User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages).[1] Window messages are designed to communicate user action to processes. However, they can be used to run arbitrary code in the receiving process' context. This could be used by a malicious low-privilege processes to run arbitrary code in the context of a higher-privilege process, which constitutes an unauthorized privilege escalation. By restricting the ability of lower-privileged processes to send window messages to higher-privileged processes, UIPI can mitigate these kinds of attacks.[2]

UIPI, and Mandatory Integrity Control more generally, is a security feature but not a security boundary.[3]

Microsoft Office 2010 uses UIPI for its Protected View sandbox to prohibit potentially unsafe documents from modifying components, files, and other resources on a system.[4]

References

  1. ^ "The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC)". Microsoft. April 2007. Retrieved 2007-12-07.
  2. ^ Edgar Barbosa. "Windows Vista UIPI" (PDF). COSEINC. Archived from the original (PDF) on 2012-04-18. Retrieved 2012-04-18.
  3. ^ "Microsoft Security Servicing Criteria for Windows".
  4. ^ Malhotra, Mike (August 13, 2009). "Protected View in Office 2010". TechNet. Microsoft. Retrieved September 22, 2017.