I've developed a windows application that uses shared memory---that is---memory mapped files for interprocess communication. I have a windows service that does some processing and periodically writes data to the memory mapped file. I have a separate windows application that reads from the memory mapped file and displays the information. The application works as expected on Windows XP, XP Pro and Server 2003, but NOT on Vista.
I can see that the data being written to the memory mapped file is happening correctly by the windows service because I can open the file with a text editor and see the stored messages, but the "consumer" application can't read from the file. One interesting thing to note here, is that if I close the consumer application and restart it, it consumes the messages that were previously written to the memory mapped file.
Also, another strange thing is that I get the same behavior when I connect to the windows host using Remote Desktop and invoke/use the consumer application through remote desktop. However, if I invoke the Remote Desktop and connect to the target host's console session with the following command: mstsc -v:servername /F -console, everything works perfectly.
So that's why I think the problem is related to permissions. Can anyone comment on this?
EDIT:
The ACL that I'm using to create the memory mapped file and the Mutex objects that sychronize access is as follows:
TCHAR * szSD = TEXT("D:")
TEXT("(A;;RPWPCCDCLCSWRCWDWOGAFA;;;S-1-1-0)")
TEXT("(A;;GA;;;BG)")
TEXT("(A;;GA;;;AN)")
TEXT("(A;;GA;;;AU)")
TEXT("(A;;GA;;;LS)")
TEXT("(A;;GA;;;RD)")
TEXT("(A;;GA;;;WD)")
TEXT("(A;;GA;;;BA)");
I think this may be part of the issue.
So I found the solution to my problem:
On Windows XP, all named kernel objects such as mutex, semaphore and memory mapped objects are stored in the same namespace. So when different processes in different user sessions reference a particular object using it's name, they obtain a handle to that object. However, as a security precaution, Windows terminal services creates a separate namespace for kernel objects referenced from processes started in it's session. Windows Vista has this behavior built into it as well, so that's why my app didn't work correctly on Vista. To elaborate, I have a Windows service that runs in the null session and an application that runs in a user session, so my named objects were being created in separate namespaces.
The quick fix for this issue was to use the Global namespace by prepending "Global\" to each kernel object name that I used and that did the trick.
The prefix "Global\" may not work on shared memory. See "Impact of Session 0 Isolation on Services and Drivers in Windows Vista" for solution.
What access are you opening the shared memory section with? Try with FILE_MAP_ALL_ACCESS and work your way down. Also make sure you don't have a race condition between the producer and consumers - which one is creating the shared memory? Make sure ths is created before the other one tries to open it. One method is to create the section in the parent before you start the child process - if you are using a parent/child architecture.
Your child may need to run elevated on Vista in order to be allowed access to the shared memory. It may also be related to the window session your are using. Services run in session 0 (I think) while other apps (especially if you log in via remote desktop) may run in another session.
Have you tried moving the file to a different location. Try putting it in the 'Shared Documents' folder, this seems to be the most freely accessible folder in Vista.
Related
I'm implementing API which allows to launch other apps (using NSTask) inside VFS (FUSE on macOS). After VFS is mounted a bunch of processes start accessing launched VFS in which my app works, and I'd like to implement some kind of filtering mechnism which will allow to detect whether process which is accessing the VFS is created by system (and potentially safe) or not, and if so it'll be granted an access to the file system where my app runs.
So far I'm able to get basic information of the process by it's pid. For example: process path, uid, ppid, code signature of the process etc (using Security framework, libproc etc)
I've done a couple of tests and see that there are process with uid != 0 and still critical for my app to run (if I deny access to them app which is started in VFS crashes) (e.g. /usr/libexec/secinitd, /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock), so looks like approach with filtering processes by pids, uids, ppids might not work.
So the question is: is it possible to distinguish whether process which is accessing my app was created by system and is potentially safe? I also don't want to do too much work by denying accees to critical system processes which will allow the app to successfully start and run in VFS.
Judging from the comment thread, your threat model is data theft via malware etc.
In this case, you can trust almost nothing, so the best way is probably to maintain an explicit whitelist of processes which are allowed to access your mount point, and block access to everything else by default. Log any processes to which access is denied, and allow the user to reverse that decision and add them to the whitelist. In other words, let the user decide what applications they consider safe.
Your said that according to your inspection, there were several processes which were mandatory for the process to run, so why won't use try-and-error approach.
You deploy you FUSE drive on clean environment and record all processes that attempt to access your files - try to prevent each process and keep only those which crash your apps, and add them to a white-list.
Of course that this list is subject to change in different macOS versions, but it can give you the general idea.
Alternatively, you can break your app into couple of parts. for example, put the sensitive logic inside separated dylib file, and prevent access to this file only.. since dylib is not the main executable in your app, I believe fewer processes require mandatory access it.
Is there any way to grant access to network shares to Low Mandatory Level processes (UAC)?
Further explanation:
To migrate some third-party library security issues we are considering setting Integrity Mode to isolating process to Low, but we do need to have process read/write freely from specified single file system share (UNC path, possibly on separate computer).
Does anyone know is there a way to do this?
Thanks
Yes this is available by default. Integrity of a process only affects local security not remote security. This can be proven by creating a low integrity version of notepad -
Copy C:\windows\system32\notepad.exe to a location i.e.
C:\test\lownote.exe
Run icacls C:\test\lownote.exe /setintegritylevel Low
Run lownote
Confirm with Process Explorer (http://live.sysinternals.com/procexp.exe) it is running as low integrity. Note you can open files on HDD but can't save to them,
except in low integrity sections of user profile Browse to network,
path using UNC share - you can open/save files fine.
