Sandboxing for secure app development: Adobe Reader’s 'protected view'


3. Windows Integrity Levels and Desktop Isolation in sandbox environments

Windows integrity levels (Vista and above)

The Windows integrity mechanism extends the operating system's security architecture by assigning an integrity level to every process and securable object. The level expresses how trustworthy a running process or object is, and lets resource managers block lower-integrity processes from modifying higher-integrity objects (the default "no write up" policy).

This mechanism also mitigates shatter attacks (sending Windows messages to other processes without explicit permission). For Adobe Reader X, sandboxed processes run as low-integrity processes. This feature is only available on Vista and later systems, so sandboxing on these platforms is stronger than on Windows XP.
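An added illustration (not Adobe's code) of the no-write-up check described above: it models only the mandatory-integrity layer of a Windows access check, not the DACL check that follows it. The label RIDs (S-1-16-xxxx) and policy bits are the documented Windows values; the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mandatory label RIDs used by the integrity mechanism (SID form S-1-16-<RID>). */
#define IL_UNTRUSTED 0x0000
#define IL_LOW       0x1000   /* Reader X sandbox processes run here */
#define IL_MEDIUM    0x2000   /* default for ordinary user processes */
#define IL_HIGH      0x3000
#define IL_SYSTEM    0x4000

/* Policy bits carried in an object's SYSTEM_MANDATORY_LABEL_ACE. */
#define NO_WRITE_UP   0x1     /* default on every object */
#define NO_READ_UP    0x2
#define NO_EXECUTE_UP 0x4

/* Requested access, reduced to three generic categories. */
#define ACC_READ    0x1
#define ACC_WRITE   0x2
#define ACC_EXECUTE 0x4

/* Parse a mandatory-label SID string such as "S-1-16-4096" into its RID.
   Returns -1 if the string is not a mandatory label SID. */
long parse_label_sid(const char *sid)
{
    const char *prefix = "S-1-16-";
    char *end;
    long rid;
    if (strncmp(sid, prefix, strlen(prefix)) != 0)
        return -1;
    rid = strtol(sid + strlen(prefix), &end, 10);
    return (*end == '\0' && rid >= 0) ? rid : -1;
}

/* Integrity layer of the access check: a subject at a lower level than the
   object is denied any access category the object's policy marks as "up".
   Returns 1 if the request passes this layer, 0 if it is denied. */
int integrity_check(long subject_rid, long object_rid, unsigned policy, unsigned access)
{
    if (subject_rid >= object_rid)
        return 1;  /* equal or higher integrity: no mandatory restriction */
    if ((access & ACC_WRITE)   && (policy & NO_WRITE_UP))   return 0;
    if ((access & ACC_READ)    && (policy & NO_READ_UP))    return 0;
    if ((access & ACC_EXECUTE) && (policy & NO_EXECUTE_UP)) return 0;
    return 1;
}

int main(void)
{
    long sandbox = parse_label_sid("S-1-16-4096");  /* constructed: Low IL */
    long broker  = parse_label_sid("S-1-16-8192");  /* constructed: Medium IL */
    printf("low -> medium write: %s\n", integrity_check(sandbox, broker, NO_WRITE_UP, ACC_WRITE) ? "allowed" : "denied");
    printf("low -> medium read:  %s\n", integrity_check(sandbox, broker, NO_WRITE_UP, ACC_READ)  ? "allowed" : "denied");
    return 0;
}
```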

Desktop isolation

Desktop isolation is the next layer in the armor of sandboxing technology. In a sandboxed environment, placing applications on separate desktops can prevent shatter attacks, since a thread assigned to a desktop can send Windows messages only to other threads on that same desktop. A thread can also install hooks in other processes on its desktop, causing a user-specified DLL to be loaded into them.

Adobe Reader X does not incorporate the desktop isolation paradigm, since this would require fundamental architectural changes to the existing product. Shatter attacks in Reader X are instead mitigated by enforcing the UI handles restriction (JOB_OBJECT_UILIMIT_HANDLES) on the job object that contains the sandboxed process.
