
Create a secure desktop surface for your Windows application

You might have heard of secure desktops in sandboxes like Google Chrome's, or as part of secure password dialogs in applications like password managers and disk encryption tools. I googled around and found a nice implementation by MalwareTech. This tool just creates another Windows desktop and fires up Explorer on it. You can then switch between your default desktop on WinSta0 and this newly created desktop with a hotkey. You might ask: what is it good for, and is it really secure?

Well, first of all you simply have another desktop in parallel on which to open and arrange your applications. This can help streamline your workflow if you use many applications. On the other hand, such a desktop also provides some kind of "secure" surface within your current session. Microsoft states:

Each desktop object is a securable object ...

There is only one input desktop at a time, and only that desktop is drawn on the screen and receives keystrokes and mouse input. Applications running on other desktops cannot obtain information from, nor send messages to, the currently active and visible desktop, because window handles and window hooks are scoped to a desktop. So a desktop can be seen as a kind of "security barrier". For example, winlogon.exe also creates its own desktop, which is protected:

... the Winlogon desktop's security descriptor allows access to a very restricted set of accounts, including the LocalSystem account. Applications generally do not carry any of these accounts' SIDs in their tokens and therefore cannot access the Winlogon desktop or switch to a different desktop while the Winlogon desktop is active.

This is exactly what applications like Google Chrome or some password managers try to achieve with their own desktops: a surface where, in the case of Chrome's sandbox, an attacker inside the sandbox cannot reach the user's desktop to steal information such as screen contents or user input (usernames, passwords), and, in the case of password managers, where sensitive data like the master password cannot be spied on by malicious or exploited applications running on the same desktop. Of course such a desktop does not provide full protection: a sophisticated keylogger could install a kernel driver and capture every keystroke regardless of which desktop is active. But for ordinary information stealers running as the user, another desktop can be a barrier. So you could consider this concept for your own application if it needs a secure surface for obtaining or showing sensitive information.

Please note that there is more to do than a single call to CreateDesktop(). Due to how process memory is managed in Windows, a process is free to read and write the memory of another process if it can open it with the required access rights (OpenProcess() with PROCESS_VM_READ or PROCESS_VM_WRITE), regardless of which desktops the two processes run on. Likewise, a desktop cannot mitigate hardware keyloggers or remote administration tools running below ring 3, i.e. in the Windows kernel. You should set an appropriate security descriptor for the new desktop, and you have to ensure that your application's process itself is secure. Bear in mind what the security descriptor can and cannot do: its DACL is evaluated against the token of whoever calls OpenDesktop(), so it keeps out other users and lower-integrity or restricted sandbox tokens (Chrome's case), but an ACE that grants your own user SID admits every other process of the same user as well. Securing the process is just as important: if an attacker can inject code into the application that created the secure desktop, that code runs with the process's desktop handle, can call SetThreadDesktop() on a thread of its own and gather information there just as it would on the default desktop.

For example, the KeePass password manager just creates a new desktop but fails to set a proper security descriptor for it. Hence an attacker running as the same user could open that desktop, switch a thread into it and obtain the typed master password from there. Just creating a desktop is not enough: you need to protect it, and you need to adjust your application accordingly.
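The sequence described above (create the desktop with an explicit DACL, verify that a same-user token cannot open it, switch a dedicated thread into it, collect the secret, switch back), as an added example in C#. This is not code from the original post, from MalwareTech's tool or from KeePass. It assumes Windows Vista or later (for the OWNER RIGHTS SID), .NET with Windows Forms, a program running as the interactive user, and it relies on the handle returned by CreateDesktop keeping the access requested at creation; the desktop name "SecurePromptDemo" and the dialog are arbitrary.

```csharp
// Added example, not code from the original post, MalwareTech's tool or KeePass.
// Assumes Windows Vista+, .NET with Windows Forms, running as the interactive user.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Threading;
using System.Windows.Forms;

static class SecureDesktopDemo
{
    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public int bInheritHandle; }

    const uint DESKTOP_ALL_ACCESS = 0x000F01FF;   // STANDARD_RIGHTS_REQUIRED | all nine DESKTOP_* rights
    const uint DESKTOP_SWITCHDESKTOP = 0x00000100;
    const int ERROR_ACCESS_DENIED = 5;

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateDesktopW(string lpszDesktop, IntPtr lpszDevice, IntPtr pDevmode,
                                        uint dwFlags, uint dwDesiredAccess, ref SECURITY_ATTRIBUTES lpsa);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenDesktopW(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess);
    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr OpenInputDesktop(uint dwFlags, bool fInherit, uint dwDesiredAccess);
    [DllImport("user32.dll", SetLastError = true)] static extern bool SwitchDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)] static extern bool SetThreadDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)] static extern bool CloseDesktop(IntPtr hDesktop);

    // D:P          protected DACL: nothing is inherited from the window station
    // (A;;GA;;;SY) LocalSystem (winlogon, csrss) keeps full access
    // (A;;RC;;;OW) OWNER RIGHTS: the owner (our user) gets only READ_CONTROL instead of the
    //              implicit READ_CONTROL|WRITE_DAC, so a same-user process cannot rewrite the DACL.
    // No ACE grants the interactive user: the handle from CreateDesktop keeps the access requested
    // at creation (assumption: standard object-manager behaviour) and is the only way in.
    const string DesktopSddl = "D:P(A;;GA;;;SY)(A;;RC;;;OW)";

    static IntPtr CreateSecureDesktop(string name)
    {
        var sd = new RawSecurityDescriptor(DesktopSddl);
        byte[] sdBytes = new byte[sd.BinaryLength];
        sd.GetBinaryForm(sdBytes, 0);                      // self-relative security descriptor
        IntPtr sdNative = Marshal.AllocHGlobal(sdBytes.Length);
        try
        {
            Marshal.Copy(sdBytes, 0, sdNative, sdBytes.Length);
            var sa = new SECURITY_ATTRIBUTES
            {
                nLength = Marshal.SizeOf(typeof(SECURITY_ATTRIBUTES)),
                lpSecurityDescriptor = sdNative,
                bInheritHandle = 0
            };
            IntPtr hDesk = CreateDesktopW(name, IntPtr.Zero, IntPtr.Zero, 0, DESKTOP_ALL_ACCESS, ref sa);
            if (hDesk == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
            return hDesk;
        }
        finally { Marshal.FreeHGlobal(sdNative); }
    }

    // Self-check: OpenDesktop runs a DACL check with our own user token, exactly what a
    // same-user information stealer would get. It must fail with ERROR_ACCESS_DENIED.
    static bool IsClosedToSameUser(string name)
    {
        IntPtr h = OpenDesktopW(name, 0, false, DESKTOP_SWITCHDESKTOP);
        if (h != IntPtr.Zero) { CloseDesktop(h); return false; }
        return Marshal.GetLastWin32Error() == ERROR_ACCESS_DENIED;
    }

    // The prompt runs on a fresh thread bound to hDesk: SetThreadDesktop fails on a thread
    // that already owns windows or hooks, so the existing UI thread is never reused.
    static string PromptOnDesktop(IntPtr hDesk)
    {
        string secret = null; Exception error = null;
        var t = new Thread(() =>
        {
            try
            {
                if (!SetThreadDesktop(hDesk)) throw new Win32Exception(Marshal.GetLastWin32Error());
                using (var form = new Form { Text = "Master key", Width = 360, Height = 140 })
                using (var box = new TextBox { UseSystemPasswordChar = true, Left = 10, Top = 10, Width = 320 })
                using (var ok = new Button { Text = "OK", Left = 10, Top = 50, DialogResult = DialogResult.OK })
                {
                    form.Controls.Add(box); form.Controls.Add(ok); form.AcceptButton = ok;
                    if (form.ShowDialog() == DialogResult.OK) secret = box.Text;
                }
            }
            catch (Exception e) { error = e; }
        });
        t.SetApartmentState(ApartmentState.STA);
        t.Start(); t.Join();
        if (error != null) throw error;
        return secret;
    }

    [STAThread]
    static void Main()
    {
        IntPtr hOriginal = OpenInputDesktop(0, false, DESKTOP_SWITCHDESKTOP);   // needed to switch back
        IntPtr hSecure = CreateSecureDesktop("SecurePromptDemo");
        try
        {
            if (!IsClosedToSameUser("SecurePromptDemo"))
                throw new InvalidOperationException("desktop can be opened by same-user processes");
            if (!SwitchDesktop(hSecure)) throw new Win32Exception(Marshal.GetLastWin32Error());
            string secret = PromptOnDesktop(hSecure);
            // use secret here; keep it out of logs and clear it as soon as it is no longer needed
        }
        finally
        {
            SwitchDesktop(hOriginal);   // always return the user to the original desktop
            CloseDesktop(hSecure);      // closing the last handle destroys the desktop
            CloseDesktop(hOriginal);
        }
    }
}
```

The DACL deliberately grants nothing to the user running the program: an ACE for your own SID would admit every other process of the same user, which is the situation the KeePass paragraph describes. The self-check therefore expects OpenDesktop() from the program's own token to fail, the same outcome a same-user stealer gets. What it does not cover is what the text already lists: code injected into this process inherits its desktop handle, a process with PROCESS_DUP_HANDLE on it can duplicate that handle, and kernel-mode or hardware keyloggers sit below the desktop altogether.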

Further Reading: