# Design sandbox avec broker ```c struct broker_worker_t { int id; int fd; // process_ipc ARRAY_DECL(int) acls; }; struct broker_state_t { ARRAY_DECL(const broker_worker_t *) workers; }; struct worker_state_t { int id; int fd; // process_ipc }; ``` Lorsqu'on crée le nouveau premier objet dans un nouveau processus, le broker enregistre l'id de l'objet. Lorsqu'on essaye de passer un objet non broker-boxé via un message en faisant un process_handler_t, le broker génère un nouvel id pour l'objet et le retourne à l'appelant, qui l'intègre au message. Les messages ont la forme suivante : ``` struct msg { // When sending from broker uint32_t from; // Common stuff uint32_t op; uint32_t target; uint32_t action; void* args; }; ``` Les réponses ont la forme suivante : ``` struct answer { uint32_t op; uint32_t from; void* payload; }; ``` Cas particulier de la création du processus : la `target` est ignoré, et `from` renvoie l'ID du nouveau module créé dans le nouvel étage. # Windows passage de descripteur de fichiers From https://msdn.microsoft.com/en-us/library/bb625962.aspx > Service applications using multiple processes are sometimes designed to > duplicate handles to objects, such as files, between server processes. If > all the processes are running under the same special service account, the > default security on service processes does not introduce restrictions. The > default DACL on service processes running under special service accounts > does not grant PROCESS_DUP_HANDLE access, which is required for > DuplicateHandle calls. Application service designers have to implement > functionality to grant PROCESS_DUP_HANDLE access on the service process > object to another user account used by a co-process in order to share > handles between application processes that run under different user accounts. > But if the service into which you want to duplicate the handle is a special > service account running at a system integrity level, a co-process running at > a high or medium integrity level will not be able to obtain > PROCESS_DUP_HANDLE because of the mandatory label policy. Even if the DACL > grants PROCESS_DUP_HANDLE access, the mandatory label policy does not allow > lower-integrity callers that access. If this situation affects the service > application design, the application service code will need to change so that > the process that initiates DuplicateHandle is at an integrity level higher > than the integrity level of the process that is the source of the handle. > That is, a higher-integrity service can duplicate a handle into its own > process as a target from a lower-integrity process as the handle source. https://bugs.chromium.org/p/chromium/issues/detail?id=338538 https://chromium.googlesource.com/chromium/src.git/+/dc84fcce71f37e6faeab9dce6ae2a65f1e12a5d2%5E%21/#F0 Windows ignores DACLs on certain unnamed objects (like shared sections). So, we generate a random name when we need to enforce read-only. # Windows isolation réseau https://msdn.microsoft.com/en-us/library/hh780593 https://msdn.microsoft.com/library/0a97956e-fda9-4791-b87b-9e03ae135382 Not possible without Hyper-V, which needs Windows 10 Pro. # Windows, Shatter attack, UIPI http://www.coseinc.com/en/index.php?rt=download&act=publication&file=Vista_UIPI.ppt.pdf https://en.wikipedia.org/wiki/Shatter_attack http://www.hpl.hp.com/techreports/2005/HPL-2005-87.pdf => Since windows vista, 4 integrity levels: low, medium, high, system # Exploiting a leaked thread handle project zero https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html other attacks: + Detecting kernel memory disclosure with x86 emulation and taint tracking https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf + Reading priviledged memory with a side-channel https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html + aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript https://googleprojectzero.blogspot.com/search?updated-max=2018-01-03T14:27:00-08:00&max-results=7&start=4&by-date=false + Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices https://googleprojectzero.blogspot.com/search?updated-max=2017-12-18T09:47:00-08:00&max-results=7&start=5&by-date=false + Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read https://googleprojectzero.blogspot.com/search?updated-max=2017-08-23T09:10:00-07:00&max-results=7&start=11&by-date=false # Documents à lire + privilege escalation on windows, about DACL, token etc https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf # VLC-sandboxing orienté module # Windows security + Jobs are not aimed at providing security, they are like cgroups. + CreateRestrictedToken is the most powerful barrier all windows 10 has. + Better options are limited to Window 10 pro edition, and include virtualization or WSL. + Windows has unix socket in WSL too, but they don't support SCM and so file descriptor transfer between processes. ## CreateRestrictedToken When trying to access a resource, Windows will check the user SID and group SID, and then will check the restricted token. Thus, restricted token can be used as a way to limit one process's available resources, by attaching a restricted token to it. As the user and group is checked, this token can only be used to limit existing right and can't add new ones. It is worth noticing that it doesn't limit resources access from the outside to the restricted process. A restricted token can be a **primary** or **impersonation** _access token_. From the documentation, it allows three ways of restricting a token: https://docs.microsoft.com/en-us/windows/desktop/secauthz/restricted-tokens > + Remove privileges from the token. > + Apply the deny-only attribute to SIDs in the token so that they cannot be > used to access secured objects. For more information about the deny-only > attribute, see SID Attributes in an Access Token. > + Specify a list of restricting SIDs, which can limit access to securable > objects. To create a process with a restricted **primary** token, `CreateProcessAsUser` must be used, with the caller process having the `SE_ASSIGNPRIMARYTOKEN_NAME` privilege if it doesn't specify a restricted version of the caller's primary token. It is possible to activate a restricted token later by using the token with the `ImpersonateLoggedOnUser` function. Security note: > Applications that use restricted tokens should run the restricted application > on desktops other than the default