Scribd
Upload
78 views

The Windows Sandbox Paradox

The document discusses building a secure sandbox environment on Windows. It outlines requirements such as making it easy to get into the sandbox but hard to get out, protecting the user's data, and working within OS limits. It then examines typical user-mode sandboxing approaches and their limitations. The document explores using restricted access tokens and job objects to sandbox processes, and challenges around device drivers and accessing resources from within a sandbox.

Uploaded by

mbozho
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
78 views

The Windows Sandbox Paradox

The document discusses building a secure sandbox environment on Windows. It outlines requirements such as making it easy to get into the sandbox but hard to get out, protecting the user's data, and working within OS limits. It then examines typical user-mode sandboxing approaches and their limitations. The document explores using restricted access tokens and job objects to sandbox processes, and challenges around device drivers and accessing resources from within a sandbox.

Uploaded by

mbozho
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 89

The Windows Sandbox

Paradox

Nullcon 2015
James Forshaw @tiraniddo
Obligatory Background Slide
● Researcher in Google’s Project Zero
● Specialize in Windows, especially local
privilege escalation
● Never met a logical vulnerability I didn’t
like
What I’m Going to Talk About

https://www.flickr.com/photos/23258385@N04/2237739552/
Let’s Write a Sandbox

https://openclipart.org/detail/101707/happy-pencil-by-jonata
Sandboxing Requirement #1
● Easy to get in, hard to get out

http://upload.wikimedia.org/wikipedia/commons/d/d9/GravityPotential.jpg
Sandboxing Requirement #2
● Protects the user’s data from disclosure

https://openclipart.org/detail/190821/cles-de-serrure---lock-keys-by-enolynn-190821
Sandboxing Requirement #3
● Work within the limits of the OS

http://upload.wikimedia.org/wikipedia/commons/8/8b/MUTCD_R2-1.svg
Sandboxing Requirement #4
● Sandboxed application is usable
○ Limited Performance Impact

http://pixabay.com/p-305189/
Typical User-Mode Approach

Resources
Broker Process Files, Registry,
IPC Services Network,
Processes etc.

Normal-Privilege

Low-Privilege

Sandboxed Process
Object Security Descriptor

Owner of
Secured Resource

Mandatory Integrity
Label

Discretionary
Access Control List
(DACL)
Access Tokens

User Security
Identifier

Groups

Mandatory
Label

Privileges
Resource Access Check
Desired Access: IL Check
e.g. Read and Write

Owner
Check

DACL Check

Grant Access Deny Access


Mandatory Integrity Level Check
Token IL Resource IL

Greater
or Equal Policy for:
Read Access
Write Access
Execute Access

Desired Access Resource IL Policy

Allowed
True By Policy

Continue to
Deny Access
Owner Check
Owner Check
User SID Owner

False
Is Equal

Grant Write DACL if


requested

All
True
Access
Granted

Continue to
Grant Access
DACL Check
Kernel DACL Check

Token User and Groups DACL

User SID Everyone RO

BUILTIN\Users BUILTIN\Administrators RW

Logon SID BUILTIN\Users RW


Kernel Access Check

Request Read/Write Access

Token User and Groups DACL

User SID Everyone RO

BUILTIN\Users BUILTIN\Administrators RW

Logon SID BUILTIN\Users RW


Kernel Access Check

Request Read/Write Access

Token User and Groups DACL

User SID Everyone RO

BUILTIN\Users BUILTIN\Administrators RW

Everyone BUILTIN\Users RW

Current Granted Access: Read Only


Kernel Access Check

Request Read/Write Access

Token User and Groups DACL

User SID Everyone RO

BUILTIN\Users BUILTIN\Administrators RW

Everyone BUILTIN\Users RW

Final Granted Access: Read/Write


Quick and Dirty Sandbox
● Reduce IL of Token from Medium to Low
● Used for IEProtected Mode
● Has many problems:
○ Can create as many processes as it likes
○ Can sniff on certain Windows events
○ Can read almost any common resource, files,
registry keys etc.
● Not a supported “Security Boundary”
Job Object Restrictions
● Allow us to prevent
process creation
● Limit access to
certain aspects of
the window system
● Still not a “Security
Boundary”
Restricted Access Tokens
Restricted Token Access Check
Desired Access: IL Check
e.g. Read and Write

