Breaking Polaris
Members
Erik Staab (staab)
Proposal
Description
The Polaris window overlay system is an answer to one of the biggest
problems in Windows: applications have too many permissions, and taking them
away usually results in crippled programs. Polaris attempts to give authorization
only when the user explicitly grants access.
Plan and Expectations
The idea is interesting, and early implementations have shown promise. However,
I expect that just like other security systems, implementation flaws will
hinder its success. Assuming I can get a copy of the program, I plan to attack the user
intervention and window title bar protection aspects of the system. I expect that
window forgery and unrestricted file access will both be possible.
Schedule
The midterm report is due on the 18th of November. At this point I will write
about my findings and suggest design or implementation changes.
Midterm Report
Progress
I have completely set up the Polaris environment on two Windows XP systems. I have successfully "Polarized" a
few applications, and have created a C# template application to be used for attacking.
Attack Plans
- Polaris' most notable feature is its ability to grant file access rights based on user input. I will attempt
two attacks on this system. The first is to inject user interface messages to simulate the user clicking; the
second is to extend the file selection dialog class so that it chooses files without user interaction.
- I will attempt to change the title bar behavior of Polaris, either from within the boxed account or from
outside of it. Changing it from within the boxed account would be much more damaging, but doing so as a
privileged user is a start.
- Polaris uses a "RunAs" utility which allows a user to run an application as another user. I will attempt
to use this same utility to run code with more privileges.
- I will attempt to add startup registry entries from the boxed account. This would allow
executing code with all the privileges of the startup account, which is often the administrator account.
Schedule
I am aiming to finish all of the attacks by 12/4. This includes any variations and additions to the attacks
that may come up along the way.