The Full Wiki



From Wikipedia, the free encyclopedia

User Interface Privilege Isolation (UIPI) is a technology introduced in Windows NT 6.0 to combat input injection exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages).[1] Window messages are designed to communicate user actions to processes; however, they can be used maliciously to trigger flaws in the receiving process and run arbitrary code in its context. If a low IL process can run code in the context of a higher IL process, it accomplishes an unauthorized privilege escalation, known as a shatter attack. By restricting access to some vectors for code execution and data injection, UIPI can help to reduce these kinds of attacks.[2]

UIPI, and Mandatory Integrity Control more generally, is not a security boundary. It does not aim to protect against all shatter attacks. UI accessibility applications can bypass UIPI by setting the "uiAccess" value to TRUE in their manifest file. This requires the application to be installed in the Program Files or Windows directory and to be signed by a valid code signing authority, but nothing prevents malware from meeting these requirements as well. Additionally, some messages are still allowed through, such as WM_KEYDOWN, which lets a lower IL process drive input to an elevated command prompt. Finally, the function ChangeWindowMessageFilter allows a medium IL process (all non-elevated processes except Internet Explorer Protected Mode) to change the messages that a high IL process can receive from a lower IL process.[3] This effectively allows UIPI to be bypassed, except when running from Internet Explorer or one of its child processes.
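The paragraph above names two conditions a uiAccess application must meet (a secure install location and a valid code signature). The following PowerShell script is an added example, not part of the article or of Windows itself: it audits executables whose embedded manifest declares uiAccess="true" and reports any that fail either condition, so a defender can spot a program that has claimed the ability to bypass UIPI without being where, or signed how, it should be. The function names Get-UiAccessAudit and Get-SecureUiaPathsPolicy and the parameter -Root are this example's own. The registry value EnableSecureUIAPaths is the existing UAC policy setting that enforces the secure-location requirement; its location is from knowledge of Windows, not from the article.

```powershell
# Added example (not from the article): audit executables that declare uiAccess="true"
# in their embedded manifest and check the two requirements the article lists
# (installed under Program Files / Windows, valid Authenticode signature).
# Function and parameter names here are this example's own, not a Windows API.

function Get-UiAccessAudit {
    [CmdletBinding()]
    param(
        # Directories to scan; defaults to the locations Windows treats as secure for uiAccess.
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir)
    )

    # Locations where a uiAccess application is permitted to live. A trailing separator
    # is appended so that "C:\Program Files Evil\" does not match "C:\Program Files".
    $secureRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }

    # The manifest is stored as plain XML text in the PE resource section, so a raw
    # string search finds the declaration without parsing the resource table.
    $pattern = 'uiAccess\s*=\s*"true"'

    foreach ($dir in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                $declaresUiAccess = Select-String -LiteralPath $file.FullName -Pattern $pattern -Quiet -ErrorAction SilentlyContinue
                if (-not $declaresUiAccess) { return }

                # Requirement 1: installed in a secure location.
                $inSecureLocation = $false
                foreach ($r in $secureRoots) {
                    if ($file.FullName.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) {
                        $inSecureLocation = $true
                        break
                    }
                }

                # Requirement 2: carries a valid Authenticode signature.
                $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

                [pscustomobject]@{
                    Path             = $file.FullName
                    InSecureLocation = $inSecureLocation
                    SignatureStatus  = $sig.Status
                    Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    # A binary that declares uiAccess yet fails either requirement deserves a closer look.
                    Suspicious       = (-not $inSecureLocation) -or ($sig.Status -ne 'Valid')
                }
            }
    }
}

# The secure-location requirement is enforced by UAC policy; report whether it is still on.
function Get-SecureUiaPathsPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableSecureUIAPaths -ErrorAction SilentlyContinue).EnableSecureUIAPaths
    # An absent value means the default, which is enabled (1).
    if ($null -eq $value) { 1 } else { $value }
}

# Usage:
#   Get-SecureUiaPathsPolicy      # 1 = uiAccess apps must live in secure locations
#   Get-UiAccessAudit | Where-Object Suspicious | Format-Table Path, SignatureStatus, InSecureLocation
#   Get-UiAccessAudit -Root 'D:\Apps'   # scan a non-default directory as well
```

Scanning all of the Windows directory reads every executable once and can take several minutes; pass a narrower -Root to check a single application tree. The string search is a heuristic: it reports the declaration regardless of whether the manifest is well-formed, which for an audit is the conservative choice. Accessibility software such as screen readers will legitimately appear in the output with InSecureLocation and a valid signature; the entries worth investigating are those where Suspicious is true, and a policy value of 0 from Get-SecureUiaPathsPolicy means the location check is not being enforced at all on that machine.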
