line
`
`WHO
`
`SokTHISa a a Facebook's Exhibit No. 1008
`
`Facebook's Exhibit No. 1008
`Page 1
`
`

`

`—
`
`PUBLISHED BY
`Microsoft Press
`A Division of Microsoft Corporation
`One Microsoft Way
`Redmond, Washington 98052-6399
`Copyright © 1993 by Microsoft Press
`All rights reserved. No partof the contents of this book may be reproduced or
`transmitted in any form or by any meanswithoutthe written permission of the publisher.
`Library of Congress Cataloging-in-Publication Data
`Custer, Helen, 1961-—
`Inside windows NT / Helen Custer.
`p-
`cm.
`Includes bibliographical references and index.
`ISBN 1-55615-481-X
`1. Operating systems (Computers)
`QA76.76.063C89
`1992
`005.4'469--dc20
`Printed and boundin the United States of America.
`456789 AGAG 876543
`
`2. Windows NT.
`
`I. Title.
`
`92-26231
`CIP
`
`Distributed to the book trade in Canada by Macmillan of Canada,a division
`of Canada Publishing Corporation.
`Distributed to the book trade outside the United States and Canada by
`Penguin Books Lid.
`Penguin Books Ltd., Harmondsworth, Middlesex, England
`Penguin Books Australia Ltd., Ringwood, Victoria, Australia
`Penguin BooksN.Z. Ltd., 182-190 Wairau Road, Auckland 10, New Zealand
`British Cataloging-in-Publication Dataavailable.
`3Comis a registered trademark of 3Gom Corporation. Apple and Macintosh are
`registered trademarks of Apple Computer, Inc. Banyan and VINESareregistered trade-
`marks of Banyan Systems, Inc. DEC, PDP-II, VAX, and VMSareregistered trademarks
`and DECnet and MicroVAX are trademarks of Digital Equipment Corporation. Intelis
`a registered trademark and Intel386 and Intel486 are trademarks of Intel Corporation.
`Microsoft, MS-DOS, and XENIXare registered trademarks and Windows, and Windows
`NTare trademarks of Microsoft Corporation. OS/2is a registered trademarklicensed
`to Microsoft Corporation. NetWare and Novell are registered trademarks of Novell, Inc.
`Sun, Sun Microsystems, and Sun Workstation are registered trademarks of Sun Microsystems,
`Incorporated. UNIXis a registered trademark of UNIX Systems Laboratories.
`
`Acquisitions Editor: Dean Holmes
`Manuscript Editor: Nancy Siadek
`Project Editors: Nancy Siadek and Deborah Long
`Technical Editor: Jeff Carey
`
`Facebook's Exhibit No. 1008
`Page 2
`
`Facebook's Exhibit No. 1008
`Page 2
`
`

`

`INSIDE WINDOWS NT
`
`The object named Floppy0 is a device object, a special object type de-
`fined andused by the I/O system. In the object manager namespace,the de-
`vice object represents a launching pointintoafile system’s object domain,
`onethat the object manager knows nothing about.
`Whenthe I/O system created the device object type,it registered a parse
`methodforit. When the object managerlooks up an object name,it suspends
`its search when it encounters an object in the path that has an associated
`parse method. The object managercalls the parse method, passing to it the
`remainderof the object nameit is looking for.
`For example, when a process opens a handle to the object named
`\Device\Floppy0\docs\resume.doc,
`the object manager traverses its name
`tree until it reaches the device object named Floppy0. It sees that a parse
`method is associated with this object, and it calls the method, passingto it
`the rest of the object name it was searching for—in this case, the string
`\docs\resume.doc. The parse methodfor device objects is an I/O routine. The
`routine takes the namestring andpasses it to the appropriate file system,
`whichfindsthefile on the disk and opensit.
`The symbolic link objects described in Section 3.2.1.3 are also translated
`by a parse method. The symbolic link object type has a parse method associ-
`ated with it. The method takes one name, substitutes another nameforit, and
`then calls the object managerto restart its search for the object. (If the new
`name also contains a symbolic link object name, the parse methodis called
`again.)
`The security method, which is used by the I/O system,is similar to the
`parse method.It is called whenevera thread tries to change the security infor-
`mation protecting a file. This information is differentfor files than for other
`objects because security information is stored in the file itself rather than in
`memory. The I/O system, therefore, must be called in order to find the
`security information and changeit.
`
`Protecting Objects
`Although naming,sharing, and accounting for system resources in a uniform
`wayare all good reasonsfor the NT executive to use an object model, probably
`the most importantreasonis to ensure that WindowsNTis a secure operating
`system.
`Operating system security is a battle fought on many fronts. A secure
`multiuser system must protect one user’s files, memory, and other resources
`from other users. It must protect the operating system’s data, files, and
`memory from user programs. It should monitor attempts to bypass its security
`features, and so on. The U.S. Departmentof Defense has identified features of
`
`3.3
`
`74
`
`Facebook's Exhibit No. 1008
`Page 3
`
`Facebook's Exhibit No. 1008
`Page 3
`
`

