Virtualization software and integrity levels-your expert opinions...

This thread has been inspired by my reading of opinions of several posters. he question is what effect on security has changing from low integrity levels to medium or high integrity levels (on Vista and Windows 7, but not on Windows XP?)?
And that some virtualization softwares like Sandboxie, Bufferzone have that issue?
I really don't understand what is the difference between low level and medium level security.
If SBIE can block start/run access of any malware as well as block any malware to access the Internet, than where is the problem?
I guess, user's mistake or impracticability?

Supposedly, Tzuk has handled this problem (that's what I heard, so that's "he said, she said" situation).

And why none has ever faced the possibility if any hacker wants to destroy/disable DefenseWall's, SBIE's, Bufferzone's protection (you name it), than they will do it and there is nothing you can do about it?
Is it true the only reason why DW, SBIE or Bufferzone have not been compromised is because they are not widely used by too many people (like Linux)? If they were, they would be vulnerable to attacks and malware like antiviruses are today?
Is this true?
Thanks to all.

And what about internet attacks? Like man-in-the-middle, buffer overflows, DNS spoofing and tocttou attacks and etc...?
Does an virtualization software (DefenseWall,Sandboxie, GesWall and etc...) protect against internet born attacks?
I guess you really need good software or hardware firewall for all these internet attacks?
Thanks to all.

 

Integrity levels are part of the windows ACL token system (MAIC.) Every file and folder on the computer is assigned different integrity levels and each integrity level has its own rights.

A low integrity file can only right to other low integrity files and it can read the entire system.
A medium integrity file can write to low and medium integrity files and it can read the entire system.
A high integrity file can write to low, medium, and high integrity files and it can read the entire system.

So keeping this in mind, what happens if I run, say, Word at high integrity and it gets exploited?
Now that exploit code can write to virtually my entire file system, because Word is at high integrity.

If Word is running at medium integrity the exploit will only be able to write to medium and low integrity areas.

If word is running at low integrity the exploit will be severely limited and stuck only being able to write to the low integrity areas.

Virtualization software creates its own file system. When it does this it might create a series of folders all at medium integrity. This isn't a big deal since if the entire system is virtualized none of that should matter, you can't write outside of that system.

When you start poking holes in sandboxes it can matter a bit more because your sandboxed program can access more areas.

Sandboxing a program that runs in "protected mode" ie: at low integrity can also interfere with that mode.

This is difficult to answer.

I'd just like to preface by saying that Linux has had its fair and large share of vulnerabilities. That doesn't make it insecure.

Any software of significant complexity, especially which undergoes consistent change, will have vulnerabilities.

The fact that we haven't seen many in DW, SBIE, BZ, is in my opinion purely because people aren't looking. Neither of those programs holds significant market share.

There's also the fact that even if every person used Sandboxie there are easier ways to work than exploits. You can trick the user into running the program outside of the sandbox, you can create malware that runs within the sandbox and still works, or if users suddenly stop making mistakes you can start using exploits.

Good question and again, not super easy to answer.

In a MITM attack someone might just be recording your information. In this case there's nothing any virtualization software can do - the attack is happening off of the host and into the network.

If a program is compromised via network and the program is sandboxed you may very well stop the attack in its tracks.

In any case it's always a good idea to have a firewall to stop attacks before they even enter your system.

 

A thing that annoys me that software companies are still not getting is process inheritance. How many software packages do you install that open a web browser when it finishes installing or uninstalling to present you with more information or a survey? Since almost all installers have to run at high integrity the browser opens at the same level as the installer that launched it. If their site is hacked, and I would have to assume them to be lacking security skills for them to be doing this in the first place... guess what you get. And even if there is a small chance their site is infected, there is a greater chance you will continue to browse to other sites with this elevated browser, especially if you are one of the majority of people that do not understand this all to begin with. Every time I install/uninstall software and I see a browser window open I close it immediately. Browsers should not be allowed to be launched by installers, or the installers need to be reworked so they open it at the lowest integrity level possible.

 

Well this is something I never knew of or thought about before I had to see it for myself, and sure enough after installing Adobe flash in the vm, it does launch the browser, IE9 in this case, at High integrity, including the broker process which is normally at Low integrity.

Thanks for pointing this out, Jack!

 

@CoolWebSearch

Integrity Levels are really nothing more than a set of permissions applied at a system level (termed SACL) rather than a discretionary level (termed DACL).

If you are unfamiliar with the permission system of windows, it would be helpful possibly to take a look at how that works. But in a nutshell, everything in an NT system (NT,2000,XP,Vista,7,8 ) has a permission granted to an individual (user) or group of individuals (group). Most permissions are set per file/folder via the DACL. Many are inherited, elsewise every single file would need to be individually stated how it is set per user/group. SACL permissions were normally used for auditing and other admin type uses. Integrity Levels are part of the SACL permissions now, and everything has one starting at Vista. Medium is the default.

