Security Is Simple: Only Use Perfect Software

UAC: Desert Topping, or Floor Wax?

Is UAC a convenience feature, or a security feature? Dessert topping or floor wax? How about both!

Security can be a confusing black art, for both consumers and professionals alike. One reason is in the name of this blog, that insecurity results from imperfection, and we all know how difficult perfection is to achieve. Another reason is because reasoning about the consequences of insecurity involves a great deal of reasoning about the unknown: what can happen to you as a result of a vulnerability? Well, that depends on who knows about it, when they know about it, when they know about it with respect to when some other people know about it, and so forth. Yet another reason is because some security professionals (naming no names) find it to be in their interest to keep security a black art J I don’t hold with that: I am a cynic who, following the definition of Ambrose Bierce, prefers to see things as they are rather than as they ought be, and being an ill-mannered brute, I insist on calling a thing what it is, instead of what people wish it was.

Today’s entry will be about security values, which is to say what value can you really expect from a given technology, especially the access control technology I work on in Windows. Just to be clear, this blog is my opinion on what a technology is likely to do, and does not represent any kind of warranty by Microsoft.

To start, we need to define some terms:

Security is the preservation of the three properties of confidentiality, integrity, and availability.

Confidentiality means that your stuff is not disclosed unless you want it disclosed.

Integrity means that your stuff is not changed unless you want it changed.

Availability means that you, your users, customers, etc. can still use your stuff.

Security Feature: some kind of feature, widget, or thingie J that makes it somewhat more likely that your security, as defined above, will be preserved.

Security Boundary: this is a special term to Microsoft. It means that if someone discloses a way to violate a Microsoft-defined security boundary, that Microsoft will release a security patch as soon as possible, so that the method to violate the boundary no longer works against patched systems.

Clearly, all security boundaries are security features, but not all security features are security boundaries. For an absurd example, hosting your web site on port 43392 instead of port 80 might be a security feature, because many attackers will not look there for a web server, but it is definitely not a security boundary, because an attacker can easily discover your web server running on port 43392 by just looking for it, and Microsoft is not going to issue any kind of patch to address this “problem”.

Now let’s look at UAC (User Account Control) in this context, and see what security values it delivers. UNIX and Linux users have long known that you don’t read mail, surf the web, or IM as root (the UNIX equivalent of Administrator). You don’t do it because if there is a vulnerability in any of the software you are using to surf the Internet, then any malicious content you encounter could 0wn your entire machine. The most important security “feature” that Vista brought to Windows users was the basic proposition that, perhaps, your default user login should not be an Administrator. Running as a non-administrator provides a lot of security value, but how secure it is, and whether it is a security boundary is a complicated question, depending on what kind of account you are using. Pre-Vista, there were three kinds of accounts you would likely use:

The Administrator: if you logged in with a user name of ‘administrator’ and then entered a password, you are the administrator.

An Administrator: if you logged in with just your own name, your account likely was an administrator. This means you have your own identity, but you have (pretty much) all of the authority of the Administrator. The good part was that you could do anything; install software, administer the firewall, add users, etc. The bad news was that anyone who hacked your web browser, your mail client, etc. could “drive by” hack your machine and install malware, including fully powered rootkits. It also meant that whenever you installed a program, perhaps something as harmless-seeming as some additional emoticons for your chat client, that it might also install some very difficult to remove spyware, again possibly including a rootkit.

A Standard User: so called because it was supposed to be the “standard” way to use Windows. A standard user may not install software, manipulate the firewall, or do other things that would compromise the security of Windows.

Of course, you could run as a Standard User under Windows XP, but few people actually did. This is because it was inconvenient: if you wanted to install software or otherwise administer you machine, you had to log out, exiting all your applications and losing all your state, log back in as An Administrator, do your configuration work, log out again, and finally log back in as a Standard User to finally get back to what you were doing.