Owner Restricted
Check SIDs Owner
Check

Restricted
DACL Check SIDs DACL
Check

Grant Access Deny Access


Limits of Restricted Tokens
● What we CAN do:
○ Disable all group SIDs (Deny only)
○ Remove all privileges
○ Add a unused restricted SID
○ Lower the integrity level
● What we CAN’T do:
○ Change the user’s identity
○ Remove any UAC linked tokens
Create Our Sandboxed Process
Crash!
Process Initialization

Uninitialized Process
External
Resources
Process Initialization

Uninitialized Process
External
Resources
Initial Thread
Process Initialization

Uninitialized Process
External
Resources
Initial Thread

LdrInitializeThunk
Attack Surface
Kernel Device
Win32k
Services Drivers
Kernel

System
SYSTEM Services
Level Resources:
● Files
● Registry
Hives
Broker ● WEVT
User Level Other User Applications
Process

Sandboxed
Process
Kernel Attack Surface

~300 Syscalls
Kernel Attack Surface

~300 Syscalls ~400 Syscalls


Kernel Attack Surface

~300 Syscalls ~400 Syscalls ~1000 Win32k


Other Platforms Have it Easy?
Device Drivers
Opening a Device Name

\Device\Harddisk1\SomeName
Native NT Path
Opening a Device Name

\Device\Harddisk1\SomeName
Native NT Path

\Device\Harddisk1 \SomeName
Device Path Device
Namespace Path
Opening a Device Name

\Device\Harddisk1\SomeName
Native NT Path

\Device\Harddisk1 \SomeName
Device Path Device
Namespace Path

Create File
Handler

Harddisk Driver
Securing the Device
● So what’s the problem?
○ By default security of device path enforced by kernel
○ Security of namespace IS NOT enforced by kernel
● If the driver doesn’t do its own checking or
sets appropriate flags there’s NO security
Example: Windows Sockets
● Would like to block network access, so let’
s do a quick test:
WORD wVersionRequested = MAKEWORD(2, 2);
WSADATA wsaData;

if (WSAStartup(wVersionRequested, &wsaData) != 0)
return 1;
}

/* Do socket stuff*/
WSACleanup();
Example: Windows Sockets
● Would like to block network access, so let’
s do a quick test:
WORD wVersionRequested = MAKEWORD(2, 2);
WSADATA wsaData;

if (WSAStartup(wVersionRequested, &wsaData) != 0)
return 1; Fails here!

/* Do socket stuff*/
WSACleanup();
Example: Windows Sockets
● On Linux/OSX sockets implemented as
system calls
● Implemented in the Ancillary Function
Driver
● You interact with it via \Device\Afd, open
the device namespace such as
\Device\Afd\Endpoint
● No security on the namespace :(
● Further interaction via DeviceIoControl
Native Sockets
BOOL ConnectSocket(HANDLE hSocket, u_short srcport,
const SOCKADDR_IN& inaddr)
{
ConnectData data = { 0 };
data.sin_family = AF_INET;
data.sin_port = htons(srcport);
data.inaddr = inaddr;

DWORD dwSize;

return DeviceIoControl(hSocket, 0x00012007,


&data, sizeof(data), nullptr,
0, &dwSize, nullptr);
}
Demo
Enumerating Unrestricted Device Drivers
Accessing Resources
● Two schools of thought
○ Ensure the sandboxed token can access the
resources you need
○ Heavily restrict and handle all access through the
broker
● Each has pros and cons:
○ Direct access is going to have a slightly better
performance
○ Broker access means you can meditate what is
accessed with a finer grain of control
Direct Resource Access
Normal Privilege

Set permission
Broker
of resource

Resources, Files,
Low Privilege Registry etc.

