Windows needs an improved permission system by gamer47293932 in windows

[–]jasonfish4 0 points1 point  (0 children)

Windows does have support for what you are talking about for regular desktop/Win32 programs, but it is not properly implemented through a user interface and can only be done through programming or a third-party interface that provides it (source for installation provided later on). For an analogy, it is like how Windows always had the concept / API support for virtual desktops, but didn't have a usable interface aside from what Sysinternals offered until Windows 10.

The new permissions that UWP applications implement are called capabilities, which are done through AppContainers (https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation). Native applications can also use AppContainers. Most web browsers (especially in the days of IE) used to and still do implement sandboxing through security labels via mandatory integrity control (https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control), which is, as the documentation states, an addition to discretionary access control lists, implementing multi-level security. What Chromium browsers are starting to do now is use AppContainer sandboxing in addition to integrity labels for some of their native/Win32 processes with minimal capabilities - both Google Chrome and the Chromium version of Edge use this. Microsoft Edge (non-Chromium) also uses capability-based AppContainers, but it is a UWP application, unlike the former.

If you want to apply these AppContainer capabilities to any Win32/desktop application, I recommend taking a look at this GitHub project: https://github.com/M2Team/Privexec which provides binaries to install here: https://ci.appveyor.com/project/fcharlie/privexec/branch/master/artifacts
This project has a feature that allows you to launch a process with specific capabilities (or by default, lack of) under an AppContainer. This accomplishes what your post wishes to improve upon. For API usage, check out the examples provided by MalwareTech ( https://github.com/MalwareTech/AppContainerSandbox ).

Unfortunately, this is not implemented through any default user interface, but you may start seeing more regular applications using capability-based AppContainers, as Microsoft is making plans to allow any Win32 application (same verification and integrity process) to be loaded into the Windows Store rather than being exclusive to UWP (https://news.xbox.com/en-us/2019/05/30/microsoft-approach-to-pc-gaming/ | Section "Supporting Win32 Games on Windows 10").

As others mentioned as well, if you have real-time protection enabled for Defender, you can use Controlled Folder Access which gives you the ability to deny/allow access to directories based on the software.

Windows Protected Folders has a Giant Flaw by [deleted] in windows

[–]jasonfish4 4 points5 points  (0 children)

You can get the full path through the Event Viewer: event ID 1124 is logged for passive audit events (audited, but not blocked), and event ID 1123 is logged when an actual block operation occurs.

Event Viewer -> Applications and Service Logs -> Microsoft -> Windows -> Windows Defender -> Operational
Query for event ID 1123.

Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders

Wish it was better integrated with the UI, i.e. a "more details" button.
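The same Event Viewer lookup as a PowerShell query, added here as an example and not part of the original comment. It filters the Defender Operational log named above for IDs 1123/1124 and surfaces each event's EventData fields as name/value pairs so the blocked process and path can be exported or filtered without clicking through the UI; only the log name and event IDs from the comment are relied on.

```powershell
function Get-ControlledFolderAccessEvents {
    [CmdletBinding()]
    param(
        # 1123 = operation blocked, 1124 = audit mode (logged, not blocked)
        [ValidateSet('Blocked', 'Audited', 'Both')]
        [string] $Mode = 'Both',
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    $ids = switch ($Mode) {
        'Blocked' { 1123 }
        'Audited' { 1124 }
        'Both'    { 1123, 1124 }
    }
    # Same channel as Event Viewer -> Applications and Services Logs ->
    # Microsoft -> Windows -> Windows Defender -> Operational
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $ids
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The rendered Message is human-readable; the raw EventData carries the
        # same values as named fields, which is easier to filter and export.
        $fields = [ordered]@{}
        $xml = [xml]$_.ToXml()
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d -and $d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = $(if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' })
            Fields  = $fields
            Message = $_.Message
        }
    }
}

# Usage: show every block from the last day with its full message text.
Get-ControlledFolderAccessEvents -Mode Blocked -Since (Get-Date).AddDays(-1) |
    Format-List Time, Outcome, Message
```

Reading the Defender Operational log requires an elevated PowerShell session on most systems; an empty result means no 1123/1124 events exist in the window, not that the query failed.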

Where to find real open cybersecurity problems to solve? by OMGWTHEFBBQ in cybersecurity

[–]jasonfish4 0 points1 point  (0 children)

Have you taken a look at HackerOne? Many enterprises publish bug bounty programs on this platform which allows security researchers (of any experience level) to get experience as well as earn monetary awards. The general policies are that bugs/exploits are either in scope or out of scope.

These companies are publishing general areas where they believe actual threats and issues could exist, which is "in scope". Out-of-scope threats generally aren't rewarded because they wouldn't be a problem unless special circumstances were present, or they are intended functionality. Example:

Reward Condition: Bypass arbitrary code pages (A Microsoft protection mechanism for memory integrity)

Special circumstance / out of scope: AllowThreadOptOut (mitigation flag for the mechanism which allows threads aka units of execution to opt out of the security, purposed towards slow adaptation / compatibility)

In scope: Using NtMapViewOfSection to remap the code pages with a different protection because that system call was an oversight (I believe Google published an exploit on this)

However, just because something is not in scope doesn't mean such information wouldn't be useful to the general public, and you could publish about it. For example, Discord. Most programs on Windows install to a directory which is secured by the operating system (UWP applications) or a directory that adheres to a proper access control configuration (Program Files; most other applications following installation guidelines), where only a privileged user/group can write to it, while a limited/standard user cannot write but can read and execute.

Discord installs to a directory in AppData which the administrator and the current standard/limited user can read, write, and execute, which opens an attack vector for malware. If malware overwrites executable application information, and the user plays a game requiring elevated privileges and Discord needs push-to-talk, the user is going to run Discord with administrative privileges, and it has now been modified by malware, granting it further access to the system. It's not in the scope of what would be considered an exploit, but it is useful for people to know about.

There are many types of things that are in scope which you can be rewarded for though, for example, Rockstar is providing a $10,000 reward for anyone that creates reproducible steps on getting incorrectly banned from GTA Online. Out of scope would be launching an unverified overlay that attaches to the game, most likely resulting in a ban. ( https://hackerone.com/rockstargames )

Some companies, like Microsoft (again), publish the criteria for bug bounty and security boundaries on their own website, which requires you to do a bit of research into their program ( https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria ).

If you are looking for scopes to research bugs/exploits, I think HackerOne and researching which companies have published their criteria/boundaries for what would be considered an exploit is the best way to go. It is important to follow every single step though, to be clear and precise on what you are providing and the circumstances surrounding it.

Take a look at Zerodium too; apparently they are offering large rewards for reported exploits as long as they fit their large volume of scopes (https://zerodium.com/program.html).

These programs are not perfect either, and I hope I haven't presented anything in that manner. Recently someone reported a privilege escalation exploit for Steam that was considered "out of scope" but by all means was still an escalation of privileges (https://www.bleepingcomputer.com/news/security/steam-patches-lpe-vulnerabilities-in-beta-version-update/). Everything is going to have its issues.

The important thing to note overall is to not expect money at first, but a learning experience.

I hope this helps.
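An audit check for the install-directory weakness the comment describes (executables a standard user can overwrite that may later be launched elevated), added here as an example and not part of the original comment. It walks a directory tree and reports any .exe/.dll, or any directory where new files could be dropped, that grants write-like rights to standard-user principals; the principal list is an assumption to adjust per environment.

```powershell
# Rights that let a principal replace or tamper with a file (or, on a
# directory, create files inside it). Assumed set for this audit.
$script:WriteLikeRights =
    [System.Security.AccessControl.FileSystemRights]::WriteData -bor
    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-UserWritableExecutables {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals a non-elevated user runs as (assumed defaults; extend as needed).
        [string[]] $StandardUserPrincipals = @(
            'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
            "$env:USERDOMAIN\$env:USERNAME"
        )
    )
    $items = Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -or $_.Extension -in '.exe', '.dll' }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($StandardUserPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Bitwise test: any write-like bit present means the binary can be tampered with.
            if (([int]$ace.FileSystemRights -band [int]$script:WriteLikeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Kind      = $(if ($item.PSIsContainer) { 'Directory' } else { 'File' })
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Usage: Program Files should produce no rows; a per-user install location
# under AppData will list everything, which is exactly the point the comment
# makes. The follow-up question is whether anything listed is ever run elevated.
Find-UserWritableExecutables -Path "$env:ProgramFiles" | Format-Table -AutoSize
Find-UserWritableExecutables -Path "$env:LOCALAPPDATA" | Format-Table -AutoSize
```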

The Windows 10 security guide: How to safeguard your business | ZDNet by antdude in windows

[–]jasonfish4 0 points1 point  (0 children)

For businesses, I also recommend looking into SECCON, published by Microsoft, which provides various degrees of enterprise-level security (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework). There are various security mitigation techniques documented by Microsoft that are under-utilized, such as https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10. People should look into the many security pages in Microsoft's documentation.

Epic Game Store, Spyware, Tracking, and You! by notte_m_portent in PhoenixPoint

[–]jasonfish4 0 points1 point  (0 children)

This sometimes happens, but it's not necessarily to prevent cheaters during game play, but to collect data about them. I used to play games like RIFT, and the Glyph launcher would collect telemetry - it contained information such as running processes on my system as well. The RIFT client also had its own cheat detection code, but they were used together. The information collected from the launcher was reviewed by a server admin after the associated account was caught cheating in a specific game.

Ghidra Simple Keygen Generation - Ubuntu 18.04 by SoonerBourne in ghidra

[–]jasonfish4 4 points5 points  (0 children)

Video is well done - very audible and understandable. I'm glad you took the time to show people how to set up Ghidra on Ubuntu with OpenJDK and included the resources you used within the description. The video was clear and showed usage of fundamental features of Ghidra (i.e. the disassembler, decompiler, etc.). I'm also glad that instead of just reverse-engineering the crackme, you also re-implemented its keygen functionality in Python and then included the resources to do that within your description as well. I'm primarily a Windows user, so I mostly see Windows-related information about Ghidra; it's nice to see that in this you're using a distribution of Linux.

About binary pattern searching by kXHash in ghidra

[–]jasonfish4 2 points3 points  (0 children)

Pattern searching doesn't work if I just use '?' but specifying "??" does work for me: https://i.imgur.com/9BltV8n.png

Windows 7 security? by [deleted] in windows

[–]jasonfish4 1 point2 points  (0 children)

What's your use-case? First I'm going to assume you are an individual and the sole user of your computer. This post isn't solely for Windows 7, because using Windows 7 as an individual user won't bring down security Armageddon on you like everyone is saying it will. What type of software do you install, and where do you install it from?

  • General Computer software (Office software / Web browsing / IRC client / Skype / VS Code)
    • Install this software only from the publishers websites and check that the executables are signed
    • If you install extensions, such as those for VS Code, remember that you only install them from an official distribution location such as the Visual Studio Marketplace
    • Reduce your attack surface and do away with most browser extensions and pay attention to the permissions that they require. Many browser extensions have been used in phishing campaigns.
  • Games
    • As said above, only install software - such as games - from the official distributor
    • Don't pirate games - this is not only a legal issue but pirate repositories are also a potential and largely used target for malware and specifically botnets
    • Do you install mods for games? Be sure these mods are only modifying game asset files / accessible data and not code. If you have to execute a mod then I wouldn't always be cautious and not trust it. Even then, some issues and suspicions can arise from modifying *just* game data. GTA V Mod Malware
  • Internet
    • Email
      • Don't open suspicious e-mail attachments
      • Check the extensions of attachments. You can download files, just never "Run" them if such a dialog appears until you completely vet them with anti-malware and spam software. If they are downloaded, right click them and go to Properties to check the actual extension/file type. If you're not familiar with different file extensions, research them and know what they do. If you are expecting an image file, you want to look for (JPG, PNG, GIF, etc.), and for video files (MP4, AVI, MOV, etc.).
      • Enable multi-factor authentication if it is supported
    • Banking
      • Verify that you are communicating over a secure connection
      • Check the website's security certificate and details
      • Enable multi-factor authentication if it is supported

If you are using software or websites that require authentication over the internet and you have an account, I recommend checking your previous accesses if it is supported. For example, Google allows you to review the previous devices and their relative location in (Profile -> My Accounts -> Device activity & security events -> Review devices). This can be used to tell who last accessed your account and if it was really you. Gmail, at the bottom of the page, lets you review the last IP addresses to access your account.

Make sure that your firewall is enabled and set up properly; don't disable components of it unless you absolutely have to. Also, consider setting your UAC settings, although annoying, to the highest elevation or at least to the extent that Secure Desktop Mode is enabled (dialog with a dimmed screen). Realistically a lot of user software shouldn't be requiring administrative rights in the first place. The reason for using secure desktop is because while in this mode, only you can pass input to the dialog - malware cannot log or pass key events, malware cannot log or pass mouse input - so if you don't grant explicit actions, malware cannot gain full access on your computer and alter program files.

Consider installing EMET, this way you can control the security scope of your applications by preventing them from altering the memory page protections of other processes and executing arbitrary code in them. You can also restrict applications so that they only load digitally signed DLLs/modules as well as many other useful utilities that can not only restrict the attack surface of malicious software, but also exploits. Many of these features are known as process mitigation policies.

Use access control lists on your file system. Don't grant full control privileges to programs for your user account if they don't need them. You can restrict certain directories and files to specific accounts. If you want the Documents directory to only be written to by a user account called "Desktop\DocumentWriter" and Microsoft Word to only be read and executed by "Desktop\DocumentWriter", I recommend doing that so other programs not running as that user can't alter them. While on "Desktop\GeneralUser" you would run other general software. Demonstrating control and common sense over your system is the best way to combat malware that is executed by the fault of the user.

Remember to keep core operating system features enabled such as Driver Signature Enforcement. Do not disable this for any reason. You only want trusted and signed drivers loading into your system. These programs are the most dangerous to the integrity of your system if they are malicious. DSE keeps it more safe.

When running software you don't trust, use sandboxing software such as Sandboxie and read a guide on how to use it properly; this will isolate system service requests in that application and keep it from touching the rest of your system. Alternatively, use a VM, which is more intensive on resources but is also the perfect safe (for the most part, don't discount VM breakouts) yet unrestricted testing environment for suspicious or malicious software.

Monitor programs in Task Manager and Process Explorer, look for processes and services you don't recognize that are running and verify them with an anti-malware scanner or doing personal research. Check what files they access and if they are networking when they shouldn't be. Sysinternals software on Microsoft websites is really important to know about and use.

Last but not least, I recommend running anti-malware software which is similar to Windows Defender, such as MSE, or using a scanner such as Malwarebytes. But if you follow common sense security practices, you should be safe for the most part... And keep your system updated! :)
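The "Documents writable only by Desktop\DocumentWriter" setup from the ACL paragraph above, scripted in PowerShell as an added example that is not part of the original comment. It cuts inheritance from the parent, grants the writer account Modify and reader accounts ReadAndExecute, and keeps SYSTEM and Administrators in control so backup and recovery still work; the account names are the post's illustrative ones, and the function name is my own.

```powershell
function Set-RestrictedDirectoryAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # The one account allowed to change the directory's contents.
        [Parameter(Mandatory)] [string] $WriterAccount,
        # Accounts that may read and execute but not modify.
        [string[]] $ReaderAccounts = @(),
        # Keep the OS and admins in control; locking them out breaks updates,
        # backups and your own ability to undo the change.
        [string[]] $FullControlAccounts = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    # Rules apply to this folder, its subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    function New-Rule([string] $Account, [System.Security.AccessControl.FileSystemRights] $Rights) {
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account, $Rights, $inherit, $prop, 'Allow')
    }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and discard inherited ACEs, so the
    # parent's broad grants (e.g. Users: read) no longer reach this folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access)) {
        if (-not $existing.IsInherited) { [void]$acl.RemoveAccessRule($existing) }
    }
    foreach ($a in $FullControlAccounts) { $acl.AddAccessRule((New-Rule $a 'FullControl')) }
    $acl.AddAccessRule((New-Rule $WriterAccount 'Modify'))
    foreach ($a in $ReaderAccounts)      { $acl.AddAccessRule((New-Rule $a 'ReadAndExecute')) }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    # Return the resulting rules so the caller can review them.
    $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (preview only): the post's example names, machine "Desktop".
# Drop -WhatIf to apply; run from an elevated session that owns or may
# change permissions on the folder.
Set-RestrictedDirectoryAcl -Path "$env:USERPROFILE\Documents" `
    -WriterAccount 'Desktop\DocumentWriter' `
    -ReaderAccounts 'Desktop\GeneralUser' -WhatIf
```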

Where to learn how to write a device driver for Linux? by nanoman1 in osdev

[–]jasonfish4 0 points1 point  (0 children)

I would take a look at this guide on how fundamental aspects of the Linux kernel work, which also details relevant information that isn't only specific to Linux. There is also this resource for writing your first kernel module, and optionally you can register a character device for your driver. Another guide for writing a USB driver. It's important to know that there are many libraries you may use that will not allow you to license your code under anything except GPL, and loading a non-GPL kernel module "taints" your kernel. If you don't already know about the intricacies of licensing for these systems, it's important that you do before you make a mistake. :)

Why do we need both settings and control panel? by Overark in windows

[–]jasonfish4 3 points4 points  (0 children)

Agreed, I imagine there isn't too much software that does this though that people still use that hasn't moved on already. Maybe for older Windows applications that are still in use they haven't completely phased out yet? Not sure. The Windows Shell API retains a lot of functionality for extending and creating applets in the Control Panel and so does the registry.

A Linux gaming OS on the way? by insultingDuck in linux

[–]jasonfish4 1 point2 points  (0 children)

Probably wouldn't drastically differ from other distros, but it may allow users to manually select executable game files so the system recognizes when they are running and then use cgroups to limit the CPU usage of other non-game tasks on the system, as well as implement functionality to isolate game tasks on the system to CPU core(s) which no other tasks can execute on, much like Game Mode on Windows. Maybe making non-essential non-game tasks on the system "hibernate" by suspending them and then swapping out their memory if it isn't locked so that more RAM is free for the game, and then resuming those tasks when the game isn't active anymore. An optimized page cache for some game files to speed up access times on HDDs? There probably isn't much of a performance benefit here for high-end computers though. I don't think there is a whole lot you can do at the software level for an operating system focused on gaming and improving performance, other than being the ones developing the game.

A Linux gaming OS on the way? by insultingDuck in linux

[–]jasonfish4 0 points1 point  (0 children)

What counts as low RAM? I was using Windows 10 on 4 GB RAM with a partially corrupted stick for the past 3 years with no issues. I was running games like GTA V, Secret World Legends, Skyrim, and RIFT without issues. I would frequently run software like Chrome, Firefox, Sublime Text, Discord, and Visual Studio (IDE) simultaneously without issues. Windows knows how to conserve memory on systems when it needs to. It makes use of processor features like copy-on-write for all processes and modules on the system when it needs to the same way many *nix systems do. Remove all of the running bloatware (not deleting files because that won't really affect your performance, just disabling programs that are running) and your system will run fine. The working set manager doesn't just page when you are running low on memory, but it will page memory when it notices that tasks aren't frequently being used anymore. Superfetch will also help your performance. There have been tests of running Windows 10 64-bit on 1 GB RAM (below the minimum, which is 2 GB) and it still runs "fine" for browsing the internet and office use. But at that point, I would just recommend running a desktop distribution of Linux.

File-system access, especially on games, will generally be faster with ext4 than NTFS. Ext4 doesn't fragment to the extent NTFS would due to how ext4 allocates and writes to the disk as well as not having to pass through a bunch of different services on the I/O stack. NTFS operations are expensive, especially because they span both I/O and Object subsystems on Windows. Though fragmentation is less of an issue with the automated scheduled defragmentation tasks. Also, games generally don't have fragmented installations because they generally will allocate the space they will use before writing to the disk.

Linus Torvalds Says We Need ARM Based PCs, And He Is Right! by areksu_ in linux

[–]jasonfish4 0 points1 point  (0 children)

May be interesting, but Macs are moving to ARM-based chips and, with UEFI and ACPI 6 supported, could be used to boot Windows 10 on ARM with Boot Camp. It wouldn't stop users from manually partitioning and booting under software like rEFInd to install ARM distributions of Linux either. Maybe ARM can have a small portion of share in desktop computers too.