Mandatory Integrity Control
In the Microsoft Windows range of operating systems, Mandatory Integrity Control (MIC), also called Integrity Levels (or "Protected Mode" in the context of applications such as Internet Explorer, Google Chrome and Adobe Reader), is a core security feature, introduced in Windows Vista and Windows Server 2008, that adds an integrity level (IL) to every process running in a logon session. (See also Security features new to Windows Vista.) The mechanism selectively restricts the access permissions of programs or software components that run in contexts considered less trustworthy, compared with other contexts running under the same user account that are more trusted. Windows Vista defines four integrity levels in ordinary use: Low (SID S-1-16-4096), Medium (SID S-1-16-8192), High (SID S-1-16-12288) and System (SID S-1-16-16384); an Untrusted level (SID S-1-16-0) also exists below Low. The integrity-level SIDs all have the form S-1-16-<RID>, and the RID orders the levels, so a higher RID is a higher level. By default, processes started by a regular user get a Medium IL, and processes elevated through User Account Control get a High IL. Processes must be configured explicitly to run with Low IL; such processes are called low-integrity processes. A process normally inherits the integrity level of the process that spawned it, but the level can also be set on a per-process basis. For example, executables downloaded from the Internet by a Low-IL browser are saved with a Low integrity label, and a process started from such a file runs with Low IL, because a new process cannot run above the label of its executable image. Windows controls access to objects based on ILs, and also uses them to define the boundary for window messages via User Interface Privilege Isolation (UIPI), which prevents a lower-IL process from sending messages to a higher-IL process.
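The rules above for how a process acquires its level (inherit from the parent, be pulled down by a Low-labeled image, or be started lower on purpose) can be written out as a small model. This is an added illustration, not Windows code: the names new_process_il and parse_whoami_il and the `whoami /groups` sample text are this example's own, while the S-1-16-<RID> values are the documented Windows SIDs.

```python
"""
Model of how a Windows process acquires its integrity level. Added example,
not Windows code: new_process_il, parse_whoami_il and the constructed
`whoami /groups` sample are this example's own; the S-1-16-<RID> SIDs are
the documented Windows values.
"""
import re

# Integrity-level SIDs are S-1-16-<RID>, and the RID orders the levels,
# so levels can be compared as plain integers.
IL_BY_RID = {0: "Untrusted", 4096: "Low", 8192: "Medium",
             12288: "High", 16384: "System"}
RID_BY_IL = {name: rid for rid, name in IL_BY_RID.items()}


def new_process_il(parent_rid, image_label_rid=None, requested_rid=None):
    """Integrity level (as a RID) of a newly created process.

    - By default the child inherits the parent's token IL.
    - If the executable file carries a lower mandatory label (for example a
      file saved by a Low-IL browser), the child is pulled down to that label.
    - A parent may explicitly start the child at a lower level (what
      Protected Mode does for iexplore.exe), but an unprivileged caller
      cannot raise a token above the parent's level, so that is refused.
    """
    il = parent_rid
    if image_label_rid is not None:
        il = min(il, image_label_rid)
    if requested_rid is not None:
        if requested_rid > parent_rid:
            raise PermissionError("integrity level cannot be raised above the parent's")
        il = min(il, requested_rid)
    return il


# `whoami /groups` lists the token's integrity level as an entry of type
# "Label"; this is the quickest check of what IL a shell is running at.
WHOAMI_LABEL = re.compile(
    r"^Mandatory Label\\(\w+) Mandatory Level\s+Label\s+(S-1-16-\d+)", re.M)


def parse_whoami_il(whoami_groups_output):
    """Return (level name, RID) from the text of `whoami /groups`."""
    m = WHOAMI_LABEL.search(whoami_groups_output)
    if m is None:
        raise ValueError("no mandatory label line in whoami output")
    return m.group(1), int(m.group(2).rsplit("-", 1)[1])


# Constructed sample of the relevant lines of `whoami /groups` from an
# elevated (High IL) command prompt; not captured from a real system.
SAMPLE_WHOAMI = """\
GROUP INFORMATION
-----------------

Group Name                            Type             SID          Attributes
===================================== ================ ============ ==========
Everyone                              Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\\High Mandatory Level Label            S-1-16-12288
"""

if __name__ == "__main__":
    name, rid = parse_whoami_il(SAMPLE_WHOAMI)
    print(f"shell runs at {name} IL ({rid})")
    # A Medium-IL Explorer launching an executable that was saved with a Low label.
    print(IL_BY_RID[new_process_il(RID_BY_IL["Medium"], image_label_rid=RID_BY_IL["Low"])])
    # Protected Mode: a Medium-IL broker explicitly starts the browser process at Low.
    print(IL_BY_RID[new_process_il(RID_BY_IL["Medium"], requested_rid=RID_BY_IL["Low"])])
```

On a real machine, `whoami /groups` in an ordinary and in an elevated prompt shows the Medium and High label lines respectively, and `icacls <file> /setintegritylevel Low` is the administrative way to apply the Low label that the image-label rule in the model reacts to.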

Operation

Named objects, including files, registry keys, and even other processes and threads, carry a mandatory label in their security descriptor (a system mandatory label ACE in the system ACL, rather than an entry in the discretionary ACL) that defines the minimum integrity level a process needs in order to obtain a given class of access. With the default policy (no write-up), Windows allows a process to write to or delete an object only when its integrity level is equal to or higher than the object's label; objects that carry no label are treated as Medium. Process and thread objects additionally carry a no-read-up policy, so a process with a higher IL is out of bounds for even read access by a lower-IL process.

Consequently, a process cannot interact with another process that has a higher IL: it cannot, for example, inject a DLL into the higher-IL process with the CreateRemoteThread API function, or write into its address space with WriteProcessMemory. The higher-IL process can, however, perform such operations against the lower-IL process. Processes at different integrity levels can still communicate through files, named pipes, LPC ports or other shared objects, but the shared object must be labeled at an integrity level no higher than that of the Low-IL process (so that the Low-IL process is allowed to write to it) and must be opened by both the Low-IL and the High-IL process.

Security

Access control lists (ACLs) are limited to granting access rights (read, write and execute permissions) and privileges to users or groups. MIC allows classes of applications to be isolated, enabling scenarios such as sandboxing potentially vulnerable applications (for example Internet-facing applications).

However, since MIC does not prevent a low-IL process from sharing objects with a higher-IL process, a low-IL process can trigger flaws in the higher-IL process and have it work on its behalf, for instance through a squatting attack (a denial-of-service attack in which a program interferes with another program through shared synchronization objects in an unwanted or unexpected way). Shatter attacks, by contrast, can be prevented by using another feature, User Interface Privilege Isolation, in conjunction with MIC.

Mandatory Integrity Control is implemented with a new access control entry (ACE) type, the system mandatory label ACE (SYSTEM_MANDATORY_LABEL_ACE, written as ML in SDDL), which represents the object's IL in its security descriptor. A subject IL (the integrity-level SID, such as S-1-16-8192) is likewise assigned to the access token when the token is initialized. When the security reference monitor performs authorization before granting access to an object, it compares the integrity level in the access token against the integrity level in the security descriptor. Windows restricts the allowed access rights depending on whether the subject's integrity level is higher or lower than the object's, and on the integrity policy flags in the label ACE: SYSTEM_MANDATORY_LABEL_NO_WRITE_UP (the default, which blocks write and delete access from a lower level), SYSTEM_MANDATORY_LABEL_NO_READ_UP and SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP. This mandatory check is applied before the discretionary ACL is evaluated, so a lower-IL subject is denied regardless of what the DACL would grant. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access, under user control, that ACLs provide.

Usage

One of the most common applications of integrity controls in Windows is in Internet Explorer 7 and Internet Explorer 8, which can run in "Protected Mode" on Windows Vista and later operating systems. In this configuration the iexplore.exe process runs at a Low integrity level to limit its access to the underlying system and so blunt some classes of security vulnerabilities: because it is a Low-IL process, it cannot modify Medium-labeled user or system objects, and file and registry writes to such locations are instead virtualized (redirected to Low-integrity locations by a compatibility layer). Adobe Reader 10 and Google Chrome are two other notable applications that have adopted the technology to limit their exposure to malware.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.