Facebook's Exhibit No. 1008
`
`Page 1
`
`Facebook's Exhibit No. 1008
`Page 1
`
`

`
`PUBLISHED BY
`Microsoft Press
`
`A Division of Microsoft Corporation
`One Microsoft Way
`Redmond, Washington 98052-6399
`
`Copyright © 1993 by Microsoft Press
`
`All rights reserved. No part of the contents of this book may be reproduced or
`transmitted in any form or by any means without the written permission of the publisher.
`
`Library of Congress Cataloging-in-Publication Data
`Custer, Helen, 1961-
`Inside windows NT / Helen Custer.
`p.
`cm.
`'
`Includes bibliographical references and index.
`ISBN 1-55615-481-X
`
`2. Windows NT.
`
`1. Title.
`
`92-25231
`
`CIP
`
`1. Operating systems (Computers)
`QA76.76.053C89
`1992
`005.4‘ 4.-69~~ dc20
`
`'
`
`Printed and bound in the United States of America.
`456789 AGAG876543
`
`Distributed to the book trade in Canada by Macmillan of Canada, a division
`of Canada Publishing Corporation.
`Distributed to the book trade outside the United States and Canada by
`Penguin Books Ltd.
`
`Penguin Books Ltd., Harmondsworth, Middlesex, England
`Penguin Books Australia Ltd., Ringwood, Victoria, Australia
`Penguin Books NZ. Ltd., 182-190 Wairau Road, Auckland 10, New Zealand
`
`British Cataloging-in-Publication Data available.
`
`3Com is a registered trademark of 3Com Corporation. Apple and Macintosh are
`registered trademarks of Apple Computer, Inc. Banyan and VINES are registered trade-
`marks of Banyan Systems, Inc. DEC. PDP-II, VAX, and VMS are registered trademarks
`and DECnet and MicroVAX are trademarks of Digital Equipment Corporation. Intel is
`a registered trademark and Intel386 and Intel486 are trademarks of Intel Corporation.
`Microsoft, MS-DOS, and XENIX are registered trademarks and Windows, and Windows
`NT are trademarks of Microsoft Corporation. 05/2 is a registered trademark licensed
`to Microsoft Corporation. NetWare and Novell are registered trademarks of Novell, Inc.
`Sun, Sun Microsystems, and Sun Workstation are registered trademarks of Sun Microsystems,
`Incorporated. UNIX is a registered trademark of UNIX Systems Laboratories.
`
`Acquisitions Editor: Dean Holmes
`Manuscript Editor: Nancy Siadek
`Project Editors: Nancy Siadek and Deborah Long
`Technical Editor: Jeff Carey
`
`Facebook's Exhibit No. 1008
`Page 2
`
`

`
`INSIDE WINDOWS NT
`
`The object named Floppy-0 is a device object, a special object type de-
`fined and used by the [/0 system. In the object manager namespace, the de-
`vice object represents a launching point into a file system's object domain,
`one that the object manager knows nothing about.
`When the I/O system created the device object type, it registered a parse
`method for it. When the object manager looks up an object name, it suspends
`its search when it encounters an object in the path that has an associated
`parse method. The object manager calls the parse method, passing to it the
`remainder of the object name it is looking for.
`For example, when a process opens a handle to the object named
`\Device\Floppy0\docs\resu.me.doc,
`the object manager traverses its name
`tree until it reaches the device object named Floppyfl. It sees that a parse
`method is associated with this object, and it calls the method, passing to it
`the rest of the object name it was searching for—in this case, the string
`\docs\nesurne.doc. The parse method for device objects is an I/O routine. The
`routine takes the name string and passes it to the appropriate file system,
`which finds the file on the disk and opens it.
`The symbolic link objects described in Section 3.2.1.3 are also translated
`by a parse method. The symbolic link object type has a parse method associ-
`ated with it. The method takes one name, substitutes another name for it, and
`
`then calls the object manager to restart its search for the object. {If the new
`name also contains a symbolic link object name, the parse method is called
`again.)
`The security method, which is used by the I/O system, is similar to the
`parse method. It is called whenever a thread tries to change the security infor-
`mation protecting a file. This information is dilferent for files than for other
`objects because security information is stored in the file itself rather than in
`memory. The I/O system, therefore, must be called in order to find the
`security information and change it.
`
`3.3
`
`Protecting Objects
`
`Although naming, sharing, and accounting for system resources in a uniform
`way are all good reasons for the NT executive to use an object model, probably
`the most important reason is to ensure that Windows NT is a secure operating
`system.
`Operating system security is a battle fought on many fronts. A secure
`multiuser system must protect one user’s files, memory, and other resources
`from other users. It must protect the operating system’s data, files, and
`memory from user programs. It should monitor attempts to bypass its security
`features, and so on. The US. Department of Defense has identified features of
`
`74
`
`Facebook's Exhibit No. 1008
`
`Page 3
`
`Facebook's Exhibit No. 1008
`Page 3
`
`

