todo

Ozone Layer Active Defense System driver source code
TODO:

append-only files can be achieved by making sure that offsets passed to WriteFile are not less than the current size of the file (writes that use the current file pointer, truncation via SetEndOfFile/SetFileInformation, and memory-mapped writes have to be covered as well)
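Added example, not code from the driver: a user-mode C model of the check this item describes, written against NtWriteFile's ByteOffset semantics (a NULL offset or FILE_USE_FILE_POINTER_POSITION means the current file pointer, FILE_WRITE_TO_END_OF_FILE means EOF). The ao_file_t struct, the verdict enum and the sample file state are invented for the example. The check resolves where the write actually lands before comparing against EOF, because the file pointer is just as attacker-controlled as an explicit offset. It is not sufficient on its own: truncation through FileEndOfFileInformation/FileAllocationInformation, writes through a mapped section, delete/rename, and the window between reading EOF and performing the write each need their own handling.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sentinel ByteOffset values NtWriteFile accepts (ntifs.h defines them as
 * LowPart 0xffffffff / 0xfffffffe with HighPart -1; as int64 they are -1, -2). */
#define FILE_WRITE_TO_END_OF_FILE      ((int64_t)-1)
#define FILE_USE_FILE_POINTER_POSITION ((int64_t)-2)

/* Per-file state the interception layer would read from the file object.
 * Hypothetical struct for this example. */
typedef struct {
    int64_t end_of_file;    /* current EOF (FileStandardInformation.EndOfFile) */
    int64_t file_position;  /* current file pointer (FILE_OBJECT.CurrentByteOffset) */
    bool    append_only;    /* this file is covered by an append-only rule */
} ao_file_t;

typedef enum { WRITE_ALLOW = 0, WRITE_DENY = 1 } write_verdict_t;

/* Append-only check for a WriteFile/NtWriteFile request. byte_offset is the
 * caller's ByteOffset (NULL when the caller relies on the current file
 * pointer). The policy is about where the bytes land, so the real offset is
 * resolved first; *effective_offset receives it when non-NULL. */
write_verdict_t check_append_only_write(const ao_file_t *f, const int64_t *byte_offset,
                                        int64_t *effective_offset)
{
    int64_t off;

    if (byte_offset == NULL || *byte_offset == FILE_USE_FILE_POINTER_POSITION)
        off = f->file_position;     /* caller-controlled via SetFilePointer: must be checked too */
    else if (*byte_offset == FILE_WRITE_TO_END_OF_FILE)
        off = f->end_of_file;       /* the "append" case: always lands at EOF */
    else
        off = *byte_offset;

    if (effective_offset)
        *effective_offset = off;

    if (!f->append_only)
        return WRITE_ALLOW;         /* not our file; let the file system validate it */
    if (off < 0)
        return WRITE_DENY;          /* malformed offset, never forward it */
    return off < f->end_of_file ? WRITE_DENY : WRITE_ALLOW;   /* the rule from the TODO */
}

/* Convenience wrapper: build the state and check in one call
 * (has_offset == false models a NULL ByteOffset). */
write_verdict_t append_only_verdict(int64_t eof, int64_t file_position, bool append_only,
                                    bool has_offset, int64_t offset)
{
    ao_file_t f = { eof, file_position, append_only };
    return check_append_only_write(&f, has_offset ? &offset : NULL, NULL);
}

int main(void)
{
    /* constructed example: a 4096-byte log file whose file pointer sits at offset 10 */
    static const char *const names[] = { "allow", "deny" };
    printf("overwrite @100        -> %s\n", names[append_only_verdict(4096, 10, true, true, 100)]);
    printf("write @EOF (4096)     -> %s\n", names[append_only_verdict(4096, 10, true, true, 4096)]);
    printf("write past EOF (5000) -> %s\n", names[append_only_verdict(4096, 10, true, true, 5000)]);
    printf("FILE_WRITE_TO_END     -> %s\n", names[append_only_verdict(4096, 10, true, true, FILE_WRITE_TO_END_OF_FILE)]);
    printf("NULL offset, fp=10    -> %s\n", names[append_only_verdict(4096, 10, true, false, 0)]);
    return 0;
}
```

A write past EOF is allowed because it cannot overwrite existing bytes; whether the resulting gap is acceptable is a policy decision, not a correctness one.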

disable all non-TCP/IP / NetBIOS protocols by default (with an option to re-enable them)
(when a process opens \Device\AFD, disable the non-TCP/IP address families; \Device\Netbios too)

svchost.exe needs to be jailed per hosted DLL: each service DLL gets its own policy

policy_include: additional.policy

add ability to deny logons to certain users

add a "signature" rule: execution of processes as LocalSystem (especially cmd.exe) should be logged and possibly denied?

allow some rules to match without logging (especially noisy file and registry rules)?

investigate SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE


disable execution of certain applications based on their version (e.g. a vulnerable IE build) (from Okena)
add sniffer and non-IP protocol detection (from Okena)
COM/ActiveX interception
support for application clauses (chapter 6)

when creating an "exception" rule, MC can/should ask whether the exception rule should be created on
the selected agent only, on all agents of a certain type, or on all agents of all types


block debuggers

non-GUI/system apps cannot use GUI calls?


in server paranoid mode, allow only c:\program files\*.exe and c:\windows\*.exe to execute?
trusted path execution (deny execution of binaries from non-trusted directories, i.e. world-writable ones)
(A trusted path is one inside a root-owned directory that is not group- or world-writable.)
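Added example, not part of the driver source: a user-mode C model of both checks above. Directory ownership and writability come from a constructed dir_info_t table rather than from real DACLs, the paranoid-mode "*" is read as covering subdirectories (an assumption), and image paths must already be canonical absolute DOS paths (the driver would normalize NT device and \\?\ forms before this point). Note the trailing backslash on the roots: without it "c:\program files" would also match "c:\program filesx\evil.exe".

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What the driver would learn about an image's directory from its owner and
 * DACL. Hypothetical struct for this example; a real implementation reads the
 * security descriptor and must re-check it, since ACLs change. */
typedef struct {
    const char *path;               /* canonical DOS path with trailing backslash */
    bool owner_is_privileged;       /* owned by SYSTEM/Administrators ("root" in the TODO) */
    bool group_or_world_writable;   /* Users/Everyone can add or modify files here */
} dir_info_t;

/* Roots for "server paranoid mode". The trailing backslash is essential. */
static const char *const paranoid_roots[] = { "c:\\program files\\", "c:\\windows\\" };

/* Case-insensitive prefix/suffix tests (NTFS names are case-insensitive). */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

static bool ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && has_prefix_ci(s + ls - lx, suffix);
}

/* Policy must only see canonical absolute DOS paths. Forward slashes, "." or
 * ".." components, and \\?\ / UNC / \Device prefixes are rejected here (fail
 * closed) instead of being normalized at policy time. */
static bool is_canonical_dos_path(const char *p)
{
    return isalpha((unsigned char)p[0]) && p[1] == ':' && p[2] == '\\' &&
           !strchr(p, '/') && !strstr(p, "\\..") && !strstr(p, "\\.\\");
}

/* Paranoid mode: c:\program files\*.exe and c:\windows\*.exe. The "*" is read
 * here as any .exe below the root, subdirectories included (assumption). */
bool paranoid_mode_allows(const char *image)
{
    if (!is_canonical_dos_path(image) || !ends_with_ci(image, ".exe"))
        return false;
    for (size_t i = 0; i < sizeof paranoid_roots / sizeof paranoid_roots[0]; i++)
        if (has_prefix_ci(image, paranoid_roots[i]))
            return true;
    return false;
}

/* Trusted path execution: the image's own directory must be privileged-owned
 * and not group/world writable. An unknown directory is untrusted. */
bool trusted_path_allows(const char *image, const dir_info_t *dirs, size_t ndirs)
{
    if (!is_canonical_dos_path(image))
        return false;
    size_t dirlen = (size_t)(strrchr(image, '\\') - image) + 1;   /* keep the backslash */
    for (size_t i = 0; i < ndirs; i++)
        if (strlen(dirs[i].path) == dirlen && has_prefix_ci(image, dirs[i].path))
            return dirs[i].owner_is_privileged && !dirs[i].group_or_world_writable;
    return false;
}

/* Constructed directory table for the demo (not read from a real system). */
static const dir_info_t sample_dirs[] = {
    { "c:\\windows\\system32\\",  true,  false },
    { "c:\\windows\\temp\\",      true,  true  },   /* writable by Users */
    { "c:\\program files\\app\\", true,  false },
    { "c:\\users\\public\\",      true,  true  },
    { "d:\\build\\",              false, false },   /* owned by an ordinary user */
};
#define SAMPLE_DIRS_N (sizeof sample_dirs / sizeof sample_dirs[0])

int main(void)
{
    const char *images[] = {
        "c:\\windows\\system32\\cmd.exe", "C:\\Program Files\\App\\tool.EXE",
        "c:\\program filesx\\evil.exe",   "c:\\windows\\temp\\dropper.exe",
        "c:\\windows\\..\\users\\public\\evil.exe", "d:\\build\\tool.exe",
    };
    for (size_t i = 0; i < sizeof images / sizeof images[0]; i++)
        printf("%-44s paranoid=%d trusted=%d\n", images[i],
               paranoid_mode_allows(images[i]),
               trusted_path_allows(images[i], sample_dirs, SAMPLE_DIRS_N));
    return 0;
}
```

The two checks are deliberately separate: paranoid mode is a static allow-list of locations, trusted path execution is a property of the directory's current ownership and ACL, and a server profile would typically require both.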

explorer option.. "Run process in a sandbox.." brings up a gui that asks whether to allow file, reg, network access?

port to Itanium/AMD64

see if we can take over the job of the buffer-overflow security exception handler;
on Win2k3, install a custom BO exception handler that terminates the process

need to be able to control access to all device drivers (is this already handled by intercepting CreateFile? NtOpenFile and duplicated/inherited handles also yield driver handles); is there another way to obtain a handle to a kernel driver?
disable modem access, etc.

raw devices of all (mounted?) filesystems should be read-only

capture all UNICODE_STRING parameters into kernel copies, validate the copies, and pass those (not the user buffers) down, to avoid double-fetch race conditions

disable our driver if loading using LastKnownGood configuration (notify MC?)

restrict reboot capability and certain programs only to interactive sessions?!

add ability to load a list of which programs are allowed to run (SHA-1 hashes, signed binaries)

investigate kernel32!CreateHardLink

dll_all: log will also log all section rules since RULE_DLL will be converted to RULE_SECTION

protect crypto keys

use ZwQueryInformationProcess with ProcessVmCounters to keep track of how much memory a process has allocated (execution time can be limited with job objects, and so can memory)
(or simply hook malloc & free)

device naming on terminal servers

have a webpage which lists new vulnerabilities and whether our system would automatically protect against it

deallocate the virtual memory reserved by AS randomization once the process is loaded and initialized (what about dynamically loaded DLLs?)

create a policy check tool; one thing to look out for is an "eq" rule whose filename contains wildcard characters like * or ? (an exact-match operator compares them literally, so the rule never matches what was intended)

interactive learning mode

the policy_ask user app should not run as an interactive service but as a separate app running as a particular user

the IIS install should scan the registry for known virtual roots and automatically add them to the policy; same for other apps

make sure that file-system protection cannot be subverted by reaching the same file under another name (loopback UNC such as \\127.0.0.1\share\file, 8.3 short names, \\?\ and NT device paths)

per-group policy, per-user global policy


network connect rules should be able to specify ports and not just IP addresses, e.g.:
address eq "127.0.0.1:443" then permit
address eq "0:443" then deny
address eq "\\UNCpath\blah" then log
address eq "www.porn.com:80" then deny
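Added example (not the project's code): a small C parser for the rule syntax used above, the "eq"-with-wildcards lint from the policy-check item earlier in this list, and a first-match evaluator for connect requests. Assumptions the page does not state: a rule host of "0" means any address (from the "0:443" line), "log" rules do not terminate evaluation, and rules without a port (the UNC example) are ignored when evaluating a connection. The fourth sample rule is constructed so the lint has something to catch, and the evaluator shows why it matters: an exact comparison against "*:80" never fires.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One rule in the syntax used above:  <field> <op> "<value>" then <action> */
typedef struct {
    char field[16];
    char op[8];
    char value[128];
    char action[8];
} rule_t;

/* Parse a single rule line; false on malformed syntax or an unknown action. */
bool parse_rule(const char *line, rule_t *r)
{
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%15s %7s \"%127[^\"]\" then %7s",
               r->field, r->op, r->value, r->action) != 4)
        return false;
    return !strcmp(r->action, "permit") || !strcmp(r->action, "deny") ||
           !strcmp(r->action, "log");
}

/* Parse a whole policy; returns how many rules parsed (bad lines are skipped). */
size_t load_policy(const char *const *lines, size_t n, rule_t *out)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (parse_rule(lines[i], &out[count]))
            count++;
    return count;
}

/* The policy-check item: "eq" is an exact comparison, so * or ? in its operand
 * are compared literally and the rule never matches what the author meant.
 * Reports each offender to stderr and returns how many were flagged. */
size_t lint_policy(const rule_t *rules, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!strcmp(rules[i].op, "eq") && strpbrk(rules[i].value, "*?")) {
            bad++;
            fprintf(stderr, "rule %zu: %s eq \"%s\": wildcard in an exact-match rule\n",
                    i + 1, rules[i].field, rules[i].value);
        }
    return bad;
}

/* First-match evaluation of a connect to host:port against the address rules.
 * ASSUMPTIONS (not stated on the page): a rule host of "0" matches any address
 * (as in  address eq "0:443" then deny); "log" rules do not end evaluation;
 * rules without a port, such as the UNC example, are skipped. */
const char *evaluate_connect(const rule_t *rules, size_t n,
                             const char *host, int port, const char *dflt)
{
    for (size_t i = 0; i < n; i++) {
        const rule_t *r = &rules[i];
        const char *colon = strrchr(r->value, ':');
        if (strcmp(r->field, "address") || strcmp(r->op, "eq") || !colon)
            continue;
        size_t hl = (size_t)(colon - r->value);
        bool any_host  = (hl == 1 && r->value[0] == '0');
        bool same_host = (strlen(host) == hl && !strncmp(r->value, host, hl));
        if (atoi(colon + 1) != port || !(any_host || same_host))
            continue;
        if (!strcmp(r->action, "log"))
            continue;                           /* would be logged; keep matching */
        return !strcmp(r->action, "permit") ? "permit" : "deny";   /* static strings only */
    }
    return dflt;
}

/* Constructed sample policy: the first three lines are the TODO's own examples,
 * the fourth is deliberately broken so the lint has something to catch. */
static const char *const sample_policy[] = {
    "address eq \"127.0.0.1:443\" then permit",
    "address eq \"0:443\" then deny",
    "address eq \"\\\\UNCpath\\blah\" then log",
    "address eq \"*:80\" then deny",
};
#define SAMPLE_POLICY_N (sizeof sample_policy / sizeof sample_policy[0])

/* End-to-end helpers over the sample policy (used by main and by tests). */
static size_t sample_load(rule_t *r) { return load_policy(sample_policy, SAMPLE_POLICY_N, r); }

size_t sample_lint_findings(void)
{
    rule_t r[SAMPLE_POLICY_N];
    size_t n = sample_load(r);
    return lint_policy(r, n);
}

const char *sample_verdict(const char *host, int port)
{
    rule_t r[SAMPLE_POLICY_N];
    size_t n = sample_load(r);
    return evaluate_connect(r, n, host, port, "no-match");
}

int main(void)
{
    printf("%zu rule(s) flagged by lint\n", sample_lint_findings());
    printf("127.0.0.1:443 -> %s\n", sample_verdict("127.0.0.1", 443));
    printf("10.0.0.5:443  -> %s\n", sample_verdict("10.0.0.5", 443));
    printf("10.0.0.5:80   -> %s\n", sample_verdict("10.0.0.5", 80));   /* "*:80" never matches */
    return 0;
}
```

The evaluator returns static strings rather than pointers into the rule array so that a caller holding the verdict after the rules go out of scope is not left with a dangling pointer, a detail that matters once the policy lives in a kernel pool allocation that can be reloaded.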


new product idea: Solaris BSM-like auditing (http://www.securityfocus.com/infocus/1362) for Windows
(compare with what audit logs native Windows group/security policies can already generate)
POSIX 1003.1e


layers:

desktop
web server (iis, apache, netscape)
database server (oracle, MS SQL / access, Sybase, DB2, Informix, Interbase, MySQL)
terminal server
mail server
VPN server / remote access server

dns server
dhcp server
wins server
streaming media server
domain controller
file and print server
(application server 
