
Windows Vista and “Longhorn” Server: Under the Hood of the Operating System Internals and Your Application (FUN417)

Richard B. Ward, Architect, [email protected]

Karthik Thirumalai, Program Manager, [email protected]

Simplified Windows Core

User mode:
- kernel32, advapi32, . . .
- NTDLL

Kernel mode:
- Object Manager, Power Management, Memory Manager, Registry, Inter-process Communication, Scheduler, Security, Plug and Play, I/O Manager
- Hardware Abstraction Layer


Core Changes

- New boot environment
  - Platform and firmware independent and highly portable
  - Supports 32- and 64-bit systems via PC/AT BIOS or EFI
  - Fully localized, supporting many languages
- Hot add/replace of processor and memory
- Enhanced power management with Hybrid Sleep
  - Combines Standby and Hibernate: suspend to RAM and disk at the same time

Core Changes

- Memory manager
  - Dynamic system address space: system virtual address (VA) space and kernel page tables allocated on demand
  - NUMA and large page support
  - Paging video memory

Core Changes

- User Mode Driver Framework
  - Infrastructure to run a device driver in user mode
  - Implementation of the WDF driver model; supports core WDF objects
  - User-mode drivers are isolated from other drivers
  - Kernel is isolated from user-mode drivers
  - System can recover after a driver crash – no blue screen
- Enhanced multimedia support
  - Multimedia Class Scheduler Service
  - Support for soft real-time memory allocations
  - Scheduled file I/O

Security Enhancements

- Kernel mode malware on the rise
- Presents new categories of problems
  - Malicious code running with the highest privileges
  - Device drivers can monitor and affect almost anything on the system

Security Enhancements

- Kernel mode code must be digitally signed
  - Enforced at install and load time
  - x64 only for Vista
- User mode code
  - Critical system processes will require signed code

Windows Services

- Architecture overview
- Changes to the services model
  - Security: Session 0 isolation, service hardening
  - Performance: delayed start, state change notifications
  - Reliability: failure action on non-crash failures

Services Model Overview

(Diagram) SCM API clients talk to the Service Control Manager over LRPC locally, and over RPC/TCP (Vista+) or RPC/NP (legacy) remotely. The SCM reads service configuration from HKLM\System\CCS\Services and uses the service process communication channel to start, stop and send controls to service processes: Svchost.exe, which hosts a configurable number of services, and own-process services (OwnProc.exe).

Service Start Types

- Automatic: started during boot by the SCM
  - Auto-start services have a significant performance effect: lots of I/O requests and contention over global resources
  - Can have a significant effect on boot time
- Manual: started on demand by a client
  - Reduces impact on boot performance

Start Types – Delayed Start

- Delayed auto start – new in Windows Vista
  - Many services are auto start simply because they want “unattended” start, but do not need to be running immediately after boot
  - Delayed start services are started in low priority CPU and I/O threads shortly after boot
- Configured through ChangeServiceConfig2:

    SERVICE_DELAYED_AUTO_START_INFO sdaInfo;
    sdaInfo.fDelayedAutoStart = TRUE;
    ChangeServiceConfig2(hService, SERVICE_CONFIG_DELAYED_AUTO_START_INFO, &sdaInfo);

- Client code must tolerate the service’s unavailability

Service Security Model

- Built-in accounts for easy management: no password management requirements
  - LocalSystem: very powerful and has most privileges – use cautiously
  - LocalService and NetworkService: greatly reduced privilege set
    - NetworkService uses the machine account for remote authentication
- Session-0 isolation – new in Windows Vista
  - Services are isolated from interactive sessions
  - Helps mitigate UI attacks

Windows Service Hardening

- Motivation
  - Services are attractive targets for malware: running on a large number of systems
  - Services typically are higher privileged than users
  - Worms target services, e.g. Sasser, Code Red, etc.
- Goals
  - Run with the least privilege necessary
  - Use only the resources needed by the service
  - Reduce the damage potential and number of critical vulnerabilities in services
  - Extend the existing security model for more granular control

Running With Least Privilege

- Privilege stripping enables a service to run with least privilege: use only required privileges
  - Express required privileges (SeBackupPrivilege, SeRestorePrivilege, etc.) during service configuration via the ChangeServiceConfig2 API (sc.exe can be used as well)
  - SCM computes the union of all hosted services’ required privileges
  - Permanently removes unnecessary privileges from the process token when the service process starts
  - No privileges are added
  - Target account must support the required privileges, e.g. a service in the LocalService account cannot get SeTcbPrivilege

Service Isolation

- Service-specific SID: 1:1 mapping between service name and SID
  - Use it to ACL objects the service needs, allowing access only to the specific service SID
  - Use ChangeServiceConfig2 or sc.exe to control the service SID: set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
- Service-specific SID assigned at start time
  - When the service process starts, the SCM adds the service SIDs to the process token (S-1-5-80-XXXXX-YYYYY)
  - SID enabled/disabled when the service starts/stops
  - Service SIDs are local to the machine

Reducing Damage Potential

- Restricted services use service SIDs and restricted tokens
- Write-restricted service process
  - Allows the service process write access only to objects that allow WRITE for the service SIDs
  - Reduces the scope of resources accessed on the system
- When the service process starts, the SCM adds the service SID to both the normal and the restricted SID list in the process token
  - SID enabled/disabled when the service starts/stops
- All services in a process must be restricted
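The write-restricted rule above, modelled as an added example (not code from the presentation or from Windows): the access check runs once against the token's normal SIDs and, for requests that include write access, a second time against its restricting SIDs. The service name SvcA, the ACLs and a restricting list holding only the service SID are constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model (not the real kernel code) of the rule on the slide: a
 * write-restricted token carries its normal SIDs plus a restricting SID list.
 * Reads are checked against the normal list only; writes must pass BOTH. */
#define ACE_READ  0x1u
#define ACE_WRITE 0x2u

typedef struct { const char *sid; unsigned rights; } Ace;
typedef struct { const Ace *aces; size_t n; } Acl;
typedef struct {
    const char *normal[4];     size_t n_normal;
    const char *restricted[4]; size_t n_restricted; /* 0 = not a restricted token */
} Token;

/* Union of the rights the ACL grants to any SID in the given list. */
static unsigned granted_rights(const Acl *acl, const char *const *sids, size_t n) {
    unsigned rights = 0;
    for (size_t i = 0; i < acl->n; i++)
        for (size_t j = 0; j < n; j++)
            if (strcmp(acl->aces[i].sid, sids[j]) == 0)
                rights |= acl->aces[i].rights;
    return rights;
}

bool access_allowed(const Token *t, const Acl *acl, unsigned desired) {
    /* Pass 1: normal SIDs, exactly as for an unrestricted token. */
    if ((granted_rights(acl, t->normal, t->n_normal) & desired) != desired)
        return false;
    /* Pass 2 (write-restricted): a request that includes WRITE must also be
     * satisfiable using only the restricting SIDs. */
    if (t->n_restricted > 0 && (desired & ACE_WRITE) &&
        (granted_rights(acl, t->restricted, t->n_restricted) & desired) != desired)
        return false;
    return true;
}

/* Constructed scenario: service "SvcA" runs as LocalService. Hardened, the SCM
 * puts its service SID in both lists; unhardened, the restricting list is empty. */
static const Token svc_a_hardened = {
    { "LocalService", "NT SERVICE\\SvcA", "Everyone" }, 3, { "NT SERVICE\\SvcA" }, 1 };
static const Token svc_a_unhardened = {
    { "LocalService", "NT SERVICE\\SvcA", "Everyone" }, 3, { NULL }, 0 };
/* A legacy key granting LocalService full access, shared by every LocalService service. */
static const Ace legacy_aces[] = { { "LocalService", ACE_READ | ACE_WRITE } };
static const Acl legacy_key = { legacy_aces, 1 };
/* The service's own data file, ACLed to its service SID as the slide recommends. */
static const Ace own_aces[] = { { "NT SERVICE\\SvcA", ACE_READ | ACE_WRITE }, { "Everyone", ACE_READ } };
static const Acl own_file = { own_aces, 2 };
```

The hardened token can still read the legacy key but can no longer write it, while writes to objects ACLed to the service SID keep working; the unhardened token writes the legacy key freely.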


Service Management

- Service state changes
  - Clients used a QueryServiceStatus polling loop to discover state changes
  - Many bugs found in such loops
  - Performance hit due to lots of threads looping at boot
- New notification API: NotifyServiceStatusChange
  - Notification of service state changes and create/delete
  - Works both locally and remotely; callback based
  - Uses the cross-process APC mechanism locally, async RPC remotely

Service Management

- SCM supported automatic recovery on service crashes
  - Enabled by specifying the FailureAction settings for a service
  - Recovery usually invoked only on service process crash
- Support for recovery on non-crash failures – new in Windows Vista
  - A service can fail in other ways than crashing: leaks, system load, etc.
  - Enabled by specifying the FailureActionOnNonCrashFailures flag in addition to the FailureAction settings
  - Invoked on service stop with dwWin32ExitCode != ERROR_SUCCESS

Windows Registry

- Architecture overview
- Changes in Windows Vista
  - Transactional registry
  - Registry virtualization
  - Enhanced registry filtering

Windows Registry

- Most widely used configuration store
  - One of the first OS sub-systems to be started
  - Used by the kernel, drivers, apps and anything else that needs to store or share state information
- Simple programming model
  - Hierarchical layout to provide structured access to data
  - Abstracts the complex data management schemes
  - Reg* APIs in user mode, Zw APIs in kernel mode
- Data is stored in registry hives
  - Implemented as files
  - Logically, the registry is a “FS in a file”

Architecture Overview

(Diagram) User mode: ADVAPI32.DLL exposes the Win32 Registry APIs, and svchost.exe (regsvc.dll) uses them; both reach the kernel through the NT APIs. Kernel mode: CM (the registry) is backed by the Memory Manager (MM, volatile storage) and the Cache Manager (CC); the PRIMARY hive file is accessed through CC PRIVATE_WRITE streams and the .LOG file with NO_INTERMEDIATE_BUFFERING, both stored on NTFS on disk.

Windows Vista - Transactional Registry

- Needed for “all or none” semantics when changing a group of settings
- Adds ACID semantics to a group of registry operations
- Integrates with TxF and any other resource manager which participates in KTM transactions
  - A transaction can span FS and registry operations
- Provides an easier way for apps to clean up on the error path
- More information on transactional technologies in Vista – FUN320

Windows Vista – Registry Virtualization

- Enables legacy applications to run as non-admin
  - Applications that want to write to keys that require admin privileges
- Redirects globally impactful registry writes to a per-user virtual key
  - Only keys under HKLM\Software are virtualized
  - Redirection is transparent to callers; applications use the user’s virtual key while running
- Is not platform support for sandboxing: should be treated as an assistance technology

Virtualization – How It Works

(Diagram) An application calls RegSetValueEx(…) to write value V3 to HKLM\Software\Key1 (values V1, V2, V3). The write is denied (ACCESS_DENIED), so V3 is redirected to HKU\{SID}_Classes\VirtualStore\Machine\Software\Key1. Opening a key for WRITE_ACCESS returns MAX_ALLOWED.

What Is Not Virtualized?

- Application is identified as an “admin application”
- Key is not changeable by admins
- Key is Windows Resource Protected
- Caller is kernel mode
- Caller is using impersonation
- Any 64-bit application
- Keys marked as ‘Do Not Virtualize’
- HKLM\Software\Classes

Virtualization Configuration

- Globally controlled by the caller’s token
- Can be turned on/off on individual keys in the Software hive
  - New FLAGS option in reg.exe for key-level virtualization control
  - Allows recursive enable/disable of virtualization
  - Allows control of the “open access right policy”
- Changing ACLs on specific keys

Virtualization Gotchas

- Using the registry for IPC: service and user apps will have different views of the key
- Impersonating callers will not be virtualized
- Audit for possible elevation paths
- Virtualization is at the value level
- Default for the Software hive is enable recursive virtualization

Registry Filtering

- A certain class of applications has the need for filtering registry calls: anti-virus, management apps, etc.
- Kernel mode callback model to allow for filtering registry operations
  - Allows monitoring and blocking of registry operations
  - Multiple drivers can register callbacks
- Limitations
  - No support to modify parameters or redirect calls
  - No concept of altitudes

Windows Vista Enhanced Registry Filtering

- Introduces a layered model with altitudes for callback registration
  - Consistent with the file system mini-filter model
  - Altitudes have to be registered with Microsoft
- Ability to modify parameters and redirect calls
  - Supports three modes of operation – Monitor, Block and Modify
- Compatible with existing registry callbacks
  - Legacy callbacks will be registered at a default altitude
  - First come first served registration semantics retained for these legacy callbacks

What Is WoW64?

- 32-bit Windows emulation layer on 64-bit Windows
- Binary compatibility with 32-bit Windows applications
- 32-bit code executes as if it is running on a native x86 processor

WoW64 Architecture

(Diagram) Kernel mode: NT Executive and Win32k.sys. User mode, from the top of the 32-bit address space (0x00000000`7FFEFFFF, or 0x00000000`FFFEFFFF) down: 64-bit ntdll.dll; the WoW64 layer (WoW64.dll, WoW64win.dll, WoW64cpu.dll); 32-bit ntdll.dll; 32-bit kernel32.dll and 32-bit user32.dll; the 32-bit modules. The address space above that limit is reserved.

WoW64 Architecture

- Address space is limited to 2GB (or 4GB if the application is marked Large-Address-Aware in the header)
- WoW64 processes can NOT load 64-bit DLLs except for the core one!
  - Likewise, native 64-bit processes can NOT load 32-bit DLLs: LoadLibrary() will fail
- No 16-bit support on 64-bit Windows
- 32-bit kernel drivers won’t run on 64-bit Windows: they need to be ported and support WoW64
- Target 64-bit platform may not support specific features: GetNativeSystemInfo() retrieves info about the native system

WoW64 Registry

- Two views of the registry exist on 64-bit Windows: native and WoW64
  - A native 64-bit Windows application sees the native registry view
  - A WoW64 application sees the WoW64 view
- Why different WoW64 registry views?
  - Compatibility: separates 32-bit application state from 64-bit state
  - Not-supported features stored in the registry
  - Provides a safe execution environment for both 32-bit and 64-bit applications, e.g. a registry value hosting a DLL path

Registry Redirection

- Certain parts of the system registry are separated: HKEY_LOCAL_MACHINE\Software and HKEY_CLASSES_ROOT
- When a WoW64 process opens/creates a key, WoW64 redirects the path of the key if it is under one of the above by inserting ‘WoW6432Node’ into the path
  - Transparent for Win32 applications
- RegConnectRegistry selects the server view based on the caller’s bitness
  - Only on new clients (Windows XP 64 and beyond)

Registry Reflection

- Enables 64-bit and 32-bit application inter-op through COM
- Mirrors certain registry keys and values between the 32-bit and 64-bit registry views
- Ownership-based reflection helps intelligent reflection of COM servers
- Rules for HKEY_CLASSES_ROOT\CLSID reflection
  - InProcServer32 and InProcHandler32 are not reflected
  - LocalServer32 is reflected
  - Delete reflected keys only if written by the WoW64 reflector

32/64 Inter-Op Issues

- Pointer data type storage is 64 bits (8 bytes) on 64-bit Windows systems while it is 32 bits (4 bytes) on 32-bit Windows systems; alignment is different as well
- Client/server applications communicating using shared memory
  - Client is 32-bit running on 64-bit Windows and server is 64-bit, or vice versa
  - Shared structures are pointer-dependent
- Two solutions
  - 32-bit client writes compatible 64-bit structures: the 64-bit server doesn’t need to be WoW64 aware
  - 64-bit server reads 32-bit and 64-bit structures: the 64-bit server is WoW64 aware; the 32-bit client may need to change if the source request is not known to the 64-bit server

32/64 Inter-Op Issues

- Don’t pass addresses above 2GB (or 4GB) to a WoW64 application
- How to convert data types?

  32-bit Windows compiled data type | 64-bit Windows compiled data type representing the 32-bit Windows compiled data type | How to convert?
  HANDLE | LONG | LongToHandle(handle_value32): process and thread handles are sign-extended
  PVOID | ULONG | UlongToPtr(pvoid_value32): addresses should never be sign-extended
  ULONG | ULONG | No conversion is needed
  HWND | LONG | (HWND)LongToHandle(hwnd32): window handles are sign-extended
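The conversion rules in the table above, as an added example that is not part of the presentation and not the Win32 macros themselves: the handle and pointer widening expressed on fixed-width integers so it runs on any platform, plus the range check a 64-bit server can apply before handing a pointer back to a WoW64 client. The function names are assumptions, not Win32 APIs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not from the slides): the widening rules from the table on
 * fixed-width integers. Handles stored as LONG are sign-extended (what
 * LongToHandle does); addresses stored as ULONG are zero-extended (UlongToPtr). */

/* HANDLE / HWND from a 32-bit LONG: sign-extend. This keeps special values such
 * as (HANDLE)-1, which is both INVALID_HANDLE_VALUE and the GetCurrentProcess()
 * pseudo-handle, meaningful after widening. */
uint64_t handle_from_long32(int32_t handle32) {
    return (uint64_t)(int64_t)handle32;
}

/* PVOID from a 32-bit ULONG: zero-extend. A 32-bit address above 2GB must not
 * turn into a 64-bit pointer with the high bits set. */
uint64_t ptr_from_ulong32(uint32_t pvoid32) {
    return (uint64_t)pvoid32;
}

/* The same 32-bit bit pattern widens differently depending on what it carried. */
typedef struct { uint64_t as_handle; uint64_t as_pointer; } Widened;
Widened widen_both_ways(uint32_t raw32) {
    Widened w = { handle_from_long32((int32_t)raw32), ptr_from_ulong32(raw32) };
    return w;
}

/* Check a 64-bit server should make before handing a pointer back to a WoW64
 * client: it must lie inside the client's 2GB (or 4GB if large-address-aware)
 * address space, per the "don't pass addresses above 2GB (or 4GB)" rule. */
bool ptr_fits_wow64_client(uint64_t ptr64, bool large_address_aware) {
    uint64_t limit = large_address_aware ? 0xFFFFFFFFull : 0x7FFFFFFFull;
    return ptr64 <= limit;
}
```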


Community Resources

- At PDC: for more information, go see the FUN Track lounge
- Labs: FUNHOL19; FUNHOL13
- Related sessions
  - FUN320 – Transactional NTFS and Registry
  - FUN210; FUN406 – Security and UAP
  - PNL07 – Future Directions for Windows Internals

Community Resources

- After PDC
  - Kernel Changes in Windows Vista – http://go.microsoft.com/fwlink/?LinkId=52437
  - UMDF – http://www.microsoft.com/whdc/driver/wdf/default.mspx
  - Registry filter driver registration – http://whdc.microsoft.com/minifilter/default.aspx
  - WoW64 – http://msdn.microsoft.com/library/en us/win64/win64/running_32_bit_applications.asp

Questions?


© 2005 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
