Integrity levels (IL) 完整性标签

 

一、原理介绍

Ｖｉｓｔａ　引进一个新的概念　Integrity levels (IL)　完整性标签

 ­

 Integritylevels (IL)　完整性标签 定义的级别如下：

Name

SID

RID

Low Mandatory Level

S-1-16-4096

0x1000

Medium Mandatory Level

S-1-16-8192

0x2000

High Mandatory Level

S-1-16-12288

0x3000

System Mandatory Level

S-1-16-16384

0x4000

 

完整性标签是为了保证不同标签的进程（TOKEN) 和对象（SACL)之间的访问安全　。

 

例如：

 

如果当前进程的TOKEN 是Low Mandatory Level， 它就不能修改具有
Medium Mandatory Level 的对象 。即使我们对象 的ＤＡＣＬ赋予完全读写的权限。

 

当然， 对于不同级别的标签完整性， 我们缺省有如下的策略， 这些策略可以通过

域 的组策略来修改

 

Integrity levelpolicies

No-Write-Up

A Lower IL process cannot modify a higher IL object

No-Read-Up

A lower IL process cannot read from a higher IL object

No-Execute-Up

A lower IL process cannot execute a higher IL object

 

 

 

完整性标签是以何种形式存在？　完整性标签通过　SACL 的ACE形式存在于每个对象中。

 

当每个进程打开对象， 我们会进行ＳＡＣＬ和　DACL检查，这个检查通过 核心态函数

SeAccessCheck . 只有当前进程ＴＯＫＥＮ的　完整性标签　高于或者等于　对象的完整性标，　我们才会进一步进行 DACL 检查。如果完整性标签验证通不过。 即使ＤＡＣＬ给予再高权限都无济于事。

 

二、操作实现

如何判断一个进程的Integrity levels (IL)　完整性标签？

步骤1：打开进程的Token；

步骤2：获取Token的Integrity levels

const SECURITY_MANDATORY_UNTRUSTED_RID = $00000000; SECURITY_MANDATORY_LOW_RID = $00001000; SECURITY_MANDATORY_MEDIUM_RID = $00002000; SECURITY_MANDATORY_HIGH_RID = $00003000; SECURITY_MANDATORY_SYSTEM_RID = $00004000; SECURITY_MANDATORY_PROTECTED_PROCESS_RID = $00005000;type PTokenMandatoryLabel = ^TTokenMandatoryLabel; TTokenMandatoryLabel = packed record Label_ : TSidAndAttributes; end;type //Extend existing enumeration in Windows.pas with new Vista constantsTTokenInformationClass = (TokenICPad, TokenUser, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid);function GetIntegrityLevel() : DWORD;var hProcess, hToken : THandle; pTIL : PTokenMandatoryLabel; dwReturnLength: DWORD; dwTokenUserLength: DWORD; psaCount : PUCHAR; SubAuthority : DWORD;begin Result := 0; dwReturnLength := 0; dwTokenUserLength := 0; pTIL := nil; hProcess := GetCurrentProcess(); OpenProcessToken(hProcess, TOKEN_QUERY or TOKEN_QUERY_SOURCE, hToken); if hToken = 0 then Exit; if not GetTokenInformation(hToken, Windows.TTokenInformationClass(TokenIntegrityLevel), pTIL, dwTokenUserLength, dwReturnLength) then begin if GetLastError = ERROR_INSUFFICIENT_BUFFER then Begin pTIL := Pointer(LocalAlloc(0, dwReturnLength)); if pTIL = nil then Exit; dwTokenUserLength := dwReturnLength; dwReturnLength := 0; if GetTokenInformation(hToken, Windows.TTokenInformationClass(TokenIntegrityLevel), pTIL, dwTokenUserLength, dwReturnLength) and IsValidSid( (pTIL.Label_).Sid ) then begin psaCount := GetSidSubAuthorityCount((pTIL.Label_).Sid ); SubAuthority := psaCount^; SubAuthority := SubAuthority - 1; Result := GetSidSubAuthority((pTIL.Label_).Sid, SubAuthority)^; end; LocalFree(Cardinal(pTIL)); End; end; CloseHandle(hToken);end; 

以下是返回值

  SECURITY_MANDATORY_UNTRUSTED_RID = $00000000;
  SECURITY_MANDATORY_LOW_RID = $00001000;
  SECURITY_MANDATORY_MEDIUM_RID = $00002000;
  SECURITY_MANDATORY_HIGH_RID = $00003000;
  SECURITY_MANDATORY_SYSTEM_RID = $00004000;