M$ Vista security, "integrity control"

Lately I’ve spent some time looking at Windows Vista security. Basically just trying to catch up with some of the changes introduced and mostly done through reading whatever I come across. I’ve spent only a little time actually playing with Vista though, and I’ve not gotten to the nitty-gritty since I haven’t written any code at all.

So, what is my impression so far?

Well, they’ve done a reasonable job given where they started. Already on a very high level it’s clear that Microsoft still prefers to offer convenience over security in their UI. I was shocked to see that the dialogue for creating a new user didn’t prompt for a password. No, to do that you have to press the mouse a few extra times. Since local escalation often is a walk in the park I had expected Microsoft to strongly encourage users of Vista to create accounts with passwords.

Then on to details. First integrity levels, or MIC (mandatory integrity control). Steve Riley says they’ve based it on the Biba model. I think “based” in this context really only entails using some of the terminology. A model of read-any, write-down already suggests a bastardisation of Biba and once you add the rules for process-execution integrity you really do take a huge step away from Biba. This is what I’ve found so far (each cell is the integrity level of the resulting process, for a user at the given level starting an executable labelled at the given level):

User lvl \ Exe lvl   Low      Medium   High
Medium               Low      Medium   Medium
High                 High     High     High

(I haven’t found a way to create a user on the low level so that line is missing.)

Spot the strange things in the bottom line? Yes, they seem to have mixed up min and max :-) I do see the point though, usability and convenience. However, to still call this model “based on Biba” requires quite a lot of hallucinogens.

I also noticed that the integrity level of an executable doesn’t seem to be passed on to the files it’s creating. At least not at all times. I was running a high-level notepad and created medium-level files. I should note that a low-level notepad creates low-level files though. Not really insecure or anything, just a little unexpected.
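If you want to reproduce both observations yourself (the level a process gets from a labelled executable, and the label put on files that process creates), the script below does it with nothing but Vista’s built-in icacls and whoami. It is an added example, not code from the original post. It assumes you run it once from an elevated (High) cmd.exe and once from a plain (Medium) one, so you get both rows of the table; the scratch directory %TEMP%\mictest and the file names are arbitrary. Two things worth knowing before reading the output: a Low process cannot create files in a directory that is implicitly Medium (no-write-up), so the scratch directory is labelled Low first, without inheritance flags so that the files’ labels come from the creating process and not from the directory; and icacls only prints a “Mandatory Label\…” line when an explicit label ACE is present, so a file with no such line is at the default level, Medium. That also matches the documented rule that a new object gets an explicit label only when its creator is below Medium, which is why a High notepad leaves its files at Medium while a Low one marks them Low.

```batch
@echo off
rem Added example, not code from the original post: reproduce the two MIC
rem observations with Vista's built-in icacls and whoami.
rem Assumptions: run from an elevated (High) cmd.exe, then from a
rem non-elevated (Medium) one; %TEMP%\mictest and file names are arbitrary.
setlocal
set "SCRATCH=%TEMP%\mictest"
mkdir "%SCRATCH%" 2>nul

echo === integrity level of this shell ===
whoami /groups | findstr /i "Mandatory"

rem A Low process cannot write into a (default) Medium directory, so label the
rem scratch directory Low. No (OI)/(CI): files created inside must get their
rem label from the creating process, not by inheritance from the directory.
icacls "%SCRATCH%" /setintegritylevel L >nul

rem Label a private copy of cmd.exe Low (never the system binary itself).
copy /y "%SystemRoot%\system32\cmd.exe" "%SCRATCH%\lowcmd.exe" >nul
icacls "%SCRATCH%\lowcmd.exe" /setintegritylevel L >nul
echo === label on the copied executable ===
icacls "%SCRATCH%\lowcmd.exe"

rem Start the Low-labelled copy. The ^| and ^> keep the pipe and the
rem redirection inside the child, so the child reports its own level and is
rem the creator of from_low.txt.
echo === level of a process started from the Low-labelled exe ===
"%SCRATCH%\lowcmd.exe" /c whoami /groups ^| findstr /i Mandatory
"%SCRATCH%\lowcmd.exe" /c echo hello ^> "%SCRATCH%\from_low.txt"

rem The same file created directly by this (High or Medium) shell.
echo hello > "%SCRATCH%\from_shell.txt"

rem icacls prints a "Mandatory Label\..." line only when an explicit label
rem ACE exists; no such line means the default level, Medium.
echo === labels on the created files ===
icacls "%SCRATCH%\from_low.txt"
icacls "%SCRATCH%\from_shell.txt"
endlocal
```

Compare the level reported by lowcmd.exe with the table above for the shell you started from, and compare the two file listings: from_low.txt should carry an explicit Low label while from_shell.txt carries none.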

So far my impression of MIC in Vista is that the people commenting on Steve Riley’s blog post are onto something. Microsoft has taken MIC and in the implementation somehow got it mixed up with MAC. I almost suspect they really wanted MAC but decided it was too intrusive and picked the closest thing, acronym-wise. The conspiratorist in me finds evidence of that in the API AddMandatoryAce where ACE stands for Access Control Entry.

Based on what I’ve found so far, and also inspired by Rutkowska’s recent rant on UAC I think Vista security is a classical case of CYA. Microsoft is blamed for all Windows problems and the security added in Vista makes it possible for Microsoft to deflect some of that blame and put it on applications, where it often belongs.

So, am I impressed? Only mildly so. Five years and this is it? As so often I get the feeling Microsoft is controlled by people who just don’t get it. Recently I saw a presentation on ZeroConf and the presenter had a quote (I paraphrase):

You are done, not when you can’t think of anything more to add but when you can’t think of anything more to remove.

There are many companies in the software field who’d benefit from applying that. Microsoft more than most!
