Wednesday, March 23, 2011

Windows Integrity Levels explained

This post from the Internet Storm Center explains the concept of Integrity Levels, a tool available on Windows Vista, 7 and 2008.

Integrity levels can restrict one process from interacting with another process even if both processes are running under the same user account and even if the user has administrative privileges. 

Basically, a process running at a lower integrity level is limited in how it can interact with processes that run at a higher integrity level, regardless of access rights. This can be really helpful in mitigating a possible exploitation.

This is why it's advantageous to run the processes that are likely to be targeted by exploits under the Low integrity level. For instance, if a browser running under the Low integrity level gets exploited, the attacker's payload will have a hard time injecting itself into the majority of other processes or modifying critical files.

It seems to be a key tool used to create the sandboxes in Internet Explorer, Chrome and the new Adobe Acrobat.

The article links to a blog post by Didier Stevens called Integrity Levels and DLL Injection. It describes how this feature blocks a DLL injection attempt from a Low Integrity process into another process with Medium Integrity.
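To make the rule concrete, here is an added example (not code from the ISC article or from Didier Stevens' post): a simplified Python model of the default "no write-up" integrity check, showing why a Low process is refused write access to a Medium one even when both run as the same user. The function names and the sample scenario are constructed for illustration; the SID values are the well-known mandatory label SIDs (S-1-16-<RID>).

```python
# Added example: simplified model of the Windows mandatory integrity check.
# Function names and the sample scenario are constructed for illustration.
import re

# Well-known integrity RIDs carried in mandatory label SIDs (S-1-16-<RID>).
LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
          0x3000: "High", 0x4000: "System"}
_LABEL_SID = re.compile(r"^S-1-16-(\d+)$")


def integrity_rid(sid):
    """Return the integrity RID encoded in a mandatory label SID string."""
    m = _LABEL_SID.match(sid.strip())
    if not m:
        raise ValueError(f"not a mandatory label SID: {sid!r}")
    return int(m.group(1))


def level_name(sid):
    """Map a label SID to the named level at or below its RID."""
    rid = integrity_rid(sid)
    return LEVELS[max(k for k in LEVELS if k <= rid)]


def write_allowed(subject_sid, object_sid=None, dacl_allows=True):
    """Model the default no-write-up policy.

    The integrity comparison applies in addition to the DACL result, so a
    lower-integrity subject is refused write access to a higher-integrity
    object even when the DACL grants it. An unlabeled object is treated
    as Medium.
    """
    obj_rid = 0x2000 if object_sid is None else integrity_rid(object_sid)
    if integrity_rid(subject_sid) < obj_rid:
        return False  # write-up denied regardless of access rights
    return dacl_allows


if __name__ == "__main__":
    # Constructed scenario: both processes run as the same user (DACL allows).
    low_browser, medium_app = "S-1-16-4096", "S-1-16-8192"
    for src, dst in [(low_browser, medium_app), (medium_app, low_browser),
                     (low_browser, None)]:
        target = level_name(dst) if dst else "unlabeled (Medium)"
        verdict = "allowed" if write_allowed(src, dst) else "denied"
        print(f"{level_name(src)} -> {target}: write {verdict}")
```

On a live system, `whoami /groups` lists the current token's Mandatory Label entry, whose SID can be passed to `level_name`.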
