matu3ba/win32k-mitigation

implement rules and recommendations of SEI CERT on Windows process API-related tasks

matu3ba opened this issue · 2 comments

https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151933

Recommendations

  1. WIN00-C. Be specific when dynamically loading libraries: LoadLibraryEx (without PATH and include paths)
  2. WIN01-C. Do not forcibly terminate execution
  3. WIN02-C. Restrict privileges when spawning child processes
  • infeasible in libstd => heavily platform-based
  • CreateProcessAsUserW (Unix equivalent), CreateProcessWithTokenW (no Unix equivalent) + API to drop permissions
  • setuid + capsdrop
  • win32k mitigation (nonsensical ERROR_OUTOFMEMORY on 2nd failure of LoadLibrary)
  • seccomp filter
  4. WIN03-C. Understand HANDLE inheritance
  • can be disabled in CreateProcess (not generally useful for libstd)
  • can be disabled on each handle (implemented here; sounds like a good addition to libstd)
  • can be attached to a security handle at HANDLE creation for CreateProcess (not generally useful for libstd)
  • can be explicitly set in a list for CreateProcess (requires it to be enabled on each HANDLE, and each HANDLE in the list must be valid and non-null)
  • is automatically inherited if enabled in CreateProcess and at the HANDLE (without the security handle and list approach)
  5. WIN04-C. Consider encrypting function pointers
  • encrypting long-term global pointers without a shadow stack sounds useless
  • not generalizable and only increases the amount of follow-up bytes an attacker must control

Rule

  1. WIN30-C. Properly pair allocation and deallocation functions

Tasks for libstd done, upstreaming is pending a fix to #1.
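Added example for the WIN03-C points above (not code from this issue or from the libstd work it tracks): the per-handle approach (clear HANDLE_FLAG_INHERIT with SetHandleInformation) and the explicit-list approach (PROC_THREAD_ATTRIBUTE_HANDLE_LIST with bInheritHandles = TRUE). The `#else` branch is an assumption of this example, not something the issue states: it maps the same check onto the POSIX close-on-exec flag so `demo_disable_inherit` runs on both platforms. Function names (`is_inheritable`, `disable_inherit`, `spawn_with_only`, `demo_disable_inherit`) are this example's own.

```c
/* Added example: per-handle inheritance control and the explicit handle list for
 * CreateProcess. Not the issue's or libstd's code; the POSIX branch is an assumed
 * analogue (FD_CLOEXEC) used only so the demo can run outside Windows. */
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   /* PROC_THREAD_ATTRIBUTE_HANDLE_LIST needs Vista or later */
#endif
#include <windows.h>

/* Is the handle currently marked inheritable? */
static bool is_inheritable(HANDLE h) {
    DWORD flags = 0;
    return GetHandleInformation(h, &flags) && (flags & HANDLE_FLAG_INHERIT) != 0;
}

/* WIN03-C, per-handle approach: clear HANDLE_FLAG_INHERIT on this one handle. */
static bool disable_inherit(HANDLE h) {
    return SetHandleInformation(h, HANDLE_FLAG_INHERIT, 0) != 0;
}

/* Explicit-list approach: only `h` crosses into the child, regardless of how many
 * other handles in this process are inheritable. The constraints the issue lists
 * all apply: bInheritHandles must be TRUE, `h` must itself still be inheritable,
 * and every entry in the list must be a valid, non-NULL handle. */
bool spawn_with_only(HANDLE h, wchar_t *cmdline, PROCESS_INFORMATION *pi) {
    SIZE_T size = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &size);   /* size query; fails by design */
    LPPROC_THREAD_ATTRIBUTE_LIST attrs =
        (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (attrs == NULL || !InitializeProcThreadAttributeList(attrs, 1, 0, &size)) return false;
    bool ok = UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
                                        &h, sizeof h, NULL, NULL) != 0;
    STARTUPINFOEXW si;
    ZeroMemory(&si, sizeof si);
    si.StartupInfo.cb = sizeof si;
    si.lpAttributeList = attrs;
    if (ok) ok = CreateProcessW(NULL, cmdline, NULL, NULL, TRUE /* bInheritHandles */,
                                EXTENDED_STARTUPINFO_PRESENT, NULL, NULL,
                                &si.StartupInfo, pi) != 0;
    DeleteProcThreadAttributeList(attrs);
    HeapFree(GetProcessHeap(), 0, attrs);
    return ok;
}

/* Demo: create an inheritable pipe, then lock down the read end only. 0 on success. */
int demo_disable_inherit(void) {
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, TRUE };   /* bInheritHandle = TRUE */
    HANDLE rd, wr;
    if (!CreatePipe(&rd, &wr, &sa, 0)) return -1;
    int rc = 0;
    if (!is_inheritable(rd))        rc = -2;  /* both ends start out inheritable */
    else if (!disable_inherit(rd))  rc = -3;
    else if (is_inheritable(rd))    rc = -4;  /* flag must be gone on the read end */
    else if (!is_inheritable(wr))   rc = -5;  /* write end must be untouched */
    CloseHandle(rd);
    CloseHandle(wr);
    return rc;
}

#else
#include <fcntl.h>
#include <unistd.h>

/* Assumed POSIX analogue: a descriptor without FD_CLOEXEC survives exec in the child. */
static bool is_inheritable(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) == 0;
}

static bool disable_inherit(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0;
}

/* Same demo as the Windows branch: pipe() yields two inheritable descriptors. */
int demo_disable_inherit(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    int rc = 0;
    if (!is_inheritable(p[0]))       rc = -2;
    else if (!disable_inherit(p[0])) rc = -3;
    else if (is_inheritable(p[0]))   rc = -4;
    else if (!is_inheritable(p[1]))  rc = -5;
    close(p[0]);
    close(p[1]);
    return rc;
}
#endif

int main(void) {
    int rc = demo_disable_inherit();
    printf("demo_disable_inherit: %d\n", rc);   /* 0 = exactly one end lost its inherit flag */
    return rc == 0 ? 0 : 1;
}
```

The check in `demo_disable_inherit` is the one worth keeping around as a regression test for a libstd change: clearing the flag on one handle must not touch its sibling, and the flag must actually read back as cleared. Note that `spawn_with_only` is only a narrowing mechanism; the listed handle still needs HANDLE_FLAG_INHERIT set, so it pairs with `disable_inherit` on everything else rather than replacing it.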

Tomorrow: Upstreaming. Might require bootstrapping.

Use upstreaming issue #8 instead to reduce noise.