Idea for HIPS backend using native capabilities of WinXP and later

Discussion in 'other anti-malware software' started by Gullible Jones, Oct 30, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Now that I think of it, SBIE needs the driver to provide the virtualization, which is also a form of security to me. But when it comes to sandboxing purely with "integrity levels", it can indeed be done with the help from the Windows OS itself. This is what Chrome, IE and "Metro Apps" (AppContainer) are doing. BTW, does ReHIPS use a driver?
     
    Last edited: Nov 4, 2014
  2. 142395

    142395 Guest

    Ah, so what you're saying is process restriction.
    5 - 1 + 1 = 5

    I don't say non-hook HIPS can do exactly the same thing, but at least there are advantages, as I explained.
    Virtualization itself is not security; it makes sense only when combined with other mechanisms.
    SBIE doesn't rely solely on integrity level, it also uses user separation.
    In fact integrity level itself is not a security boundary and was easily bypassed.
    If you need an example, I'll give you one, but sorry, I don't have time now.

    Yes, ReHIPS uses a driver, but not for security.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm sorry, I don't understand what you mean by "non-hook HIPS", please explain. I would also like to know what you mean by "user separation". And finally, I would like to know why ReHIPS uses a driver; after all, it uses the same type of sandboxing methods as Chrome, I assume?

    EDIT: Virtualization is security to me, depending on how it's implemented. Especially when it comes to ransomware, a lot of HIPS fail to stop it with behavior monitoring. However, tools like SBIE do not have that problem, because they simply virtualize access to the file system/registry and IPC.
     
    Last edited: Nov 4, 2014
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. Rasheed,

    Your definitions are a bit confusing.

    Behavioral monitoring, what do you mean? Hooking API and/or SSDT?

    Also, does the virtualization in the attached picture qualify as security?

     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I mean HIPS like SpyShelter, SSM and NG; they can block lots of stuff, but even NG, which monitors for file modification, cannot stop all damage done by ransomware. About the pic, I'm not sure what you mean by that; I think everyone agrees that the Chrome sandbox is quite secure. But this thread is more about how to develop a security tool (kernel mode vs user mode).
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @142395

    That is what I meant, yes.
     
  8. Chrome running virtualized (advantage of a 32-bit OS :p)

    This is also a nice read: https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-WP.pdf
     
    Last edited by a moderator: Nov 5, 2014
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    How is it done? And does it not work on 64-bit Windows?
     
  10. Use the RUNASINVOKER shim; Chrome will launch with the rights of the process which started it (explorer runs as Medium IL). It only works for 32-bit processes (also on a 64-bit OS). I was just kidding Rasheed because he said "Virtualization is security to me, depending on how it's implemented". It is a phrase you can apply to many things, f.i. "meat is just food to me, depending on how it is cooked" or "cars are just transport to me, depending on who manufactured them" :)

    See pic

     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Awesome, I appreciate the detail. I didn't realize you were kidding with Rasheed at first there. :)

    So I'm assuming that in that case, on 64-bit Windows, you would have to specifically use the 32-bit version of Chrome. Would there be any security-related benefit to this then? Would there be any performance degradation? Thanks again.
     
  12. 142395

    142395 Guest

    Nothing special, I mean HIPS which don't use hooks. In Windows currently only ReHIPS is available AFAIK.
    I feel it's somewhat similar to AppArmor in Debian (or SUSE) Linux, but to be honest AppArmor is more usable. It has a kind of 'learning mode' and it logs violations (you first have to install auditd).
    Another virtue of Linux is the idea of capabilities. With capabilities, you don't need to give admin rights to a process to perform a privileged task. It seems MS finally adopted capabilities for their mobile OS (maybe including Win8 Metro mode), but I think it's not available for other Windows, though the access token would somewhat compensate for this lack.

    Curt said a sandboxed process is run under an anonymous user logon and that it's an implementation of user separation. Of course the anonymous user is much more restricted, but even another LUA with the same privileges as your everyday user can be called user separation, as they can't access other users' data unless they get admin rights.
    The ReHIPS developer claims the desktop (in most cases, you can translate 'desktop' into 'user' in this context) is a security boundary, because if a process is allowed to put in a hook, then it can bypass other sandbox mechanisms UNLESS user separation is done.
    Chrome also uses this separation.

    As to ReHIPS' driver, I haven't asked the dev about it; all I know is that it is not for hooking. But I suppose it is for creating other users (called ReHIPS users; numbers are assigned to them and each process uses a different ReHIPS user) and transparently switching among them, not sure though.

    Well, maybe you're confusing virtualization with isolation, as they're presented as a set (or combo? sorry, I don't know the proper expression) in the SBIE implementation. Apart from what Windows_Security presented, Windows Vista+ has a virtualization. This is for compatibility, as there are many differences between Windows 5.x (XP) and 6.x (Vista+).
    If a program tries to write to a folder or registry key that no longer exists, such as 'Application Data', the OS will redirect it to e.g. %LOCALAPPDATA%\VirtualStore\.
    Of course it's not security, and I suppose this is the reason why he said it's confusing.

    Even when SBIE redirects all writing by a process to the Sandbox folder, without any other mechanism that process can easily bypass it by just putting in another hook. Do you know SBIE is actually performing many more tasks behind the scenes than what you can see? Converting a global hook is just one example, but if SBIE allowed it, it could be used to bypass the sandbox. And you know SBIE blocks driver installation, but it also blocks e.g. changing system parameters and communication with a window outside the sandbox, and it isolates protected storage. All of them, along with IL and user separation, are needed for safety, and without them the sandbox is no longer isolated and a malicious program can do damage even within the Sandbox folder.
    But to be honest I can't imagine virtualization without isolation in the SBIE implementation, apart from whether it is possible.
     
  13. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @142395, a nitpick: Linux "capabilities" are not secure at all. Most of them are functionally equivalent to root.

    You could implement RBAC with SELinux, and split root into a bunch of different roles, but that's a whole different kettle of fish.

    (Likewise GrSecurity, but that's not in mainline...)
     
  14. No performance degradation, no security benefits, because the process can still elevate. Only when using Chromium (unsigned) and setting UAC to deny elevation of unsigned binaries might it have arguable benefits.
     
  15. 142395

    142395 Guest

    Thanks for the input!
    I always appreciate such pointing out, or even criticism, as long as it's based on genuine knowledge or real experience.
    I'll look into capabilities more, as I still don't fully understand them, and also things might have changed since I removed Ubuntu 12.04 LTS from both dual-boot and VM.

    I have only used Ubuntu or its variants (andLinux and PortableUbuntu), so I don't know about SELinux, though I enjoyed a summary of the 'SELinux vs AppArmor' debate which persisted until Linus said 'You security guys are insane!'.
    Anyway, SELinux seems to be too complex, and while such splitting of root is more secure, it won't suit the average Windows user (I suppose many Ubuntu users have almost the same level of IT skills as Windows users), so those casual OSes will never implement such strong security.

    I also don't know much about GrSecurity except that it can be used to mitigate kernel exploitation... it also seems to be complex, but I'll look into whether it's understandable for me.
     
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hmmm... first example... if you burn a piece of meat, finally it stops being a meal :)
    I can understand Rasheed and I give you an example for consideration... one thing and one situation only: you have lunch to eat and a new colourful magazine, so what your choice will be depends on what you need:
    you can just read this magazine or...
    you can roll the magazine and try to kill a disturbing mosquito or...
    use the magazine as the pad under the plate or...
    put the magazine under one leg of the table to keep its balance
    ;)
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes that's why I said: "depending on how it's implemented". On the other hand, if you compare SBIE with Shadow Defender, they are both able to protect file system and registry with virtualization, the difference is that SD does not watch for other malicious behavior like code-injection and installation of drivers.

    So after reboot your system is probably clean, unless you ran a rootkit, that modified the kernel. Keep in mind, you can also poke holes in SBIE when you choose to allow certain things, making protection and isolation weaker, but virtualization might still save you from a ransomware attack, at least, if it does not try to break out of the sandbox.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, I'm a bit confused, because if I'm correct you cannot hook the kernel anymore on Windows 64-bit. So in fact none of the HIPS are doing this. However, you still have to interact with the kernel in a fast and secure way, so that's why kernel drivers are needed, I think. You cannot protect the system as a whole against advanced attacks when you're using only user-mode hooks, if I'm correct.
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Rasheed187: no with user mode hooks. Yes, at least theoretically, with built-in kernel functions. Depends on the definition of "advanced" though.

    But at this point I feel like this project idea is just not worth pursuing, at least in its original incarnation.

    a) ITW malware has gotten good enough to bypass a lot of HIPS
    b) Maintaining WinXP compatibility is not a viable path
    c) The strategy is still not really amenable to user-friendly security

    And on top of all that Windows 7 seems to hate me! Incredible how sluggish it is, I don't recall it being that way last time I used it...

    Edit: guess it wouldn't hurt to ask if anyone knows of Windows API functionality that would allow for trusted path execution?
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Gullible Jones

    HIPS will always be bypassable once you run malicious code, just like all other security tools. I've read about advanced malware attacks, and once you allow them to perform certain actions, it's almost game over for HIPS. But if you block certain stuff like code injection and installation of drivers, it's game over for most malware, no matter how advanced.
     
  21. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    "Malicious code" starts running immediately upon an exploit triggering; that's what shellcode is. We have discussed that rather extensively on Wilders, not sure if you were here at the time... Anyway, the issue is that there's no such thing as an EXE or DLL once you're in main memory.

    Depends (again) on how you define "advanced." If it escalates privilege within the first process compromised, nothing can stop it. On a fully patched system this is difficult; on a system with known vulnerabilities, it's trivial.
     
  22. 142395

    142395 Guest

    Then you're almost saying "Virtualization with SBIE's security feature is a kind of security for me", it's just a tautology.
    There's a so-called virtualization w/out isolation, so I distinguish them.
     
  23. 142395

    142395 Guest

    Sorry, one apology: I somehow believed that ReHIPS doesn't use ANY hooks.
    But now I looked at the document, and it only says it doesn't use kernel hooks.
    So I don't know if ReHIPS uses user-mode hooks for protection.
    Well, however, as you said, a developer can still hook the kernel via a mini-filter, and this is still a big source of issues and conflicts.
    As to system-wide protection, as GJ already answered, you can achieve this via built-in OS security mechanisms.
    Windows itself meets C2-level security, though it's actually not so high compared to some other OSes.
     
  24. RE: userland hooks
    User-mode hooks are pretty useless when facing side-by-side attacks from another Medium IL process. XPEOFF had a PoC which made ThreatFire a blind and deaf behavioral blocker, because it unhooked/bypassed the many userland hooks of ThreatFire.

    When combined with low/untrusted processes it is a different story: http://www.malwaretech.com/2014/10/usermode-sandboxing.html
     
    Last edited by a moderator: Nov 9, 2014
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Is Chrome using this mechanism? If I check Process Explorer, all instances of Chrome (broker and Low IL process) are run under my username.
    I would like to restrict Chrome from accessing my personal data using only Windows built-in options. Other programs should have access to that data.
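    The "user separation" 142395 describes above, applied to Minimalist's question, as an added example that is not part of any post in this thread: Chrome is started under a dedicated standard account with nothing but built-in Windows pieces (Secondary Logon, profile ACLs), and the boundary is probed before it is relied on. It assumes Windows 10 or later (for the LocalAccounts cmdlets), an elevated session, Chrome at its default 32-bit path, and a hypothetical account name 'ChromeUser'.

```powershell
# Added example (not from the thread). Assumptions: Windows 10+ with the
# Microsoft.PowerShell.LocalAccounts module, an elevated session, Chrome at its
# default 32-bit path, the Secondary Logon service running, and a hypothetical
# standard account named 'ChromeUser'.
$ErrorActionPreference = 'Stop'
$ChromeExe   = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
$SandboxUser = 'ChromeUser'
$Private     = Join-Path $env:USERPROFILE 'Documents'   # data Chrome must not reach

# 1. User separation: a second limited (LUA) account. The real user's profile ACL
#    grants access only to the owner, SYSTEM and Administrators, so the new account
#    is kept out by plain DACL checks; no hook, driver or integrity label involved.
$cred = Get-Credential -UserName "$env:COMPUTERNAME\$SandboxUser" -Message 'Sandbox account'
if (-not (Get-LocalUser -Name $SandboxUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $SandboxUser -Password $cred.Password -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $SandboxUser   # standard user, never admin
}

# 2. Verify the boundary before trusting it: list the folder as the sandbox
#    account and report via exit code (that account cannot write a result file
#    into our profile, so the exit code is the only channel that always works).
function Test-SandboxCanRead([pscredential]$Cred, [string]$Path) {
    $probe = "try { Get-ChildItem -LiteralPath '$Path' -Force -ErrorAction Stop | Out-Null; exit 0 } catch { exit 5 }"
    $p = Start-Process powershell -Credential $Cred -WorkingDirectory $env:PUBLIC `
         -ArgumentList '-NoProfile', '-NonInteractive', '-Command', $probe -Wait -PassThru
    return ($p.ExitCode -eq 0)
}
if (Test-SandboxCanRead $cred $Private) {
    throw "'$SandboxUser' can list $Private; fix that folder's ACL before relying on this."
}
Write-Host "'$SandboxUser' is denied access to $Private (user separation holds)."

# 3. Launch Chrome under that account via Secondary Logon. -WorkingDirectory must be
#    a folder the new user can reach, otherwise CreateProcessWithLogon fails.
Start-Process $ChromeExe -Credential $cred -LoadUserProfile -WorkingDirectory $env:PUBLIC
Start-Sleep -Seconds 5

# 4. The same check Process Explorer gives: every chrome.exe should now be owned by
#    the sandbox account rather than the interactive user.
$owners = Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" |
          ForEach-Object { (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User } |
          Sort-Object -Unique
"chrome.exe runs as: $($owners -join ', ')"
```

    This separates the account and its data only; both users still share one interactive desktop, which is exactly the window-message and hook exposure 142395 raises when calling the desktop, not the integrity level, the real boundary.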
     