desktop. This is necessary to prevent an > attack by a restricted application, using SendMessage or PostMessage, to > unrestricted applications on the default desktop. If necessary, switch > between desktops for your application purposes. It is possible to transfer a token from one process to another thanks to `DuplicateHandle`, as explained in the following forum posts: https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/9bd4bce0-033a-431b-abb8-2c10438e6283/how-can-i-pass-security-token-from-one-process-to-another-?forum=windowssecurity https://stackoverflow.com/questions/2331363/is-passing-a-windows-security-token-between-processes-permitted `ImpersonateNamedPipeClient`: https://stackoverflow.com/a/2339129 # Windows IPC ## Todolist [x] `vlc_ipc_SendIpc` must write the size of the message, then write each part of the message. [x] `vlc_ipc_RecvMsg` must read the size of the message, then read the whole message. [x] `vlc_msg_append_block` must put the name of the shared memory. [x] `vlc_msg_recv_block` must open the shared memory and map it. [ ] zygote calls `createprocess` with `--sandbox-worker=%file_descriptor_read` option. [ ] zygote sends write file descriptor to new worker and then close it. [ ] `vlc_sandbox_start` should start the worker eventloop if `--sandbox-worker` option is present in the command line. [ ] `vlc_sandbox_start` should start the zygote if `--sandbox-zygote=%fd` is present in the command line. [ ] `block_alloc` should create a file mapping using `createfilemapping` and map it in memory using `mapviewoffile`. [ ] `block_filemapping_init` should use `OpenFileMapping` and `MapViewOfFile`. [ ] IPC in the Windows sandbox must be named pipes instead of anonymous pipes because anonymous ones don't have support neither for duplex communication nor overlapped IO operations. It means that a proper planning of SID must be made to restrict other low integrity level sandboxed process. [ ] `msg_poller` should use io completion port => might work, try out => take care socket deletion [ ] `vlc_ipc_close` should close the handle, and might need to manage the allocated memory (for overlapped structure for example) [ ] replace `close(ipc.fd)` by `vlc_ipc_close(ipc)` [ ] try removing the zygote process from the windows model, only inherit the handle for IPC when creating a new process. ## IOCP https://www.codeproject.com/Articles/10330/A-simple-IOCP-Server-Client-Class http://www.drdobbs.com/cpp/multithreaded-asynchronous-io-io-comple/201202921?pgno=3 completion vs readiness https://softwareengineering.stackexchange.com/questions/293908/readiness-vs-completion-async-io-memory-usage https://stackoverflow.com/questions/2794535/linux-and-i-o-completion-ports The readiness model notify that a file descriptor is ready for action, whether it is reading or writing to it. The user then can perform the kernel-to-user action without waiting. In particular, it means that you can use one buffer for the whole set of file descriptor when reading. The completion model notify that the operation planned on a file descriptor has been satisfied. The user has to start the operation and let the operating system do it on its own, whether or not the file descriptor was ready. In particular, it means that you need one buffer for each file descriptor as you can't know in which order the operation will be satisfied. The workflow for IOCP on Windows to emulate the msg_poller is to create an IoCompletionPort with the following call. ``` HANDLE iocp = CreateIoCompletionPort( INVALID_HANDLE_VALUE, NULL, 0, nThreads ); ``` Then associate a `HANDLE handle` to the port, with `key` being a registration key used as identifier or pointer, given back in the notification of this handle. ``` CreateIoCompletionPort( handle, iocp, key, 0 ); ``` The port is ready so start read requests, giving an `OVERLAPPED` object and a new buffer to each read request when no request is pending. ``` FOREACH( struct iocp_buffer*, iohandle, iohandles ) { if( !iohandle->pending ) ReadFile( iohandle->handle, iohandle->buffer, length, NULL, iohandle->overlapped ); } ENDFOR() ``` And finally wait for on the request to be satisfied by the operating system. The argument `overlapped` is required to be passed as a `LPOVERLAPPED` struct, but the example in the documentation uses a `OVERLAPPED**` instead. ``` DWORD length = 0; ULONG_PTR key = 0; OVERLAPPED *overlapped = NULL; GetQueuedCompletionStatus( iopc, &length, &key, &overlapped, INFINITE ); ``` Finally, `overlapped` contains the information about the handle and the buffer, while `key` contains an additional information to recognize the operation. We can proceed to the next operations on the data and release the `overlapped` structure. TODO: removing HANDLE from the IO port. `ReadFileEx` provide another kind of writing asynchronous IO, but still built upon this concept of completion. One can register an user-defined callback which will be casted at the end of the IO operation. This callback will get the ownership of the `OVERLAPPED` object and will be responsible for processing and releasing it. a lire https://opensource.googleblog.com/2010/01/libevent-20x-like-libevent-14x-only.html => easier to write a notify-to-completion than completion-to-notify wrapper. design issues when using IOCP in a winsock server https://support.microsoft.com/en-us/help/192800/info-design-issues-when-using-iocp-in-a-winsock-server fast portable non blocking network programming with libevent http://www.wangafu.net/~nickm/libevent-book/ closing a file handle with IO completion https://stackoverflow.com/questions/6573218/removing-a-handle-from-a-i-o-completion-port-and-other-questions-about-iocp # Sandbox todolist [ ] Create process by zones, all video decoders in the same process, all audio in the same other process and vout/aout in the same process as their respective counterpart [ ] Process creation policy should be in the broker process and configured at vlc_sandbox_Init by the application caller. [ ] Special process creation order should be possible, for example when having multiple video outputs. [ ] Release object correctly, proxy objects should have a special released handler associated to them and be released as soon as the other endpoint is released. [ ] Handle cross-process errors and report them to the other process correctly [ ] Handle other process life cycle, health and failure [ ] Play with SID on Windows to understand how it works.