User Interface Privilege Isolation
User Interface Privilege Isolation (UIPI) is a technology introduced in Windows NT 6.0 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages). Window messages are designed to communicate user actions to processes; however, they can also be used to run arbitrary code in the receiving process's context. A malicious low IL process can use this to run arbitrary code in the context of a higher IL process, which constitutes an unauthorized privilege escalation. By restricting access to some of these vectors for code execution and data injection, UIPI can mitigate such attacks.
UIPI, and Mandatory Integrity Control more generally, is not a security boundary. It does not aim to protect against all shatter attacks. UI Accessibility applications can bypass UIPI by setting the "uiAccess" value to TRUE in their manifest file. This requires the application to reside in the Program Files or Windows directory and to be signed by a valid code-signing authority, but these requirements will not necessarily stop malware from meeting them. Additionally, some messages are still allowed through, such as WM_KEYDOWN, which allows a lower IL process to drive input to an elevated command prompt. Finally, the function ChangeWindowMessageFilter allows a medium IL process to change the messages that a high IL process can receive from a lower IL process. This effectively allows UIPI to be bypassed from processes other than those run at low IL (e.g. Internet Explorer).
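The filtering decision described above, as a simplified Python model added here (it is not Windows code and not the kernel's implementation). Integrity levels use the RIDs of the mandatory-label SIDs (S-1-16-x); the always-allowed message set, the window handles and the message names in the demo are constructed samples. It shows why a process-wide ChangeWindowMessageFilter opens every window of the receiver, while a per-window ChangeWindowMessageFilterEx rule takes precedence and can be kept narrow.

```python
"""Simplified model of the UIPI message filter (added illustration)."""
from enum import IntEnum


class IL(IntEnum):
    """Mandatory integrity levels, as the RID of S-1-16-<rid>."""
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


# Constructed sample of messages UIPI lets through regardless of IL.
ALWAYS_ALLOWED = {"WM_NULL", "WM_GETTEXT", "WM_GETTEXTLENGTH"}


class Process:
    """A receiving process: its IL, its process-wide filter (what
    ChangeWindowMessageFilter / MSGFLT_ADD opens for every window) and
    per-window overrides (ChangeWindowMessageFilterEx with MSGFLT_ALLOW
    or MSGFLT_DISALLOW), which take precedence over the process filter."""

    def __init__(self, il):
        self.il = il
        self.process_allow = set()      # messages opened process-wide
        self.window_rules = {}          # hwnd -> {msg: True/False}

    def change_window_message_filter(self, msg, add=True):
        (self.process_allow.add if add else self.process_allow.discard)(msg)

    def change_window_message_filter_ex(self, hwnd, msg, allow):
        self.window_rules.setdefault(hwnd, {})[msg] = allow

    def reset_window_filter(self, hwnd, msg):
        """MSGFLT_RESET: fall back to the process-wide/global decision."""
        self.window_rules.get(hwnd, {}).pop(msg, None)

    def accepts(self, sender_il, hwnd, msg, sender_ui_access=False):
        # UIPI does not intervene for equal/higher IL senders, for the
        # always-allowed UI messages, or for manifested uiAccess senders.
        if sender_il >= self.il or msg in ALWAYS_ALLOWED or sender_ui_access:
            return True
        rule = self.window_rules.get(hwnd, {}).get(msg)
        if rule is not None:            # per-window rule wins when present
            return rule
        return msg in self.process_allow  # otherwise the process-wide filter


def broad_vs_narrow(msg="WM_COPYDATA"):
    """Return (any window open after process-wide add, main window still
    open after a per-window DISALLOW) for a high-IL receiver and low sender."""
    p = Process(IL.HIGH)
    p.change_window_message_filter(msg)                     # process-wide
    p.change_window_message_filter_ex("main", msg, False)   # narrow it back
    return p.accepts(IL.LOW, "other", msg), p.accepts(IL.LOW, "main", msg)
```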