Modeling the trust boundaries created by securable objects Matt Miller USENIX W00T 08 July 28th, 2008 Problem statement Trust boundaries must be understood Required for accurate characterization of threats Required for auditing code exposed to untrusted data Provides insight to both attackers and defenders Techniques exist to model trust boundaries from a design perspective Threat modeling Techniques are needed to identify and analyze trust boundaries from an implementation perspective
Securable objects are the focus of this presentation Agenda A brief explanation of trust boundaries and securable objects Automatically capturing access rights granted to securable objects Analyzing captured data to derive permitted data flows, trust boundaries, threats, and potential elevation paths What are trust boundaries? Domains of trust are separated by trust boundaries Trust Bound ary Exposes Exposes
Exploi tation Vulner ability Enables Securable objects Used by Windows as an abstraction for various types of resources Files, registry keys, sections, events, processes, threads, etc Objects can be assigned a security descriptor to control access Security identifiers (SIDs) can be granted/denied
specific access rights Securable objects as trust boundaries Access rights granted to SIDs define the domain of permitted data flows User C:\foo.dat Write file Administrator Read file User is granted access to write data Administrator is granted access to read data Thus, data can flow from User to Administrator through the file C:\foo.dat Capturing securable object access rights Two strategies are required to get a complete picture Persistent object rights can be captured using the Windows API Defined prior
to boot, non-volatile Files, registry keys, services Dynamic object rights can be captured using dynamic instrumentation Defined after boot, volatile and non-volatile Sections, events, processes, and all other object types Provides context info & can detect subtle race conditions Dynamic instrumentation Securable objects are managed by the object manager in the Windows kernel A device driver can use dynamic instrumentation to capture granted access rights and execution context Process context, security tokens, call stack, and so on Three key points must be instrumented
Object definition Object use Object security descriptor update Dynamic instrumentation points Object definitions All objects must be allocated by ObCreateObject Object uses Programs must acquire a handle to an object to use it Object types have specific routines (e.g. NtOpenProcess) ObRegisterCallbacks enables generic instrumentation (Vista SP1+) Object security descriptor updates
The SecurityProcedure of each object type is called when an objects security descriptor is dynamically updated Data produced as a result Object trace logs are generated for each object type Adapter (3.4K) ALPC Port (2.3M) Callback (5.2K) Controller (1.7K) Desktop (71K) Device (163K) Directory (582K)
TmTx (14K) Token (94M) TpWorkerFactory (104K) WindowStation (98K) WmiGuid (44K) Roughly 900MB of raw data to analyze from a default installation of Vista SP1 Making sense out of the data Object trace log data can be used to generate a bipartite data flow graph (DFG) G = (D, U, E) such that du E Each vertex is a tuple d, u = a,m,v a
is a SID or a group of SIDs (domain of trust) m is an object instance (medium) v is an object-type specific operation through which data is transferred (verb) Each edge du E is a data flow DFG generation: vertices Access rights translate into operations (verbs) that can be performed on an object Write to a file (FILE_WRITE_DATA) Send a request to an ALPC port (CONNECT) Write to process memory (PROCESS_VM_WRITE) A vertex is created for each SID that is granted rights required to use a verb on a given object SIDs that define an object are assumed to have full rights
DFG generation: edges Edges are created between vertices to illustrate permitted data flows Both vertices must use related verbs One vertex defining data, one vertex using data Both vertices must operate on the same object instance (medium) Example object verb relationships Definition Object Type Use Name Rights Required
Name Rights required Write request CONNECT Read request Implicit def Write reply Implicit def Read reply CONNECT Write data
WRITE_DATA Read data READ_DATA Write data WRITE_DATA Execute EXECUTE Key Set value SET_VALUE Query value
QUERY_VALUE Service Change config CHANGE_CONFIG Start service Implicit use Process Write memory VM_WRITE Execute code Implicit use
ALPC Port File Example data flow graph Definition Use User,C:\foo.exe,Write data User is granted WRITE_DATA to c:\ foo.exe Administrator,C:\foo.exe,Execute User,\LpcPort,Write request
User opens \LpcPort with CONNECT rights Network Service,\LpcPort,Read request User,PID 123,Write memory PID 123 grants User VM_WRITE rights Administrator opens C:\foo.exe with EXECUTE rights Network Service defines \LpcPort Network Service,PID 123,Execute code
