Windows Vista: Security Model Analysis
Following closely on the heels of the release of our first publicly available research paper, I am very pleased to present our second paper: Windows Vista Security Model Analysis. In this paper, we have taken a detailed look at the new user account protection (UAP) and user interface privilege isolation (UIPI) capabilities that form the basis of Vista’s new security model.
From our research paper's abstract:
This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine methods of attack to gain full control over the machine from a low integrity, low privilege process.
Much like our analysis of the Windows Vista network stack, we have performed a formal analysis of these two new Windows Vista security technologies. It will be apparent to the reader that some of the issues that we had identified in early builds have been fixed in more recent builds. Because some of the documented attacks have been fixed, we have debated on the relevancy of releasing our research. In the end, we have decided to publish our research in an effort to contribute to the overall repository of knowledge on Windows Vista. We fully understand and respect the fact that Windows Vista is not an operating system that is ready to be shipped to customers; it continues to undergo radical change. It isn’t our intent to conclude that Vista, in its final form, will pose the same level of exposure that its beta versions do today.
We do, however, think that our results are worth reading and serve as a good insight into Windows Vista for a number of reasons. First, we don’t proclaim our research to be exhaustive, and it is quite possible that other, more esoteric forms of privilege escalation techniques will continue to exist in Windows Vista, only to be discovered in the future. Second, our paper provides an “under the cover” look at these new security technologies, and contributes technical research on how UAP and UIPI work that has otherwise not been made publicly available. We felt that this would largely benefit others in the security community. Third, our paper provides a view into the development cycle of a new operating system and, in particular, examines the development of new security technologies used in that operating system. This perspective is rarely available elsewhere, and we feel that our paper will provide some much-needed visibility into the challenges of developing a secure operating system, and the progression from its early builds to its ultimate release.