UAC without the Prompting
Search for "Vista UAC" and, within the top ten results, you'll find a number of sites that tell you how to disable UAC prompting in Vista. What if it were possible to get the advantages of UAC without the explicit (and in some cases excessive) prompting? In at least some cases, it may be.
The One Laptop Per Child project uses a novel security system called Bitfrost. One of the unique aspects of Bitfrost is that applications run in a sandbox, which is essentially an improved chroot jail. When an application running in a sandbox needs to read or write a file, it is required to call a system API to display a file open or save dialog box. Once the user selects the file, it is copied to or from the sandbox. This separation would prevent a malicious program from reading a user's files, destroying data, or having any effect outside of the sandbox.
In 2004, HP Labs wrote a security program called Polaris for Windows XP. Polaris performed a similar function, watching a user's actions and allowing operations to succeed if they were initiated by the user. In other words, when a user goes to the File menu and selects Save As..., a Polaris Save As dialog box, outside of the application's control, would be displayed. When the user chose a location and filename to save, the system considered that a designation from the user that the Save As operation should be allowed, with no prompting necessary. Unfortunately, I haven't found any information about further development or a public release of the Polaris application.
Another example of this type of security can also be found in Windows Vista itself. It's not commonly discussed, but Vista includes a mandatory Integrity level system. There are three user Integrity levels included - Low, Medium, and High - and a System level. All objects (files, folders, processes, etc.) in Windows include in their Security ACL (SACL) a designation of their security level, and most objects default to Medium. By default Windows enforces a no-write-up model that prevents a lower level object from modifying a higher level object. Windows also includes protections against window messages and other API calls through a feature called UIPI - User Interface Privilege Isolation. For an example of this Integrity enforcement, consider Internet Explorer run in Protected Mode. When launching IE in Protected Mode, two additional processes are started - IEUser.exe, the User Broker, and IEInstal.exe, the Admin Broker. If Internet Explorer (running at the Low Integrity level) needs to write to a higher level object, such as saving a file in the user's profile, which is by default at the Medium Integrity level, it sends a well-formed request to the IEUser User Broker, which displays the Save As dialog box and moves the file from a temporary Low Integrity store to the place specified by the user's interaction with the dialog. On a side note, additional protections such as no-read-up and no-execute-up can also be implemented.
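To make the labels concrete, here is an added PowerShell example (not code from the post) that reads and sets the mandatory integrity label on a folder using the built-in icacls.exe; the scratch folder path and the function names are my own, and it assumes Windows Vista or later.

```powershell
# Added example: inspect and set Windows mandatory integrity labels with icacls.exe.
# Assumes Windows Vista or later; Get-IntegrityLabel / Set-IntegrityLabel are names
# chosen here, not built-in cmdlets, and the demo folder below is constructed.

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls only prints a label when one is set explicitly in the object's SACL;
    # an object with no label is treated by the kernel as Medium integrity.
    $line = (& icacls.exe $Path) |
        Where-Object { $_ -like '*Mandatory Label\*' } |
        Select-Object -First 1
    if ($line -and $line -match 'Mandatory Label\\(\w+) Mandatory Level:(\S+)') {
        # Policy shows inheritance flags plus the enforced policy, e.g. (OI)(CI)(NW)
        return [pscustomobject]@{ Path = $Path; Level = $Matches[1]; Policy = $Matches[2] }
    }
    [pscustomobject]@{ Path = $Path; Level = 'Medium'; Policy = '(NW) implicit default' }
}

function Set-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path,
          [ValidateSet('Low', 'Medium', 'High')][string]$Level = 'Low')
    # (OI)(CI) makes the label inherit to files and subfolders created later.
    # Lowering a label on your own objects needs no elevation; raising one to
    # High requires a High-integrity (elevated) token.
    & icacls.exe $Path /setintegritylevel "(OI)(CI)$Level" | Out-Null
    Get-IntegrityLabel -Path $Path
}

# Constructed demo: a scratch folder labelled Low, the same kind of place a
# Low-integrity process such as Protected Mode IE is allowed to write into.
$lowFolder = Join-Path $env:TEMP 'low-il-demo'
New-Item -ItemType Directory -Path $lowFolder -Force | Out-Null
Set-IntegrityLabel -Path $lowFolder -Level Low

# The user profile carries no explicit label, so it is Medium: under the
# no-write-up rule a Low process cannot save here without going through a broker.
Get-IntegrityLabel -Path $env:USERPROFILE
```

Run it from an ordinary (non-elevated) PowerShell session; the first call shows `Low` with `(OI)(CI)(NW)`, the second reports the implicit Medium default.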
Perhaps this could be expanded to implement a system-wide, Polaris-like mechanism that allows intentional actions and prevents unintentional ones - especially those done without the user's knowledge or consent.
