User Interface Privilege Isolation
User Interface Privilege Isolation(UIPI) is a technology introduced inWindows VistaandWindows Server 2008to combatshatter attackexploits. By making use ofMandatory Integrity Control,it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages).[1]
Window messages are designed to communicate user action to processes. However, they can be used torun arbitrary codein the receiving process' context. This could be used by a malicious low-privilege processes to run arbitrary code in the context of a higher-privilege process, which constitutes an unauthorizedprivilege escalation.By restricting the ability of lower-privileged processes to send window messages to higher-privileged processes, UIPI can mitigate these kinds of attacks.[2]
UIPI, and Mandatory Integrity Control more generally, is a security feature but not a securityboundary.[3]
Microsoft Office 2010uses UIPI for its Protected Viewsandboxto prohibit potentially unsafe documents from modifying components, files, and other resources on a system.[4]
References
[edit]- ^"The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC)".Microsoft.April 2007.Retrieved2007-12-07.
- ^Edgar Barbosa."Windows Vista UIPI"(PDF).COSEINC. Archived fromthe original(PDF)on 2012-04-18.Retrieved2012-04-18.
- ^"Microsoft Security Servicing Criteria for Windows".Microsoft.
- ^Malhotra, Mike (August 13, 2009)."Protected View in Office 2010".TechNet.Microsoft.RetrievedSeptember 22,2017.