[SOLVED] Long Term Feature Suggestion

Started by HJLBX, April 11, 2016, 03:08:51 AM


HJLBX

This request is a long-term feature request.  Perhaps to be implemented over the next few years - IF - you think it is worthwhile.  It would be an item to add to ReHIPS road map.

I'm not sure if any of these can be implemented; they are merely offered as suggestions.

* * * * *

User Data Protections

The way it would work, the user would add processes to a list for data protection.  ReHIPS would protect these processes from screenshots, keylogging, clipboard capture, etc.  You could implement auto-adding of the most commonly installed apps to the data-protected app list - such as browsers or text editors.

Also, Untrusted\Unknown processes would generate alerts when they attempt to access protected data - like stored passwords in Windows, the Windows license key, etc.

Protect stored passwords.

Protect cookies and website data.

Prevent Man-in-the-Middle Attacks.

Protect clipboard data.

Protect against URL grabbing attacks.

Protect browser components from external attack.

Prevent Man-in-the-Browser Attacks.

Isolate Untrusted browser add-ons from data.

Block browser modification attempts.

Protect against screen-grabbing attacks.

Block suspicious access to browser and protected app windows.

Webroot follows this model.  I do not know how they implement it as they will not say.  The Webroot installation is only 852 KB and I think they do not use hooks.

One criticism of the ReHIPS Isolated Environment - that I know with certainty will be made - is that "Isolated Environment doesn't protect against data theft = user data is not protected during ReHIPS or real user sessions; ReHIPS only protects physical system against persistent infection."

My reply:  "Well, if the user doesn't execute data-stealing malwares in the first place during any session then this criticism is essentially false under safe use conditions."

The user shouldn't have "Copy User Data" enabled - if possible.  The user shouldn't save valuable personal data in ReHIPSUser.  Users should not grant access to the real user file system\registry - but they will create exceptions when they should not.

However, you know users are going to try unknown\untrusted files on their system - especially in an isolated environment, so IF you can add additional user data protections, then that would be a great feature to add to ReHIPS.

You know users won't follow ReCrypt's recommended practices.  They won't pay attention to the ReHIPS isolated environment settings.

* * * * *

Memory Protection

Florian from Excubits adapted the Windows built-in memory protection of processes introduced in Vista.

It was introduced by Microsoft to protect security soft processes, but Florian has extended it to any process running on the system.

It is currently in beta, but I have not tested it.

Those that have tested it are extremely excited about it; they have shown it will block memory exploits easily on 64-bit systems.

It uses a tiny kernel mode driver.

The technical details are over my head.

I thought you might perhaps be interested because it uses Windows built-in security mechanism.

I have little info available at the moment, but I am trying to get more details.

Same document, two different links in case one goes dead:

http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/process_Vista.doc

https://www.hitpages.com/doc/5523247344910336/1#pageTop

Umbra

Quote from: HJLBX on April 11, 2016, 03:08:51 AM
One criticism of the ReHIPS Isolated Environment - that I know with certainty will be made - is that "Isolated Environment doesn't protect against data theft = user data is not protected during ReHIPS or real user sessions; ReHIPS only protects physical system against persistent infection."

I'm not sure it is true; in expert mode I opened VLC portable, and in the isolated environment ReHIPS asked again for its execution. So I guess ReHIPS will ask for any malware like keyloggers.

HJLBX

Quote from: umbrapolaris on April 11, 2016, 08:15:02 AM
Quote from: HJLBX on April 11, 2016, 03:08:51 AM
One criticism of the ReHIPS Isolated Environment - that I know with certainty will be made - is that "Isolated Environment doesn't protect against data theft = user data is not protected during ReHIPS or real user sessions; ReHIPS only protects physical system against persistent infection."

I'm not sure it is true; in expert mode I opened VLC portable, and in the isolated environment ReHIPS asked again for its execution. So I guess ReHIPS will ask for any malware like keyloggers.

My reply:  "Well, if the user doesn't execute data-stealing malwares in the first place during any session then this criticism is essentially false under safe use conditions."

Meaning... user shouldn't execute unknown\untrusted files - and, if they do - ReHIPS will alert in Normal or Expert Modes.

* * * * *

Then what happens if the user allows a data-stealer despite a ReHIPS alert?  In other words, the user allows the data-stealer (whatever type it might be) to run in the ReHIPS Isolated Environment?  If it can execute and function properly, then it has access to whatever the user placed into or saved to the isolated file system - whether by intent or just plain lack of knowledge of what they are doing.

Of course, a user should never keep any valuable data in the isolated environment - like saving passwords in browsers and all that sort of poor security behavior.

* * * * *

Anyhow, I know data protections in the ReHIPS isolated environment will be questioned.  I have already gotten PMs about it.

Umbra

In the first prompt, ReHIPS has a box (unticked by default) saying "Copy user data"; I guess the apps won't access the app data then. Not sure if it blocks access to all data.

HJLBX

Quote from: umbrapolaris on April 11, 2016, 09:25:39 AM
In the first prompt, ReHIPS has a box (unticked by default) saying "Copy user data"; I guess the apps won't access the app data then. Not sure if it blocks access to all data.

Enabling that setting copies and loads user data from the PA account to ReHIPSUser, but I have been advised to enable it only when needed - for example when configuring a browser to run in the isolated environment.  After a short while, disable it for maximum protection.

If any data stealing occurs, then it will very likely be because of user mistake(s) or negligence.

I'm just pointing out that ReCrypt might want to add some data protections - if possible - beyond what is already there to cover such user mistakes.

* * * * *

You know how brutal it can get - like on Wilders.  The PMs have started already.

fixer

Protection from screenshots and keylogging is already implemented through isolated desktops. Clipboard capture protection is also possible by resetting the appropriate privilege in the WinStation, but by default this protection is off, as users are usually accustomed to using the clipboard and resetting this flag will cut them off from it.

I've read about Vista+ protected processes in general and memory protection in particular. We'll think about it, but right now I don't think we need it. As isolated processes run from other restricted users already don't have any access rights to real user processes, they can't read or write them, can't inject into them or create threads.

Most other security software doesn't really provide confidentiality, allowing reads from the real user's profile folder or registry hive. But ReHIPS was designed to provide not just integrity (so no isolated program can infect the system or real users) but also confidentiality. Isolated programs don't have any access (neither read nor write) to the real user's HKCU registry hive or to the real user's profile folder unless the Copy User Data flag is set, which is discouraged and should only be used (if it should be used at all) at first for compatibility purposes only. Different isolated environments are also isolated from each other. So if any data stealer is executed in a new separate environment, it'll have nothing to steal, as it doesn't have any access to critical system resources like Windows user passwords, it doesn't have access to the real user's resources like website data, cookies or passwords (as they're stored in the real user's profile folder or registry hive), and it has nothing to steal from the new (and thus empty) isolated environment itself. So even if the user intentionally starts a data stealer in a new isolated environment and some basic rules are followed (he doesn't set the Copy User Data flag and doesn't have his private data scattered throughout the whole disk but keeps it in his user profile folder), nothing bad will happen. I understand that the user and his ReHIPS configuration may be the biggest problem, and we'll try to minimize the risk by setting default values as tight as possible without impacting compatibility.
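A way to verify the three confidentiality boundaries described above (real user's profile folder, real user's HKCU hive, which lives under HKEY_USERS\<SID>, and the window station's clipboard access right) from inside a running session. This is an added example, not ReHIPS code or anything from the posters; it assumes the operator supplies the real user's profile path and SID, and that the real user is logged on so that the hive is loaded.

```powershell
# Added example (not ReHIPS code): report whether this process can reach the real user's
# data and the clipboard. Run from a shell started inside the isolated environment; every
# value should come back $false there, while in the real (PA) account they come back $true.
function Test-IsolationConfidentiality {
    param(
        [Parameter(Mandatory)][string]$RealUserProfile,   # e.g. C:\Users\<realuser> (assumed)
        [Parameter(Mandatory)][string]$RealUserSid        # e.g. S-1-5-21-... (assumed)
    )
    $result = [ordered]@{}

    # 1. Real user's profile folder: a listing must fail with access denied.
    try {
        Get-ChildItem -LiteralPath $RealUserProfile -Force -ErrorAction Stop | Out-Null
        $result.ProfileFolderReadable = $true
    } catch { $result.ProfileFolderReadable = $false }

    # 2. Real user's HKCU hive, mounted under HKEY_USERS\<SID> while that user is logged on.
    try {
        Get-ChildItem -LiteralPath "Registry::HKEY_USERS\$RealUserSid" -ErrorAction Stop | Out-Null
        $result.RegistryHiveReadable = $true
    } catch { $result.RegistryHiveReadable = $false }

    # 3. Clipboard: re-open our own window station asking only for WINSTA_ACCESSCLIPBOARD
    #    (0x0004). If that right has been reset on the station, the open fails with
    #    ERROR_ACCESS_DENIED (5), which is exactly the protection described above.
    Add-Type -Namespace WinSta -Name Native -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetProcessWindowStation();
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetUserObjectInformationW(IntPtr hObj, int nIndex, System.Text.StringBuilder pvInfo, int nLength, out int lpnLengthNeeded);
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenWindowStationW(string lpszWinSta, bool fInherit, uint dwDesiredAccess);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseWindowStation(IntPtr hWinSta);
'@
    $name = New-Object System.Text.StringBuilder 256
    $needed = 0
    # UOI_NAME = 2; length is in bytes, and the buffer holds 256 UTF-16 characters.
    [void][WinSta.Native]::GetUserObjectInformationW([WinSta.Native]::GetProcessWindowStation(), 2, $name, $name.Capacity * 2, [ref]$needed)
    $h = [WinSta.Native]::OpenWindowStationW($name.ToString(), $false, 0x0004)
    if ($h -ne [IntPtr]::Zero) {
        [void][WinSta.Native]::CloseWindowStation($h)
        $result.ClipboardAccessible = $true
    } else {
        $result.ClipboardAccessible = $false
        $result.ClipboardLastError  = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = access denied
    }
    return $result
}

# Test-IsolationConfidentiality -RealUserProfile 'C:\Users\<realuser>' -RealUserSid 'S-1-5-21-<placeholder>'
```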

HJLBX

Quote from: fixer on April 11, 2016, 02:29:40 PM
I've read about Vista+ protected processes in general and memory protection in particular. We'll think about it, but right now I don't think we need it. As isolated processes being run from other restricted users already don't have any access rights to real user processes, they can't read or write, can't inject to them or create threads.

I meant as additional protection while using the PA account (non-isolated) and when users don't follow recommended program isolation best practices.

HJLBX

Quote from: fixer on April 11, 2016, 02:29:40 PM
some basic rules are followed (he doesn't set Copy User Data flag and doesn't have his private data scattered throughout the whole disk but keeps it his user profile folder) nothing bad will happen. I understand that the user and his ReHIPS configuration may be the biggest problem and we'll try to minimize the risk by setting default values as tight as possible at the same time without the impact on compatibility.

You understand.

* * * * *

There are too many other things going on at the moment.

I just want to focus on current beta.

Now is not the time to discuss this; I shouldn't have brought it up.

fixer

It's OK to bring up any topic related to ReHIPS. We really appreciate your thoughts and suggestions and make notes in our TODO lists so nothing will be forgotten :)