Please create an account to participate in the Slashdot moderation system

typodupeerror

A Windows Alternative to Linux Security Modules?54

Cliffe asks: "I am a PhD candidate preparing to implement a new security (access control) model. I have been reading about Linux's LSM (which allow security frameworks to be loaded) but I was unable to find documentation for a mechanism in MS Windows which allows every individual application's access to resources to be mediated; for example, to restrict each application's access to particular files or network protocols. Is this type of mediation possible in Windows? Virus scanners and firewalls likely utilize similar capabilities. Where can the documentation be found?"
This discussion has been archived. No new comments can be posted.

A Windows Alternative to Linux Security Modules?

• Voila (Score:3, Interesting)

on Saturday June 10, 2006 @07:02PM (#15510891) Homepage
Here are some that my help you get started:

User Access Controls [microsoft.com]

SANS Top 20 [sans.org] (worth reading)

Windows Server 2003 Security Guide [microsoft.com]

Overview of the Windows 2003 Server [microsoft.com]

You can migrate some of the administrative tools under Windows 2003 SMB server over to XP. But I'm under the assumption you're looking at things from a server perspective. As for firewalls, etc., you have to define if you want a true firewall as opposed to relying on Windows' shabby firewall. If so then I suggest you take a look at Juniper's Netscreen Elite 5X if you're a small business. I mention this instead of Checkpoint or others since I have used many and my best recommendation would be the Netscreen. This comes via way of having to migrate a slew of Checkpoint's along with Rainwall for management to Netscreen. Things were so shoddy with Checkpoint's IPSO, even Checkpoint wouldn't support the financial institute I was doing work for. This forced us to rethink our tools and after months worth of tiger team testing, we went with Juniper.

• Re:Voila (Score:3, Informative)

I didn't find anything in the referenced pages that suggests that Windows has any inherent capability to restrict access to resources by application. This is different than restricting access by user, which has been supported since NT 3.1.
• Re:Voila (Score:2, Informative)

Supposedly in Vista. I can't find any real technical info, but here's the marketing blurb:
http://www.microsoft.com/technet/windowsvista/eval uate/feat/secfeat.mspx#EHF [microsoft.com]
• Re:Voila (Score:2)

You apparently don't know much about groups under Windows. You create specific groups for specific resources. Much similar to *nix.
• that is unrelated (Score:3, Insightful)

Sure, you can create groups. You can do ACLs. You can assign privs.

None of this gets you a way to plug in a whole new security concept. Suppose that the OS did not support ACLs, but you wanted to add support. That's something that LSM would let you do.
• Re:Voila (Score:2)

Sure, but AFAIK that doesn't help me when I want user Joe to be able to access network drive \\foo\bar from Word but the same user Joe to NOT be able to access \\foo\bar from Firefox.

Windows groups are somewhat more flexible than Unix (Linux) groups, but they're certainly not a panacea, and they don't solve the OP's problem.

• No standard API (Score:2)

As far as I'm aware, Windows doesn't have any standard API for that. Products like ZoneAlarm restrict access to resources by inserting hooks into the system in a relatively ad-hoc manner. (This is not a criticism of ZoneAlarm.)

Given Microsoft's claims about a strong focus on security in the forthcoming Windows Vista, perhaps it has an interface for security modules of the type you're suggesting.

• Re:No standard API (Score:2)

I enjoyed having something similar to zone alarm running on my old windows PC - it was reassuring to know every single time an app tried to connect to the interweb.

I'd love to see some similar products for the mac, if anyone has some links. Ideally I'd like to limit certain applications to only be able to write to certain directories, and also be notified whenever someone is trying to do something fishy.
• It's called WINE, and there are other ways (Score:4, Interesting)

<SentByMSBlast-No ... .brooks.fdns.net> on Saturday June 10, 2006 @09:23PM (#15511275) Homepage
You can then literally apply Linux's [linux.org.au] security modules to individual Win32 applications -- or to individual instances of the same Win32 application -- by running the Win32 app under WINE [winehq.com].

Or run WINE under a different OS (e.g. OpenBSD [openbsd.org]) or emulator if you want different security tools.

I've done this with/for a number of customers, & integrating the security manageability with a system which has no viruses or spyware to speak of has saved them each endless damage (and endless payments to recover from that damage).