Vista sought to address this situation by introducing UAC (User Account Control) to give you control over which account you are using. Vista added a new kind of account:

Administrator running in Admin Approval Mode (AAM): this is kind of a hybrid between An Administrator and a Standard User. You get a split token, which means you have the credentials of both a Standard User and an Administrator, and the right one is applied depending on what is going on.

When people think of “UAC”, they often are only thinking of the UAC elevation prompt per se. When you try to do something that requires Administrator privileges while running in AAM, then Vista presents you with a UAC prompting window that tells you what is being attempted, and asks you whether you would like to proceed.

Vista also provides a UAC feature for Standard Users called the OTS (“Over The Shoulder”) elevation prompt. If you attempt something that requires Administrator privileges while running as a Standard User, then it presents you with a very similar elevation prompt, only this time it also asks for an Administrator’s password. “Over the shoulder” alludes to the idea that the Standard User does not have the Administrator password, and so you have to get your friend the Administrator to come enter it for you. However, in practice it may well be the case that the person using the Standard User account also has the Administrator password.

Finally, Vista provides a Silent Mode. Silent Mode is not quite the same as completely disabling UAC. Instead, what it does is automatically approve all of the UAC prompts that would have been presented to you. However, Silent Mode still leaves in place some security features that completely disabling UAC would have removed, such as IE protected mode.

It has been said that UAC’s features are convenience features rather than security features. What could that mean? Especially since UAC prompts can be quite annoying J

It is correct to say that UAC’s features are convenience features, in that it is much more convenient to respond to a UAC prompt than it is to have to switch to a separate desktop, log in as an administrator to do the administrative tasks, log out and then return to your standard user session. Whether one views a UAC prompt as a convenience or a nuisance depends on whether you compare it against running as a Standard User, or against running as a full Administrator: vs. running as Standard User UAC is a convenience feature that compromises security, but vs. running as an Administrator as was the default in XP UAC is a security enhancement.

But does that mean that UAC is not a security feature? No. UAC, in all of its forms, including Silent Mode, provides some obstacles to attacks, and so so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything but a security feature.

But how much of a security feature is it? Does UAC provide a security boundary? That depends on which kind of user you are using, and how you use it.

Standard User Without OTS: this is a security boundary. There should not be any way for a non-privileged process to elevate to a privileged process, and if someone finds one, then Microsoft should issue a patch. Caveat: this is excluding mis-configurations such as 3rd party software running with privilege or weak security settings.

Standard User With OTS: this is questionable. There should not be any way to elevate, but in practice the OTS elevation presents  potential area of attack. The attacker could inject malicious code into the user’s context, and it may trigger once the OTS elevation completes and the Administrator token is available.

Administrator in AAM: this is definitely not a security boundary. With the Administrator token available in the user’s space, it is too easy for malware to attack something in this very broad attack surface and gain elevation without the user’s approval. Microsoft could not patch this barrier without substantially breaking application compatibility.

Administrator in Silent Mode: Not even close to a security boundary. In silent mode, any malware in the user’s processes, such as an infection in the mail client, or in the web browser running at medium integrity, can ask for and get automatic elevation to Administrator.

Security is the business of saying “no” on occasion, and so it cannot help but compromise convenience. Thus there is a precisely inverse relationship between the security and the convenience offered by these 4 modes of operation in Vista. Users get to make the choice of which trade off they would like to make between security and convenience.

Intelligent security design is intuiting what users really need to do, and adapting the system so that it always says “no” to malicious acts, but also says “no” as little as possible, because it knows what the user is going to need to do. Vista/UAC says “no” far too often precisely because the idea of running lots of software without Administrator privileges is new to the Windows community, and so a lot of applications are using excessive privilege that they don’t need. We’re making a concerted effort to reduce the number of unnecessary UAC prompts in the future by improving the middleware and applications software to avoid performing privileged operations as much as possible. Making it possible for everyone to run as Standard User is the real long term security value.

