations, they had the administrator (root) install the service and grant it administrative permissions (again, root) and then had a unprivliged application call that interface. Sounds exactly like unix to me, more over short of not having ACLs on the interface, Microsoft has white papers telling folks how to do just this. In fact a CS major would know this as "least-privliged-design" oh-no mr. bill. Only on Slashdot would this qualify as news.

Weird logical disconnect in the article

[Mark+Programmer]

With respect to the iReboot team (who seem to have written a pretty nifty piece of software and certainly know their way around programming), there is so much spin on this article that light passing near it bends.

The "Gory details" portion of the article gives a pretty good explanation of the work they had to do to make iReboot access high-permission OS features via a low-permission client. I have no idea how they got from there to "Any program that UAC blocks from starting up 'for good security reasons' can be coded to work around these limitations with (relative) ease." What they seem to be missing is that there was an installer in the loop---an installer that requires admin privileges. This is exactly the part of the process that UAC is trying to force upon Windows developers!

The most significant problems with the Windows XP security model are as much social as technical. Because the model didn't make it easy to get "serious work" done as a non-administrator, most people are running as administrators most of the time. This creates a whole culture that is very vulnerable to social engineering---simple games are being run at the same permission level as complex drive-recovery utilities and keyboard loggers.

By having people run low-privilege by default and escalating when necessary, the UAC model forces developers to be a little clearer about what their applications are doing (since things that "just worked" in WinXP now require permission in Vista). My understanding is that the way iReboot works now is the way it should always have worked, under the Windows OS model; the fact that it also worked if the user were running as an administrator was a happy accident. How well did the old iReboot work if I wasn't running as an administrator? If the answer is "It didn't," then, well, maybe they were doing it wrong the whole time.

UAC has some problems, but the fact that it puts more work on developers isn't one of them. The work is necessary because it is accounting for a weaker security model from the past. And developers should know that security isn't free.

Re:Where have I heard this before?

[IchBinEinPenguin]

> MSFT has turned a single user OS and tacked on multi user support, and then multi user security. OS X, and every *nix are Multi-user OS's.

False. Windows NT is, and always has been, a multiuser OS.


I've long thought that the single vs multi-user nature of Windows NT and Unix has more to do with user expectations than technical limitations.
Unix users were brought up on multi-user envoronments. root had to do stuff like install system-wide apps, printers etc.
Users never expected to be able to do this, and aplications developers coded knowing these limitations.

Windows users, on the other hand, evolved out of DOS users (please note that I'm talking about users not the underlying codebase). DOS users have always had unrestricted access to their system, and this expectation was inherited by modern-day Windows users.
Equally importantly, application programmers did not code with these limitations in mind.

What you end up with is a platform that's technically perfectly capable of being multi-user, but hamstrung by user expecteations and badly designed applicaitions.

Re:Where have I heard this before?

[Dolda2000]

False. Windows NT is, and always has been, a multiuser OS. Indeed -- the NT kernel is, and always has been, a multiuser kernel. That does not, however, make Windows a multiuser operating system, if I may say so. I, too, would think that the GP doesn't really know what he's talking about, but when put into another perspective, his argument that "multiuser support has been tacked onto Windows" isn't unfair in any way.

If Microsoft had indeed taken the NT kernel and built a sensible operating system above it, it would have been a multiuser system, but they didn't. Instead, they took the entire DOS and Windows 3.x world and put the NT kernel underneath it. Technically speaking, they rather tacked a single-user mindset and framework on top a multiuser kernel, making a single-user operating system. Since the NT kernel basically was written to supplant Windows anyway, it isn't entirely biased to argue that multiuser support was tacked onto Windows.

Of course, I am still not arguing against the NT kernel. Microsoft could just as well have done the same thing with the Linux kernel as well, and the result would have sucked as badly. In fact, I don't know very much about the NT kernel internals (since the documentation isn't quite as easy to get at as it is in Unix), but I would guess that it isn't an entirely bad idea at an operating system kernel. Unfortunately, the kernel alone doesn't make an operating system, and Microsoft decided to build a basically single-user system on top of the kernel.