Windows NT Security Theory and Practice
Release Date: 2002-06-11
Abstract:
Windows NT Security Theory and Practice
Ruediger R. Asche
Microsoft Developer Network Technology Group
Summary
This article is the first one of the technical papers describing the C class layer of the packaged Windows NT security application interface.
Secondary implementation and programming. This series of papers include:
"Windows NT Security In Theory and Practice" (Introduction)
"THE GUTS OF Security" (implementation of the security class level)
"SECURITY BITS AND PIECES" (Structure of the sample program)
"A Homegrown RPC Mechanism" (Remote Communication for Description Sample Programs)
In this article, security encryption will be discussed at a considerable level.
Introduction
Security should be fairly easy to implement in the operating system, right? That is to say, specify a certain security for any object.
All the work you need to do is just a simple function call, such as GrantAccessto or DenyAccess
TO, right?
Unfortunately, the Windows NT Security Application Interface (API) looks not that simple. It contains too many
The function relating to security and is only very complicated to open an object for a user.
To properly use the security API, you need to understand as a few layers below:
The first level is to understand the data structure: Access Control Table (ACLS), Access Control Element (ACES), Security Descriptor (
SDS) and Safety IDS (SIDS).
The second level is to understand the semantics of ACLS (although it doesn't understand how they work). Established in accordance with ACLS
Different, access to the same user may be allowed, or may not be allowed.
The third level is to understand how the operating system itself uses security. Security API can be understood as a server application
The program provides a collection of services that use to protect objects that are not authorized by unauthorized users, with transaction log help device drivers
Preface and application recording errors, and the method of confirming events.
When these services are used only by third-party applications, it is fairly easy to understand how security is working. However, WIN
Dows NT is a secure operating system. In addition, Windows NT-based networks are also very dependent on security. because
Therefore, the method of security combining the system is very blurred.
Who needs safety?
Before entering any details, you must first make safety. If it is not in the case,
This doesn't have to worry about safety:
Write a server application, which is an application that several users can access, and this server should
The program is limited to providing a data structure for one subset of these users.
Note This is a quite wide definition. The following is several examples of examples that meet the conditions.
For stand-alone (without connected computers), write a service, Windows NT is running, and
There are multiple users to log in and exit on this computer. The information provided by the service is only visible to a few users. For example, think
Collect mode or login data, it may be limited to administrators to access the data.
Many privileges are limited to system levels. For example, the system registration is protected so that only users with special privileges can
Add a device driver to the system. This is due to safety. For example, a malicious user can utilize
The device driver monitoring the ability of the user to steal the work of other users. Security also helps the system's stability.
It is envisaged an unauthorized user installed a crude device driver. This time when other users work, this
The sample driver will cause the system to crash. This is possible to prevent this situation on the computer from Windows NT by limiting the rights of the registered new device driver to the trusted user.
Many work works on the network benefits the same good server programs on the stand-alone to give some hooks with the security system. example
For example, a database server may serve several user services, some users do not allow views in a given database.
Some data. Suppose everyone in the company can query the employee database. Managers need to visit all the employees
Information, while others should only see the work titles and office numbers. If you will contain wages and bonuses
Fields are limited to managers access, allowing all people in the company to use the same database without jeopardizing
Safety and confidentiality.
Microscopic view of safety
One problem with security is to use a security API without a new stimulus. Code written by others can rotate the teapot
, Display animation in the window, pop up a cool Windows 95 control, send data from Mapi to return data, and
Full-term programming is always a troublesome.
Windows NT security performance is very complicated, compared to the micro levels, it is relatively simple. Each Windo
The WS NT domain (or domain group) saves the database of the user known in this domain. Users want to domain in Windows NT
Work, you must first use one username and password to prove yourself. Once the security system proves the password, the user is
Will be associated with an access token to identify the internal data structure of the user.
The primary thing that must know if security under Windows NT is that it is user-centered; that is, try
Accessing each line of code of the protected object must be associated with a special user, the user must use the password to the client
Prove that your identity. Each safety check must rely on user authentication. For example, write code to block Microsoft
Excel accesses an object is impossible. Can protect a object to prevent Joe Blow from running Microsoft Excel
Access, but if Carla VIP is allowed to access the object, she can use Microsoft Excel or other likes.
