A Type System for Location Integrity in Windows Vista

The Microsoft Windows Vista operating system implements mandatory access control (MAC) for multi-level integrity. Vista's MAC implementation is designed to balance security with functionality—trusted processes may read untrusted values, and integrity labels may be changed dynamically. While such flexibility makes the system more usable, it also opens the door for information flow vulnerabilities. We propose location integrity as a practical security property in this context, and present a type system to enforce location integrity in Vista. As long as all trusted code is certified by the type system, we guarantee that locations whose contents are trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Our type system relies on Vista's dynamic MAC checks for soundness, and illustrates the genuine interplay between static analysis and runtime checks that is needed to ensure such protection. Our study may be viewed as a formalization of the security design of Vista; in particular, our type system formalizes conjectured best practices for secure programming on Vista. Further, we show that while Vista's write access checks are necessary to enforce location integrity, the access control on execution of binaries can in fact be eliminated as a runtime optimization if trusted code is typed using our type system. 1 Introduction In most operating systems, protection between principals and objects is implemented through discretionary access control (DAC). While DAC mechanisms allow flexible programming of access control on specific objects, it is difficult to enforce global information flow properties with DAC. (For instance, access checks can be often bypassed by acquiring ownership of objects.) The most common example of this problem is privilege escalation, where a low-privileged user is able to write a malicious executable that is later executed with high privileges. Multi-level security (MLS) models, on the other hand, prevent such undesirable information flows by design. Typically, every principal or object is tagged with a fixed label that indicates the level of trust placed on that entity. Labels form a lattice, and the underlying system enforces mandatory access control (MAC) checks to control information flows across trust boundaries in this lattice. However strict MLS models are often too restrictive in practice. For instance in systems that enforce classical MAC for integrity, trusted principals cannot down-load content from the internet; nor can they endorse content obtained from less trusted sources by authentication. The Microsoft Windows Vista operating system implements a multi-level integrity model that …