`

`The Object Manager and Object Security
`
`an operating system that make it secure. These features are categorized into
`sevenlevels of security, each one more stringent than thelast.”
`At the Class C2 level, the initial target for Windows NT,the following
`features must be present:
`
`® A secure logonfacility requires users to identify themselves by entering
`a unique logonidentifier and a password beforetheyare allowed ac-
`cess to the system.
`
`Discretionary access control allows an ownerofa resource to determine
`who can access the resource and what they can doto it. The owner
`doesthis by grantingaccess rights to a user or a group ofusers.
`Auditing providestheability to detect and record important security-
`related events or any attemptto create, access, or delete system
`resources.It uses logonidentifiers to record theidentity of the user
`who performed theaction.
`Memory protection prevents anyone from reading information written
`by someoneelse after a data structure has been released back to the
`operating system. Memoryis reinitialized beforeit is reused.
`
`Not all WindowsNTinstallationswill require all the security mechanisms that
`the system provides. The security system,therefore, allows a system adminis-
`trator to streamline the logon sequence, for example,or to adjust whether in-
`formation is collected in an audit log and,if so, how much.
`Facilities that are extremely security conscious, such as military installa-
`tions, require an even higherlevel of security than WindowsNTinitially pro-
`vides. Therefore, Windows NTis designed to evolve toward Class B2 security, a
`level known as Mandatory Access Control, in which each useris assigned a
`security clearance level andis prevented from giving lower-level users access
`to protected resources. For example, in secure U.S. governmentfacilities, one
`user might have a ‘‘Secret” security clearance and another a “Top Secret”
`security clearance. Mandatoryaccess control ensures that the user with the
`“Top Secret” clearance can neverallow the former user access to any “Top
`Secret” information, even by using discretionary access control. Similarly,
`B2 security requires the recognition of “‘compartments,” the separating of
`groupsofusers from one another. This type of protection is useful in indus-
`tries such as financial security exchanges, in which inappropriate access to
`stock offerings or mergers mightcreate conflicts of interest.
`
`
`7, Departmentof Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD
`(December 1985).
`
`Petitioner Microsoft Corporation, Ex. 1008, p. 75
`Petitioner Microsoft Corporation, Ex. 1008, p. 75
`
`Facebook's Exhibit No. 1008
`Page 4
`
`Facebook's Exhibit No. 1008
`Page 4
`
`

