User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages).[1]
Window messages are designed to communicate user action to processes. However, they can be used to run arbitrary code in the receiving process's context. This could be used by a malicious low-privilege process to run arbitrary code in the context of a higher-privilege process, which constitutes an unauthorized privilege escalation. By restricting the ability of lower-privileged processes to send window messages to higher-privileged processes, UIPI can mitigate these kinds of attacks.[2]
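The integrity-level comparison described above, as an added example (not from the original article or from Microsoft): Python that reads the mandatory-label SID of each process and reports which sender/receiver pairs UIPI would block. It assumes the well-known `S-1-16-<RID>` label SID encoding, models only the lower-to-higher rule (not the exempt UI messages), and uses constructed process names and sample lines.

```python
import re

# Well-known integrity-level RIDs carried in mandatory-label SIDs (S-1-16-<RID>).
LEVEL_NAMES = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
}
LABEL_SID = re.compile(r"\bS-1-16-(\d+)\b")


def integrity_rid(text):
    """Extract the integrity-level RID from text containing a mandatory-label SID."""
    match = LABEL_SID.search(text)
    if match is None:
        raise ValueError("no mandatory-label SID (S-1-16-*) found")
    return int(match.group(1))


def level_name(rid):
    """Name a well-known level; other RIDs are shown as hex."""
    return LEVEL_NAMES.get(rid, hex(rid))


def uipi_blocks(sender_rid, receiver_rid):
    """Rule from the text: a lower-IL sender cannot message a higher-IL receiver."""
    return sender_rid < receiver_rid


def audit(processes):
    """Return sorted (sender, receiver) pairs whose window messages UIPI would block."""
    rids = {name: integrity_rid(line) for name, line in processes.items()}
    return sorted(
        (s, r) for s in rids for r in rids
        if s != r and uipi_blocks(rids[s], rids[r])
    )


# Constructed sample: hypothetical process names with label lines in the
# style of `whoami /groups` output.
SAMPLE = {
    "sandboxed_viewer": r"Mandatory Label\Low Mandatory Level     Label  S-1-16-4096",
    "editor":           r"Mandatory Label\Medium Mandatory Level  Label  S-1-16-8192",
    "admin_console":    r"Mandatory Label\High Mandatory Level    Label  S-1-16-12288",
}

if __name__ == "__main__":
    for sender, receiver in audit(SAMPLE):
        print(f"blocked: {sender} -> {receiver}")
```

Processes at the same integrity level are not separated by this rule, so the audit reports no pair for them.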
UIPI, and Mandatory Integrity Control more generally, is a security feature but not a security boundary.[3]
Microsoft Office 2010 uses UIPI for its Protected View sandbox to prohibit potentially unsafe documents from modifying components, files, and other resources on a system.[4]