Create, Read
Sandbox Process and Write
Sharing Resource Access
● Adding appropriate entries to security
descriptor is easy to allow shared access
● Has advantage that everything can be
done in the sandboxed process
● No overhead
● Trouble is any “supported” operation can
be performed
Bad Registry
● The registry supports symbolic links
● This isn’t very well documented
● No permissions required to create these
links other than being able to create a
registry
● Surely not an issue?
○ It is if a higher privileged process also accesses
those keys
IE EPM Escape / Audio Server
System Privilege

Audio Service

User’s Registry
Low Privilege

IE Sandbox Process

https://code.google.com/p/google-security-research/issues/detail?id=99
IE EPM Escape / Audio Server
System Privilege

Audio Service

User’s Registry
Low Privilege

Write symbolic link pointing to a sensitive


IE Sandbox Process part of the registry

https://code.google.com/p/google-security-research/issues/detail?id=99
IE EPM Escape / Audio Server
System Privilege

Audio Service

User’s Registry
Low Privilege

Audio Service creates key which instead


IE Sandbox Process follows symbolic link

https://code.google.com/p/google-security-research/issues/detail?id=99
Lack of Documentation
● No documentation on how to defend
yourself against this attack
Lack of Documentation
● No documentation on how to defend
yourself against this attack
Lack of Documentation
● No documentation on how to defend
yourself against this attack
Broker Resource Access
Normal Privilege

Create, Read
and Write
Broker Resources, Files,
Registry etc.

Low Privilege
Create, Read
and Write

Sandbox Process
Filesystem Fun
● Instead of changing security of resources
instead we’ll do everything through the
broker
● Let’s us hook calls to CreateFile and pass
them to the broker
Win32 Path Support
Path Description
some\path Relative path to current
directory
c:\some\path Absolute directory
\\.\c:\some\path Device path, canonicalized
\\?\c:\some\path Device path, non-
canonicalized
\\server\share\path UNC path to share on server
Legacy Filesystem Behaviour
● MS-DOS has a lot to answer for, these
files names don’t do what you expect:
○ “COM1” -> Opens the first serial port!
○ “LPT1” -> Opens the parallel port?!
○ And others
Legacy Filesystem Behaviour
● MS-DOS has a lot to answer for, these
files names don’t do what you expect:
○ “COM1” -> Opens the first serial port!
○ “LPT1” -> Opens the parallel port?!
○ And others
● Surely an absolute path will work?
○ c:\path\LPT1 -> Opens the parallel port!
○ \\.\c:\path\LPT1 -> Creates the file you expect
● Now got a file the user can’t delete!
More edge cases
● Trailing spaces are removed from paths:
○ "c:\some\path " -> "c:\some\path"
○ "\\.\some\path " -> "c:\some\path"
○ "\\?\some\path " -> "c:\some\path "
● Congratulations you’ve again made a file
a user can’t delete
Canonicalization
● Type of Win32 path affects
canonicalization behaviour

Path Result of Canonicalization


c:\path\..\badgers c:\badgers
c:\..\d:\badgers c:\d:\badgers
\\.\c:\path\..\badgers c:\badgers
\\.\c:\..\d:\badgers d:\badgers (WTF!)
\\?\c:\path\..\badgers c:\path\..\badgers
Device Escape Syntax
● Paths \\.\ and \\?\ really escape CreateFile
into the NT object namespace, can do fun
like:
Path Result
\\.\GLOBALROOT\??\c:\badgers c:\badgers
\\.\c:\..\GLOBALROOT\??\c:\badgers c:\badgers
\\.\c:\..\UNC\server\share\path \\server\share\path
Invalid Character Checks
● NTFS has a number of invalid characters:
○ <>:“/\|?*
● Tempting to use this to prevent things like
command injection
● Use canonicalization:
○ c:\windows\system32\calc.exe”\..\..\..\some\path
● Use alternate data streams
○ c:\some\path\my.exe:” something
Hybrid Resource Access
Normal Privilege

Create
Broker Resources, Files,
Registry etc.