I've also convinced other developers to make their applications portable -- which has instantly increased their productivity and their market, too, sloughing off obsolete dependencies -- and simply stopped running the users under Windows (or anything from MS). This particular tactic earns you much peace & security in one step.
• well, kind of (Score:4, Informative)

on Saturday June 10, 2006 @07:06PM (#15510901) Homepage
Hey, the .NET framework has an implementation of this. It only works for managed code, and it isn't as granular. (I can't say I'm terribly knowledgable about pluggable security architectures). It's called Code Access Security [google.com]. I wish you well on your thesis.
• Function hooks (Score:2)

Some nifty things are possible if you hook functions in the WinAPI (so all calls to that function would go through your function first). Your app could then put whatever restrictions on access it you wanted (you could hook file open functions, registry open functions, etc). Here's an interesting article I found, wasn't the one I was searching for tho: http://www.codeproject.com/system/hooksys.asp [codeproject.com] Here is an article that shows how to prevent processes from launching: http://www.codeproject.com/system/sovi [codeproject.com]
• DropMyRights (Score:3, Interesting)

on Saturday June 10, 2006 @07:09PM (#15510916) Homepage

I don't know much at all about the subject, but check out DropMyRights [microsoft.com], by Michael Howard, a security guy at Microsoft.

DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context -- that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process...

It's basically sample code, rather than a full solution, but it might give you a starting point.

Also ask Google about the .Net Framework's security model - in particular "code access security." From here [microsoft.com]:

Code access security uses the location from which executable code is obtained and other information about the identity of code as a primary factor in determining what resources the code should have access to. This information about the identity of an assembly is called evidence... It is the responsibility of the code access security system in the runtime to map this evidence into a set of permissions, which will determine what access this code has to a number of resources such as the registry or the file system.

Cheers.

• Nah, LSM is nothing like that (Score:3, Informative)

LSM lets you add a whole new security system. If you want to do a full replacement of the regular system, run everything as the same UID. It is upon LSM that SE Linux is built. For some time, there was a machine on the net that would let you ssh in as root. You really did get UID 0, the root account, but SE Linux blocked you from causing damage.

The whole DropMyRights thing is tied to the existing security model. What if you wanted to redefine what the "rights" are? For that you need LSM.

With LSM, you can im
• Re:Nah, LSM is nothing like that (Score:2)

At the source level, technically NT's security subsystem is just one module among many. There is an opaque SECURITY_DESCRIPTOR structure that describes access control on all securable objects, and an opaque token [microsoft.com] system to confer identities and privileges to a process or thread. Modifying these and making access checks with them are done through opaque functions. If one had the source code for Windows available, it probably would be possible to change the security system quite a bit and recompile; then the
• Re:DropMyRights (Score:1)

check out DropMyRights, by Michael Howard, a security guy at Microsoft.

