Making it Clear Just Why Protected Processes are a Bad Idea

The Disparity Bit


Quicksearch

Google the Site

Syndicate This Blog

CC License

Creative Commons License - Some Rights Reserved
Original content in this work is licensed under a Creative Commons License

supersized.org

Owner login

supersized s9y blog hosting
Free s9y blog!

Disclaimer

Sunday, April 8. 2007

Making it Clear Just Why Protected Processes are a Bad Idea


Alex Ionescu has released (working binary, no code, to prevent it being used by malware authors) a program that circumvents the Vista Protected Processes by letting the user mark any process as protected or unprotected.

I'm not a Windows internals expert by any stretch of the imagination, and I don't even have the code in question. But while Alex gets the title of his post right - Why Protected Processes are a Bad Idea - he doesn't explicitly answer that question. A naive reading of his post would simply tell you that Protected Processes are a bad idea because the implementation's broken. So I wanted to add this commentary:

If you can't implement the desired separation of privileges with the permissions system you've already got, much more important things are broken than DRM.


What Protected Processes (PP for short) do is simple: noone, not even the user running them or the admin, has permissions to do certain things to them. Such as read their memory, inject threads, and debug them. That's right, legitimate AV programs are supposed to skip PPs. Because PPs have to be signed by Microsoft, so they're, like, infallible. No way a program signed by Microsoft could have an arbitrary-code-execution vulnerability in it.

Here's what one Microsoft technical document on PPs says (evil .doc file downloadable here - can be opened by free readers):




Best Practices
Historically, a privileged service (running as administrator or local system) has been able to obtain all access to a process or thread, regardless of its DACL, by using SeDebugPrivilege.
Starting with Windows Vista, the privileges that are marked with "No" in the tables earlier in this paper cannot be obtained for a protected process or thread. This can be a problem if memory scanning is critical to the operation of the application.

Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment.





That's right, it can be something of a problem if your application likes to read the memory of other processes. Like an antivirus. Or a debugger or another development tool. Or some other legitimate and established applications I can think of. But do not attempt to circumvent this restriction! Everyone's relying on you not to!

Excuse me if this sounds a little like sarcastic ranting. I don't make a habit of reading technical documents so forthrightly stupid.

A little exercise for the reader: why PPs? Why wouldn't the ordinary Windows permissions system work? Add a builtin user for running apps that receive Most-favoured-DRM status. Only let programs signed by Microsoft run as this user. Enforce this by the same means PPs are enforced. You get the same result, but without having to invent new classes of processes and permissions even the local admin cannot have with respect to them.

Of course, then Microsoft would have to admit that the user called 'Local Administrator' is not, in fact, local admin, or root or what have you. Not if there were ordinary permissions he didn't have. Maybe that's why they feel a need to build these orthogonal interfaces for DRM and disfigure the rest of the system in the process.

How depressing that many people are still forced to pay for this.

Posted by Dan Armak in DRM, Microsoft, Oppression, Security at 14:48 | Comments (4) | Trackback (1)
Defined tags for this entry: , , , , , ,
Related entries by tags:
How are Microsoft backdoors news?
Microsoft is Dead. Braaains! They'll buy out all your competing braaains!
The dangerous myth that customers don't want DRM
QT4 QSettings fail silently if ~/.config can't be created
The threat of OO.o OpenXML support, take two

Trackbacks
Trackback specific URI for this entry


Weblog: Anonymous
Tracked: Nov 05, 04:55

Comments
Display comments as (Linear | Threaded)


I assume the reason why MS didn't attempt to implement this as a standard, but specially privileged, built-in user, is that there already exists a large body of documentation describing how to write authentication modules, e.g. for smartcards--obviously, anyone having read this could write a module to allow authentication as the protected process user and thereby exercise its permissions.

Nevertheless, I completely agree that the whole approach is a nonsense in terms of its lack of self-consistency and overcomplication of what should be an easy problem within the existing security model. Even outside the security model such as it is, the administrator's power doesn't come only from their having certain privileges under the Administrator account: it comes from having physical access to the machine, which can be used to gain access to any function or property of it (no matter how awkward it might be to do so).

#1 Ben on 2007-04-09 00:26 (Reply)

I don't actually know this, but I'd expect LSA modules to be protected the same way as kernel-mode code (i.e. have to be signed by Microsft for 64-bit). So that using an LSA module here would be the same as using a driver, as Alex did.

And it's notable that even before the Vista DRM push, Microsoft used security through obscurity wherever they could and didn't give the admin account access to everything.

For instance, how do I as an admin extract the private key created on my machine with CryptoAPI and marked non-extractable? For that matter, how do I extract the symmetric key used by by computer's domain machine account for Kerberos login?

#1.1 Dan Armak (Homepage) on 2007-04-09 13:28 (Reply)

Problem is Microsoft has never had a clue how to do true security through obscurity.

True security through obscurity person has be guessing. Single line of security is not obscurity. Not providing the paper does not make obscurity.

Linux systems can have true obscurity if configured right. Attacker is not sure what software or security on the other end. Since the attacker is guessing and cannot be exactly sure what is on the other end its true obscurity.

True obscurity causes fear in attackers and reduces attacks.

#1.1.1 oiaohm on 2007-04-16 23:21 (Reply)

I think Microsoft's goal for PPs being off-limits, is that their DRM requirements must not allow any "Premium Content" data to be accessible to any unauthorized processes.
If even a legitimate A/V process was allowed to read memory space containing "Premium Content", then who's to say other malicious processes couldn't sneak in too.
Microsoft is all wrong with this, as what they are really trying to do is turn a PC running Vista into a half-baked computer electronic (CE) device.

#2 DMCA SUCKS on 2007-05-19 01:13 (Reply)

Add Comment


To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Wiki format allowed
 
 

Tagged entries

Archives

July 2009
June 2009
May 2009
Recent...
Older...

This Entry's Links

Referring links
Just a counter