Published Monday, April 28, 2008 10:32 AM by crispincowan

Comments

 

Tim Anderson’s ITWriting - Tech writing blog » Why UAC is mostly not a security boundary said:

PingBack from http://www.itwriting.com/blog/?p=600

April 29, 2008 4:56 AM
 

conradoplg said:

"Of course, you could run as a Standard User under Windows XP, but few people actually did. This is because it was inconvenient: if you wanted to install software or otherwise administer you machine, you had to log out, exiting all your applications and losing all your state, log back in as An Administrator, do your configuration work, log out again, and finally log back in as a Standard User to finally get back to what you were doing."

What? What about runas, makemeadmin, etc?

April 29, 2008 11:04 PM
 

crispincowan said:

Makemeadmin is UAC's grandpa. Runas and makemeadmin are essentially OTS for XP.

However, because they were built without operating system support, they have security and convenience limitations.

Without UIPI, elevated processes on your desktop are vulnerable to shatter attacks, thread injection, etc. Basically, lie-in-wait malware on your desktop could attack your elevated process and get Admin control.

Another major issue is that to do this in XP, you must manually maintain 2 accounts, one of which is administrator and one is not. Technical people should not have a problem with this, but it might confuse end-users to have to have 2 accounts for their *personal* computer.

There is a lot of programs in XP that require administrator, so if you run as a standard user, you would get a lot more issues than you would get UAC prompts on Vista, where some effort was expended to reduce the use of privilege. Vista SP1 further reduced the use of privilege, for even fewer prompts.

And of course, makemeadmin was not bundled with XP, so you had to install it.

So yes, makemeadmin is the same concept, but a lot has been done to make the user experience better.

April 30, 2008 2:04 PM
 

crispincowan said:

P.S. If you are still on XP, and you would like to try makemeadmin, then go get it from Aaron Margosis' blog http://blogs.msdn.com/aaron_margosis/ which is a superb resource for how to run your life as a non-administrator. HIGHLY recommended.

April 30, 2008 2:07 PM
 

Nick42 said:

This blog post was linked from this article: http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/

I was wondering if you had any comments on the issue/workaround expressed in the article. Specifically, the fact the security changes with UAC require ISV's to write custom LPC/RPC surfaces for services running as LocalSystem to perform admin actions from Shell inputs (eg: triggered from tray icons). Doesn't the lack of a standard, secure, supported, native-code accessible, recommended RPC interface, coupled with the Shell changes, almost guarantee a worse problem going forward as various ISV's are forced to deploy custom surfaces bypassing the UAC security barrier? Any thoughts?

April 30, 2008 9:14 PM
 

crispincowan said:

I stand by the *broad* criticism that this "attack" has received. The claim that they have bypassed UAC is completely bogus:

http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/#comment-148146

http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/#comment-148148

http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/#comment-148152

http://developers.slashdot.org/comments.pl?sid=536078&cid=23217234

The architecture that i-Reboot implemented appears to be precisely the recommended approach when your application needs privilege: separate the priviliged part away from the rest of the application. This enhances security, because it reduce the attack surface that is running with Administrator privilige.

The authors seem to be very confused, and taking things just a tad personally. They assume that UAC has a design goal of preventing a program from being priviliged and auto-running on startup, frustrating their work. This is not the case; rather, UAC does not provide a mechanism to grant Administrator privilege to a program file because to do so represents a security risk that we don't want to expose. It does let you install a privilged service because that is less exposed, and that is precisely what they did. They didn't bypass anything, they just used it correctly.

At least I hope they did. Their privileged service is now part of the operating system's TCB (Trusted Computing Base). If there are any vulnerabilities in the i-Reboot service, then malware can exploit it to gain Administrator privilege. Be careful implementing privileged services, as they have to measure up to that "perfect software" thing.

May 1, 2008 1:17 AM
 

Morten Mertner said:

Couldn't TPM be used to ensure that the OS knows when the user clicks on something, and this information in turn be used to silently authorize UAC prompts for those cases?