`

`INSIDE WINDOWS NT
`
`The Windows NT security system is multifaceted, but protecting objects
`is the essence of discretionary access control and auditing (and later, of man-
`datory access control). The idea behind Windows NTsecurity is to create a
`gate through which every user of system resources must pass. Because all sys-
`tem resources that can be compromised are implemented as objects, the NT
`object manager becomes the gate. One need not poke around in numerous
`dark corners of the operating system to validate the integrity of Windows
`NT’s security system;the critical security-related operations can be found in a
`central location.
`The following subsections examine object protection from two perspec- ,
`tives: first, verifying the identity of users and, second, controlling which users
`can access which objects.
`
`3.3.1
`
`Access Tokens
`
`In order to control who can manipulate an object, the security system must
`first be sure of each user's identity. Therefore, the first line of protection in
`WindowsNT is the requirementthat every user log onto the system.
`As Chapter2, “System Overview,” described, an integral protected sub-
`system,the security subsystem, is responsible for authenticating users—thatis, for
`verifying that the logon information a user supplies matches the information
`stored in a security database. After the security subsystem determines that a
`logon is authentic, it constructs an object that it permanently attachesto the
`user's process. This object is called an access token, and it serves as the process's
`official identity card wheneverit tries to use a system resource. A sample ac-
`cess token is depicted in Figure 3-8.
`The first attribute shown in this example is the user's personal security
`7D, an identifier that usually corresponds to the user’s logon name.In large
`installations, a security ID might also incorporate the nameof the user's divi-
`
`Group IDs:
`
` Security ID:
`
`
`
`
`
`MARYH
`TEAM
`LOCAL
`INTERACTIVE
`WORLD
`None
`Privileges:
`Default owner: MARYH
`Primary group: TEAM1
`Default ACL:
`
`Figure 3-8. Sample Access Token
`
`76
`
`Facebook's Exhibit No. 1008
`Page 5
`
`Facebook's Exhibit No. 1008
`Page 5
`
`

`

`The Object Manager and Object Security
`
`sion or department (for example, ENGINEERING_MARYH). Group security
`IDs are formed from lists of user IDs. The second attribute shown in Figure
`3-8 is the list ofgroups to which MARYH belongs. Windows NT defines several
`standard group identifiers that are included in MARYH'’stoken.
`When a process tries to open a handle to an object, the object manager
`calls the security reference monitor, The security reference monitor gets the
`token associated with the process and uses its security ID and list of groups to
`determine whether the process can access the object.
`A small number of security-sensitive system services (such as create
`token) are also protected from use, The privileges attribute lists any of these
`special services that a user can call, Most users have no privileges.
`The user whocreates an object generally becomes its owner and can de-
`cide who else can use it. The access token's default access coniral list (ACL) at
`tribute is an initial list of protections applied to the objects the user creates.
`The primary group attribute provides the capability to collect security IDs
`into groups for organizational purposes, a feature of several operating system
`environments, including POSIX.
`Details about security [Ds and ACLs are explained in the next section.
`For now,look at Figure 3-9, which summarizes the attributes and services ap-
`plicable to access token objects.
`In addition to the create, open, and query services, the set token service
`also appears. Setting attributes in an object is a common service that is pro-
`vided for many NT executive objects. The remaining three services are in-
`tended for use primarily by security administration software.
`
`Object Type
`
`Object Body Attributes
`
`Figure 3-9. Access Token Object
`
`Facebook's Exhibit No. 1008
`Page 6
`
`Facebook's Exhibit No. 1008
`Page 6
`
`

