[FAQ] ReHIPS failsafe mechanisms and mitigations (part 2)

Started by fixer, February 13, 2019, 06:23:25 PM

3. ReHIPS tries to use the latest possible mitigations. Starting with Windows 8, new mitigations keep being introduced with each major update. They are mostly accessible via the SetProcessMitigationPolicy API. Some of them are really useful and help protect processes, especially critical ones, from being exploited. As new mitigations are added, it's important to monitor them to take advantage of the latest possible protections. Besides Windows built-in mitigations, ReHIPS has some of its own. For example, starting from ReHIPS 2.4.0 an elevation mitigation was added. I remember someone told me something like "what's the point of ReHIPS if an isolated program can brute-force a simple user password and impersonate". Of course it's a good idea not to use simple passwords. But just in case we have this mitigation, so no non-isolated program can be started by an isolated program.

4. Recovery in case of unexpected exits. Sometimes unexpected things happen. ReHIPS is ready for its processes to exit unexpectedly, no matter whether this was a user-initiated action or a violent process crash. If the Service or some other engine process (like the Agent) crashes, it's restarted. And each and every restarted process tries to recover its previous state. For example, the Service populates the list of already running isolated programs, the Agent recovers isolated desktops and the isolated programs running on them, and so on. Sometimes it's not possible to recover the state exactly as it was before the unexpected exit, but they do their best. So sometimes the user may not even notice that some process crashed.
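Point 3 above refers to the Windows built-in mitigations reachable through SetProcessMitigationPolicy. As an added illustration (editor's example, not ReHIPS code and not part of the original post), the PowerShell below applies a set of those same policies to a program through the ProcessMitigations module that ships with Windows 10 1709 and later, and reads the result back. The target executable name, the function name and the chosen mitigation set are assumptions for illustration; the "DisallowChildProcessCreation" policy is included because it is the closest Windows-native analogue to the "an isolated program cannot start other programs" idea described in the post, not because ReHIPS implements its elevation mitigation that way.

```powershell
#Requires -RunAsAdministrator
# Editor's example, not ReHIPS code. Applies Windows process mitigation
# policies (the ones exposed via SetProcessMitigationPolicy) to an image
# using the built-in ProcessMitigations module (Windows 10 1709+ / Server 2019+).
Import-Module ProcessMitigations

function Set-HardenedImagePolicy {
    # $ImageName is the file name of the executable (assumed example below).
    param(
        [Parameter(Mandatory)] [string] $ImageName
    )

    # Each entry maps onto one of the documented mitigation policy classes:
    #   DEP, HighEntropy, BottomUp      -> DEP and ASLR policies
    #   CFG                             -> Control Flow Guard policy
    #   DisableExtensionPoints          -> block legacy extension-point DLLs
    #   BlockRemoteImageLoads           -> image-load policy (no DLLs from UNC paths)
    #   DisallowChildProcessCreation    -> child-process policy: the image may not
    #                                      spawn any child process at all
    $enable = @(
        'DEP', 'HighEntropy', 'BottomUp', 'CFG',
        'DisableExtensionPoints', 'BlockRemoteImageLoads',
        'DisallowChildProcessCreation'
    )

    Set-ProcessMitigation -Name $ImageName -Enable $enable

    # Return the effective per-image policy so the caller can inspect it.
    Get-ProcessMitigation -Name $ImageName
}

# Assumed example target; substitute the executable you actually want to harden.
$target = 'notepad.exe'
Set-HardenedImagePolicy -ImageName $target

# The per-image policy is applied at process creation, so start the program
# afterwards and query the running instance to confirm the policies took effect.
Start-Process -FilePath $target
Start-Sleep -Seconds 2
Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($target)) |
    ForEach-Object { Get-ProcessMitigation -Id $_.Id }

# To undo the per-image entry later:
#   Set-ProcessMitigation -Name $target -Remove
```

Two caveats a practitioner should keep in mind: the child-process policy is enforced by the kernel at CreateProcess time, so a program that legitimately needs helpers (an updater, a print dialog) will break under it, which is why it is normally applied per image rather than system-wide; and the per-image policy only affects processes started after it is set, so an already running instance must be restarted before the query above will show the new settings.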