Call it a Windows UAC Popup Blocker, since it's very similar to the technique successfully applied by browsers.

I'd also like to criticize UAC (for AAM) as being a pointless nuisance. At the very least it gives a false impression of security to people running as an administrator, which generally should be a much harder choice to make in the first place.

May 1, 2008 7:24 AM
 

Nick42 said:

I don't think the authors are confused, at least those posting who understand the security mechanisms. I think everybody is on the same page: they split the functionality, and implemented a custom RPC to a TCB service. I think the only consternation among the informed participants is the security considerations implied by the addition of many new custom RPC's into the TCB, rather than an alternative (theoretical) supported RPC for communicating between the part of you application which now resides in the TCB, and the part which must run in normal-user space.

By forcing the creating on custom RPC's into the TCB, MS has effectively expanded the TCB to include any ISV's who deploy any application which wants to perform admin-required actions without annoying prompts, and also interact with the user. Moreover, running applications as a normal user now offers less protection than in pre-Vista Windows versions, due to the substantially expanded and less tested TCB RPC surface. I'm not sure everyone would consider that an increase in overall security.

May 1, 2008 2:28 PM
 

crispincowan said:

Morten; yes you could use TPM, and a whole chain of software up through the stack to the graphics card and the mouse, to prove that a user really did click "that". The problem then becomes "what did you mean by 'that'?"

Fundamentally, everything you do on your computer is a consequence of some kind of user action, which causesd a chain of software events to occur. It really is a very long chain of events; the only thing you directly cause to happen by clicking the mouse button is a circuit closes, some sensors go off, and an interrupt is raised to the CPU. Then some interrupt handling software goes off, queues an event that a mouse has been clicked, that goes into the .... you get the idea.

My point being, even with a very direct click of a mouse on an install button, your "action" is quite indirect. In the case of malware, the path is only slightly more indirect. In fact, it may not be any more indirect than an actual deliberate user action, it is just unexpected.

While it is theoretically possible to crypto sign the entire chain of software from the TPM through the boot device, the mouse the window system, the graphics card, everything between your finger and the silicon, the management of maintaining certificates for all of that is awful, and I'm not convinced that when you are done, it really means what you want it to mean.

Instead, what UAC does is pop the the secure desktop (that grey-out look) which shuts out all other software, and asks you if you really meant to do this action that requires privilege. I really don't think there is any other way to do it.

What we can improve on is to do it a lot less often. We do that by cleverly adapting to what users really do, automating some privileged stuff by putting more software inside the TCB, and changing other software so that it no longer has to trust the TCB.

Meanwhile, if you really don't want to see the prompts, and you don't mind the implicit compromise in security, go ahead and use Administrator in Silent Mode.

May 1, 2008 2:45 PM
 

crispincowan said:

Nick; setting aside interpreting whatever the authors of i-Reboot meant, I'm not sure I understand your point.

Any ISV that needs to deploy privileged software necessarily expands the TCB to include their privileged software. This is always the case, on Windows, Mac OSX, Linux, etc.: software that has administrative privilege must be considered part of the TCB. So we are not getting out of ISVs expanding the TCB.

Perhaps your issue is with respect to the RPC protocols used to communicate with Administrator services in Windows? What is the issue here?

With respect to the TCB attack surface exposed to users: it is true that AAM on Vista offers a larger attack surface than Standard User on XP. However, (I suspect) that the attack surface for a true Standard User in Vista is considerably smaller than for a Standard User in XP, just because a lot of attack surface analysis was done in Vista to minimize this.

It is true that installing 3rd party trusted software in Vista does expand the TCB attack surface by providing exposed Administrator services, but I don't see this as a degredation vs. XP. For XP to do precisely the same thing, they would have to also install an Administrator Service. More likely, XP code would just assume that you are running the desktop application as Administrator and not do any privilege separation at all.

Sorry if I've missed your point.