A word of warning about that program. The program works fine so long as you only access things via the dedicated drive letters. As soon as you start accessing files and directories through the administrative UNC shares on the local machine, all the protection DropMyRights gives you is lost. If you run a command prompt with DropMyRights, you may not be able to delete C:\ntldr, but you will be able to delete \\computer\c$\ntldr. All • So innocent... (Score:5, Informative) on Saturday June 10, 2006 @07:12PM (#15510920) Journal Tough luck dude. Learn to use and hack Linux. Really, it's quite enjoyable. Do you insist on Windows? OK... You will be doing what every anti-virus and copy-protection hack does: you will patch the system call table. Note that it is completely unsafe to undo this without a reboot. There are race conditions that can bluescreen the system if you try. You can not support Win64. The system call table was hidden. Aw heck, if you're already this hacky and evil, you might as well scan memory to find something that looks like the system call table. Just look for an array of function pointers of the right size and in the right order, bearing in mind that some other hack may have hooked the system calls first. So, system calls happen, and you track what they do. You'll have to duplicate many OS data structures or make many evil assumptions about the content of kernel memory. Track what each handle refers to, the state of that handle, etc. See? No problem. Easy as pie. You can contribute to making Windows such a stable OS. • Best steps moving forward (Score:1) I don't know of any public API. 1. You should talk to your advisor to see if he would have a problem if an NDA is required, since it could affect publishability. 2. You should be checking on the MS oriented technical lists and forums. You're talking about some very deep and complicated types of coding, and your run of the mill programmer or admin is not the best resource. • filesystem filter driver (Score:4, Informative) by Anonymous Coward on Saturday June 10, 2006 @08:05PM (#15511052) For files it's relatively easy, just build a filter driver that gets to look at and modify all filesystem requests. You need an IFSKit for that (there's sort of a GNU one at http://branten.se/nt/ [branten.se]). I dunno about other calls, grab a copy of the DDK (there is one in the downloadable KMDF) and see what you can find. • Not built-in to Windows (Score:2) Windows security is all about restricting access to files and objects with user- and group-oriented Access Control Lists (DACLs and SACLs). When a user/automated-process logs in they are given an authentication token representing their account and group memberships (even their password version/iteration), and that token gets passed around to all processes and threads they touch as tasks proceed. Some processes (such as IIS) run under special LocalSystem/LocalService/NetworkService accounts and are able to i • Re:Not built-in to Windows (Score:2) Last I checked couldn't you just remove the ability for anything and everything to execute a file? That would give you your control. Furthermore you can disable the ability for SYSTEM to run the process along with NETWORK SERVICE and a few other built in accounts. You could explicitly disable their ability to execute to then an application can only be executed by a specified user. Not quite as granular as something like BlackICE, ZA, Sygate, or any of the other personal firewall devices but it works especia • Re:Not built-in to Windows (Score:3, Informative) HP developed a clever if hackish way to restrict the rights of a Windows application [hp.com]. They wrap the application's shortcut with a RunAs to a restricted account, then they grant the application access to its temp files and they copy into the jail all files the user has implicitly granted access to by using one of the standard file dialogs. I've got my doubts about how far you can go with that approach (for example, they admitted that network access control was a problem), but consider their approach along wit • Filesystem Filter Driver (Score:5, Informative) by Anonymous Coward on Saturday June 10, 2006 @09:30PM (#15511290) To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here: http://www.microsoft.com/whdc/driver/filterdrv/def ault.mspx [microsoft.com] Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the ifskit to fiter those "fake" filesystems. • Re:Filesystem Filter Driver (Score:1) THIS IS THE RIGHT ANSWER. Of course, the moderators will never see it, but hopefully the original poster will. • Re:Filesystem Filter Driver (Score:3, Interesting) > THIS IS THE RIGHT ANSWER. No it isn't. Or at least it is the right answer for the wrong question. Filesystem controls are completely orthogonal to process permissions. He's not trying to just limit filesystem operations, he's looking at all operations. How is a filesystem driver going to affect whether you can open Port 12345 if your windowstation isn't on some trusted list? Or whether you can impersonate another user only if it's run app XYZ within the last X minutes (think sudo). He's trying to • Ballsy! (Score:2, Interesting) This guy sure has a lot of balls asking for (admittedly minor) thesis help on a site his faculty could be reading this very minute. ;) • Re:Ballsy! (Score:2) Well, he is asking a bunch of guys who might just know the answer to his question. That is what research is about in anycase - asking the right questions to the right people. Why should his professors mind? • good luck with it! (Score:1) I certainly wish you the best of luck with it. given the design of the windows core (kernel*) I am not sure this can be implemented without a significant redesign. :( Linux is pretty good at this, as is the NSA offering (called SELinux). OpenBSD is far superior in this aspect. there is one additional problems: M$ might decide to
"co-opt" your work on you if they like what it does. best
to be cautious with a shark like that.
• Re:good luck with it! (Score:2)

OpenBSD is nothing in this aspect.

Perhaps FreeBSD has the needed hooks. They have been showing interest in stuff like SE Linux. OpenBSD has shown no interest.

LSM is the set of hooks that supports SE Linux. In other words, he wants to write something which makes security decisions similar to the ones that SE Linux makes. He needs the hooks.
• You'd need to create a user for each process (Score:2)

To separate out like this, you'd need to have each program run as a different user, and not give that user any rights.

You can't run them as the normal user. Even if you remove all the privileges, it is still the same user SID (Windows's UID). By default, a process's ACL allows debug access for the same user. That is, if program A and program B run as the same SID, then by default process A can manipulate process B and vice versa. Thus, if you did this, the program could do NtWriteVirtualMemory on any ot
• Re:You'd need to create a user for each process (Score:1)

Yes it is a flaw. It prevents me from making a secure setuid program if I understand correctly, as the person running it can probe its memory at will. So now I need to use a server and client.
• Re:You'd need to create a user for each process (Score:2)

No, for a setuid program (Windows's "Run As"), the new application runs as a different user than the person using it. This works.

