Thread I/O privileges

Some services and drivers have threads that require I/O privileges, which require some special security.

A thread obtains I/O privileges by passing the _NTO_TCTL_IO flag to the ThreadCtl() function. In order to do this, the thread must have the PROCMGR_AID_IO ability enabled. For more information, see procmgr_ability().

On ARM, these I/O privileges equate to running with System mode privileges, which is a privileged mode that allows access to kernel memory, etc. System mode can be used to compromise the entire system, including the kernel. A process containing threads with I/O privileges will represent an extremely likely target of exploitation, and as such must be developed with care.

We recommend that you use a privilege separation model when working with I/O privileged threads, where design constraints allow it.

In cases where privilege separation isn't possible and multiple threads must be spawned within one process, only those threads that explicitly require I/O privileges should obtain them.

A thread that has obtained I/O privileges passes those privileges to any thread it spawns.

This inheritance can be problematic in a scenario where you require only one thread to have I/O privileges, and that thread is spawned later on during execution; if you obtain I/O privileges in the main thread, all the threads it spawns will have I/O privileges. Obtaining I/O privileges only in the thread explicitly requiring them can make exploitation more difficult by providing an additional obstacle to an attacker who obtains code execution in a non-privileged thread.

Some complications may exist that prevent a process from holding off obtaining I/O privileges; however, these types of issues should be considered and ideally solved during the design phase of the application.