Internet Explorer in Protected Mode – How the Low Integrity Environment Gets Created

Recap: Mandatory Integrity Control

During the development of Vista the developers at Microsoft felt that the traditional ACL-based mechanism to control access to system resources was not enough. The ACL model grants all processes run by a user specific permissions on system resources like files and registry keys. While this is a powerful thing and well-suited for “normal” applications, programs like Internet Explorer are under much heavier attack by malware than, say, your average text editor. Once an IE process has been corrupted by exploiting a security hole, the attacking software can write to any location on the system the currently logged on user has access to. Not good.

Mandatory integrity control adds another layer of security. In a nutshell, it works like this: each securable object carries a label that puts it into one of three integrity levels: low, medium or high. Each process carries a complementary label marking it as untrustworthy (low), normal (medium) or trustworthy (high). Normal processes can write to objects labelled medium or low. Untrustworthy processes can only write to objects labelled low.

Sandboxing IE

Using mandatory integrity control, Microsoft put Internet Explorer in a kind of sandbox. By default, IE runs in protected mode with a low integrity level (IL). As a low IL process, IE can only write to a handful of locations that have been specifically marked with an IL of low. Here is a list of the locations IE in protected mode can write to:

  • %USERPROFILE%\AppData\LocalLow
  • %USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low
  • %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
  • %USERPROFILE%\AppData\Local\Temp\Low
  • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies\Low

Note: The favorites folder is shared between protected mode and “normal” IE processes.

Creating the Sandbox

Who creates the low integrity folders for IE? They are, after all, marked with a special label that normal folders lack. IE cannot very well create them itself – that would resemble Baron Münchhausen’s trick of getting himself out of the mud by pulling on his own hair.

Well, protected mode IE, as a low IL process, cannot create folders in medium integrity locations – but “normal” IE can. Thus, the following happens when you start protected mode IE:

  1. IE starts as a medium integrity process.
  2. “Medium” IE checks for the existence of the “low” versions of its folders. If necessary, it creates them.
  3. “Medium” IE proceeds to check for the integrity level of its low level folders. If necessary, it sets their IL to low.
  4. “Medium” IE then launches another instance of itself – but this time as a low IL process.
  5. Et voilà – protected mode IE finds its environment correctly configured.
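As an added illustration (not code from the original post or from IE itself), the following PowerShell script performs steps 2 and 3 of the bootstrap above for the five folders listed earlier: it creates any missing folder and uses the built-in icacls.exe to read and, where needed, set the mandatory label. The folder list, function names and the use of icacls are my own choices.

```powershell
# Constructed example: re-create the low-IL folder bootstrap that "medium" IE performs.
# Must run as a medium-integrity process on Windows; icacls.exe ships with the OS.
$lowFolders = @(
    "$env:USERPROFILE\AppData\LocalLow",
    "$env:USERPROFILE\AppData\Local\Microsoft\Windows\History\Low",
    "$env:USERPROFILE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low",
    "$env:USERPROFILE\AppData\Local\Temp\Low",
    "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Cookies\Low"
)

function Get-IntegrityLabel {
    param([string]$Path)
    # icacls prints the label ACE, e.g. "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
    # An object with no explicit label is treated as medium integrity.
    foreach ($line in (& icacls.exe $Path 2>$null)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    }
    return 'Medium'
}

function Initialize-LowFolder {
    param([string]$Path)
    # Step 2: create the folder if it does not exist yet.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # Step 3: label it low. (OI)(CI) makes new files and subfolders inherit the label,
    # and the implied NW (no-write-up) policy is what keeps low-IL IE confined here.
    if ((Get-IntegrityLabel $Path) -ne 'Low') {
        & icacls.exe $Path /setintegritylevel '(OI)(CI)Low' | Out-Null
    }
}

foreach ($folder in $lowFolders) {
    Initialize-LowFolder $folder
    # Report the result so a misconfigured folder (still medium) is visible at a glance.
    '{0,-8} {1}' -f (Get-IntegrityLabel $folder), $folder
}
```

Running the script a second time changes nothing, which is exactly the idempotent check-then-fix behaviour medium IE performs at every start.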