May 1, 2008 2:53 PM
 

Nick42 said:

A specific example, to show what I mean.

Say you have a simple app that does some admin task (eg: periodic virus scan). You have implemented it as a service, and expose a tray icon to allow the active user to pause the scan for some period of time. You have installed the service running as LocalSystem, with Interact with Desktop. Your TCB surface, in this case, is the Windows messages sent to your tray icon (assuming the user is not already in the TCB).

In Vista, this needs to be changed. I need to have a user-mode app to interact with the Shell, and my TCB service. The TCB service needs a custom RPC which is not allowed to be Windows messages, or any other easily understood and well-tested RPC; I must make my own, using something like sockets, named pipes, shared memory, or the RPC support. Moreover, this RPC may be exposed to all users, not just the desktop user, and may be remotable if I'm not careful. There may also be timing issues, or other things I have not considered.

Yes, my concern is primarily with the RPC protocols. It always seemed silly to me for MS to go through all the work reducing the RPC surface on built-in services, and then force ISV's to expand it with custom RPC's. Hope that helps clarify what I meant.

May 1, 2008 3:26 PM
 

crispincowan said:

So your concern is about the attack surface security of the RPC protocol to trusted services. Lets consider the XP alternative: your trusted service was displaying an icon in the tray. This icon shares the desktop with the user, which means that any user process can send messages to your privileged service. This is what makes the attack surface for a privileged service with a desktop display icon rather large, and why Vista is an improvement.

Note that if you wnat user interaction with a privileged service, then you inevitably are going to have *some* attack surface. The fussing is over what that surface looks like, and how to minimize and harden it.

May 6, 2008 8:56 PM
 

alias33 said:

Did I just read UAC being referred to as a convenience feature?! You've used Vista for longer than 10 minutes at a time, right?

August 16, 2008 2:24 AM
 

VistaLover said:

Alias33, why don't you read the whole article before jumping into kneejerk-attack-MS mode...

August 20, 2008 10:21 PM
 

Alun Jones said:

Describing Vista's UAC as a "convenience feature" underlies why it's loved by some, reviled by others.

If your aim is to run as a restricted user as much as possible, and switch into administration mode only when you have to do an admin task, after which you remain restricted, then UAC is a convenience. It allows you to quickly switch from restricted to admin and back, far quicker and easier than a "Switch User" or logout/logon sequence that is your alternative.

If your aim is to do administrative tasks along with other uses of your computer, UAC is an inconvenience.

If all your software insists that you be an admin in order to run it, UAC is an inconvenience.

Quite frankly, we should have been at a point a decade ago such that most users never/rarely have to be admin - games should not require you be an admin; office productivity tools shouldn't require it; it's embarrassing to me as a software developer to see that there are many popular programs out there that assume that we're still living in a Windows 98 world, where all users are the same user, and that user is an administrator.

October 13, 2008 4:25 PM
Anonymous comments are disabled

About crispincowan

"Reliable software does what it is supposed to. Secure software does what it is supposed to, and nothing else." -- Ivan Arce Thus software security is very simple: only use perfect software :-) There being a supply shortage of perfect software, to secure systems we must do something else to ensure that software does not mis-behave when fed "interesting" input by attackers. At extreme detail, we can specify exactly everything the program may do. This is called "the code" and we already know we can't get that right.. So we must abstract what is allowed and what is not into useful classifications. But if we get these classifications wrong, say "no" to access too often, or at the wrong times, security becomes painful. If we fix that by making security complicated, it is still painful. Which is why most users choose no security and hope for the best. Designing secure solutions that are effective AND easy to live with is what I do. I invented the StackGuard method of compiled buffer overflow protection, now used in both GCC and Microsoft Visual Studio. I designed the Immunix/Novell AppArmor application security system: standard access control security, with revolutionary ease of use. I now work for Microsoft, applying these same principles to the problem of enhancing Windows security.

This Blog

Syndication

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Microsoft
Page view tracker