That being said you may come across access denied messages when using a low integrity process to write to network shares. This cause can be found by using procmon on the computer running your app http://live.sysinternals.com/ProcMon.exe and filtering to include Result is "ACCESS DENIED" and Process Name is - the name of your process.
What will not available is drive mappings...you will see an "access denied" thrown when trying to read HKCU[location of drive letter]
As per MSDN documentation:
However, you can use other types of communication between a low-integrity process and a higher-integrity process. The types of communication that you can use include:
Clipboard (copy and paste)
Remote procedure call (RPC)
Sockets
Window messages that the higher-integrity process has been explicitly
allowed to receive from lower-integrity processes by calling
ChangeWindowMessageFilter
Shared memory, where the higher-integrity
process explicitly lowers the mandatory label on the shared memory
section ( Important This is particularly dangerous, and the
higher-integrity process must be careful to validate all data that is
written to the shared section.)
COM interfaces, where the launch
activation rights are set programmatically by the higher-integrity
process to allow binding from low integrity clients
Named pipes,
where the creator explicitly sets the mandatory label on the pipe to allow access to lower-integrity processes
ref http://msdn.microsoft.com/en-us/library/bb625960.aspx
I am new to writing Windows Services so this is really strange to me. I have debugged an external library using a WinForm. The external library does some drive mapping, copying a directory structure, deleting the original directory, renaming the copied directory, and then removes mappings.
So, when I write up the service to initialize the external class and start the process, the service doesn't seem to be doing what I think it should be doing. It appears to be doing nothing and completely ignoring what is going on.
Is there anything I am missing? Does the external library need to have any Security attributes?
Update
Found out how to attach a debugger, per #Will's comment: System.Diagnostics.Debugger.Break()
Edit
It also helps when you copy your app.config file to the correct directory!!!
Not a lot to go on here. First, you can debug your service, which is what you should be doing rather than using a winform frontend to test your code.
The issue is either that your service is not created properly, or that you've got a security issue.
Your service will receive a start message, after which it must run its own code, often on a different thread (a Timer is a common way to do this).
If the service is touching a drive, the user account under which it executes must have rights to perform the operations it attempts. Try changing the user account under which it executes to your own and see if it starts working.
I have a C++ application which used Mutex, Events,Semaphores for synchronization. While hosted in windows 2008 server/Windows 7, this application is not starting from a remote client.
I used telnet client to connect remotely to this application and saw that telnet server is running under session 0 and therefore it is trying to start my application under session 0. My application is trying call OpenMutex to open a mutex which was created by another application running locally (in session 1).
I can make my application work by perpending "Global\" to mutex name. What I am looking for is a way run application without making this code change. Is it even possible? Is it possible to launch telnet service under session 1.
CreateMutex(&sa,FALSE,Buffer, "MyMutexName"));
I can modify this to CreateMutex(&sa,FALSE,SYS_ID2(szSysIdBuffer, "Global\MyMutexName")); but is there any other way other that making this change.
Thanks
You probably know the document http://www.microsoft.com/whdc/system/sysinternals/session0changes.mspx which describes problems with the Session 0 isolation. The old way to make a service interactive which are described in http://msdn.microsoft.com/en-us/library/ms683502.aspx not works on Widows 7 because Terminal Services are active per default.
So it seems to me that in your case the way with the "Global\" prefix, which you currently use, is really the best one. To understand the complexity of an other possible way you can read following Process with administrative privileges run on user logon.
My service needs to store a few bits of information (at minimum, at least 20 bits or so, but I can easily make use of more) such that
it persists across service restarts, even if the service crashed or was otherwise terminated abnormally
it does not persist across a reboot
can be read and updated with very little overhead
If I store this information in the registry or in a file, it will not get automatically emptied when the system reboots.
Now, if I were on a modern POSIX system, I would use shm_open, which would create a shared memory segment which persists across process restarts but not system reboots, and I could use shm_unlink to clean it up if the persistent data somehow got corrupted.
I found MSDN : Creating Named Shared Memory and started reimplementing pieces of it within my service; this basically uses CreateFileMapping(INVALID_HANDLE_NAME, ..., PAGE_READWRITE, ..., "Global\\my_service") instead of shm_open("/my_service", O_RDWR, O_CREAT).
However, I have a few concerns, especially centered around the lifetime of this pagefile-backed mapping. I haven't found answers to these questions in the MSDN documentation:
Does the mapping persist across reboots?
If not, does the mapping disappear when all open handles to it are closed?
If not, is there a way to remove or clear the mapping? Doesn't need to be while it's in use.
If it does persist across reboots, or does disappear when unreferenced, or is not able to be reset manually, this method is useless to me.
Can you verify or find faults in these points, and/or recommend a different approach?
If there were a directory that were guaranteed to be cleaned out upon reboot, I could save data in a temporary file there, but it still wouldn't be ideal: under certain system loads, we are encountering file open/write failures (rare, under 0.01% of the time, but still happening), and this functionality is to be used in the logging path. I would like not to introduce any more file operations here.
The shared memory mapping would not persist across reboots and it will disappear when all of its handles are closed. A memory mapping object is a kernel object - they always get deleted when the last reference to them goes away, either explicitly via a CloseHandle or when the process containing the reference exits.
Try creating a registry key with RegCreateKeyEx with REG_OPTION_VOLATILE - the data will not preserved when the corresponding hive is unloaded. This will be at system shutdown for HKLM or user logoff for HKCU.
sounds like maybe you want serialization instead of shared memory? If that is indeed appropriate for your application, the way you serialize will depend on your language. If you're using c++, check out boost::serialize. C# undoubtedly has lots of serializations options (like java), if that's what you're using.