INSIDE WINDOWS NT

HELEN CUSTER

FOREWORD BY DAVID N. CUTLER

Petitioner Microsoft Corporation, Ex. 1008, Cover
`
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 1993 by Microsoft Press

All rights reserved. No part of the contents of this book may be reproduced or
transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Cataloging-in-Publication Data
Custer, Helen, 1961-
    Inside Windows NT / Helen Custer.
        p. cm.
    Includes bibliographical references and index.
    ISBN 1-55615-481-X
    1. Operating systems (Computers)  2. Windows NT.  I. Title.
QA76.76.O63C89  1992
005.4'469--dc20                                            92-26231
                                                                CIP

Printed and bound in the United States of America.

456789 AGAG-876543

Distributed to the book trade in Canada by Macmillan of Canada, a division
of Canada Publishing Corporation.
Distributed to the book trade outside the United States and Canada by
Penguin Books Ltd.
Penguin Books Ltd., Harmondsworth, Middlesex, England
Penguin Books Australia Ltd., Ringwood, Victoria, Australia
Penguin Books N.Z. Ltd., 182-190 Wairau Road, Auckland 10, New Zealand

British Cataloging-in-Publication Data available.

3Com is a registered trademark of 3Com Corporation. Apple and Macintosh are
registered trademarks of Apple Computer, Inc. Banyan and VINES are registered
trademarks of Banyan Systems, Inc. DEC, PDP-11, VAX, and VMS are registered
trademarks and DECnet and MicroVAX are trademarks of Digital Equipment
Corporation. Intel is a registered trademark and Intel386 and Intel486 are
trademarks of Intel Corporation. Microsoft, MS-DOS, and XENIX are registered
trademarks and Windows, and Windows NT are trademarks of Microsoft
Corporation. OS/2 is a registered trademark licensed to Microsoft Corporation.
NetWare and Novell are registered trademarks of Novell, Inc. Sun, Sun
Microsystems, and Sun Workstation are registered trademarks of Sun
Microsystems, Incorporated. UNIX is a registered trademark of UNIX Systems
Laboratories.

Acquisitions Editor: Dean Holmes
Manuscript Editor: Nancy Siadek
Project Editors: Nancy Siadek and Deborah Long
Technical Editor: Jeff Carey

Petitioner Microsoft Corporation, Ex. 1008, Copyright
INSIDE WINDOWS NT

The object named Floppy0 is a device object, a special object type defined
and used by the I/O system. In the object manager namespace, the device
object represents a launching point into a file system's object domain, one
that the object manager knows nothing about.

When the I/O system created the device object type, it registered a parse
method for it. When the object manager looks up an object name, it suspends
its search when it encounters an object in the path that has an associated
parse method. The object manager calls the parse method, passing to it the
remainder of the object name it is looking for.

For example, when a process opens a handle to the object named
\Device\Floppy0\docs\resume.doc, the object manager traverses its name
tree until it reaches the device object named Floppy0. It sees that a parse
method is associated with this object, and it calls the method, passing to it
the rest of the object name it was searching for—in this case, the string
\docs\resume.doc. The parse method for device objects is an I/O routine. The
routine takes the name string and passes it to the appropriate file system,
which finds the file on the disk and opens it.

The symbolic link objects described in Section 3.2.1.3 are also translated
by a parse method. The symbolic link object type has a parse method
associated with it. The method takes one name, substitutes another name for
it, and then calls the object manager to restart its search for the object. (If
the new name also contains a symbolic link object name, the parse method is
called again.)

The security method, which is used by the I/O system, is similar to the
parse method. It is called whenever a thread tries to change the security
information protecting a file. This information is different for files than for
other objects because security information is stored in the file itself rather
than in memory. The I/O system, therefore, must be called in order to find
the security information and change it.
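As an added illustration, not from the book, here is a small Python model of the lookup just described: the object manager walks its directory tree, suspends the search at the first object whose type has a parse method, hands that method the rest of the name, and restarts from the root when a symbolic link substitutes a new name. The directory layout, the file list behind the device, the link names under DosDevices, the restart limit and the "Floppy0:path" return form are all constructed for the example.

```python
# Added example, not from the book: a toy model of the NT object manager's
# name lookup with per-type parse methods. The directory layout, the file
# list and the "DosDevices" links below are constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ObjectDirectory:
    entries: Dict[str, object] = field(default_factory=dict)


@dataclass
class EventObject:           # an ordinary executive object with no parse method
    name: str


@dataclass
class DeviceObject:          # created by the I/O system, which registers a parse method
    name: str
    files: Set[str]          # constructed stand-in for the file system's own namespace


@dataclass
class SymbolicLinkObject:    # its parse method substitutes one name for another
    target: str


def device_parse(device: DeviceObject, remainder: str) -> Tuple[str, Optional[str]]:
    # The object manager knows nothing about what follows the device name;
    # the I/O system passes the remainder to the file system, which opens it.
    path = remainder.lstrip("\\")
    if path in device.files:
        return ("found", f"{device.name}:{path}")
    return ("found", None)


def symlink_parse(link: SymbolicLinkObject, remainder: str) -> Tuple[str, str]:
    # Substitute the link target and ask the object manager to restart its search.
    return ("restart", link.target + remainder)


PARSE_METHODS = {DeviceObject: device_parse, SymbolicLinkObject: symlink_parse}

MAX_RESTARTS = 32   # assumption: bounds the restarts so a cyclic link cannot loop forever


def lookup(root: ObjectDirectory, name: str):
    """Resolve a backslash-separated name; returns an object, a file id, or None."""
    for _ in range(MAX_RESTARTS):
        components = name.strip("\\").split("\\")
        current: object = root
        for i, comp in enumerate(components):
            if not isinstance(current, ObjectDirectory):
                return None                     # path continues past a leaf object
            nxt = current.entries.get(comp)
            if nxt is None:
                return None                     # no such name in this directory
            parse = PARSE_METHODS.get(type(nxt))
            if parse is not None:
                # Suspend the search and hand the rest of the name to the parse method.
                remainder = "".join("\\" + c for c in components[i + 1:])
                kind, value = parse(nxt, remainder)
                if kind == "restart":
                    name = value
                    break                       # restart from the root with the new name
                return value
            current = nxt
        else:
            return current                      # name fully resolved by the object manager
    return None                                 # too many restarts (cyclic symbolic link)


def build_sample_namespace() -> ObjectDirectory:
    # Constructed namespace: a floppy device, one plain event and two links.
    floppy = DeviceObject("Floppy0", files={"docs\\resume.doc"})
    root = ObjectDirectory()
    root.entries["Device"] = ObjectDirectory({"Floppy0": floppy})
    root.entries["Objects"] = ObjectDirectory({"MyEvent": EventObject("MyEvent")})
    root.entries["DosDevices"] = ObjectDirectory({
        "A:": SymbolicLinkObject("\\Device\\Floppy0"),
        "Loop": SymbolicLinkObject("\\DosDevices\\Loop"),   # deliberately cyclic
    })
    return root


if __name__ == "__main__":
    ns = build_sample_namespace()
    print(lookup(ns, "\\Device\\Floppy0\\docs\\resume.doc"))   # Floppy0:docs\resume.doc
    print(lookup(ns, "\\DosDevices\\A:\\docs\\resume.doc"))    # same file, reached via the link
```

The point to notice is where the boundary lies: the object manager resolves \Device and Floppy0 itself, but everything after the device object is opaque to it and is decided by the I/O system's parse method, which is why the cyclic link is the only case the object manager has to defend against on its own.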
3.3 Protecting Objects

Although naming, sharing, and accounting for system resources in a uniform
way are all good reasons for the NT executive to use an object model, probably
the most important reason is to ensure that Windows NT is a secure operating
system.

Operating system security is a battle fought on many fronts. A secure
multiuser system must protect one user's files, memory, and other resources
from other users. It must protect the operating system's data, files, and
memory from user programs. It should monitor attempts to bypass its security
features, and so on. The U.S. Department of Defense has identified features of

74

Petitioner Microsoft Corporation, Ex. 1008, p. 74
The Object Manager and Object Security

an operating system that make it secure. These features are categorized into
seven levels of security, each one more stringent than the last.7

At the Class C2 level, the initial target for Windows NT, the following
features must be present:

■ A secure logon facility requires users to identify themselves by entering
  a unique logon identifier and a password before they are allowed access
  to the system.

■ Discretionary access control allows an owner of a resource to determine
  who can access the resource and what they can do to it. The owner does
  this by granting access rights to a user or a group of users.

■ Auditing provides the ability to detect and record important
  security-related events or any attempt to create, access, or delete
  system resources. It uses logon identifiers to record the identity of the
  user who performed the action.

■ Memory protection prevents anyone from reading information written by
  someone else after a data structure has been released back to the
  operating system. Memory is reinitialized before it is reused.

Not all Windows NT installations will require all the security mechanisms
that the system provides. The security system, therefore, allows a system
administrator to streamline the logon sequence, for example, or to adjust
whether information is collected in an audit log and, if so, how much.

Facilities that are extremely security conscious, such as military
installations, require an even higher level of security than Windows NT
initially provides. Therefore, Windows NT is designed to evolve toward Class
B2 security, a level known as Mandatory Access Control, in which each user is
assigned a security clearance level and is prevented from giving lower-level
users access to protected resources. For example, in secure U.S. government
facilities, one user might have a "Secret" security clearance and another a
"Top Secret" security clearance. Mandatory access control ensures that the
user with the "Top Secret" clearance can never allow the former user access
to any "Top Secret" information, even by using discretionary access control.
Similarly, B2 security requires the recognition of "compartments," the
separating of groups of users from one another. This type of protection is
useful in industries such as financial security exchanges, in which
inappropriate access to stock offerings or mergers might create conflicts of
interest.

7. Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD
(December 1985).

Petitioner Microsoft Corporation, Ex. 1008, p. 75
The Windows NT security system is multifaceted, but protecting objects is
the essence of discretionary access control and auditing (and later, of
mandatory access control). The idea behind Windows NT security is to create a
gate through which every user of system resources must pass. Because all
system resources that can be compromised are implemented as objects, the NT
object manager becomes the gate. One need not poke around in numerous dark
corners of the operating system to validate the integrity of Windows NT's
security system; the critical security-related operations can be found in a
central location.

The following subsections examine object protection from two perspectives:
first, verifying the identity of users and, second, controlling which users
can access which objects.

3.3.1 Access Tokens

In order to control who can manipulate an object, the security system must
first be sure of each user's identity. Therefore, the first line of protection
in Windows NT is the requirement that every user log onto the system.

As Chapter 2, "System Overview," described, an integral protected subsystem,
the security subsystem, is responsible for authenticating users—that is, for
verifying that the logon information a user supplies matches the information
stored in a security database. After the security subsystem determines that a
logon is authentic, it constructs an object that it permanently attaches to
the user's process. This object is called an access token, and it serves as
the process's official identity card whenever it tries to use a system
resource. A sample access token is depicted in Figure 3-8.

The first attribute shown in this example is the user's personal security
ID, an identifier that usually corresponds to the user's logon name. In large
installations, a security ID might also incorporate the name of the user's divi-

Figure 3-8. Sample Access Token

76

Petitioner Microsoft Corporation, Ex. 1008, p. 76
|ioootd¢pu'unau(fot¢n@l¢.£N0lNEflllM2..MARYH).Gm1Ipsacm-ity
tlhucfwuwdfiunlilndlactlbsfluutmldunihamdiouninifiun
3-8hu|cliIdgmq:uouhidI|IAlYHhe|av¢LWlndomN'IddineuevuIl
nn&'dgmupideuti6cnIhuutcindudedinIlAl!Vli‘uoha:.
Wlnetnagxooensuicstoopeualnndlelnanolijetnducobjectmuugcu»

tokcnauodatndvithtbeptoounodmeohuecuritylbmdlhtofgrmpuo
deoennincwhetlnenheptocencanacoeuutheotgject.

A small number of security-sensitive system services (such as create
token) are also protected from use. The privileges attribute lists any of
these special services that a user can call. Most users have no privileges.

The user who creates an object generally becomes its owner and can decide
who else can use it. The access token's default access control list (ACL)
attribute is an initial list of protections applied to the objects the user
creates.
Tlucprhnarygroupmrihulepmvldulhecapdallitytocofleaaecm-itylnn
inwgmzpufmuganhdomlpnpanafummdmaalopaaingqnem
emlronmcnu.lnduI|ingl'08DL

Details about security IDs and ACLs are explained in the next section. For
now, note Figure 3-9, which summarizes the attributes and services
applicable to access token objects.

In addition to the create, open, and query services, the set token service
changes attributes in a token object, a service that is provided for many NT
executive objects. The remaining three services are intended for use
primarily by security administration software.

Petitioner Microsoft Corporation, Ex. 1008, p. 77
3.3.2 Access Control Lists

All objects, including files, threads, events, and even access tokens, are
assigned security descriptors when they are created.8 The main feature of a
security descriptor is a list of protections that apply to the object, called
an access control list (ACL). The owner of an object, usually the user who
creates it, has discretionary access control over the object and can change
the object's ACL to allow others to access the object or to disallow them from
accessing it. Figure 3-10 is a simplified picture of a file object and its ACL.

Figure 3-10. Access Control List (ACL)
(The figure shows a file object's Header and its Access control list.)

Each entry in an ACL is known as an access control entry (ACE). An ACE
contains a security ID and a set of access rights. A user with a matching
security ID might be allowed the listed access rights, denied them, or allowed
them with auditing. The accumulation of access rights granted by individual
ACEs forms the set of access rights granted by an ACL.

Suppose you attempt to list a file, for example. If the file object's ACL
contains an ACE with your security ID or one of your group IDs in it, and if
that ACE contains the access right called read data, you are allowed to list
the file. In addition, if the operation you are attempting is a privileged
operation, such as create token, you must have the privilege to create an
access token. Otherwise, access is denied.

As shown in Figure 3-10, an ACE can also be created for a group security
ID. DAVEC has read access to the file object, the members of group TEAM1
have read and write access, and all other users have execute access.

8. There are exceptions. Only objects that can be shared by more than one process are required to
have a security descriptor. This group includes all named objects plus all named and unnamed process,
thread, and token objects.

Petitioner Microsoft Corporation, Ex. 1008, p. 78
To determine which ACL to assign to a new object, the security system
applies one of three mutually exclusive rules in the following order:

1. If a caller explicitly provides an ACL when creating the object, the
   security system applies that ACL to the object.

2. If a caller does not supply an ACL and the object has a name, the
   security system looks at the ACL on the object directory in which the
   new object name is stored. Some of the object directory's ACEs might be
   marked "inherit," meaning that they should be applied to new objects
   created in the object directory. If any of these inheritable ACEs are
   present, the security system forms them into an ACL, which it attaches
   to the new object.

3. If neither of the first two cases occurs, the security system retrieves
   the default ACL from the caller's access token and applies it to the
   new object.
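The following Python function, added here and not taken from the book, applies the three rules in the order given: an explicit ACL wins, then the inheritable ACEs of the object directory for a named object, then the default ACL from the caller's token. The security IDs and rights are constructed, the decision to clear the inherit flag on the copied ACEs is an assumption of this model, and the function also reports which rule fired so the order can be checked.

```python
# Added example, not from the book: the three-rule procedure the text gives
# for choosing a new object's ACL. Security IDs and rights are constructed;
# treating an inherited copy as no longer inheritable is an assumption here.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    sid: str
    rights: FrozenSet[str]
    allow: bool = True
    inherit: bool = False    # set on a directory ACE that should propagate to new objects


@dataclass
class AccessToken:
    user_sid: str
    default_acl: List[ACE]   # the token's default ACL attribute


def acl_for_new_object(explicit_acl: Optional[List[ACE]],
                       directory_acl: Optional[List[ACE]],
                       token: AccessToken,
                       named: bool) -> Tuple[int, List[ACE]]:
    """Return (rule number that applied, ACL for the new object)."""
    # Rule 1: the caller supplied an ACL explicitly; use it as given.
    if explicit_acl is not None:
        return (1, list(explicit_acl))
    # Rule 2: a named object takes the inheritable ACEs of its object directory.
    if named and directory_acl is not None:
        inherited = [ACE(a.sid, a.rights, a.allow) for a in directory_acl if a.inherit]
        if inherited:
            return (2, inherited)
    # Rule 3: otherwise the default ACL from the caller's access token applies.
    return (3, list(token.default_acl))


if __name__ == "__main__":
    # Constructed scenario: MARYH creates a named object under a directory whose
    # ACL marks the TEAM1 entry as inheritable but not the ADMINS entry.
    maryh = AccessToken("MARYH", [ACE("MARYH", frozenset({"read", "write"}))])
    directory = [ACE("TEAM1", frozenset({"read"}), inherit=True),
                 ACE("ADMINS", frozenset({"all"}))]
    print(acl_for_new_object(None, directory, maryh, named=True))    # rule 2, TEAM1 only
    print(acl_for_new_object(None, directory, maryh, named=False))   # rule 3, token default
```

The ordering matters for defenders reviewing a directory's ACL: an "inherit" mark on a permissive directory ACE silently becomes the protection on every named object created beneath it, unless the creator passes an ACL of its own.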
In addition to an ACL, an object's security descriptor contains a field
that regulates auditing of the object. Auditing refers to the security
system's ability to "spy" on selected objects and their users and to generate
messages or alarms when someone attempts a restricted operation on an object.
For example, the security system can audit an attempt to read or modify a
system-owned file. If someone tries to change the file, the security system
writes a message to the audit log, identifying the user by security ID. The
system manager can generate security reports that retrieve information from
the log. For highly secure systems, the security system is even designed to
generate an audible or visible alarm on a security administrator's machine
when the action occurs. Auditing can help reduce the risk of computer
tampering.

Putting It All Together

An access token identifies a process (and its threads) to the operating
system, while a security descriptor tells which of these processes (or groups
of processes) can access an object. When a thread opens a handle to an object,
the object manager and the security system put this information together to
determine whether the caller should be given the handle it is requesting.
Figure 3-11 on the next page illustrates a situation in which user LEES
opens a handle requesting synchronize access to an event object.

Petitioner Microsoft Corporation, Ex. 1008, p. 79
Figure 3-11. Checking an Object's Protection

When checking an ACL, the security system proceeds through the list from
first ACE to last. When it finds the security or group ID of the caller, it
stops its search and checks whether the ACE allows the type of access the user
is attempting. If it finds an ACE that allows the access, it stops searching
and returns a handle to the caller. If it reaches the end of the list without
finding the security or group ID of the caller, the caller's request is denied.

In Figure 3-11, the event object's ACL allows LEES synchronize access in
its first entry. Because LEES requested synchronize access, the security
system immediately stops its search, and the object manager returns to LEES a
handle that contains synchronize access to the event. Notice that the third
ACE explicitly denies LEES synchronize access, based on her membership in
TEAM2. However, because of the order of the ACEs in this access control list,
the third ACE is ignored in this case. (This is a somewhat artificial example
because the system generally places ACEs that deny access at the beginning of
the list.)

It would not be efficient for the security system to make this check every
time a process uses a handle. An ACL can have many entries, a process can
access many objects during its lifetime, and numerous processes can be active
at any time. Therefore, the check takes place only when a handle is opened,

Petitioner Microsoft Corporation, Ex. 1008, p. 80
not each time the handle is used. (Note that since kernel-mode code uses
pointers rather than handles to access objects, the access check is not
performed when the operating system uses objects. In other words, the NT
executive "trusts" itself in a security sense.)

The next time LEES uses the event handle, the object manager simply
compares the granted access (synchronize) stored in the handle with the type
of access implied by the service she has called. If she calls a wait service,
the call will succeed. If she calls set event, however, the service will fail.
In order to call set event, either she must have opened the first handle
requesting both synchronize and modify-state access or she must now open a
new handle and request modify-state access.

Note that once a process successfully opens a handle, the access rights
that have been granted cannot be revoked by the security system even if the
object's ACL changes. The old handle is essentially grandfathered in because
the developers decided efficient security checks were more important than
the ability to revoke granted access rights. The latter capability would have
required a complete security check each time a handle is used, rather than
only when the handle is originally created as the current design specifies.
The performance improvement achieved by storing granted access rights
directly in handles is significant, especially for objects with long ACLs
attached.
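As an added example, not from the book, the Python model below puts the pieces of this section together: the ACL walk of Figure 3-11, the audit field of the security descriptor, the granted access stored in the handle, and the consequence that a later ACL change does not touch an already-open handle. It generalizes the walk slightly: an allow ACE that covers only some of the requested rights does not end the search; the walk continues until every requested right has been granted or a deny ACE for one of the outstanding rights is met, which is how the NT check accumulates access across ACEs. The second ACE of the list, the user and object names, and the audit record format are constructed.

```python
# Added example, not from the book: a model of the handle-open check described
# in the text, with the granted access stored in the handle and an audit
# record written when the descriptor asks for it. The second ACE, the user
# and object names and the audit record format are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Set

SYNCHRONIZE = "synchronize"
MODIFY_STATE = "modify-state"


@dataclass(frozen=True)
class ACE:
    sid: str
    rights: FrozenSet[str]
    allow: bool = True


@dataclass
class AccessToken:
    user_sid: str
    group_sids: FrozenSet[str]


@dataclass
class SecurityDescriptor:
    owner_sid: str
    acl: List[ACE]
    audit: bool = False      # the field that regulates auditing of the object


@dataclass
class EventObject:
    name: str
    descriptor: SecurityDescriptor
    signaled: bool = False


@dataclass
class Handle:
    obj: EventObject
    granted: FrozenSet[str]  # access rights stored in the handle when it was opened


def access_check(token: AccessToken, descriptor: SecurityDescriptor, requested: Set[str]) -> bool:
    """Walk the ACL from first ACE to last; order decides when ACEs conflict."""
    remaining = set(requested)
    caller_ids = {token.user_sid} | set(token.group_sids)
    for ace in descriptor.acl:
        if ace.sid not in caller_ids:
            continue                       # ACE is for someone else
        if not ace.allow and ace.rights & remaining:
            return False                   # a deny met before those rights were granted
        if ace.allow:
            remaining -= ace.rights        # accumulate what this ACE grants
            if not remaining:
                return True                # everything requested is granted; stop here
    return False                           # end of list with rights still outstanding


def open_handle(token, obj, requested, audit_log):
    granted = access_check(token, obj.descriptor, requested)
    if obj.descriptor.audit:               # record the attempt, identified by security ID
        outcome = "granted" if granted else "denied"
        audit_log.append(f"{token.user_sid} open {obj.name} {sorted(requested)} {outcome}")
    return Handle(obj, frozenset(requested)) if granted else None


def wait_for(handle: Handle) -> bool:
    # No ACL walk here: only the access stored in the handle is consulted.
    return SYNCHRONIZE in handle.granted


def set_event(handle: Handle) -> bool:
    if MODIFY_STATE not in handle.granted:
        return False
    handle.obj.signaled = True
    return True


def figure_3_11_scenario() -> dict:
    lees = AccessToken("LEES", frozenset({"TEAM2"}))
    acl = [
        ACE("LEES", frozenset({SYNCHRONIZE})),                   # first entry allows LEES synchronize
        ACE("DAVEC", frozenset({SYNCHRONIZE, MODIFY_STATE})),    # constructed second entry
        ACE("TEAM2", frozenset({SYNCHRONIZE}), allow=False),     # third entry denies via TEAM2
    ]
    event = EventObject("Event1", SecurityDescriptor("DAVEC", acl, audit=True))
    log: List[str] = []
    h = open_handle(lees, event, {SYNCHRONIZE}, log)
    results = {"opened": h is not None, "wait": wait_for(h), "set_event": set_event(h)}
    # A second handle is needed for set event; no ACE in this list grants LEES
    # modify-state, so the walk reaches the end and the request is denied.
    h2 = open_handle(lees, event, {SYNCHRONIZE, MODIFY_STATE}, log)
    results["reopen_with_modify_state"] = h2 is not None
    # Changing the ACL afterwards does not revoke what the old handle already holds.
    event.descriptor.acl.insert(0, ACE("LEES", frozenset({SYNCHRONIZE}), allow=False))
    results["wait_after_acl_change"] = wait_for(h)
    results["open_after_acl_change"] = open_handle(lees, event, {SYNCHRONIZE}, log) is not None
    results["audit_records"] = len(log)
    return results


if __name__ == "__main__":
    for key, value in figure_3_11_scenario().items():
        print(f"{key}: {value}")
```

Two details are worth noting for anyone reasoning about this design: putting the deny ACE first in the list is what makes a revocation effective for new opens, and even then the old handle keeps its synchronize access, so an audit trail of handle opens is the only record of who obtained access before the ACL was tightened.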
In Conclusion

NT executive objects represent a unifying theme in Windows NT. They provide
a basis for managing system resources uniformly. They also serve as a focal
point for important tasks such as naming, sharing, and protecting resources.
In addition, they supply a set of primitives that environment subsystems use
to implement their versions of objects and object-like resources. Each
environment subsystem uses executive objects to provide the facilities and
resources that its client applications expect.

The user-mode objects presented in this chapter are based on a set of
more primitive objects implemented by the NT kernel. The discussion of
kernel objects and their capabilities is deferred until Chapter 7, "The
Kernel." In the next chapter, we'll examine two special objects that are
integral to Windows NT's functioning: processes and threads.

Petitioner Microsoft Corporation, Ex. 1008, p. 81
auditing The ability to detect and record important security-related events,
particularly any attempt to create,
NT security system uses security
formed the action. See also security ID.

authentication package
Windows NT security s
devices. See also authentication.

335

Petitioner Microsoft Corporation, Ex. 1008, p. 335