Melissa
• Filesystem filter driver (Score:2)

A AC posted this earlier and it deserves a repost since it's the best answer I've heard so far.

To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:

http://www.microsoft.com/whdc/driver/filterdrv/def ault.mspx [microsoft.com]

Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to
• Re:Filesystem filter driver (Score:2)

Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license.

Just so you know, Microsoft dropped the price for the IFS kit from over $1000 to less than$150 including shipping (\$25 for shipping a CD... wowza!) a few months ago. You can purchase it online at the IFS kit page [microsoft.com]. That's a much easier pill to swallow for a PhD investment.

• MS Windows Internals, 4th Ed. (Score:1)

This book is awesome, takes you down into the deep caverns of hell that are the MS WinNT based OS.

Chapter 8 deals with security, and offers the following juicy nugget:

Security reference monitor

A component in the Windows Executive(\windows\system32\ntoskrnl.exe) that is responsible for defining the access token data structure to represent a security context, performing the security access checks on objects, manipulating privelages[...], and generating any resulting security audit messages.

Among others. T

• Ask tzuk at sandboxie dot com (Score:3, Informative)

on Sunday June 11, 2006 @01:40AM (#15511877)
His working implementation is available at http://www.sandboxie.com/ [sandboxie.com]

Maybe he'd tell you in exchange for a redesign of his site.
• Simplest Windows security measure (Score:2)

You know how, when you download a file with IE and try to open it on XP SP2, it asks you if you are sure because it's an unsigned executable every time? If you could just enable that for every executable by default, it would be almost impossible for a virus to get in. If you made it impossible for non-admin users to allow unsigned code, you would instantly improve security massively.

But I don't think it's possible in Windows.
• Re:Simplest Windows security measure (Score:2)

Mandatory code signing has been built-in to Windows since 2001 [microsoft.com] (with the release of XP).

I use this for some of my locked-down client machines, and it works pretty much as advertised. However, maintaining the list of allowed executables is a pain. Most 3rd-party windows developers neglect to sign their code, so you have to do a lot of manual entry of hashes. There are 3rd party management tools and scripting which can be used to overcome these problems.

• Core Force (Score:1)

http://force.coresecurity.com/ [coresecurity.com] TCP/IP, File and Registery ACL's
• Not a direct answer but... (Score:3, Insightful)

on Sunday June 11, 2006 @09:59AM (#15512789)

Cisco Security Agent [cisco.com] is a close analog to the sort of comprehensive kernel security hooking that something like LIDS [lids.org] does on Linux. If you can do some research to determine how they're doing it, that'll be a start. They hook all sorts of things, from file and network opens to attempts to sniff keystrokes and executing dynamically modified memory.

• Cisco Security Agent is a pile of crap (Score:2)

They force us to use this at work. It frequently denies access without asking the user or notifying the user. If we don't disable CSA first, we can't use any Perl script that does system() because CSA will silently deny access. The network admins can't figure out how to get Perl special-cased.

Also, much of its hooking can be bypassed by someone who knows the NT API. Many of their hooks are patches to ntdll.dll in each process's memory that can easily be bypassed.

The main "security" of CSA comes from the
• Re:Cisco Security Agent is a pile of crap (Score:2)

I'm sorry your admins don't know how to administer it.

I might go even further and pontificate upon the idiocy of attempting to lock developer's systems down, but I'd hate to cause you to vent any more of your spleen.

• Make Windows more secure than Linux (Score:2)

Core Force [coresecurity.com] is just such an application. From the about page:

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

Basically, the way it works by default is

• Quick Question (Score:2)

Do we all get a PHd as well if we help you? If so, can you please provide details of the institution issuing the doctorate - I want to make sure that I don't get a bad school added to my CV.
• Core Force (Score:1)

i just read about CORE FORCE [coresecurity.com] in some other discussion, and this might be what you are looking for.

From their site:

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messagin

• VMS (Score:2)

Interesting. If I recall, VMS has a security model in which applications had rights along with users. Kind of like setuid, but granular. I believe that a process's rights were the combination of the rights of the user and of the application.

Windows NT was designed and implemented by the main VMS designer. A lot of the low-level kernel stuff is quite similar. But I don't think this feature made it across in any way.