Mandatory Integrity Control

Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This mechanism's goal is to restrict the access permissions for potentially less trustworthy contexts (processes, files, and other securable objects), compared with other contexts running under the same user account that are more trusted.

Mandatory Integrity Control is defined using a new access control entry (ACE) type to represent the object's IL in its security descriptor. In Windows, Access Control Lists (ACLs) are used to grant access rights (read, write, and execute permissions) and privileges to users or groups. An IL is assigned to a subject's access token when initialized. When the subject tries to access an object (for example, a file), the Security Reference Monitor compares the integrity level in the subject's access token against the integrity level in the object's security descriptor. Windows restricts the allowed access rights depending on whether the subject's IL is higher or lower than the object, and depending on the integrity policy flags in the new access control entry (ACE). The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384).^[1] By default, processes started by a regular user gain a Medium IL and elevated processes have High IL.^[2] By introducing integrity levels, MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially-vulnerable applications (such as Internet-facing applications). Processes with Low IL are called low-integrity processes, which have less access than processes with higher ILs where the Access control enforcement is in Windows.

Objects with Access control lists, such as Named objects, including files, registry keys or even other processes and threads, have an entry in the System Access Control List governing access to them, that defines the minimum integrity level of the process that can use the object. Windows makes sure that a process can write to or delete an object only when its integrity level is equal to or higher than the requested integrity level specified by the object.^[2] Additionally, for privacy reasons process objects with higher IL are out-of-bounds for even read access from processes with lower IL.^[3]

Consequently, a process cannot interact with another process that has a higher IL. So a process cannot perform functions such as inject a DLL into a higher IL process by using the CreateRemoteThread() function^[4] of the Windows API or send data to a different process by using the WriteProcessMemory() function.^[5]

While processes inherit the integrity level of the process that spawned it, the integrity level can be customized at the time of process creation. As well as for defining the boundary for window messages in the User Interface Privilege Isolation (UIPI) technology, Mandatory Integrity Control is used by applications like Adobe Reader, Google Chrome, Internet Explorer, and Windows Explorer to isolate documents from vulnerable objects in the system.^[1]

Internet Explorer 7 introduces a MIC-based "Protected Mode" setting to control whether a web page is opened as a low-integrity process or not (provided the operating system supports MIC), based on security zone settings, thereby preventing some classes of security vulnerabilities. Since Internet Explorer in this case runs as a Low IL process, it cannot modify system level objects—file and registry operations are instead virtualized. Adobe Reader 10 and Google Chrome are two other notable applications that are introducing the technology in order to reduce their vulnerability to malware.^[6]

Microsoft Office 2010 introduced the "Protected View" isolated sandbox environment for Excel, PowerPoint, and Word that prohibits potentially unsafe documents from modifying components, files, and other resources on a system.^[7] Protected View operates as a low-integrity process and, in Windows Vista and later versions of Windows, uses MIC and UIPI to further restrict the sandbox.^[8]

However, in some cases a higher IL process do need to execute certain functions against the lower IL process, or a lower IL process need to access resources that only a higher IL process can access (for example, when viewing a webpage in protected mode, save a file downloaded from the internet to a folder specified by the user).^[1] High IL and Low IL processes can still communicate with each other by using files, Named pipes, LPC or other shared objects. The shared object must have an integrity level as low as the Low IL process and should be shared by both the Low IL and High IL processes.^[3] Since MIC does not prevent a Low IL process from sharing objects with a higher IL process, it can trigger flaws in the higher IL process and have it work on behalf of the low IL process, thereby causing a Squatting attack.^[3] Shatter attacks, however, can be prevented by using User Interface Privilege Isolation which takes advantage of MIC.

[1]
Matthew Conover. "Analysis of the Windows Vista Security Model" (PDF). Symantec Corporation. Archived from the original (PDF) on 2008-05-16. Retrieved 2007-10-08.
[2]
Riley, Steve (22 July 2006). "Mandatory Integrity Control in Windows Vista". Microsoft Docs Archive. Microsoft.
[3]
Russinovich, Mark (12 February 2007). "PsExec, User Account Control and Security Boundaries". Windows Blog Archive. Microsoft.
[4]
"CreateRemoteThread function". Windows Dev Center. Microsoft. 5 December 2018.
[5]
"WriteProcessMemory function". Windows Dev Center. Microsoft. 5 December 2018.
[6]
Brad Arkin (2010-07-10). "Introducing Adobe Reader Protected Mode". Adobe Systems. Retrieved 2010-09-10.
[7]
"Plan Protected View settings for Office 2010". Microsoft Docs Archive. Microsoft. 5 August 2011.
[8]
Keizer, Gregg (August 19, 2009). "Microsoft struts Office 2010 'sandbox' security". Computerworld. IDG. Retrieved January 23, 2017.

"Windows Vista Integrity Mechanism Technical Reference". Microsoft Docs Archive. Microsoft. 5 July 2007.
"Introduction to the Protected Mode API". Microsoft Docs Archive. Microsoft. 15 August 2007.

[symantec-1] [1]
Matthew Conover. "Analysis of the Windows Vista Security Model" (PDF). Symantec Corporation. Archived from the original (PDF) on 2008-05-16. Retrieved 2007-10-08.

[steve-2] [2]
Riley, Steve (22 July 2006). "Mandatory Integrity Control in Windows Vista". Microsoft Docs Archive. Microsoft.

[mark-3] [3]
Russinovich, Mark (12 February 2007). "PsExec, User Account Control and Security Boundaries". Windows Blog Archive. Microsoft.

[4] [4]
"CreateRemoteThread function". Windows Dev Center. Microsoft. 5 December 2018.

[5] [5]
"WriteProcessMemory function". Windows Dev Center. Microsoft. 5 December 2018.

[6] [6]
Brad Arkin (2010-07-10). "Introducing Adobe Reader Protected Mode". Adobe Systems. Retrieved 2010-09-10.

[PlanProtectedView-7] [7]
"Plan Protected View settings for Office 2010". Microsoft Docs Archive. Microsoft. 5 August 2011.

[Office2010PVComputerworld-8] [8]
Keizer, Gregg (August 19, 2009). "Microsoft struts Office 2010 'sandbox' security". Computerworld. IDG. Retrieved January 23, 2017.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

Mandatory Integrity Control

Wikiwand in your browser!

Wikiwand in your browser!

Implementation

Application

See also

References

Further reading

External links