The Full Wiki

More info on Mandatory Integrity Control

Mandatory Integrity Control: Wikis


Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.


From Wikipedia, the free encyclopedia

In the context of the Microsoft Windows range of operating systems, Mandatory Integrity Control (MIC, also called Integrity levels)[1] is a core security feature, introduced in Windows Vista and Windows Server 2008, which adds Integrity Levels (IL) to processes running in a login session. (See also Security features new to Windows Vista.) This mechanism is able to selectively restrict the access permissions of certain programs or software components which are considered to be potentially less trustworthy, compared with other software running under the same user account which is more trusted. Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384).[1] By default, processes started by a regular user gain a Medium IL and elevated processes have High IL.[2] Processes must be configured explicitly to run with Low IL. Processes with Low IL are called low-integrity processes. While processes inherit the integrity level of the process that spawned it, the integrity level can be customized on a per-process basis as well. For example, executables originating from the Internet are marked for and executed with Low IL. Windows controls access to objects based on ILs, as well as for defining the boundary for window messages, via User Interface Privilege Isolation.

Named objects, including files, registry keys or even other processes and threads, have an entry in the ACL governing access to them, that defines the minimum integrity level of the process that can use the object. Windows makes sure that a process can write to or delete an object only when its integrity level is equal to or higher than the requested integrity level specified by the object.[2] Objects with higher IL are out-of-bounds for even read access.[3]

Consequently, a process cannot interact with another process that has a higher IL. So a process cannot perform functions such as inject a DLL into a higher IL process by using the CreateRemoteThread()[4] API function or send data to a different process by using the WriteProcessMemory()[5] function. However, the higher IL process can execute such functions against the lower IL process.[1] However, they can still communicate by using files, Named pipes, LPC or other shared objects. The shared object must have an integrity level as low as the low IL process and should be shared by both the Low-IL and High-IL process.[3]



Access control lists (ACLs) are limited to granting access rights (read, write, and execute permissions) and privileges to users or groups. MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially-vulnerable applications (such as Internet-facing application). For example, Internet Explorer 7 with protected mode runs with a Low IL to limit its access to the system. Because IE7 runs as a Low-IL process, system level objects cannot be read or modified by it.

However, since it does not prevent a low IL process from sharing objects with a higher IL process, it can trigger flaws in the higher IL process and have it work on behalf of the low IL process, thereby causing a Squatting attack.[3] Shatter attacks, however, can be prevented by using another feature, User Interface Privilege Isolation, in conjunction with MIC.

Mandatory Integrity Control is defined using a new access control entry (ACE) type to represent the object's IL in its security descriptor. A subject IL is also assigned to the security access token when it is initialized. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs authorization before granting access to objects. Windows restricts the allowed access rights depending on whether the subject's integrity level is higher or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

See also


External links

Got something to say? Make a comment.
Your name
Your email address