Low Privilege
Create,
DuplicateHandle
Read/Write

Sandbox Process
Hybrid Resource Access
● Windows uses handles to reference open
resources
● We can use the DuplicateHandle method
from the broker to copy that handle back
● Only pay penalty on resource open/create
not read and write
● Any risks in doing this?
Reparse Points
● NTFS supports directory symlinks
○ Supports file symlinks as well but you need
additional privileges
● Linux/OSX have a specific system call
‘symlink’ to create file system symbolic
links
● In Windows you just a file handle to a
directory
Reparse Points
● Need to open a handle to a directory
○ Pass FILE_DIRECTORY_FILE to NtCreateFile
● What if the broker doesn’t allow you to
specify that?
● Use the NTFS alternate data stream
name instead
○ dir::$INDEX_ALLOCATION or
○ dir::$I30:$INDEX_ALLOCATION
● Just because
Mixed Semantics
● ActiveX install broker has a function to
load a signed DLL
BOOL IsSignedFile(string path) {
CreateFile(path, ...);
...
}

BOOL RunInstaller(string path) {


path = CanonicalizePath(path);

if (IsSignedFile(path)) {
LoadLibrary(path);
}
}
Mixed Semantics
Mixed Semantics
Mixed Semantics
lpFileName Parameter Path loaded
c:\my\path\test.dll c:\my\path\test.dll
Mixed Semantics
lpFileName Parameter Path loaded
c:\my\path\test.dll c:\my\path\test.dll
c:\my\path\test c:\my\path\test.dll
Mixed Semantics
lpFileName Parameter Path loaded
c:\my\path\test.dll c:\my\path\test.dll
c:\my\path\test c:\my\path\test.dll
c:\my\path\test. c:\my\path\test
Sharing Sections
Unnamed Resources
● Certain classes of Windows resources opt
out of security when they have no names
● Section objects are just one such type
● Leads to problems.
IPC Technologies
● Three main ways of doing IPC on
Windows
○ Named Pipes
○ Local RPC (ALPC)
○ Sockets
● Already seen sockets aren’t securabled
resources
● What problems would these come with?
Named Pipes
● Named pipe servers are created using
CreateNamedPipe method (really
NtCreateNamedPipeFile)
● Named pipe clients are created using the
normal NtCreateFile API
Supporting Creating Pipes
Chrome CreateNamedPipe IPC
HANDLE CreateNamedPipeAction(string name, ...) {
// Name is lowercase already
if (name.beginswith("\\\\.\\pipe\\chrome.") {
return CreateNamedPipe(name, ...);
} else {
return NULL;
}
}
Chrome CreateNamedPipe IPC
● Intention was to only allow named pipes
with a prefix
● Even though the function should only ever
open named pipes it’s using the \\.\
syntax.
● Canonicalize!
○ \\.\pipe\chrome.xxx\..\mypipe
Is Windows Getting Better?
Reducing Kernel Attack Surface
Kernel Attack Surface

~300 Syscalls ~400 Syscalls ~1000 Win32k


Bring Forth the LowBox Token
NTSTATUS NtCreateLowBoxToken(
PHANDLE LowBoxTokenHandle,
HANDLE TokenHandle,
ACCESS_MASK DesiredAccess,
OBJECT_ATTRIBUTES * ObjectAttributes,
PSID PackageSid,
ULONG CapabilityCount,
PSID_AND_ATTRIBUTES Capabilities,
ULONG HandleCount,
PHANDLE Handles
);
The Good Parts
● LowBox tokens work much like restricted
tokens
○ Replace restricted SIDs with capability SIDs
● Built in firewall rules to restrict sockets
based on capabilities
● Makes it easy to restrict access to user
files without having to worry as much
about configuration
LowBox Token Access Check
Desired Access: IL Check
e.g. Read and Write

Owner Capability
Check SIDs Owner
Check

Capability
DACL Check SIDs DACL
Check

Grant Access Deny Access


Integrity Level Check
● LowBox tokens are always marked as
having Low Integrity
● So it works as before?
● NO!
Mandatory Integrity Level Check
Hardcoded

Medium IL Resource IL

Greater
or Equal Policy for:
Read Access
Write Access
Execute Access

Desired Access Resource IL Policy

Allowed
True By Policy

Continue to
Deny Access
Owner Check
Drawbridge / PicoProcess
● Isolation/sandbox technologies developed
by Microsoft
● Uses process isolation to secure an
application
● Can be completely isolated from the
kernel, including system call filtering
● Currently not available in consumer
versions of Windows :(
Questions?

You might also like