`
`The Object Manager and Object Security
`
`an operating system that make it secure. These features are categorized into
`seven levels of security, each one more stringent than the last.7
`At the Class C2 level, the initial target for Windows NT, the following
`features must be present:
`
`I A secure @tmfacility requires users to identify themselves by entering
`a unique logon identifier and a password before they are allowed ac-
`cess to the system.
`
`I Dis.-sretimtmy access control allows an owner ofa resource to determine
`who can access the resource and what they can do to it. The owner
`does this by granting access rights to a user or a group of users.
`
`I Auditing provides the ability to detect and record important security-
`related events or any attempt to create, access, or delete system
`resources. It uses logon identifiers to record the identity of the user
`who performed the action.
`
`I Memory protection prevcnts anyone from reading information written
`by someone else after a data structure has been released back to the
`
`operating system. Memory is reinitialized before it is reused.
`
`Not all Windows NT installations will require all the security mechanisms that
`the system provides. The security system, therefore, allows a system adminis-
`trator to streamline the logon sequence, for example, or to adjust whether in-
`formation is collected in an audit log and, if so, how much.
`Facilities that are extremely security conscious, such as military installa-
`tions, require an even higher level of security than Windows NT initially pro-
`vides. Therefore, Windows NT is designed to evolve toward Class B2 security, a
`level known as Mandatory Access Control, in which each user is assigned a
`security clearance level and is prevented from giving lowervlcvel users access
`to protected resources. For example, in secure U.S. government facilities, one
`user might have a “Secret" security clearance and another a “Top Secret”
`security clearance. Mandatory access control ensures that the user with the
`“Top Secret" clearance can never allow the former user access to any “Top
`Secret" information, even by using discretionary access control. Similarly,
`B2 security requires the recognition of “cornpartments," the separating of
`groups of users from one another. This type of protection is useful in indus-
`tries such as financial security exchanges, in which inappropriate access to
`stock offerings or mergers might create conflicts of interest.
`
`7. Department of Defense Trusted Computer System E\-’a.l1I.7tlil:Il'l Criteria, DOD 5200.23-STD
`(December 198:3).
`
`Petitioner Microsoft Corporation, Ex. 1008, p. 75
`Petitioner Microsoft Corporation, Ex. 10%, p. 75
`
`Facebook's Exhibit No. 1008
`
`Page 4
`
`Facebook's Exhibit No. 1008
`Page 4
`
`