Program Access, as long as Carla uses only your own password to prove your identity to your identity.
Although the security API seems complicated, but only two things:
Audit: Generate a log entry every time you try to have a specific operation.
Limit object access: The function of the client call, may be successful, fail return error code 5 (access is rejected)
Or failure for other reasons, depending on how the server specifies privileges.
Users may not see the error message directly, but a dialog, which is written above: "You don't have privileges
Take it in the carton. "The program pops up this dialog may contain the following code line:
IF (! RemoveegsfromCarton () && getlasterror () == access_denied)
AfxMessagebox ("you do not have the privilege to remove the eggs from the
Carton ");
Security mechanism
Windows NT uses two mechanisms that cause access attempt failure to return error 5: Confirm permissions and confirm privileges. Authority
Behavior on objects, such as suspend thread permissions or read file permissions. Permissions are always phased with specific objects and known users
Relationship. For example, read file privileges must be with files (permission applications on this file) and or without privileges
Relationship. Similarly, suspended threads are not used unless otherwise it is associated with a particular thread.
Privilege is a pre-defined permission that belongs to the system. For example, privilege has a debugger, backup and recovery storage
Equipment and load driver. Privilege is centered on the user, not an object.
In order to distinguish between the two more clearly, you can see the data structure that implements permissions and privilege: permission is specified in the data structure called Access Control Table (ACL). ACLs are usually related to objects. The user is represented by the access token. Use
Have an access to the protected object, its access to the token and the object's ACL check. The access token contains only the only user
An identifier (security ID, or SID). Each permission in the ACL is related to a SID; this, security subsystem
I know the permissions related to each user.
On the other hand, privilege is encoded in the access token, so there is no associated object. To determine if the user is allowed to do
An operation related to privileges, security subsystem checks the token.
In addition, permission requires a description of behavior (what is permission? For example, read files or hang threads),
Need (users or privileges, or not). The operation with the privilege is implicit in the privileged itself.
The reason why the privilege is encoding in the access token is that most privileges do not consider security needs. For example, allowing backup storage settings
Users must be able to bypass file security. In order to allow users to access each individual file on the hard disk
Into a new ACE is not feasible. In this way, the code of the backup storage device first checks if the user attempts to backup
There is a backup privilege; if there is, the security of a single file is ignored.
The privilege set with the access token is securely encrypted and cannot be expanded by the application. Server program can be used
Special permissions and normal mapping achieve custom security rules.
There are two types of ACLs: freely determined (DACL) and systems (SACL). DACL Control Object Access, SACL Control
nuclear.
Control
In most cases, the error 5 is generated by the Windows NT unique to the Win32 function called AccessCheck.
. The input of this function has a user's access token, the required privileges and ACLs. ACL is mainly small data structure (called a visit
Question Control Elements, or ACEs, each data structure defines a user or a group of users, one permission collection
And information allowed or rejected. For example, there may be an ACE in the ACL to write "the permission to take eggs from the carton.
Refused to use users ELEPHANT and BOZO ", behind an ACE writes" With the permission to take eggs from the carton, clearly
Give all users in Betty Crocker and Chefs groups.
The ACL is related to the object and can be dynamically created in the server program. For example, if a file object is connected to an ACL
Off, no matter when there is an application attempt to open the file object, the ACL will be queried to determine if the application is allowed.
User user opens the file.
AccessCheck functions are called internal in many system functions, for example, createfile (user tries to partition in NTFS or
When you open a file on a naming pipeline) and OpenFileMapping. However, Win32 server programs can directly call ACC
Esscheck, protect any object you want to protect.
Note that the security API function is only called by the server; the customer does not need or use security directly. Customers have seen
Windows NT security is an error 5. This makes Windows NT security not to consider the software running.
. What needs to be confirmed in the domain security database and will be translated into services from customers
The capabilities of the server-side function call. This function or implicitly invoke AccessCheck, or based on server-side AccessChec
K's output is sent or does not send its results.
