Translation and Dictionary
Mandatory Integrity Control : English Wikipedia edition
Mandatory Integrity Control
In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and carried forward in the subsequent desktop line of Windows operating systems. It adds ''Integrity Level'' (IL)-based isolation to running processes. The IL represents the level of trustworthiness of an object. The mechanism's goal is to use pre-existing integrity control policies and the ILs of the objects involved to selectively restrict access permissions in contexts that are considered potentially less trustworthy, compared with other contexts running under the same user account that are more trusted.
==Implementation==

Mandatory Integrity Control is implemented with a new access control entry (ACE) type, the mandatory label ACE, which records the object's IL in its security descriptor. In Windows, Access Control Lists (ACLs) are used to grant access rights (read, write, and execute permissions) and privileges to users or groups. An IL is assigned to a subject's access token when the token is created. When the subject tries to access an object (for example, a file), the Security Reference Monitor compares the integrity level in the subject's access token against the integrity level in the object's security descriptor, in addition to the usual discretionary check. Windows restricts the allowed access rights depending on whether the subject's IL is higher or lower than the object's, and on the integrity policy flags carried in the label ACE (no-write-up, no-read-up and no-execute-up). The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access control, under the owner's control, that ACLs provide.
Windows Vista defines four commonly used integrity levels: ''Low'' (''SID:'' S-1-16-4096), ''Medium'' (''SID:'' S-1-16-8192), ''High'' (''SID:'' S-1-16-12288), and ''System'' (''SID:'' S-1-16-16384); the mandatory-label authority is 16 and the level is encoded in the RID, so levels compare numerically. An ''Untrusted'' level (S-1-16-0), below ''Low'', also exists for the most restricted sandboxed contexts. By default, processes started by a regular user (including the non-elevated processes of an administrator under User Account Control) run at ''Medium'' IL, elevated processes run at ''High'' IL, and system services run at ''System'' IL (ref: ''Mandatory Integrity Control in Windows Vista''). By introducing integrity levels, MIC allows classes of applications to be isolated, enabling scenarios such as sandboxing potentially vulnerable, Internet-facing applications (Internet Explorer's Protected Mode, for example, runs the browser at ''Low'' IL). Processes with ''Low'' IL are called low-integrity processes; wherever Windows enforces access control, they have less access than processes with higher ILs.
Securable objects, that is, named objects with a security descriptor, including files, registry keys and even other processes and threads, carry a mandatory label entry in their System Access Control List (SACL) that governs access to them by defining the minimum integrity level a process needs in order to use the object in a given way. Windows ensures that a process can ''write to'' or ''delete'' an object only when its integrity level is equal to or higher than the integrity level specified by the object's label; this no-write-up rule is the default policy, and an object with no explicit label is treated as ''Medium''. Additionally, process objects with a higher IL are out of bounds even for ''read'' access, because their label also carries the no-read-up policy (ref: ''PsExec, User Account Control and Security Boundaries'').
Consequently, a process cannot interact with another process that has a higher IL. A process therefore cannot, for example, inject a DLL into a higher-IL process using the CreateRemoteThread() API function (ref: ''CreateRemoteThread Function (Windows)'') or send data to such a process using the WriteProcessMemory() function (ref: ''WriteProcessMemory Function''), because the handle it would need cannot be opened. Note, however, that Microsoft does not treat the separation between ''Medium'' and ''High'' IL processes of the same user as a security boundary: as the cited PsExec article explains, UAC elevation is a convenience for running with fewer privileges by default, not a boundary that a hardening design should rely on.
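The access check described in this section, as an added illustration that is not code from Windows or from the Wikipedia article: a small Python model that pulls the mandatory label ACE out of an SDDL security-descriptor string and applies the no-write-up / no-read-up / no-execute-up rule to a subject's integrity SID. The SDDL codes it understands (the ML ACE type, the NW/NR/NX rights, the LW/ME/HI/SI level aliases) and the flag values are Windows' own; the sample descriptors and the scenario names are constructed for the demonstration. It also covers the unlabeled-object case and the Untrusted level, which the text only mentions in passing.

```python
"""Offline model of the Mandatory Integrity Control (MIC) access check.

Added illustration, not Windows source: it reproduces the rule described above
(compare the subject's IL with the object's mandatory-label ACE and honour the
label's policy flags) so the rule can be exercised without a Windows machine.
Integrity levels are S-1-16-<RID> SIDs; the label ACE lives in the object's
SACL and in SDDL form reads, for example, "S:(ML;;NW;;;LW)".
"""
import re

# Integrity-level SIDs. Authority 16 is the mandatory-label authority and the
# RID encodes the level, so levels compare by RID. Untrusted (RID 0) is the
# level below Low used by the most restricted sandboxes.
INTEGRITY_SIDS = {
    "Untrusted": "S-1-16-0",
    "Low": "S-1-16-4096",
    "Medium": "S-1-16-8192",
    "High": "S-1-16-12288",
    "System": "S-1-16-16384",
}

# Two-letter SDDL aliases that appear in place of the SID inside an ML ACE.
SDDL_SID_ALIASES = {"LW": "S-1-16-4096", "ME": "S-1-16-8192",
                    "HI": "S-1-16-12288", "SI": "S-1-16-16384"}

# Mandatory-label policy flags (SYSTEM_MANDATORY_LABEL_NO_*_UP) and the SDDL
# spelling of each. They state what a *lower*-IL subject is denied.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
SDDL_POLICY = {"NW": NO_WRITE_UP, "NR": NO_READ_UP, "NX": NO_EXECUTE_UP}
ACCESS_FLAG = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}


def integrity_rid(sid):
    """Return the RID of an S-1-16-<rid> SID; reject anything that is not one."""
    m = re.fullmatch(r"S-1-16-(\d+)", sid)
    if not m:
        raise ValueError(f"not a mandatory-label SID: {sid}")
    return int(m.group(1))


def parse_label_ace(sddl):
    """Extract (label_sid, policy_mask) from the ML ACE in an SDDL string.

    SDDL ACE fields are (type;flags;rights;object_guid;inherit_guid;sid).
    Returns None when the descriptor carries no label at all.
    """
    m = re.search(r"\(ML;[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)", sddl)
    if not m:
        return None
    rights, sid = m.group(1), m.group(2)
    policy = 0
    for i in range(0, len(rights), 2):  # rights are concatenated 2-letter codes
        policy |= SDDL_POLICY[rights[i:i + 2]]
    return SDDL_SID_ALIASES.get(sid, sid), policy


def mic_check(subject_sid, label, requested):
    """Return True if the mandatory label permits `requested` access.

    `requested` is "read", "write" or "execute"; `label` is the (sid, policy)
    pair from parse_label_ace, or None for an unlabeled object, which Windows
    treats as Medium with the default No-Write-Up policy. This is only the
    integrity check: the DACL is evaluated separately and can still deny.
    """
    if label is None:
        label = (INTEGRITY_SIDS["Medium"], NO_WRITE_UP)
    obj_sid, policy = label
    if integrity_rid(subject_sid) >= integrity_rid(obj_sid):
        return True  # equal or higher IL: the label never blocks
    return not (policy & ACCESS_FLAG[requested])


if __name__ == "__main__":
    # Constructed descriptors for the demo (not captured from a real system).
    low_file = "O:BAG:BAD:(A;;FA;;;BA)S:(ML;;NW;;;LW)"   # a sandbox's writable directory
    elevated_process = "S:(ML;;NRNW;;;HI)"               # High-IL process object
    unlabeled_file = "O:BAG:BAD:(A;;FA;;;BA)"             # no ML ACE: defaults to Medium
    cases = [
        ("Low proc writes unlabeled file", INTEGRITY_SIDS["Low"], parse_label_ace(unlabeled_file), "write"),
        ("Low proc reads unlabeled file", INTEGRITY_SIDS["Low"], parse_label_ace(unlabeled_file), "read"),
        ("Medium proc writes Low file", INTEGRITY_SIDS["Medium"], parse_label_ace(low_file), "write"),
        ("Medium proc reads High process", INTEGRITY_SIDS["Medium"], parse_label_ace(elevated_process), "read"),
        ("High proc writes High process", INTEGRITY_SIDS["High"], parse_label_ace(elevated_process), "write"),
    ]
    for name, subj, label, access in cases:
        print(f"{name:34s} -> {'ALLOW' if mic_check(subj, label, access) else 'DENY'}")
```

On a real machine the same labels can be observed directly: `whoami /groups` lists the token's integrity level under "Mandatory Label" with its S-1-16 SID, and `icacls <path> /setintegritylevel Low` writes a Low label onto a file so that a Medium process can still write it while a Low process cannot write anything labeled Medium or higher.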

Excerpt source: the free encyclopedia Wikipedia
Read the full article "Mandatory Integrity Control" on Wikipedia




Copyright(C) kotoba.ne.jp 1997-2016. All Rights Reserved.