User Interface Privilege Isolation
User Interface Privilege Isolation (UIPI) is a technology introduced in Windows NT 6.0 (Windows Vista and Windows Server 2008) to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages). Window messages are designed to communicate user action to processes; however, they can also be used to run arbitrary code in the receiving process' context. A malicious low IL process could therefore use them to run arbitrary code in the context of a higher IL process, which constitutes an unauthorized privilege escalation. By restricting access to some vectors for code execution and data injection, UIPI can mitigate these kinds of attacks.

UIPI, and Mandatory Integrity Control more generally, is not a security boundary. It does not aim to protect against all shatter attacks. UI Accessibility applications can bypass UIPI by setting their "uiAccess" value to TRUE in their manifest file. This requires the application to be located in the Program Files or Windows directory and to be signed by a valid code signing authority, but these requirements will not necessarily stop malware from meeting them. Additionally, some messages are still allowed through, such as WM_KEYDOWN, which allows a lower IL process to drive input to an elevated command prompt. Finally, the function ChangeWindowMessageFilter allows a medium IL process to change the messages that a high IL process can receive from a lower IL process. This effectively allows UIPI to be bypassed from any process not running at low IL (e.g. Internet Explorer).
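As an added example (not code from the article), the following PowerShell audit reads each running process's Mandatory Integrity Control label and its UIAccess token flag, the flag a manifested uiAccess=true application runs with, so a defender can see which processes hold the UIPI bypass described above. It assumes Windows PowerShell 5.1 or later and an elevated prompt to open other users' process tokens; the helper function names are my own.

```powershell
# Added example, not the article's code: list each process's integrity level and
# whether its token carries the UIAccess flag that lets it bypass UIPI.
if (-not ('Uipi.Native' -as [type])) {
    Add-Type -Namespace Uipi -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int need);
[DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
[DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr handle);
'@
}
$TOKEN_QUERY = 0x0008; $TokenIntegrityLevel = 25; $TokenUIAccess = 26   # TOKEN_INFORMATION_CLASS values
$M = [Runtime.InteropServices.Marshal]

# Two-call pattern: query the needed size, then fetch into an unmanaged buffer (caller frees).
function Get-TokenInfoBuffer([IntPtr]$token, [int]$class) {
    $need = 0
    [void][Uipi.Native]::GetTokenInformation($token, $class, [IntPtr]::Zero, 0, [ref]$need)
    $buf = $M::AllocHGlobal($need)
    if ([Uipi.Native]::GetTokenInformation($token, $class, $buf, $need, [ref]$need)) { return $buf }
    $M::FreeHGlobal($buf); return [IntPtr]::Zero
}
# The integrity SID is S-1-16-<RID>; its last sub-authority encodes the level (0x2100 "Medium Plus" maps to Medium here).
function ConvertTo-IntegrityName([int]$rid) {
    if ($rid -ge 0x4000) { 'System' } elseif ($rid -ge 0x3000) { 'High' }
    elseif ($rid -ge 0x2000) { 'Medium' } elseif ($rid -ge 0x1000) { 'Low' } else { 'Untrusted' }
}
function Get-ProcessIntegrity {
    foreach ($p in Get-Process) {
        $token = [IntPtr]::Zero
        try { if (-not [Uipi.Native]::OpenProcessToken($p.Handle, $TOKEN_QUERY, [ref]$token)) { continue } }
        catch { continue }   # protected process or one we lack rights to open
        $label = Get-TokenInfoBuffer $token $TokenIntegrityLevel
        $ui    = Get-TokenInfoBuffer $token $TokenUIAccess
        if ($label -ne [IntPtr]::Zero -and $ui -ne [IntPtr]::Zero) {
            $sid   = $M::ReadIntPtr($label)                       # TOKEN_MANDATORY_LABEL.Label.Sid
            $count = $M::ReadByte([Uipi.Native]::GetSidSubAuthorityCount($sid))
            $rid   = $M::ReadInt32([Uipi.Native]::GetSidSubAuthority($sid, $count - 1))
            [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Integrity = ConvertTo-IntegrityName $rid
                               UIAccess = ($M::ReadInt32($ui) -ne 0) }   # True: may send filtered messages upward
        }
        foreach ($b in $label, $ui) { if ($b -ne [IntPtr]::Zero) { $M::FreeHGlobal($b) } }
        [void][Uipi.Native]::CloseHandle($token)
    }
}

Get-ProcessIntegrity | Sort-Object Integrity, Name | Format-Table -AutoSize
```

Rows with UIAccess set to True are the processes that UIPI will let send otherwise-filtered messages to higher IL windows, and are worth reconciling against the signed accessibility tools you expect on the host.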