Special process protection for PPL processes

Yeyixiao

Member
In https://forum.xanasoft.com/threads/targeted-process-protection-for-ppl-processes.2865/ we have discussed how to treat PPL processes other than Csrss, but we have not yet discussed the Csrss process.
Any session process needs Csrss to load critical memory structures into it, so write permission is indispensable. But there is a typical case - after calling EndTask (which is a function that any program can call), the program will send a local procedure call to Csrss, and then Csrss will call TerminateProcess to end the process. Even if the "Prevent Terminate" configuration is enabled in the enclave, it can still be terminated in this way, which is the drawback of always granting Csrss full control.
For this, the conclusion of my latest discussion with David is: only grant Csrss a handle with full control permission in the early stage of process creation, and then destroy the granted handle from the handle table after the program code starts to execute, and then treat Csrss as other PPL processes. In this way, the principle of least privilege is followed.
As with "Targeted-process-protection-for-ppl-processes", this feature needs to follow the following guidelines:
https://forum.xanasoft.com/threads/related-measures-to-prevent-the-abuse-of-major-privacy.2864/
 
It is necessary to prevent external privileged processes from duplicating handles in Csrss at the beginning of the process creation to bypass it.
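The handle lifecycle proposed in this thread, as an added user-mode model in C (not Sandboxie code and not from the original posts): Csrss gets full access only during creation, its early handles are destroyed once execution begins, and duplicates are re-filtered against the requester. All type and function names are hypothetical, and `PPL_ALLOWED` and the denial of non-PPL callers are assumptions, since the thread does not state those masks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu
/* Assumption: rights left to PPL callers; the thread does not specify them. */
#define PPL_ALLOWED (PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE)
#define MAX_HANDLES 8

enum caller { CALLER_CSRSS, CALLER_OTHER_PPL, CALLER_OTHER };
enum phase  { PHASE_CREATING, PHASE_RUNNING };
struct handle { enum caller owner; uint32_t access; bool open; };
struct protected_proc { enum phase phase; struct handle table[MAX_HANDLES]; size_t n; };

/* Access granted on a new handle to the protected process. */
uint32_t filter_access(const struct protected_proc *p, enum caller c, uint32_t desired) {
    if (c == CALLER_CSRSS && p->phase == PHASE_CREATING) return desired;
    if (c == CALLER_CSRSS || c == CALLER_OTHER_PPL) return desired & PPL_ALLOWED;
    return 0; /* assumption: other external callers are denied in this model */
}

int open_handle(struct protected_proc *p, enum caller c, uint32_t desired) {
    uint32_t granted = filter_access(p, c, desired);
    if (granted == 0 || p->n == MAX_HANDLES) return -1;
    p->table[p->n] = (struct handle){ c, granted, true };
    return (int)p->n++;
}

/* A duplicate is filtered against the requester; the source's rights are not inherited. */
int dup_handle(struct protected_proc *p, int src, enum caller requester) {
    if (src < 0 || (size_t)src >= p->n || !p->table[src].open) return -1;
    return open_handle(p, requester, p->table[src].access);
}

/* Program code starts executing: destroy the full-control handles Csrss got early. */
void begin_execution(struct protected_proc *p) {
    p->phase = PHASE_RUNNING;
    for (size_t i = 0; i < p->n; i++)
        if (p->table[i].owner == CALLER_CSRSS && (p->table[i].access & ~PPL_ALLOWED))
            p->table[i].open = false;
}

bool can_terminate(const struct protected_proc *p, int h) {
    return h >= 0 && (size_t)h < p->n && p->table[h].open
        && (p->table[h].access & PROCESS_TERMINATE) != 0;
}
```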
 