User Interface Privilege Isolation

Security technology in Microsoft Windows

User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages).^[1]

Window messages are designed to communicate user action to processes. However, they can be used to run arbitrary code in the receiving process' context. This could be used by a malicious low-privilege processes to run arbitrary code in the context of a higher-privilege process, which constitutes an unauthorized privilege escalation. By restricting the ability of lower-privileged processes to send window messages to higher-privileged processes, UIPI can mitigate these kinds of attacks.^[2]

UIPI, and Mandatory Integrity Control more generally, is a security feature but not a security boundary.^[3]

Microsoft Office 2010 uses UIPI for its Protected View sandbox to prohibit potentially unsafe documents from modifying components, files, and other resources on a system.^[4]

References

[edit ]

^ "The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC)". Microsoft. April 2007. Retrieved 2007年12月07日.
^ Edgar Barbosa. "Windows Vista UIPI" (PDF). COSEINC. Archived from the original (PDF) on 2012年04月18日. Retrieved 2012年04月18日.
^ "Microsoft Security Servicing Criteria for Windows". Microsoft .
^ Malhotra, Mike (August 13, 2009). "Protected View in Office 2010". TechNet . Microsoft . Retrieved September 22, 2017.

v
t
e

Microsoft Windows components

APIs
Architecture
- 9x
- NT
Booting process
Games

Management
tools

CDFS
DFS
exFAT
FAT
IFS
NTFS
- EFS
- Hard link
- links
- Mount Point
- Reparse point
- TxF
ReFS
UDF

Server

Architecture

Security

Compatibility

API

Games

Solitaire Collection
Surf

Discontinued

Games	3D Pinball Chess Titans FreeCell Hearts Hold 'Em InkBall Purble Place Solitaire Spider Solitaire Tinker
Apps	ActiveMovie Address Book Anytime Upgrade Backup and Restore Cardfile CardSpace CD Player Chat Contacts Cortana Desktop Gadgets Diagnostics DriveSpace DVD Maker Easy Transfer Edge Legacy Fax Food & Drink Groove Music Health & Fitness Help and Support Center HyperTerminal Imaging Internet Explorer Journal Make Compatible Maps Media Center Meeting Space Messaging Messenger Mobile Device Center Movie Maker MSN Dial-Up NetMeeting NTBackup Outlook Express Paint 3D Pay Phone Companion Photo Gallery Photo Viewer Program Manager Skype Sports Start Steps Recorder Syskey Tips Travel WinHelp WordPad Write
Others	Desktop Cleanup Wizard File Protection Games for Windows HPFS Interix Media Control Interface MS-DOS 7 Next-Generation Secure Computing Base POSIX subsystem ScanDisk Video for Windows Virtual DOS machine Windows on Windows Windows Services for UNIX Windows SideShow Windows System Assessment Tool Windows To Go WinFS

Spun off to
Microsoft Store

Retrieved from "https://en.wikipedia.org/w/index.php?title=User_Interface_Privilege_Isolation&oldid=1146845733"