Mandatory Integrity Control - Implementation

Implementation

Mandatory Integrity Control is implemented with a new access control entry (ACE) type, the mandatory label ACE, which records an object's integrity level (IL) in the system ACL of its security descriptor. Ordinary Windows access control lists (ACLs) grant or deny access rights (read, write and execute permissions, among others) to users and groups; they carry no notion of integrity. The subject's IL is stored in its access token when that token is created, and the security reference monitor compares the token's IL with the object's label during authorization, before the discretionary ACL is consulted. Depending on whether the subject's IL is lower than, or at least equal to, the object's, and on the integrity policy flags carried in the label ACE (no-write-up, no-read-up and no-execute-up), Windows withholds the corresponding access rights regardless of what the discretionary ACL would otherwise grant. The security subsystem treats the IL as a mandatory label precisely to distinguish it from the discretionary access control that object owners configure through ACLs.

Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384). By default, processes started by a regular user receive a Medium IL and elevated processes receive a High IL. By introducing integrity levels, MIC allows classes of applications to be isolated from one another, enabling scenarios such as sandboxing potentially vulnerable applications (for example, Internet-facing ones). Processes with a Low IL are called low-integrity processes; wherever Windows enforces the mandatory label, they are granted less access than processes with a higher IL.

Securable objects, that is, anything that carries a security descriptor, including named objects such as files and registry keys as well as processes and threads, can carry a mandatory label ACE that states the minimum integrity level a process needs in order to use the object; an object with no explicit label is treated as Medium. Windows ensures that a process can write to or delete an object only when its own IL is equal to or higher than the level in the object's label (the no-write-up policy, which is the default). For process and thread objects the default policy also includes no-read-up, so a process with a lower IL cannot even open a higher-IL process for reading.

Consequently, a process cannot obtain a handle to a higher-IL process with rights that would let it modify that process. It therefore cannot inject a DLL into a higher-IL process with the CreateRemoteThread API function, or write into that process's address space with the WriteProcessMemory function, because the handle rights those calls require are write rights that the no-write-up policy withholds.
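The following PowerShell session is an added illustration, not code from the original article. It shows both halves of the mechanism described above: the subject IL carried in the current process's token (read from the "Label" row of whoami /groups, whose SID is of the form S-1-16-RID) and the object IL stored on a file (read and set with icacls). The demo file under $env:TEMP and the function names are this example's own choices; it must be run on Windows from an ordinary, non-elevated (Medium IL) PowerShell.

```powershell
# Added example for the article on Mandatory Integrity Control; not the
# article's or Microsoft's own code. Requires Windows (whoami, icacls).

function Get-ProcessIntegrityLevel {
    # whoami lists the token's mandatory label as a row whose SID is S-1-16-<RID>.
    # RID 4096 = Low, 8192 = Medium, 12288 = High, 16384 = System.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    [PSCustomObject]@{
        Name = $label.'Group Name'
        Sid  = $label.SID
        Rid  = [int]($label.SID -split '-')[-1]
    }
}

function Get-FileIntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints an explicit label as
    #   Mandatory Label\<Level> Mandatory Level:(<policy>)
    # where the policy letters are NW (no write up), NR (no read up), NX (no execute up).
    # A file without an explicit label is implicitly Medium with the default NW policy.
    $hit = icacls $Path |
        Select-String 'Mandatory Label\\(\w+) Mandatory Level:\(([A-Z,]+)\)' |
        Select-Object -First 1
    if (-not $hit) {
        return [PSCustomObject]@{ Level = 'Medium'; Policy = 'NW'; Explicit = $false }
    }
    $m = $hit.Matches[0]
    [PSCustomObject]@{ Level = $m.Groups[1].Value; Policy = $m.Groups[2].Value; Explicit = $true }
}

function Set-FileIntegrityLabel {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Low', 'Medium', 'High')][string]$Level
    )
    # Lowering a label is always permitted. Raising it above the caller's own IL
    # requires SeRelabelPrivilege, so a Medium process can set Low or Medium only;
    # asking for High from a Medium shell makes icacls fail, which we surface here.
    $out = icacls $Path /setintegritylevel $Level 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls /setintegritylevel $Level failed: $out" }
}

# --- demo ---------------------------------------------------------------
$me = Get-ProcessIntegrityLevel
"Current process: $($me.Name) [$($me.Sid)], RID $($me.Rid)"

$demo = Join-Path $env:TEMP 'mic-demo.txt'      # constructed sample file
Set-Content -Path $demo -Value 'hello'

$before = Get-FileIntegrityLabel -Path $demo
"Before: level=$($before.Level) policy=$($before.Policy) explicit=$($before.Explicit)"

Set-FileIntegrityLabel -Path $demo -Level Low
$after = Get-FileIntegrityLabel -Path $demo
"After:  level=$($after.Level) policy=$($after.Policy) explicit=$($after.Explicit)"

# With the Low label in place, a Low-IL process could write this file, while any
# file left at the implicit Medium label stays read-only to it: the NW policy
# removes write access whenever the subject's IL is below the object's.
Remove-Item -Path $demo
```

The RID comparison is the whole of the mandatory check: a subject whose label RID is lower than the object's loses the rights named by the object's policy flags (write and delete under NW, which is what /setintegritylevel applies), and only then does the discretionary ACL decide the rest.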
