User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents a process with a lower integrity level (IL) from sending window messages to a process with a higher IL, except for a small, fixed set of messages that only read state (WM_NULL, WM_GETTEXT and WM_GETTEXTLENGTH among them). A blocked SendMessage or PostMessage call fails with ERROR_ACCESS_DENIED. Two sanctioned ways around the filter exist: a higher-IL process can re-admit a particular message from lower-IL senders with ChangeWindowMessageFilter or, per window, ChangeWindowMessageFilterEx, and an application whose manifest declares uiAccess="true" may drive higher-IL windows, as assistive technologies must; Windows honours that flag only for binaries that are Authenticode-signed and installed under a protected path such as Program Files.
Window messages are designed to communicate user actions to processes. However, they can also be used to run arbitrary code in the receiving process' context. A malicious low-privilege process could therefore run arbitrary code in the context of a higher-privilege process, which constitutes an unauthorized privilege escalation. By restricting the ability of lower-privileged processes to send window messages to higher-privileged processes, UIPI mitigates these kinds of attacks.
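The following PowerShell script is an added example and is not code from the original article or from Microsoft. It probes the behaviour described above from both sides: as a sender, it shows that a read-only message (WM_GETTEXT) crosses an integrity-level boundary while a state-changing one (WM_SETTEXT) is dropped with ERROR_ACCESS_DENIED; as a receiver, it shows how a process re-admits one message type with ChangeWindowMessageFilterEx. It assumes Windows 7 or later, a non-elevated (Medium IL) PowerShell session, and an elevated (High IL) notepad.exe as the target; the function names and the constants are this example's own.

```powershell
# Added example, not part of the original article: probe UIPI from PowerShell via P/Invoke.
# Assumptions: Windows 7 or later; this script runs in a non-elevated (Medium IL) PowerShell;
# the target is the main window of an elevated (High IL) process, e.g. notepad.exe started
# with "Run as administrator". Against a non-elevated notepad both messages are delivered.

Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Uipi -Name Native -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr SendMessageW(IntPtr hWnd, uint msg, IntPtr wParam, string lParam);

[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr SendMessageW(IntPtr hWnd, uint msg, IntPtr wParam, System.Text.StringBuilder lParam);

[DllImport("user32.dll", SetLastError = true)]
public static extern bool ChangeWindowMessageFilterEx(IntPtr hWnd, uint msg, uint action, IntPtr pChangeFilterStruct);
'@

$WM_SETTEXT          = 0x000C
$WM_GETTEXT          = 0x000D
$WM_COPYDATA         = 0x004A
$MSGFLT_ALLOW        = 1
$ERROR_ACCESS_DENIED = 5

function Test-UipiSend {
    param([Parameter(Mandatory)][IntPtr]$Hwnd)

    # WM_GETTEXT is on the short list of messages UIPI never filters (it only reads
    # state), so it is answered even by a higher-IL window.
    $buf = New-Object System.Text.StringBuilder 256
    $null = [Uipi.Native]::SendMessageW($Hwnd, $WM_GETTEXT, [IntPtr]$buf.Capacity, $buf)
    "Title read via WM_GETTEXT: '$($buf.ToString())'"

    # WM_SETTEXT changes state in the receiver. When the sender's IL is below the
    # receiver's, UIPI drops it: SendMessage returns 0 and the last error is
    # ERROR_ACCESS_DENIED. When delivered, WM_SETTEXT returns TRUE (1).
    $r   = [Uipi.Native]::SendMessageW($Hwnd, $WM_SETTEXT, [IntPtr]::Zero, "UIPI probe")
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($r -eq [IntPtr]::Zero -and $err -eq $ERROR_ACCESS_DENIED) {
        "WM_SETTEXT blocked by UIPI (ERROR_ACCESS_DENIED): sender IL < receiver IL"
    } else {
        "WM_SETTEXT delivered (return $r, last error $err): sender IL >= receiver IL"
    }
}

function New-OptInWindow {
    # Receiver side: a window in the higher-IL process re-admits ONE message type from
    # lower-IL senders. This reopens exactly the channel UIPI closed, so do it only for a
    # message whose handler treats every field of the payload as untrusted input.
    $form = New-Object System.Windows.Forms.Form
    $hwnd = $form.Handle   # reading Handle forces creation of the native window
    $ok = [Uipi.Native]::ChangeWindowMessageFilterEx($hwnd, $WM_COPYDATA, $MSGFLT_ALLOW, [IntPtr]::Zero)
    if (-not $ok) {
        throw "ChangeWindowMessageFilterEx failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $form   # keep the form alive while lower-IL clients are expected to talk to it
}

# Usage: pick the first notepad window and probe it from this (Medium IL) session.
$target = (Get-Process notepad -ErrorAction Stop |
           Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } |
           Select-Object -First 1).MainWindowHandle
Test-UipiSend -Hwnd $target
$optIn = New-OptInWindow
```

Run the probe twice, once against a notepad started normally and once against one started with "Run as administrator", to see the WM_SETTEXT line flip from delivered to blocked while the WM_GETTEXT line stays the same. The opt-in in New-OptInWindow is per window and per message; ChangeWindowMessageFilter, the Vista-era call, applies process-wide and is the coarser choice.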
UIPI, and Mandatory Integrity Control more generally, is a security feature but not a security boundary: Microsoft does not treat a bypass of it as crossing a boundary that it commits to defend, so it should be relied on as defense in depth rather than as the sole separation between privilege levels.
Microsoft Office 2010 uses UIPI for its Protected View sandbox to prohibit potentially unsafe documents from modifying components, files, and other resources on a system.
References
- "The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC)". Microsoft. April 2007. Retrieved 2007-12-07.
- Edgar Barbosa. "Windows Vista UIPI" (PDF). COSEINC. Archived from the original (PDF) on 2012-04-18. Retrieved 2012-04-18.
- "Microsoft Security Servicing Criteria for Windows". Microsoft.
- Malhotra, Mike (2009-08-13). "Protected View in Office 2010". TechNet. Microsoft. Retrieved 2017-09-22.