Low Integrity Code Generation

From MgmtWiki
Revision as of 14:05, 9 March 2023

Full Title or Meme

The effort to create fully functional Web Apps has led to changes in the browser sandbox that admit functionality, such as the File System Access API, which can easily be exploited to build high-integrity applications out of low-integrity code files.

Author: Tom Jones (This is a personal opinion that should not be attributed to any of my employers.)

Last Update: 2023-03-03

Context

The W3C WICG (web incubation community Group) - from the charter[1]

  • The Web Incubator Community Group (WICG) provides a lightweight venue for proposing and discussing new web platform features.
  • W3C Community Contributor License Agreement (CLA) mostly deals with IP.
  • The Community Group will accept and discuss any proposal for a web platform feature that would be implemented in a browser or similar user agent. Any suggestions, pull requests, issues, or comments made about a proposal fall under the CLA.
  • The group will conduct all of its technical work on its GitHub repositories (and not in mailing list discussions). This is to ensure contributions can be tracked and to ensure that engagement will scale to a large number of proposals.
  • WICG - File System Access API
    • https://github.com/whatwg/fs/
    • https://github.com/WICG/file-system-access
    • File System - living standard
      This document defines fundamental infrastructure for file system APIs. In addition, it defines an API that makes it possible for websites to get access to a file system directory without having to first prompt the user for access. This enables use cases where a website wants to save data to disk before a user has picked a location to save to, without forcing the website to use a completely different storage mechanism with a different API for such files. The entry point for this is the navigator.storage.getDirectory() method.

Mandatory Integrity Control (MIC)

I was the initiating program manager for the project that shipped in Windows Vista as User Account Control (UAC). It consisted of both Mandatory Access Control and Mandatory Integrity Control (MIC). MIC provides a mechanism for controlling access to securable objects in addition to discretionary access control, and it is evaluated before the access checks against an object's discretionary access control list (DACL).

MIC uses integrity levels and mandatory policy to evaluate access. Security principals and securable objects are assigned integrity levels that determine their levels of protection or access. For example, a principal with a low integrity level cannot write to an object with a medium integrity level, even if that object's DACL allows write access to the principal.

Windows defines four integrity levels: low, medium, high, and system. Standard users receive medium, elevated users receive high. Processes you start and objects you create receive your integrity level (medium or high) or low if the executable file's level is low; system services receive system integrity. Objects that lack an integrity label are treated as medium by the operating system; this prevents low-integrity code from modifying unlabeled objects. Additionally, Windows ensures that processes running with a low integrity level cannot obtain access to a process which is associated with an app container.[2]
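As an added illustration (not code from this page or from Microsoft), the following Python model reproduces the evaluation order described above: the integrity label is checked first, with the object's mandatory policy (NO_WRITE_UP by default) deciding which rights a lower-integrity subject loses, and only then is the DACL consulted. Unlabeled objects default to medium. The principal names, rights masks and sample objects are constructed for the example; the integrity values are the RIDs of the real mandatory label SIDs.

```python
"""Toy model of Windows Mandatory Integrity Control (MIC).

Added example, not Microsoft's code: it reproduces the documented ordering
(integrity label first, DACL second) so the effect of each rule can be seen.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Integrity(IntEnum):
    # Values are the RIDs of the mandatory label SIDs (S-1-16-<RID>).
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


# Access rights requested by a caller (simplified generic rights).
READ, WRITE, EXECUTE = 1, 2, 4

# Mandatory policy bits carried by an object's label ACE.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 1, 2, 4


@dataclass
class SecurableObject:
    name: str
    dacl: Dict[str, int]                 # principal name -> rights granted by the DACL
    label: Optional[Integrity] = None    # None models an object that has no label
    policy: int = NO_WRITE_UP            # Windows' default mandatory policy


def effective_label(obj: SecurableObject) -> Integrity:
    """Unlabeled objects are treated as medium integrity."""
    return obj.label if obj.label is not None else Integrity.MEDIUM


def mandatory_check(subject_level: Integrity, obj: SecurableObject, requested: int) -> bool:
    """Label check: a subject at or above the object's label always passes;
    a lower subject is blocked only for the rights the object's policy forbids."""
    if subject_level >= effective_label(obj):
        return True
    if requested & WRITE and obj.policy & NO_WRITE_UP:
        return False
    if requested & READ and obj.policy & NO_READ_UP:
        return False
    if requested & EXECUTE and obj.policy & NO_EXECUTE_UP:
        return False
    return True


def access_check(principal: str, subject_level: Integrity,
                 obj: SecurableObject, requested: int) -> Tuple[bool, str]:
    """Evaluate the mandatory label before the DACL, as Windows does."""
    if not mandatory_check(subject_level, obj, requested):
        return False, "denied by integrity label: %s < %s" % (
            subject_level.name, effective_label(obj).name)
    granted = obj.dacl.get(principal, 0)
    if requested & ~granted:
        return False, "denied by DACL"
    return True, "granted"


if __name__ == "__main__":
    # Constructed sample: the DACL grants alice everything, so only the label decides.
    doc = SecurableObject("notes.txt", dacl={"alice": READ | WRITE | EXECUTE},
                          label=Integrity.MEDIUM)
    unlabeled = SecurableObject("unlabeled.txt", dacl={"alice": READ | WRITE})
    for level in (Integrity.LOW, Integrity.MEDIUM, Integrity.HIGH):
        print(level.name, "write notes.txt:", access_check("alice", level, doc, WRITE))
    # Unlabeled objects behave as medium: low can read (policy is NO_WRITE_UP only)
    # but cannot write, even though the DACL allows it.
    print("LOW read unlabeled:", access_check("alice", Integrity.LOW, unlabeled, READ))
    print("LOW write unlabeled:", access_check("alice", Integrity.LOW, unlabeled, WRITE))
```

The point to notice is the second branch of the model: the DACL is never consulted when the label denies, which is why a low-integrity process cannot write to a medium object the DACL would otherwise let it modify.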

Low integrity is closely tied to the "Mark-of-the-Web" (MotW): Windows attaches a Zone.Identifier alternate data stream to files of unknown origin, mostly downloaded from the web, and marked files are treated as untrusted input, for example by being opened in a low-integrity process such as Internet Explorer's Protected Mode.[3]
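To make the mark concrete, here is an added Python example (not from this page or from the cited Outflank article) that parses the Zone.Identifier stream. The stream is a small INI document; ZoneId 3 (Internet) and 4 (Restricted sites) are the values that mark a file as coming from the web. The sample stream is constructed; the `:Zone.Identifier` path suffix used by `read_motw` is the real NTFS syntax for the alternate data stream, and that function only does anything on Windows.

```python
"""Reading the Mark-of-the-Web: the Zone.Identifier alternate data stream.

Added example, not from the page or the cited article.
"""
import configparser
import sys
from typing import Optional

# URL security zone ids as used in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream_text: str) -> Optional[dict]:
    """Parse the [ZoneTransfer] section; return None if this is not a MotW stream."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str   # keep the documented key casing (ZoneId, HostUrl)
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return None
    if "ZoneTransfer" not in parser:
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def is_marked_from_web(stream_text: str) -> bool:
    """True when the file should be treated as web-origin (Internet or Restricted)."""
    info = parse_zone_identifier(stream_text)
    return info is not None and info["zone_id"] in (3, 4)


def read_motw(path: str) -> Optional[dict]:
    """On NTFS the stream is addressed as '<file>:Zone.Identifier'.
    Returns None when the file carries no mark, or on non-Windows hosts."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed sample stream, in the shape Windows writes for a browser download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/downloads/
HostUrl=https://cdn.example.com/tool.zip
"""

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print("from the web:", is_marked_from_web(SAMPLE_STREAM))
    print("mark on this script:", read_motw(__file__))
```

A file with no Zone.Identifier stream, or with ZoneId 0 to 2, is not treated as web-origin; that is the distinction the rest of this page relies on when it talks about low-integrity input.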

Problems

Any Web App that deals with low-integrity data should not be allowed to affect high-integrity functionality. The example used here is VS Code, Microsoft's code editor, but any Web App that turns low-integrity input into high-integrity output has the same problem.

VS Code

Migrating VS Code to Process Sandboxing describes the process of moving an (initially) 12 MB code generation platform to using only low-integrity source code.

Solution

Stop trying to make Web Apps into high-integrity solutions providers.

References

  1. W3C Web Incubator Community Group Charter (2023-02-22) https://wicg.github.io/admin/charter.html
  2. Microsoft Windows, Mandatory Integrity Control https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
  3. Outflank, Mark-of-the-Web from a red team’s perspective (2020-03-30) https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/