HungryMan has described for you some definitions of High, Medium and Low Integrity. By understanding how the permissions work, you will have a much greater understanding of Integrity Levels and how they can benefit you. That is where I would start if I were you, if you really want to know.

@xxJackxx

That is precisely why I have not allowed the browser to execute files for years and years. I always download items, even .pdf files, to my downloads directory. In the past I used HIPS or AV to control what I executed, these days I use Sandboxie and permissions/IL. It sometimes creates a few extra steps, but I have always viewed the browser as my primary source of entry for issues, and thus never trusted it. I did not know it was doing what you mention, but then, I would not ever see it because of how I do things. Good info to have on hand.

@wat0114

What happens if you force your browser to Low IL? You should not be able to launch executable that wants to write into restricted areas (or rather they will fail). Problem solved? Maybe, if you don't mind launching executables manually.

Sul.

 

First, Internet Explorer fails to run with an explicit low integrity level.

Second, the issue is that whatever installer you run, that opens the default web browser once it finishes installing, will automatically elevate the web browser. Now, say one runs Google Chrome with an explicit low integrity level. Then, it would depend on whether or not the installer was coded to raise the browser's integrity levels.

An object running with a high integrity level can raise a lower integrity level object to its own integrity level. Unfortunately, that's how it works.

 

Oh, you are saying that an installer, which is coded to open a browser page, will open the browser at High (the installer integrity). I see what you mean. I guess I must not install much that does that, as it hasn't really been an issue for me.

Shows you how much I use IE I guess Never even tried to set it to Low IL I don't think.

Sul.

 

I assume they are calling a shell execute with a URL to open the default browser. A lot of them used to just call Internet Explorer directly but the end result is the same as far as integrity level. As someone that works for a software company I have been searching for a way to launch a process from an elevated process without inheriting the integrity level but have not had much luck. I know it can be done though, I believe Firefox does it with their installer.

What I really hate are the ones that do this when you uninstall software. If I recall correctly I think the last time I removed Secunia PSI to upgrade to a newer version it opened a survey in a high integrity level browser window. Shame on them, a company that should know better. I did mention it in the comments section on that survey hoping they would change it. Haven't checked to see if they have.

 

Have you seen this with other browsers?

 

You could try it out... Make Google Chrome the default browser, if it isn't already. Apply an explicit low integrity level to it.

Download an application and then uninstall it (Secunia PSI (according to user xxJackxx does that) or try it with SUPERAntiSpyware (it used to open the browser)). See what ILs Chrome's children processes have.

You'll then have the answer you seek.

 

Can't access Windows today unfortunately.

 

Thank you everyone for the feedback! m00nbl00d I think explains it right as to what happens. IE9 basically runs two processes: a broker at medium IL and a child at low IL, the latter of which handles all the browsing functionality. Unfortunately, as Jack pointed out, some installers will auto-launch the default browser imediately after the installation is completed, or even after an uninstall, and does so at the high IL it obviously runs at in order to install in a protected directory such as %ProgramFiles%.

In my test I downloaded the flash installer to my downloads directory, then manually launched it to proceed with the installation. As it always does at the end of the installation, it launched the default browser, IE in my case, and opens up the Adobe web page. Unfortunately, both the IE9 broker and child processes run at high IL This will not likely cause any problems, but could if the site is exploited, as Jack mentioned. A HIPS might be one easy way of preventing this stupid behaviour from happening, but unfortunately that's additional 3rd party overhead I'd rather not use.

EDIT

I tried in the vm installing Chrome, making it the default browser, then installing either Flash or Secunia PSI, but in both cases they still launch IE, so I removed IE from Windows Features, then tried Flash and got the pop-up in the screenshot. It appears it's looking for IE maybe?

 

Something interesting shown in the ss that might shed light on what's happening when a program launches the browser after it installs...

I was trying to remove IE9 completely - but proving extremely difficult - because I wanted to re-install it using the manually-obtained download from MS' site, then install it to a different directory than the default, then see if it would auto-launch after installing Flash. Unfortunately I kept getting: " unable to install Internet Explorer, a newer version is already installed". It's extremely difficult removing the permissions from the IE files so that I can delete everything. I made myself the owner and removed Trusted installer, and tried to force the permissions to all the renegade files that refuse to delete, but I had no success.

 

You may want to modify the ultimate ie killer for k-meleon http://kmeleon.sourceforge.net/forum/read.php?1,86145
to suit your testing needs.

 

Thanks soccerfan, I'll have a look at that.

 

I've seen it happen with Firefox where it was the default browser. Can't remember what it was I was installing on that machine.