`

`INSIDE WINDOWS NT
`
`3.3.2 Access Control Lists
`All objects, including files, threads, events, and even access tokens, are as-
`signed security descriptors when they are created.* The main feature of a
`security descriptoris a list of protections that apply to the object, called an
`aceess control list (ACL). The owner of an object, usually the user who creates
`it, has discretionary access control over the object and can change the object's
`ACLto allow others to access the object or to disallow them from accessing it.
`Figure 3-10 is a simplified picture of a file object and its ACL.
`
`Object
`Header
`
`
`Access Control List
`
`
`Allow
`Allow
`
`
`DAVEC
`TEAM?
`
`
`
`Read Data
`Read Dats
`
`
`Write Data
`
`
`
`Figure 3-10. Access Control List (ACL)
`
`Each entry in an ACL is known as an access control entry (ACE). An ACE
`contains a security ID and a set of access rights. A user with a matching
`security LD might be allowed thelisted access rights, denied them, or allowed
`them with auditing. The accumulation of access rights granted by individual
`ACEs forms the set of access rights granted by an ACL.
`Suppose you attemptto list a file, for example. If the file object's ACL
`contains an ACE with your security ID or one of your group [Ds in it, and if
`that ACE contains the access right called read data, you are allowed to list the
`file. In addition,if the operation you are attempting isa privileged operation,
`such as create token, you must have the privilege to create an access token.
`Otherwise, accessed is denied.
`As shown in Figure 3-10, an ACE can also be created for a group security
`ID. DAVEC has read access to the file object, the members of group TEAM1
`have read and write access, and all other users have execute access.
`
`:
`
`8. There are exceptions. Only objects that can be shared by more chan one process are required to
`have a security descriptor, This group includes all named objects plus all named and unnamed pro-
`cess, thread, and token. objects.
`
`78
`
`Facebook's Exhibit No. 1008
`Page 7
`
`Facebook's Exhibit No. 1008
`Page 7
`
`

`

`The Object Manager and Object Security
`
`To determine which ACL to assign to a new object, the security system
`applies one of three mutually exclusive rules, in the following order:
`
`1, Ifa caller explicitly provides an ACL when creating the object, the
`security system applies that ACL. to the object.
`2. Ifa caller does not supply an ACL and the object has a name,the
`security system looks at the ACL on the object directory in which
`the new object name is stored, Some of the object directory’s ACEs
`might be marked “inherit,"’ meaning that they should be applied to
`new objects created in the object directory, If any of these inherita-
`ble ACEs are present, the security system forms them into an ACL,
`which it attaches to the new object.
`3. If neitherof the first two cases occurs, the security system retrieves
`the default ACL from the caller's access token and applies it to the
`
`In addition to an ACL, an object's security descriptor contains a field
`that regulates auditing of the object. Auditing refers to the security system's
`ability to “spy” on selected objects and their users and to gencrate messages
`or alarms when someone attempts a restricted operation on an object. For ex-
`ample, the security system can audit attempts to read or modify a system-
`owned file. If someone tries to change the file, the security system writes a
`message to the audit log, identifying the user by security ID. The system
`manager can generate security reports that retrieve information from the
`log. For highly secure systems, the security system is even designed to gener-
`ate an audible or a visible alarm on a security administrator's machine when
`the action occurs, Auditing can help reduce the risk of computer tampering.
`
`Putting It All Together
`An access token identifies a process (and its threads) to the operating system,
`whereas a security descriptor enumerates which of these processes (or groups
`of processes) can access an object. When a thread opens a handle to an object,
`the object manager and the security system put this information together to
`determine whether the caller should be given the handleit is requesting.
`Figure 3-11 on the next page illustrates what happens when user LEES
`opens a handic, requesting synchronize access to an event object.
`
`Facebook's Exhibit No. 1008
`Page 8
`
`Facebook's Exhibit No. 1008
`Page 8
`
`

`

`INSIDE WINDOWS NT
`
`Group IDs; TEAM!
`TEAM2
`LOCAL
`INTERACTIVE
`WORLD
`
`Security Token Security ID: LEES Seceecereedareneaese,
`Privileges: None
`
`Figure 3-11. Checking an Object's Protection
`
`When checking an ACL, the security system proceeds through the list
`from first ACE to last. When it finds the security or group ID of the caller,it
`stopsits search and checks whether the ACE allows the type of access the user
`is attempting.Ifit finds an ACE that allows the access, it stops searching and
`returns a handle to thecaller, If it reaches the endof thelist without finding
`the security or group ID ofthe caller, the caller's request is denied.
`In Figure 3-11, the event object's ACL allows LEES synchronize access in
`its first entry, Because LEES requested synchronize access, the security system
`immediately stops its search, and the object manager returns to LEES a
`handle that contains synchronize access to the event. Notice that the third
`ACEexplicitly denies LEES synchronize access, based on her membership in
`‘TEAM2. However, because of the order of the ACEs in this access controllist,
`the third ACE is ignored in this case. (This is a somewhatartificial example
`because the system generally places ACEs that deny access at the beginning of
`thelist.)
`It would not be efficient for the security system to make this check every
`time a process uses a handle, An ACL can have many entries, a process can
`access many objects duringits lifetime, and numerous processes can be active
`at any time. Therefore, the check takes place only when a handle is opened,
`
`Facebook's Exhibit No. 1008
`Page 9
`
`Facebook's Exhibit No. 1008
`Page 9
`
`