An easy confusion in Windows NT Security is that the call to AccessCheck may be very blurred. example
For example, the Function of the Windows NT monitoring device driver is a very vague concept. When trying to add a device
Which "object" is the user wants to access when the driver? Where is the system call AccessCheck and where to display the error message to the user when necessary?
In the example of the device driver, the answer is not too difficult: because the device driver and the system pass the registry (W
IndOws NT interprets each entry by browsing the registry subtree, trying to execute the driver specified in a separate registry key
Program binary files to load device drivers) Interaction, Windows NT protected objects are registration items, it is in W
IndOws NT is an object that can be obtained. In the Win32 API layer, the attempt to operate the registry will be translated into note
A function of the album work, such as Regopenkey internal calls accesscheck.
In addition to registry protection, driver binaries also have security issues. An accessed registry is rejected
Empty hackers can still be replaced with the original driver execution files with a driver copy added additional function.
This process does not need to access the registry, so how Windows NT prevents such problems? Quite simple, through
Ask the driver binary file to store in the NTFS partition and restrict access to it. In this way, replacing the driver binary text
Attempt to be attempted (freely termination when calling Deletefile or Createfile on the Win32 API layer) will be
CESSCHECK caught, the malicious hacker didn't walk.
Other security objects provided by the system may be difficult to explain. For example, how to prevent users from accessing protected network sharing
? How to prevent service control managers on remote computers? How does the system layer make Windows NT impeccable?
How to make some security functions return an error 5, access is rejected? Imagine if the application is free to exercise
What happens to make your own access token or call security functions change the subject? In this situation,
Only the projects in the ACL and token can be easily bypassing security. . In this way, there must be some kind of "yuan security
", A mechanism for protecting security features that you are not used by wrong. How to implement?
A result of security-based security implementation is that security is seriously dependent on only a well-known entrance.
Click to access the architecture of the security object. For example, file systems in Windows 3.1 family operating systems include many
Different entry points: Interrupt 21h (interact with file system), interrupt 13h (interact with disk device), and
Types provide C runns and Windows API functions accessible to file systems (such as OpenFile and _fopen).
From the perspective of security, the function of calling AccessCheck in the OpenFile internal implementation is useless.
The program can simply call _fopen to bypass file security. Only all different calls that open file operations are translated
It's a "security" call; if there is an execution security check and the other is not executed, there will be security
Sexual problem.
16 "Open File System" structures in the 16-bit Windows system are the main companies with companies that provide software, software, hardware
trouble.
When writing a security server program, it is absolutely necessary to design the impecite of programming; that is, it must be prevented.
Those customers can access all methods of critical data. One of the challenges of the security system is to make the key data impeccable.
This may be a quite complex work, just in the previous example, separately protect the registry entry to protect the entire
The computer's device driver is not enough.
Access permission type
Using security APIs can help control access to almost any kind of objects. But "Access" meaning is
? Is it talking about the type of access to the database field, or is complete with the message loop with access to other windows
Different types of type?
That's why "Access" is a fairly general term in the security API. Not like "open, close, read
Take the permissions of the write object "This firmly encrypted access type, the access in Windows NT is defined as a mask
A collection of bits. The security subsystem matches the bits in the user access mask to the bits in the object access mask. E.g
This makes it possible to design an employee database, and the administrator can read and write the information of wages and bonuses.
Read but can't write, others cannot read and write access.
In the same way, applications can define their own access types. For example, if the program wants to protect one can
Enjoy (from several users to call the OPENGL objects of the object on the object on the function), you can be Openg
L All operations (such as rotation, stretching, rebounding, and moving) define unique access rights, and
Each user who needs to operate on an image specifies the unique subset of these permissions.
Security API can work with three sets of permissions:
Standard permissions (permission to provide the same operations for each object type).
Special authority (permission to each object type. Two different types of objects may have the same permissions
The mask bit, but there is a different translation of the permissions significance).
Normal permissions, rough placeholders (like generic_read and generic_write, almost applicable
There is an object type, but there is a difference in different object types). Normal permissions are mapped to standard permissions and special rights
limit. This mechanism allows the server to build the concept of "Read" and "Write" without actual definition operations. server
The program can work with normal authority, regardless of whether reading is the file or database object, the object itself can determine
How to translate into special permissions.
