
• So innocent... (Score:5, Informative)

on Saturday June 10, 2006 @08:12PM (#15510920) Journal
Tough luck dude. Learn to use and hack Linux. Really, it's quite enjoyable.

Do you insist on Windows? OK...

You will be doing what every anti-virus and copy-protection hack does: you will patch the system call table. Note that it is completely unsafe to undo this without a reboot. There are race conditions that can bluescreen the system if you try.

You cannot support Win64. The system call table was hidden. Aw heck, if you're already this hacky and evil, you might as well scan memory to find something that looks like the system call table. Just look for an array of function pointers of the right size and in the right order, bearing in mind that some other hack may have hooked the system calls first.

So, system calls happen, and you track what they do. You'll have to duplicate many OS data structures or make many evil assumptions about the content of kernel memory. Track what each handle refers to, the state of that handle, etc.

See? No problem. Easy as pie. You can contribute to making Windows such a stable OS.
• Best steps moving forward (Score:1)

I don't know of any public API.
1. You should talk to your advisor to see if he would have a problem if an NDA is required, since it could affect publishability.
2. You should be checking on the MS oriented technical lists and forums. You're talking about some very deep and complicated types of coding, and your run of the mill programmer or admin is not the best resource.
• filesystem filter driver (Score:4, Informative)

by Anonymous Coward on Saturday June 10, 2006 @09:05PM (#15511052)
For files it's relatively easy, just build a filter driver that gets to look at and modify all filesystem requests. You need an IFSKit for that (there's sort of a GNU one at http://branten.se/nt/ [branten.se]). I dunno about other calls, grab a copy of the DDK (there is one in the downloadable KMDF) and see what you can find.
• Not built-in to Windows (Score:2)

Windows security is all about restricting access to files and objects with user- and group-oriented Access Control Lists (DACLs and SACLs). When a user/automated-process logs in they are given an authentication token representing their account and group memberships (even their password version/iteration), and that token gets passed around to all processes and threads they touch as tasks proceed. Some processes (such as IIS) run under special LocalSystem/LocalService/NetworkService accounts and are able to i

• Re:Not built-in to Windows (Score:2)

Last I checked couldn't you just remove the ability for anything and everything to execute a file? That would give you your control. Furthermore you can disable the ability for SYSTEM to run the process along with NETWORK SERVICE and a few other built in accounts. You could explicitly disable their ability to execute to then an application can only be executed by a specified user. Not quite as granular as something like BlackICE, ZA, Sygate, or any of the other personal firewall devices but it works especia
• Re:Not built-in to Windows (Score:3, Informative)

HP developed a clever if hackish way to restrict the rights of a Windows application [hp.com]. They wrap the application's shortcut with a RunAs to a restricted account, then they grant the application access to its temp files and they copy into the jail all files the user has implicitly granted access to by using one of the standard file dialogs.

I've got my doubts about how far you can go with that approach (for example, they admitted that network access control was a problem), but consider their approach along wit
• Filesystem Filter Driver (Score:5, Informative)

by Anonymous Coward on Saturday June 10, 2006 @10:30PM (#15511290)
To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:

http://www.microsoft.com/whdc/driver/filterdrv/default.mspx [microsoft.com]

Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the ifskit to filter those "fake" filesystems.
• Re:Filesystem Filter Driver (Score:1)

Of course, the moderators will never see it, but hopefully the original poster will.
• Re:Filesystem Filter Driver (Score:3, Interesting)

> THIS IS THE RIGHT ANSWER.

No it isn't. Or at least it is the right answer for the wrong question. Filesystem controls are completely orthogonal to process permissions. He's not trying to just limit filesystem operations, he's looking at all operations. How is a filesystem driver going to affect whether you can open Port 12345 if your windowstation isn't on some trusted list? Or whether you can impersonate another user only if it's run app XYZ within the last X minutes (think sudo). He's trying to
• Ballsy! (Score:2, Interesting)

This guy sure has a lot of balls asking for (admittedly minor) thesis help on a site his faculty could be reading this very minute. ;)
• Re:Ballsy! (Score:2)

Well, he is asking a bunch of guys who might just know the answer to his question. That is what research is about in any case - asking the right questions to the right people. Why should his professors mind?
• good luck with it! (Score:1)

I certainly wish you the best of luck with it. Given the design of the windows core (kernel*) I am not sure this can be implemented without a significant redesign. :(

Linux is pretty good at this, as is the NSA offering (called SELinux). OpenBSD is far superior in this aspect.

• MS Windows Internals, 4th Ed. (Score:1)

This book is awesome, takes you down into the deep caverns of hell that are the MS WinNT based OS.

Chapter 8 deals with security, and offers the following juicy nugget:

Security reference monitor

A component in the Windows Executive (\windows\system32\ntoskrnl.exe) that is responsible for defining the access token data structure to represent a security context, performing the security access checks on objects, manipulating privileges[...], and generating any resulting security audit messages.

Among others. T

• Ask tzuk at sandboxie dot com (Score:3, Informative)

on Sunday June 11, 2006 @02:40AM (#15511877)
His working implementation is available at http://www.sandboxie.com/ [sandboxie.com]

Maybe he'd tell you in exchange for a redesign of his site.
• Simplest Windows security measure (Score:2)

You know how, when you download a file with IE and try to open it on XP SP2, it asks you if you are sure because it's an unsigned executable every time? If you could just enable that for every executable by default, it would be almost impossible for a virus to get in. If you made it impossible for non-admin users to allow unsigned code, you would instantly improve security massively.

But I don't think it's possible in Windows.
• Re:Simplest Windows security measure (Score:2)

Mandatory code signing has been built-in to Windows since 2001 [microsoft.com] (with the release of XP).

I use this for some of my locked-down client machines, and it works pretty much as advertised. However, maintaining the list of allowed executables is a pain. Most 3rd-party windows developers neglect to sign their code, so you have to do a lot of manual entry of hashes. There are 3rd party management tools and scripting which can be used to overcome these problems.
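As an added example (not from this thread), the following PowerShell script is the kind of scripting the comment above alludes to: it inventories the executables and DLLs under a directory, checks their Authenticode status, and emits SHA256 hashes only for the files whose signature is not valid (unsigned, tampered, or untrusted chain), so those are the ones that need manual hash entries in an allow-list. The directory path is a placeholder, and the script assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not part of the original post.
# Inventory binaries under a directory, report Authenticode status, and hash
# only the ones a signature cannot vouch for (candidates for hash-based rules).
param(
    [string]$Root = 'C:\Program Files\ExampleApp'   # placeholder directory, change as needed
)

$results = Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            # HashMismatch is worth a closer look: the file was signed, then altered.
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Hash only what the signature does not cover; these need manual review.
            SHA256 = if ($sig.Status -ne 'Valid') {
                         (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                     } else { '' }
        }
    }

# Everything that is not validly signed becomes an allow-list candidate by hash.
$needsReview = @($results | Where-Object { $_.Status -ne 'Valid' })

$results | Sort-Object Status, Path | Format-Table -AutoSize
"{0} of {1} files need manual allow-listing by hash" -f $needsReview.Count, @($results).Count

# Write the candidates to a CSV in the temp directory for review before any rule is created.
$needsReview |
    Select-Object Path, Status, SHA256 |
    Export-Csv -Path (Join-Path $env:TEMP 'unsigned-hashes.csv') -NoTypeInformation
```

Files reported as HashMismatch should be investigated rather than allow-listed, since a signed file that no longer matches its signature has been modified after signing.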

• Core Force (Score:1)

http://force.coresecurity.com/ [coresecurity.com] TCP/IP, File and Registry ACLs
• Not a direct answer but... (Score:3, Insightful)

on Sunday June 11, 2006 @10:59AM (#15512789)

Cisco Security Agent [cisco.com] is a close analog to the sort of comprehensive kernel security hooking that something like LIDS [lids.org] does on Linux. If you can do some research to determine how they're doing it, that'll be a start. They hook all sorts of things, from file and network opens to attempts to sniff keystrokes and executing dynamically modified memory.

• Cisco Security Agent is a pile of crap (Score:2)

They force us to use this at work. It frequently denies access without asking the user or notifying the user. If we don't disable CSA first, we can't use any Perl script that does system() because CSA will silently deny access. The network admins can't figure out how to get Perl special-cased.

Also, much of its hooking can be bypassed by someone who knows the NT API. Many of their hooks are patches to ntdll.dll in each process's memory that can easily be bypassed.

The main "security" of CSA comes from the
• Re:Cisco Security Agent is a pile of crap (Score:2)

I might go even further and pontificate upon the idiocy of attempting to lock developer's systems down, but I'd hate to cause you to vent any more of your spleen.

• Make Windows more secure than Linux (Score:2)

Core Force [coresecurity.com] is just such an application. From the about page:

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

Basically, the way it works by default is

• Quick Question (Score:2)

Do we all get a PhD as well if we help you? If so, can you please provide details of the institution issuing the doctorate - I want to make sure that I don't get a bad school added to my CV.
• Core Force (Score:1)

I just read about CORE FORCE [coresecurity.com] in some other discussion, and this might be what you are looking for.

From their site:

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messagin

• VMS (Score:2)

Interesting. If I recall, VMS has a security model in which applications had rights along with users. Kind of like setuid, but granular. I believe that a process's rights were the combination of the rights of the user and of the application.

Windows NT was designed and implemented by the main VMS designer. A lot of the low-level kernel stuff is quite similar. But I don't think this feature made it across in any way.