Low Integrity Code Generation
Full Title or Meme
The effort to create fully functional Web Apps has led to changes in the browser sandbox that expose functionality, like the File API, which can easily be exploited to build high-integrity applications out of low-integrity code files.
Author: Tom Jones (This is a personal opinion that should not be attributed to any of my employers.)
Last Update: 2023-03-03
Context
The W3C WICG (Web Incubator Community Group), from its charter[1]:
- The Web Incubator Community Group (WICG) provides a lightweight venue for proposing and discussing new web platform features.
- W3C Community Contributor License Agreement (CLA) mostly deals with IP.
- The Community Group will accept and discuss any proposal for a web platform feature that would be implemented in a browser or similar user agent. Any suggestions, pull requests, issues, or comments made about a proposal fall under the CLA.
- The group will conduct all of its technical work on its GitHub repositories (and not in mailing list discussions). This is to ensure contributions can be tracked and to ensure that engagement will scale to a large number of proposals.
- WICG - File System Access API
- https://github.com/whatwg/fs/
- https://github.com/WICG/file-system-access
- File System - Living Standard
This document defines fundamental infrastructure for file system APIs. In addition, it defines an API that makes it possible for websites to get access to a file system directory without having to first prompt the user for access. This enables use cases where a website wants to save data to disk before a user has picked a location to save to, without forcing the website to use a completely different storage mechanism with a different API for such files. The entry point for this is the navigator.storage.getDirectory() method.
Mandatory Integrity Control (MIC)
n.b. This is about the integrity level assigned to a file or other user object and not whether the file has been altered.
I was the initiating program manager for the project that shipped in Windows Vista as User Access Control (UAC). It consisted of both Mandatory Access Control (MAC) and Mandatory Integrity Control (MIC). MIC provides a mechanism for controlling access to securable objects. This mechanism is in addition to discretionary access control and evaluates access before access checks against an object's discretionary access control list (DACL) are evaluated.
MIC uses integrity levels and mandatory policy to evaluate access. Security principals and securable objects are assigned integrity levels that determine their levels of protection or access. For example, a principal with a low integrity level cannot write to an object with a medium integrity level, even if that object's DACL allows write access to the principal.
Windows defines four integrity levels: low, medium, high, and system. Standard users receive medium, elevated users receive high. Processes you start and objects you create receive your integrity level (medium or high) or low if the executable file's level is low; system services receive system integrity. Objects that lack an integrity label are treated as medium by the operating system; this prevents low-integrity code from modifying unlabeled objects. Additionally, Windows ensures that processes running with a low integrity level cannot obtain access to a process which is associated with an app container.[2]
Every token is tied to a logon session. Any time a user logs in, a new token is generated and then applied to any process that user spawns during that logon lifecycle. When a local administrator logs in, two separate logon sessions are created: one for the unelevated token (medium integrity level) and one for the elevated token (high integrity level). These logon sessions are bound to one another and are referred to as a "split token".[3]
Low Integrity is similar to "Mark of the Web" as it is only applied to files of unknown origin, mostly from the web.[4] The "Mark of the Web" is added as an alternate data stream in NTFS. That means that the Mark of the Web is lost if the file is copied outside of NTFS.
The history of MIC is from the Biba Model, a formal state transition system of data security policies designed to express a set of access control rules in order to ensure data integrity. Data and subjects are ordered by their levels of integrity into groups or arrangements. Biba is designed so that a subject cannot corrupt data in a level ranked higher than the subject's and to restrict corruption of data at a lower level than the subject's. The Biba model was created to thwart a weakness in the Bell-LaPadula Model. The Bell-LaPadula model only addresses data confidentiality (Mandatory Access Control) and not integrity control.
| Windows SID | Level Name | Description |
|---|---|---|
| S-1-16-0 | Untrusted | Anonymous process; write access is mostly blocked (Chromium renderer) |
| S-1-16-4096 | Low | App Containers; browsers prevent most write access |
| S-1-16-8192 | Medium | Authenticated user (Normal in UAC) |
| S-1-16-8448 | Medium Plus | Special purpose |
| S-1-16-12288 | High | Administrator process (Elevated in UAC) |
| S-1-16-16384 | System | |
| S-1-16-20480 | Protected Process | Can only be set by a kernel-mode caller |
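The following PowerShell is an added example, not code from the original page: it reads the mandatory label SID from the current process token and maps its RID to the level names in the table above, then inspects the Zone.Identifier alternate data stream that carries the Mark of the Web described earlier. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and NTFS; the file path at the end is a placeholder.

```powershell
# Added example (not part of the original page). Assumes PowerShell on Windows/NTFS.

# RID -> level name, as in the MIC table on this page
$levelNames = @{
    0     = 'Untrusted'
    4096  = 'Low'
    8192  = 'Medium'
    8448  = 'Medium Plus'
    12288 = 'High'
    16384 = 'System'
    20480 = 'Protected Process'
}

function Get-TokenIntegrityLevel {
    # The mandatory label SID (S-1-16-<RID>) is carried in the token's group list.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $labelSid = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $labelSid) { return 'Unknown (no S-1-16 label found in token groups)' }
    $rid = [int]($labelSid.Value -split '-')[-1]
    if ($levelNames.ContainsKey($rid)) { return "$($labelSid.Value) = $($levelNames[$rid])" }
    return "$($labelSid.Value) = custom integrity level"
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is the NTFS alternate data stream that holds the Mark of the Web.
    # It is absent on locally created files and is lost when the file leaves NTFS.
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return "$Path has no Mark of the Web" }
    $content = Get-Content -Path $Path -Stream 'Zone.Identifier' -Raw
    # ZoneId=3 is the Internet zone; the stream may also record the download URL.
    $zone = if ($content -match 'ZoneId=(\d)') { $Matches[1] } else { '?' }
    return "$Path ZoneId=$zone`n$content"
}

Get-TokenIntegrityLevel
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\example-download.txt"   # placeholder path
```

Run the script once from a normal console and once from an elevated one to see the medium and high labels of the split token side by side.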
Problems
Microsoft Internet Explorer could run with low integrity in protected mode starting with Windows Vista.
Microsoft Edge is based upon Chromium. Eric Lawrence, MSFT, 2022-06-15: Chromium (and thus Edge) uses a multi-process model where each process has a particular job (processing HTML/JavaScript, drawing on the screen, the top-level browser, etc). This improves both security and reliability. Beyond simply running code in different processes, security is improved by sandboxing each process as much as we can; this will discard capabilities that a process should not need for its job, and help ensure that if an attacker were able to build an exploit against the sandboxed code, that exploit would be stuck inside a sandbox/jail it cannot escape. Setting restricted Windows Integrity Levels is only one mechanism the sandboxing code uses to protect the system; various other lock-downs are applied as well. You can learn more about the design of the Chromium sandboxes here: https://chromium.googlesource.com/chromium/src/+/lkgr/docs/design/sandbox.md
Any Web App that deals with low-integrity data should not be allowed to impact high-integrity functionality. The example used here is VSCode, a Microsoft code generation application, but any Web App that transitions low-integrity input to high-integrity output would have the same issues.
VS Code
"Migrating VS Code to Process Sandboxing" describes the process of moving an (initially) 12 MB code generation platform to the use of ONLY low-integrity source code.
The VS Code "workbench" window is the main window users interact with to edit files, search, or debug.
Process:
- Open https://vscode.dev/
- Create or select a folder and grant permission (subtle: the permission dialog is not clear about what happens here; it is clear that the grant survives until all tabs are closed.)
Solution
- High security browsers should not enable the File API which will disable apps like VSCode.
- Stop trying to make Web Apps into high-integrity solutions providers.
References
- [1] W3C Web Incubator Community Group Charter (2023-02-22) https://wicg.github.io/admin/charter.html
- [2] Microsoft Windows, Mandatory Integrity Control https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
- [3] Jonathan Johnson, Better know a data source: Process integrity levels https://jsecurity101.medium.com/better-know-a-data-source-process-integrity-levels-8338f3b74990
- [4] Outflank, Mark-of-the-Web from a red team's perspective (2020-03-30) https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/