`

`The Object Manager and Object Security
`
`not each time the handle is used. (Note that since kernel-mode code uses
`pointers rather than handles to access objects, the access check is not per-
`formed when the operating system uses objects. In other words, the NT execu-
`tive “trusts” itself in a security sense.)
`The next time LEES uses the event handle, the object manager simply
`compares the granted access (synchronize) stored in the handle with the type
`of access implied by the service she has called. If she calls a wait service, the
`call will succeed, If she calls set event, however, the service will fail. In order to
`call set event, either she must have opened the first handle requesting both
`synchronize and modify-state access or she must now open a new handle and
`request modify-state access.
`Note that once a process successfully opens a handle, the access rights
`that have been granted cannot be revoked by the security system, even if the
`object's ACL changes, The old handleis essentially grandfathered ia because
`the developers decided efficient security checks were more important than
`the ability to revoke granted access rights. The latter capability would have
`required a complete security check each time a handle is used, rather than
`only when the handleis originally created as the current design specifies. The
`performance improvement achieved by storing granted access rights directly
`in handles is significant, especially for objects with long ACLs attached.
`
`In Conclusion
`
`NT executive objects represent a unifying theme in Windows NT. They pro-
`vide a basis for managing system resources uniformly, They also serve as a fo-
`cal point for important tasks such as naming, sharing, and protecting
`resources. In addition, they supply a set ofprimitives that environment subsys-
`tems use to implement their versions of objects and object-like resources,
`Each environment subsystem uses executive objects to provide the facilities
`and resources thatits client applications expect.
`The user-mode objects presented in this chapter are based on a set of
`more primitive objects implemented by the NT kernel. The discussion of
`kernel objects and their capabilities is deferred until Chapter 7, ‘The
`Kernel.”’ In the next chapter, we'll examine two special objects that are in-
`tegral to Windows NT’s functioning: processes and threads.
`
`81
`
`Facebook's Exhibit No. 1008
`Page 10
`
`Facebook's Exhibit No. 1008
`Page 10
`
`

`

`an asyn-
`> by wait-
`y testing
`lure call.
`
`ser. See
`
`
`
`
`
`ure call
`Sanda
`
`vous pro-
`
`be exe-
`hread’s
`
`request
`; condi-
`
`ication
`
`(if other enabling condi
`directs the thread to execute the APC.See also APCobject and APCqueue.
`
`Win32 server only when
`See also batching.
`tantsecurity-related events,
`auditing The ability to detect an
`d record impor
`particularly any attemptto create, access, or delete objects. The Windows
`NT security system uses security IDs (SIDs) to record
`formedthe action. See also security ID.
`which process per-
`a user’s logon information, Performed by an
`authentication package in conjunction with the WindowsNTsecuritysub-
`System. See also authentication package.
`authentication Packag
`Windows NT s€curity system
`devices, See also authentication.
`
`tem. It decreases each
`low. See also working set.
`
`lls drawing functions. Theclient-side
`dynamic-link library (DLL) stores
`drawing application programming
`interface (API) calls in a queue, send
`ing them in a single message to the
`Server when the queue gets full or wh
`€n the userenters input. See also ai-
`tribute caching.
`
`335
`
`
`
`Facebook's Exhibit No. 1008
`Page 11
`
`Facebook's Exhibit No. 1008
`Page 11
`
`