`
`INSIDE WINDOWS NT
`
`The Windows NT security system is multifaceted, but protecting objects
`is the essence of discretionary access control and auditing (and later, of man-
`datory access control). The idea behind Windows NT security is to create a
`gate through which every user of system resources must pass. Because all sys-
`tem resources that can be compromised are implemented as objects. the NT
`object manager becomes the gate. One need not poke around in numerous
`dark comers of the operating system to validate the integrity of Windows
`NT's security system; the critical security—related operations can be found in a
`central location.
`
`The following subsections examine object protection from two perspec- ,
`tives: first. verifying the identity of users and, second. controlling which users
`can access which objects.
`
`Access Tokens
`
`In order to control who can manipulate an object, the security system must
`first be sure of each user's identity. Therefore, the first line of protection in
`Windows NT is the requirement that every user log onto the system.
`As Chapter 2, “System Overview," described, an integral protected sub-
`system, the secitrityrutuytstan, is responsible for aulhentimting uscrs— that is, for
`verifying that the logon information a user supplies matches the information
`stored in a security database. After the security subsystem determines that a
`logon is authentic, it constructs an object that it permanently attaches to the
`user‘: process. This object is called an scans taken, and it serves as the process’:
`official identity card whenever it tries to use a system resource. A sample ac-
`ccs token is depicted in Figure 3-8.
`The first attribute shown in this example is the user's personal security
`ID, an identifier that usually corresponds to the user's logon name. In large
`installations, a security ID might also incorporate the name of the user's divi-
`
`Security ID:
`Group IDs:
`
`MARYH
`TEAM1
`LOCAL
`INTERACTIVE
`WORLD
`
`None
`Priviegee:
`Default owner: MARYH
`
`Primary group: TEAM1
`Deiault ACL:
`
`Flgtn 3-8. Sample Access Token
`
`Facebook's Exhibit No. 1008
`Page 5
`
`

`
`Th-Omcwnrlosv-wdobjsctssouvty
`
`sion or depamnem (for example. £NGlN£l'.Rll\C_ MARYH). Group security
`Ibsareforrnedfrosnliusoful.-rlfla Thesecondanributeshounin Figure
`S-Gistheliuofgroqsstovrhich MAIIYH belongs. W'tndo~rsNTdefines several
`sranhrtl group identifiers that are included in HAllYH°s token.
`Wlsenaruncessuiamopenalnndlemanobjecndteobjectmarugcr
`calls the security reference monitor. The security reference monitor gets the
`token anociatedwith the pmoessand usesitssecuritylb and liuofgrvoupsto
`determine whether the process can access the object.
`A small number of security-sensitive system services (such as create
`token) are also protected from use. The privileges attribute lists any of these
`special services that at user can call. Most users have no privileges.
`The user who creates an object generally becomes its owner and can de-
`cide who else can use it. The acceu to|ten‘s default awn: control list (ACL) at-
`tribute is an initial list of protections applied to the objects the user creates.
`The primary group attribute provides the capability to collect security IDs
`into groups for organisational purposes. a feature 0! several operating system
`erwlronrnems. incltuling POSIX.
`Detailsahoutsecurity lbsandmibareexplslnedin thenextsection.
`For now, Iookstl-1gure 3-9,uhlch surnmsrhes the attributes andservia:np-
`pllcalie to access token objects.
`lnsdditianmIheaeste,open.andqueryservloes.thesetto&enservioe
`alsoappeanseuhtgatuihttesinsnolsjectisacannwn servicethatispm-
`vided for many NT executive objects. The remaining three services are in-
`tended for use primarily by security sdmlnlstrstiort software.
`
`Figure 3-0. AooessTolton Object
`
`Facebook's Exhibit No. 1008
`Page 6
`
`

`
`msuos wmoows NT
`
`3.3.2 Access Control Lists
`
`All objects, including files, threads, events, and even acoem tokens. are as-
`signed security descriptor: when they are created} The main feature of a
`security descriptor is a list of protections that apply to the object. called an
`access control list (ACL). The owner of an object. usually the user who creates
`it, has discretionary access control over the object and can change the object's
`ACL to allow others to access the objector to disallow them from accessing it.
`Figure 8-10 is a simplified picture of a file object and its ACL.
`
`Hgurc 3-1n. Access Control List (ACLJ
`
`Each entry in an ACL is known as an access control entry (ACE). An ACE
`contains a security ID and a set of access rights. A user with a matching
`Security ID might be allowed the listed access rights, denied them, or allowed
`them with auditing. The accumulation of acces rights granted by individual
`ACE: forms the set of access rights granted by an ACL.
`Suppose you attempt to list a file. for example. If the file object's ACL
`contains an ACE with your security ID or one of your group [D5 in it, and if
`that ACE contains the access right called read data. you are allowed to list the
`file. In addition. if the operation you are attempting isa privileged operation,
`such as create token. you must have the privilege to create an access token.
`Otherwise, accessed is denied-
`
`As shown in Figure 3-10, an ACE can also be created for a group security
`ID- DAVEC. has read access to the file object, the members of group TEAMI
`have read and write access. and all other users have execute access.
`
`8. There are exoeptiorut Only objects that cut be shared by more than one process are required to
`have a security descriptor. This group includau all named objects plus all named and unnamed pro-
`cus, thread, and taken objects.
`
`Facebook's Exhibit No. 1008
`Page 7
`
`

