Petitioner Microsoft Corporation, Ex. 1008, Cover
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 1993 by Microsoft Press

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Cataloging-in-Publication Data

Custer, Helen, 1961-
Inside Windows NT / Helen Custer.
p. cm.
Includes bibliographical references and index.
ISBN 1-55615-481-X
1. Operating systems (Computers) 2. Windows NT. I. Title.
QA76.76.O63C89 1992
005.4'469--dc20
92-26231
CIP

Printed and bound in the United States of America.

456789 AGAG 876543

Distributed to the book trade in Canada by Macmillan of Canada, a division of Canada Publishing Corporation.

Distributed to the book trade outside the United States and Canada by Penguin Books Ltd.

Penguin Books Ltd., Harmondsworth, Middlesex, England
Penguin Books Australia Ltd., Ringwood, Victoria, Australia
Penguin Books N.Z. Ltd., 182-190 Wairau Road, Auckland 10, New Zealand

British Cataloging-in-Publication Data available.

3Com is a registered trademark of 3Com Corporation. Apple and Macintosh are registered trademarks of Apple Computer, Inc. Banyan and VINES are registered trademarks of Banyan Systems, Inc. DEC, PDP-11, VAX, and VMS are registered trademarks and DECnet and MicroVAX are trademarks of Digital Equipment Corporation. Intel is a registered trademark and Intel386 and Intel486 are trademarks of Intel Corporation. Microsoft, MS-DOS, and XENIX are registered trademarks and Windows, and Windows NT are trademarks of Microsoft Corporation. OS/2 is a registered trademark licensed to Microsoft Corporation. NetWare and Novell are registered trademarks of Novell, Inc. Sun, Sun Microsystems, and Sun Workstation are registered trademarks of Sun Microsystems, Incorporated. UNIX is a registered trademark of UNIX Systems Laboratories.

Acquisitions Editor: Dean Holmes
Manuscript Editor: Nancy Siadek
Project Editors: Nancy Siadek and Deborah Long
Technical Editor: Jeff Carey

Petitioner Microsoft Corporation, Ex. 1008, Copyright

parse method. The object manager calls the parse method, passing to it the remainder of the object name it is looking for.

For example, when a process opens a handle to the object named \Device\Floppy0\docs\resume.doc, the object manager traverses its name tree until it reaches the device object named Floppy0. It sees that a parse method is associated with this object, and it calls the method, passing to it the rest of the object name it was searching for—in this case, the string \docs\resume.doc. The parse method for device objects is an I/O routine. The routine takes the name string and passes it to the appropriate file system, which finds the file on the disk and opens it.

The symbolic link objects described in Section 3.2.1.3 are also translated by a parse method. The symbolic link object type has a parse method associated with it. The method takes one name, substitutes another name for it, and then calls the object manager to restart its search for the object. (If the new name also contains a symbolic link object name, the parse method is called again.)

The security method, which is used by the I/O system, is similar to the parse method. It is called whenever a thread tries to change the security information protecting a file. This information is different for files than for other objects because security information is stored in the file itself rather than in memory. The I/O system, therefore, must be called in order to find the security information and change it.

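As an added example (not code from the book or from Windows NT), the following Python sketch models the name walk just described: a directory tree, a device object whose parse method hands the remainder of the name to a stand-in file system, and a symbolic link whose parse method substitutes a new name and restarts the search. The class and function names, the \DosDevices\A: link and the stand-in file table are assumptions. The bounded reparse count is the check a practitioner wants here: two links that point at each other would otherwise restart the search forever.

```python
"""Toy model of object-manager name resolution driven by parse methods.

Added example, not code from the book or from Windows NT. ObjectDirectory,
DeviceObject, SymbolicLinkObject, resolve_name and the sample tree are
assumptions made for illustration.
"""
from dataclasses import dataclass


class ObjectDirectory:
    """A node of the object name tree: maps one path component to a child."""

    def __init__(self):
        self.entries = {}


@dataclass
class DeviceObject:
    name: str
    files: dict          # constructed stand-in for the file system on the device

    def parse(self, remainder):
        """Parse method of device objects: an I/O routine that hands the rest
        of the name to the file system, which locates the file and opens it."""
        if remainder not in self.files:
            raise FileNotFoundError(f"{self.name}: no file {remainder!r}")
        return ("file", self.name, remainder)


@dataclass
class SymbolicLinkObject:
    target: str

    def parse(self, remainder):
        """Parse method of symbolic links: substitute the target name for the
        link name and ask the object manager to restart its search."""
        return ("restart", self.target + remainder)


def resolve_name(root, full_name, max_reparse=8):
    """Walk the tree; when a non-directory object is reached, call its parse
    method with whatever part of the name is still unconsumed."""
    name = full_name
    for _ in range(max_reparse):      # bounded so a link cycle cannot spin forever
        parts = name.lstrip("\\").split("\\")
        node = root
        restarted = False
        for i, part in enumerate(parts):
            child = node.entries.get(part)
            if child is None:
                raise FileNotFoundError(name)
            if isinstance(child, ObjectDirectory):
                node = child
                continue
            rest = parts[i + 1:]
            remainder = "\\" + "\\".join(rest) if rest else ""
            result = child.parse(remainder)
            if result[0] == "restart":
                name = result[1]          # new name; start over from the root
                restarted = True
                break
            return result
        if not restarted:
            return ("directory", node)    # the whole name named a directory
    raise RuntimeError(f"too many symbolic link substitutions resolving {full_name!r}")


def make_sample_tree():
    """Constructed sample tree: \\Device\\Floppy0, a \\DosDevices\\A: link to
    it, and a deliberately self-referencing link."""
    root, device, dosdevices = ObjectDirectory(), ObjectDirectory(), ObjectDirectory()
    root.entries["Device"] = device
    root.entries["DosDevices"] = dosdevices
    device.entries["Floppy0"] = DeviceObject(
        "Floppy0", {"\\docs\\resume.doc": b"constructed file contents"})
    dosdevices.entries["A:"] = SymbolicLinkObject("\\Device\\Floppy0")
    dosdevices.entries["Loop"] = SymbolicLinkObject("\\DosDevices\\Loop")
    return root


if __name__ == "__main__":
    tree = make_sample_tree()
    print(resolve_name(tree, "\\Device\\Floppy0\\docs\\resume.doc"))
    print(resolve_name(tree, "\\DosDevices\\A:\\docs\\resume.doc"))
    try:
        resolve_name(tree, "\\DosDevices\\Loop\\x")
    except RuntimeError as exc:
        print("rejected:", exc)
```

Both the direct device name and the \DosDevices\A: spelling resolve to the same file, because the link's parse method rewrites the name and the walk restarts from the root with the device path.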
3.3 Protecting Objects

Although naming, sharing, and accounting for system resources in a uniform way are all good reasons for the NT executive to use an object model, probably the most important reason is to ensure that Windows NT is a secure operating system.

Operating system security is a battle fought on many fronts. A secure multiuser system must protect one user's files, memory, and other resources from other users. It must protect the operating system's data, files, and memory from user programs. It should monitor attempts to bypass its security features, and so on. The U.S. Department of Defense has identified features of

Petitioner Microsoft Corporation, Ex. 1008, p. 74

a unique logon identifier and a password before they are allowed access to the system.

• Discretionary access control allows an owner of a resource to determine who can access the resource and what they can do to it. The owner does this by granting access rights to a user or a group of users.

• Auditing provides the ability to detect and record important security-related events or any attempt to create, access, or delete system resources. It uses logon identifiers to record the identity of the user who performed the action.

• Memory protection prevents anyone from reading information written by someone else after a data structure has been released back to the operating system. Memory is reinitialized before it is reused.

Not all Windows NT installations will require all the security mechanisms that the system provides. The security system, therefore, allows a system administrator to streamline the logon sequence, for example, or to adjust whether information is collected in an audit log and, if so, how much.

Facilities that are extremely security conscious, such as military installations, require an even higher level of security than Windows NT initially provides. Therefore, Windows NT is designed to evolve toward Class B2 security, a level known as Mandatory Access Control, in which each user is assigned a security clearance level and is prevented from giving lower-level users access to protected resources. For example, in secure U.S. government facilities, one user might have a "Secret" security clearance and another a "Top Secret" security clearance. Mandatory access control ensures that the user with the "Top Secret" clearance can never allow the former user access to any "Top Secret" information, even by using discretionary access control. Similarly, B2 security requires the recognition of "compartments," the separating of groups of users from one another. This type of protection is useful in industries such as financial security exchanges, in which inappropriate access to stock offerings or mergers might create conflicts of interest.

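As an added example (not code from the book or from Windows NT), here is a small Python model of the mandatory check the paragraph describes: every subject and object carries a clearance level plus a set of compartments, and one label dominates another only when its level is at least as high and its compartments are a superset. The no-read-up / no-write-down formulation, the level names, the compartment names and all identifiers are assumptions made for illustration; the page says only that higher-cleared users cannot give lower-cleared users access and that compartments separate groups of users.

```python
"""Label-dominance check of the kind B2 mandatory access control requires.

Added example, not code from the book or from Windows NT. The clearance
ordering, compartment names, the no-read-up / no-write-down rules and every
name below are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A mandatory label: a clearance level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: at least as high a level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_allows(subject, obj, access, dac_allows):
    """Both checks must pass; the owner's discretionary grant cannot override
    the mandatory rule.

    read  -> the subject must dominate the object (no reading up)
    write -> the object must dominate the subject (no writing down)
    """
    if not dac_allows:
        return False
    if access == "read":
        return subject.dominates(obj)
    if access == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access {access!r}")


def can_leak_down(owner, reader, document):
    """Can an owner with full discretionary control hand a lower-cleared
    reader the contents of `document`, directly or by copying it down?"""
    direct = mac_allows(reader, document, "read", dac_allows=True)
    # Copying into something the reader can read means writing at the
    # reader's label, which a higher-cleared owner may not do.
    copy_down = mac_allows(owner, reader, "write", dac_allows=True)
    return direct or copy_down


# Constructed sample labels.
TOP_SECRET = Label("TOP SECRET")
SECRET = Label("SECRET")
MERGERS = Label("SECRET", frozenset({"MERGERS"}))
OFFERINGS = Label("SECRET", frozenset({"OFFERINGS"}))
ANALYST = Label("TOP SECRET", frozenset({"MERGERS", "OFFERINGS"}))

if __name__ == "__main__":
    print("Secret user reads Top Secret file:", mac_allows(SECRET, TOP_SECRET, "read", True))
    print("Top Secret owner can leak to Secret user:", can_leak_down(TOP_SECRET, SECRET, TOP_SECRET))
    print("MERGERS desk reads OFFERINGS data:", mac_allows(MERGERS, OFFERINGS, "read", True))
```

The compartment case is the financial-exchange situation from the text: two users with the same clearance level still cannot read each other's data unless their compartment sets overlap in the right direction, regardless of what either owner grants through discretionary access control.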
7. Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD (December 1985).

Petitioner Microsoft Corporation, Ex. 1008, p. 75

INSIDE WINDOWS NT

The Windows NT security system is multifaceted, but protecting objects is the essence of discretionary access control and auditing (and later, of mandatory access control). The idea behind Windows NT security is to create a gate through which every user of system resources must pass. Because all system resources that can be compromised are implemented as objects, the NT object manager becomes the gate. One need not poke around in numerous dark corners of the operating system to validate the integrity of Windows NT's security system; the critical security-related operations can be found in a central location.

The following subsections examine object protection from two perspectives: first, verifying the identity of users and, second, controlling which users can access which objects.

3.3.1 Access Tokens

In order to control who can manipulate an object, the security system must first be sure of each user's identity. Therefore, the first line of protection in Windows NT is the requirement that every user log onto the system.

As Chapter 2, "System Overview," described, an integral protected subsystem, the security subsystem, is responsible for authenticating users—that is, for verifying that the logon information a user supplies matches the information stored in a security database. After the security subsystem determines that a logon is authentic, it constructs an object that it permanently attaches to the user's process. This object is called an access token, and it serves as the process's official identity card whenever it tries to use a system resource. A sample access token is depicted in Figure 3-8.

The first attribute shown in this example is the user's personal security ID, an identifier that usually corresponds to the user's logon name. In large installations, a security ID might also incorporate the name of the user's division or department (for example, ENGINEERING_MARYH). Group security IDs are formed from lists of user IDs. The second attribute shown in Figure 3-8 is the list of groups to which MARYH belongs. Windows NT defines several standard group identifiers that are included in MARYH's token.

[Figure 3-8. Sample Access Token]

Petitioner Microsoft Corporation, Ex. 1008, p. 76

The Object Manager and Object Security

When a process tries to open a handle to an object, the object manager calls the security reference monitor. The security reference monitor gets the token associated with the process and uses its security ID and list of groups to determine whether the process can access the object.

A small number of security-sensitive system services (such as create token) are also protected from use. The privileges attribute lists any of these special services that a user can call. Most users have no privileges.

The user who creates an object generally becomes its owner and can decide who else can use it. The access token's default access control list (ACL) attribute is an initial list of protections applied to the objects the user creates. The primary group attribute provides the capability to collect security IDs into groups for organizational purposes, a feature of several operating system environments, including POSIX.

Details about security IDs and ACLs are explained in the next section. For now, look at Figure 3-9, which summarizes the attributes and services applicable to access token objects.

In addition to the create, open, and query services, the set token service also appears. Setting attributes in an object is a common service that is provided for many NT executive objects. The remaining three services are intended for use primarily by security administration software.

[Figure 3-9. Access Token Object (object type; object body attributes; services)]

Petitioner Microsoft Corporation, Ex. 1008, p. 77

3.3.2 Access Control Lists

All objects, including files, threads, events, and even access tokens, are assigned security descriptors when they are created. The main feature of a security descriptor is a list of protections that apply to the object, called an access control list (ACL). The owner of an object, usually the user who creates it, has discretionary access control over the object and can change the object's ACL to allow others to access the object or to disallow them from accessing it. Figure 3-10 is a simplified picture of a file object and its ACL.

[Figure 3-10. Access Control List (ACL): a file object header pointing to an ACL of three ACEs: Allow DAVEC Read Data; Allow TEAM1 Read Data, Write Data; Allow WORLD File Execute]

Each entry in an ACL is known as an access control entry (ACE). An ACE contains a security ID and a set of access rights. A user with a matching security ID might be allowed the listed access rights, denied them, or allowed them with auditing. The accumulation of access rights granted by individual ACEs forms the set of access rights granted by an ACL.

Suppose you attempt to list a file, for example. If the file object's ACL contains an ACE with your security ID or one of your group IDs in it, and if that ACE contains the access right called read data, you are allowed to list the file. In addition, if the operation you are attempting is a privileged operation, such as create token, you must have the privilege to create an access token. Otherwise, access is denied.

As shown in Figure 3-10, an ACE can also be created for a group security ID. DAVEC has read access to the file object, the members of group TEAM1 have read and write access, and all other users have execute access.

8. There are exceptions. Only objects that can be shared by more than one process are required to have a security descriptor. This group includes all named objects plus all named and unnamed process, thread, and token objects.

Petitioner Microsoft Corporation, Ex. 1008, p. 78

To determine which ACL to assign to a new object, the security system applies one of three mutually exclusive rules, in the following order:

1. If a caller explicitly provides an ACL when creating the object, the security system applies that ACL to the object.

2. If a caller does not supply an ACL and the object has a name, the security system looks at the ACL on the object directory in which the new object name is stored. Some of the object directory's ACEs might be marked "inherit," meaning that they should be applied to new objects created in the object directory. If any of these inheritable ACEs are present, the security system forms them into an ACL, which it attaches to the new object.

3. If neither of the first two cases occurs, the security system retrieves the default ACL from the caller's access token and applies it to the new object.

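The three rules as an added Python example (not code from the book or from Windows NT); the ACE, Directory and Token classes, the sample security IDs and the right names are constructed for illustration. The point worth seeing in code is the precedence: when the directory carries any inheritable ACE, the creator's default ACL is not consulted at all, so the creator can end up absent from the new object's ACL.

```python
"""The three ACL-assignment rules, applied in order.

Added example, not code from the book or from Windows NT. ACE, Directory,
Token, assign_acl and the sample data are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    sid: str
    rights: frozenset
    kind: str = "allow"      # "allow" or "deny"
    inherit: bool = False    # marked "inherit": applies to new objects in the directory


@dataclass
class Directory:
    acl: list = field(default_factory=list)


@dataclass
class Token:
    user_sid: str
    default_acl: list


def assign_acl(token, explicit_acl=None, directory=None):
    """Return the ACL a newly created object receives.

    token        the creator's access token
    explicit_acl an ACL the caller passed at creation time, or None
    directory    the object directory holding the new object's name, or
                 None for an unnamed object
    """
    # Rule 1: an explicitly supplied ACL wins outright.
    if explicit_acl is not None:
        return list(explicit_acl)
    # Rule 2: a named object gets the directory's inheritable ACEs, if any exist.
    if directory is not None:
        inherited = [ace for ace in directory.acl if ace.inherit]
        if inherited:
            return inherited
    # Rule 3: otherwise the default ACL carried in the creator's token.
    return list(token.default_acl)


def sids_in(acl):
    """The security IDs named by an ACL, in ACE order."""
    return [ace.sid for ace in acl]


# Constructed sample data.
MARYH = Token("MARYH", default_acl=[ACE("MARYH", frozenset({"read", "write"}))])
SHARED_DIR = Directory(acl=[
    ACE("ADMINS", frozenset({"read", "write"}), inherit=True),
    ACE("WORLD", frozenset({"read"}), inherit=True),
    ACE("MARYH", frozenset({"read", "write"})),          # not inheritable
])
PLAIN_DIR = Directory(acl=[ACE("MARYH", frozenset({"read"}))])  # nothing inheritable

if __name__ == "__main__":
    print("explicit :", sids_in(assign_acl(MARYH, [ACE("TEAM1", frozenset({"read"}))], SHARED_DIR)))
    print("inherited:", sids_in(assign_acl(MARYH, directory=SHARED_DIR)))
    print("default  :", sids_in(assign_acl(MARYH, directory=PLAIN_DIR)))
    print("unnamed  :", sids_in(assign_acl(MARYH)))
```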
In addition to an ACL, an object's security descriptor contains a field that regulates auditing of the object. Auditing refers to the security system's ability to "spy" on selected objects and their users and to generate messages or alarms when someone attempts a restricted operation on an object. For example, the security system can audit attempts to read or modify a system-owned file. If someone tries to change the file, the security system writes a message to the audit log, identifying the user by security ID. The system manager can generate security reports that retrieve information from the log. For highly secure systems, the security system is even designed to generate an audible or a visible alarm on a security administrator's machine when the action occurs. Auditing can help reduce the risk of computer tampering.

Putting It All Together

An access token identifies a process (and its threads) to the operating system, whereas a security descriptor enumerates which of these processes (or groups of processes) can access an object. When a thread opens a handle to an object, the object manager and the security system put this information together to determine whether the caller should be given the handle it is requesting. Figure 3-11 on the next page illustrates what happens when user LEES opens a handle, requesting synchronize access to an event object.

Petitioner Microsoft Corporation, Ex. 1008, p. 79

[Figure 3-11. Checking an Object's Protection. Security token: Security ID: LEES; Group IDs: TEAM1, TEAM2, LOCAL, INTERACTIVE, WORLD; Privileges: None]

When checking an ACL, the security system proceeds through the list from first ACE to last. When it finds the security or group ID of the caller, it stops its search and checks whether the ACE allows the type of access the user is attempting. If it finds an ACE that allows the access, it stops searching and returns a handle to the caller. If it reaches the end of the list without finding the security or group ID of the caller, the caller's request is denied.

In Figure 3-11, the event object's ACL allows LEES synchronize access in its first entry. Because LEES requested synchronize access, the security system immediately stops its search, and the object manager returns to LEES a handle that contains synchronize access to the event. Notice that the third ACE explicitly denies LEES synchronize access, based on her membership in TEAM2. However, because of the order of the ACEs in this access control list, the third ACE is ignored in this case. (This is a somewhat artificial example because the system generally places ACEs that deny access at the beginning of the list.)

It would not be efficient for the security system to make this check every time a process uses a handle. An ACL can have many entries, a process can access many objects during its lifetime, and numerous processes can be active at any time. Therefore, the check takes place only when a handle is opened, not each time the handle is used. (Note that since kernel-mode code uses pointers rather than handles to access objects, the access check is not performed when the operating system uses objects. In other words, the NT executive "trusts" itself in a security sense.)

Petitioner Microsoft Corporation, Ex. 1008, p. 80

The next time LEES uses the event handle, the object manager simply compares the granted access (synchronize) stored in the handle with the type of access implied by the service she has called. If she calls a wait service, the call will succeed. If she calls set event, however, the service will fail. In order to call set event, either she must have opened the first handle requesting both synchronize and modify-state access or she must now open a new handle and request modify-state access.

Note that once a process successfully opens a handle, the access rights that have been granted cannot be revoked by the security system, even if the object's ACL changes. The old handle is essentially grandfathered in because the developers decided efficient security checks were more important than the ability to revoke granted access rights. The latter capability would have required a complete security check each time a handle is used, rather than only when the handle is originally created as the current design specifies. The performance improvement achieved by storing granted access rights directly in handles is significant, especially for objects with long ACLs attached.

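The whole sequence described in this subsection and in Section 3.3.2, as an added Python example (not code from the book or from Windows NT): the token, the ordered ACL walk at handle-open time, the granted access stored in the handle, the cheap comparison on later use, and the consequence that an ACL change does not revoke a handle that is already open. The ACE, Token, EventObject and Handle classes, the right names, the service table, and the second ACE of the sample ACL (Figure 3-11 names only the first and third) are constructed. The walk accumulates rights from matching allow ACEs, as the accumulation sentence in 3.3.2 says, and stops either at the first matching deny ACE or as soon as every requested right has been granted, which reproduces the LEES walk exactly.

```python
"""Token / ACL check at handle-open time, granted-access check on later use.

Added example, not code from the book or from Windows NT. Every class, right
name, service name and the sample ACL below are constructed for illustration.
"""
from dataclasses import dataclass

SYNCHRONIZE = "synchronize"
MODIFY_STATE = "modify-state"


@dataclass(frozen=True)
class ACE:
    sid: str
    rights: frozenset
    kind: str = "allow"      # "allow" or "deny"


@dataclass
class Token:
    user_sid: str
    groups: frozenset
    privileges: frozenset = frozenset()


@dataclass
class EventObject:
    acl: list                # evaluated in order, first entry first


@dataclass
class Handle:
    obj: EventObject
    granted: frozenset       # access rights stored in the handle when it was opened


class AccessDenied(Exception):
    pass


def access_check(token, acl, requested):
    """Walk the ACL from first ACE to last on behalf of `token`."""
    ids = {token.user_sid} | set(token.groups)
    requested = frozenset(requested)
    remaining = set(requested)
    for ace in acl:
        if ace.sid not in ids:
            continue                          # ACE names someone else
        if ace.kind == "deny" and ace.rights & requested:
            return False                      # a matching deny ends the search
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True                   # everything requested is granted
    return False                              # end of list: denied


def open_handle(token, obj, requested):
    """The open-time gate: the only point at which the ACL is consulted."""
    if not access_check(token, obj.acl, requested):
        raise AccessDenied(sorted(requested))
    return Handle(obj, frozenset(requested))


SERVICE_REQUIRES = {"wait": {SYNCHRONIZE}, "set_event": {MODIFY_STATE}}


def call_service(handle, service):
    """Later uses compare the handle's stored grant with what the service
    implies; the object's current ACL is not re-read, so changing the ACL
    never revokes a handle that is already open."""
    return SERVICE_REQUIRES[service] <= handle.granted


def make_lees():
    return Token("LEES", frozenset({"TEAM1", "TEAM2", "LOCAL", "INTERACTIVE", "WORLD"}))


def make_event(deny_first=False):
    """The Figure 3-11 ACL: allow LEES synchronize first, deny TEAM2 last.
    With deny_first=True the deny ACE moves to the front, the order the
    system normally uses."""
    allow_lees = ACE("LEES", frozenset({SYNCHRONIZE}))
    allow_team1 = ACE("TEAM1", frozenset({MODIFY_STATE}))      # constructed second ACE
    deny_team2 = ACE("TEAM2", frozenset({SYNCHRONIZE}), "deny")
    acl = [allow_lees, allow_team1, deny_team2]
    if deny_first:
        acl = [deny_team2, allow_lees, allow_team1]
    return EventObject(acl)


if __name__ == "__main__":
    lees, event = make_lees(), make_event()
    h = open_handle(lees, event, {SYNCHRONIZE})
    print("wait:", call_service(h, "wait"), " set_event:", call_service(h, "set_event"))
    try:
        open_handle(lees, make_event(deny_first=True), {SYNCHRONIZE})
    except AccessDenied as exc:
        print("denied with deny ACE first:", exc)
```

Running the same request against the two orderings of the ACL shows why ACE order is part of the policy: with the deny ACE at the end LEES gets her handle, with it at the front she does not. The last part of the test below inserts a deny ACE after the handle exists; the open handle keeps working while a fresh open fails, which is exactly the grandfathering trade-off the text describes.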
In Conclusion

NT executive objects represent a unifying theme in Windows NT. They provide a basis for managing system resources uniformly. They also serve as a focal point for important tasks such as naming, sharing, and protecting resources. In addition, they supply a set of primitives that environment subsystems use to implement their versions of objects and objectlike resources. Each environment subsystem uses executive objects to provide the facilities and resources that its client applications expect.

The user-mode objects presented in this chapter are based on a set of more primitive objects implemented by the NT kernel. The discussion of kernel objects and their capabilities is deferred until Chapter 7, "The Kernel." In the next chapter, we'll examine two special objects that are integral to Windows NT's functioning: processes and threads.

Petitioner Microsoft Corporation, Ex. 1008, p. 81

Glossary of Terms and Acronyms

asynchronous I/O A model for I/O in which an application issues an I/O request and then continues executing while the device transfers the data. The application synchronizes with the completion of the data transfer by waiting on a file handle or an event handle. Compare synchronous I/O.

asynchronous procedure call (APC) A function that executes asynchronously in the context of a particular thread. The kernel issues a software interrupt when the thread executes (if other enabling conditions are present) and directs the thread to execute the APC. See also APC object and APC queue.

attribute caching A technique used in the Win32 subsystem to achieve performance gains when a Win32 application calls drawing functions. The client-side dynamic-link library (DLL) remembers when an application changes some attribute of the screen display and sends the data to the Win32 server only when the application draws something on the screen. See also batching.

auditing The ability to detect and record important security-related events, particularly any attempt to create, access, or delete objects. The Windows NT security system uses security IDs (SIDs) to record which process performed the action. See also security ID.

authentication Validation of a user's logon information. Performed by an authentication package in conjunction with the Windows NT security subsystem. See also authentication package.

… devices. See also authentication.

backing store A storage medium, such as a disk, that serves as backup "memory" for paging when physical memory becomes full. See also paging.

… drawing functions. The client-side … drawing application programming interface (API) calls in a queue, sending them in a single message to the server when the queue gets full or when the user enters input. See also at…

Petitioner Microsoft Corporation, Ex. 1008, p. 335