Network Service created PID 123 DFG analysis: trust boundaries Trust boundary definition A medium that allows data to flow between domains of trust Identifying trust boundaries in a DFG The set of mediums used in data flows where definition and use actors are not equal These data flows compose a trust boundary data flow graph (TBDFG) Summary of a TBDFG for ALPC ports Each edge provides a count of the number of
data flows involving d and u Each vertex is a SID string (SY=System, WD=Everyone, etc) DFG analysis: threats Data flows can threaten domains of trust Denial of service Elevation of privilege due to a buffer overflow Defense horizon (attack surface) Data flows that are a threat to a domain of trust Attack horizon Data flows that are a threat from a domain of trust ALPC Port defense horizon for SYSTEM SID
Write request \WindowsErrorReportingServicePort Write request \LsaAuthenticationPort Write request \BaseNamedObjects\msctf.serverWinlogon1 DFG analysis: actualized flows Data flows permitted by a security descriptor are potential Broadly defines the domain of what a SID can do An administrator is granted EXECUTE rights to a file but may never actually execute it Data flows permitted by dynamically granted access rights are actualized
A subset of a SIDs potential data flows Captures a SIDs intent to participate in certain data flows An administrator opens a file with EXECUTE rights suggesting intent to execute it DFG analysis: risk metrics Threatening data flows can be analyzed to assign risk attributes to code Call stacks captured during dynamic instrumentation Code responsible for exposing a trust boundary may increase the risk to a program & domain of trust May benefit program analysis and manual audits by helping to define an analysis scope Call stack that defined
\RPC Control\plugplay ntoskrnl!AlpcpCreateConnectionPort+0xd0 ntoskrnl!NtAlpcCreatePort+0x29 ntoskrnl!KiSystemServiceCopyEnd+0x13 ntdll!ZwAlpcCreatePort+0xa rpcrt4!RpcServerUseProtseqEpW+0x35 umpnpmgr!ServiceMain+0x189 svchost!ServiceStarter+0x1ea advapi32!ScSvcctrlThreadA+0x25 kernel32!BaseThreadInitThunk+0xd ntdll!LdrpInitializeThread+0x9 Offensive applications Identify potential privilege elevation paths Quickly identify code that should be audited Includes privilege inversions (administrator using a user-defined object) Identify weak ACLs & race conditions
NULL DACLs Insecure use of WRITE_DAC Defensive applications Same as offensive applications Harden object ACLs Minimize defense horizon for TCB Defense in depth Support the verification of threat model conformance Reflexion models & other specifications Limitations & future work Limitations Dynamic
instrumentation limits visibility Driver currently only compatible with Vista/Srv08 x64 Model only describes how data can flow, not does flow Future work Pursue a larger case study to evaluate the effectiveness of this model Investigate automated techniques for other trust boundaries (networking, system calls, etc) Conclusion Trust boundaries must be identified to understand a programs risks Trust boundaries expose vulnerabilities Access rights granted to securable objects allow data to flow between domains of trust
Dynamic instrumentation & a data flow model can help to understand the trust boundaries, threats, and potential elevation paths Thanks for attending Questions?
Motorcoach Safety Action Plan. FMCSA has been active with implementing the Motorcoach Safety Action Plan since the plan was released in November 2009. The action plan took a fresh look at motorcoach safety issues and identified actions to address outstanding...
The force exerted can be calculated from the same equation: So, a greater force is exerted by the brakes than the driver exerted on the pedal. Pressure = Force exerted Area slave piston Force exerted = Pressure x Area slave...
Spineless Wonders: A Survey of the Invertebrates Phylum: Protista Amoebas, Foraminifera, Radiolaria, etc. Phylum Porifera (Sponges) Single layer of tissue (collared cells) Phylum Cnidaria / Coelenterata 2 layers of tissue: ectoderm, endoderm Phylum Cnidaria / Coelenterata hard corals Hydra sea...
The process guide is a resource for teachers on implementing the core instructional materials to students with disabilities. The guide contains strategies and tools that are research-based. In order for teachers to access the IEP modules, teachers need their 8...
West Campus Vision- Municipal Benefits Should deliver tangible benefits to the Town, such as increased tax revenue, provision of affordable housing for seniors, job creation, and passive recreation opportunities To the extent practical, the project should generate revenue to offset...
Mktg QualLds Needed. 364. Template Explanation: To communicate at an executive level the state of the launch. This is a high-level overview with critical milestones and call outs to risks that our leadership team should know about.
The Preamble:Words We Live By. Discussions & Activity with the Preamble and Article I of the Constitution. Importance of the Preamble. What is a Preamble? How many goals are in the Preamble? Define: Domestic tranquility. Posterity. General welfare. Do activity...
Ready to download the document? Go ahead and hit continue!