 

Yes and I hate that. When I update Flash Player in Firefox it opens up IE to tell me it was successfully installed.

 

This bothers me also. Maybe PowerBroker Desktops can be used to force the browser to low integrity, if your default browser can run as low integrity.

 

http://blogs.msdn.com/b/aaron_margo...as-the-desktop-user-from-an-elevated-app.aspx

 

Hi MrBrian,

I took a look but it's way over my head

A sort of "hack" solution I've come up with was to export my current Win firewall profile, then delete all the program rules except the ones for IE x86 & x64, change them to "Block", and create a rule that allows all programs TCP outbound to remote ports 80 & 443, then export it as name: Win7fw_IE9_block." This gives me two firewall profiles. So the way this works is after I've manually downloaded the program that offensively auto-launches the browser at High IL, I import the IE9 block profile, then proceed to install, let's say Flash, then when it launches IE9, even at High IL, it's at least blocked from Internet access, and Flash is able to d/load whatever it needs during the installation. After closing the browser, I then import my normal, working profile.

It's a bit of a nuisanse doing this, but it works, although it would be better to find a solution that forces the browser to a lower IL when it's launched by the installer program.

 

Than what does all this mean for computer security?
Do those default browsers represent the jeopardy of compromisiong computer security or not?
If yes, how am I suppose to use them in combination with SBIE-if SBIE changes low integrity levels to medium or high integrity levels?
Please, don't get mad on me, because I'm not really sure what you were trying to say in all of your posts.

 

It means this:

As a member of the USERS group, you are a USER, and as such have only certain rights. You might already know this.

As a member of the ADMINS group, you are both a USER and an ADMIN (typically), and you have regular user rights, plus those of an admin.

Integrity Levels mimic these rights. A browser with a medium IL will operate as a USER only, thus you will be locked out of modifying many system areas. A browser with a High IL operates basically as an admin, thus you are allowed to modify system areas (install apps/drivers, etc). A low IL has even less rights than a user, so not much really can be modified.

The talk you see is in relation to how these Integrity Levels operate, and many discussions thereof.

Your question, how does it effect security, is not an easy one to answer because you first must understand what rights are in order to understand what an Integrity Level is. The issue is not do browsers pose a threat, but in this context, do browsers with a certain IL pose a threat. And the answer is yes, they do, if they are running at High IL. You want your browser to run at Medium or preferably Low IL for the best security.

You ask about Sandboxie and Integrity Levels. While there is plenty to talk about on that topic, I think it is best at this point to just say that if you are worried about what happens INSIDE the sandbox, the procede to learn about Integrity Levels. If you don't really care what happens INSIDE the sandbox, but only want to make sure what happens in the sandbox does not effect your real system, then don't worry about Integrity Levels yet.

Sul.

 

Than I guess Hungry man was right. "Virtualization software creates its own file system. When it does this it might create a series of folders all at medium integrity. This isn't a big deal since if the entire system is virtualized, none of that should matter, you can't write outside of that virtualized system."
Thanks for your input.

 

If one should worry about Sandboxie in conjunction with integrity levels, that will depend on how you look at it. As anyone probably figured out by now, Sandboxie does break the integrity levels.

I'll show a real example, and anyone is free to verify it on their own, and come to conclusion I'm not spreading FUD.

I'm running Chromium with an explicit low integrity level. My downloads folder is set with an explicit low integrity level, and inheritance applied to all objects and sub-containers.

A few weeks ago, I extracted a zipped file, that had an explicit low integrity level, inherited from the downloads folder, I had downloaded, that contained an executable (an installer). I was going to test the application in an isolated system.

I was checking some stuff, and I happened to click the installer and all of a sudden I get a warning that execution had been forbidden. The alert resulted from AppLocker forbidding the installer from executing.

WTH?

That installer shouldn't be able to execute (regardless of AppLocker) due to the low integrity level that was supposed to inherit from my downloads folder.

It turns out that the installer had a medium integrity level. What if I was running as an administrator? It would have a high integrity level.

This happened because I was running 7-zip sandboxed and it broke the low integrity level.

So, whether or not one should be worried, it will depend on what may happen at a given moment.

I always believed that any file I extracted to my downloads folder, from the sandboxed 7-zip, were inheriting the low integrity level. I couldn't had been more wrong.

AppLocker blocked execution, so no biggie.

 

Thanks for the link, looks interesting. I will have to look at it in greater detail when I have more time.

Something else I was just remembering, is that there is some piece of software that on install restarts explorer.exe as part of the setup and then explorer.exe is elevated. I believe it was a piece of Stardock software, Fences or DeskScapes or something. This causes EVERYTHING launched after that to be elevated. I would rather reboot, because at that point it is required anyway. Outlook refuses to work correctly in that state, which is how I discovered it in the first place.