`
`Th-out-uwna-wvobhctsoam
`
`Todeterminewhichhcltoasign toa mvohjecnthenecuruygygggn
`applies one of three mutually exclndve rules. in the following order.
`
`I. lfacallerexplieidyprovldesenACLwlIencreuingtheohject.u.c
`secttritysystemappliest!ntACLtot.heobjett.
`
`2. Ifacallerdoesmtntpplyanhfltand the ohjecthuaname. the
`security uyatem lookaat the M1. on the object directory in which
`the new object name is Itorod. Some of the object directory’: ACE;
`might be marked "inherit." meaning that they should be applied to
`new objects created in the object directory. If any of these inherita-
`ble ACE: are present, the aecurity ayttcm forms them into an ACL,
`which it attaches to the new object.
`
`. If neither of the first two cases occurs. the aecurtty system reu-ievu
`the default Act, from the caller’: access token and applies it to the
`
`in addition to an Act. an object'a security descriptor contains a field
`thn regulate: auditingofthe object. Audithgrefetn to the rcurity ryucm's
`ahiity lo
`on neleeted object: and their um: and to generate meager
`oralannswhensomeoneattemptnarestrictedopetationon anohjev:t.F'orea-
`anq)le.tltereunityaynernanatiditattenquitoreadormodifyaryIun-
`owned6le.lfurnoonenieotodungcthefile.thetocurityryItemwritesa
`message to the audit log, identifying the user by security It). The tyuem
`manager can generate security report: that retrieve information from the
`log. For highly secure systems, the tecurity Iyttan ll even designed to gener-
`ate an audible or a visible alarm on a security administrator‘: machine when
`the action occurs. Auditing can help reduce the risk of computer tampering.
`
`Putlng It All Together
`
`Anacoeaatokenidentifieuproceaa(andit|thread.s) totheoperatingsyatern.
`whrreanaeeurity descriptor emunentes which of these proceses (or groups
`ofprooeaencannccettanolajectwhenathreodopemaltnndletoanohjech
`theohjectmanagennd the aecurityryuern putthininlormation together to
`determine whether the caller should heglven the handle it istequeating.
`Ftgute3-llattheneItpqeillttunteurlnthappeIuul|enuaerl.ELS
`oprruahandle.roqueatingrynchroniaeaoccntnaneventohjet-t.
`
`Facebook's Exhibit No. 1008
`Page 8
`
`

`
`INSIDE WINDOWS NT
`
`security Token
`
`Group IDs: TEAM!
`TEAM2
`LOCAL
`INTERACTIVE
`WORLD
`Privileges: Nona
`
`Flwro 3-11. Checking an Objecrs Protection
`
`When checking an ACL, the security system proceeds through the list
`from first ACE to last. When it finds the security or group [D of the caller. it
`stops its search and checks whether the ACE allows the type of access the user
`is attempting. If it finds an ACE that allows the access. it stops searching and
`returns a handle to the caller. If it reaches the end of the list without finding
`the security or group ID of the caller. the caller's request is denied.
`In Figure 3-1], the event object's ACL allows LEES synchronize access in
`its first entry. Because LEES requested synchronize access. the security system
`immediately stops its search, and the object manager returns to LEES a
`handle that contains synchronize access to the event. Notice that the third
`ACE explicitly denies LEES synchronize access, based on her membership in
`TEAM2. However. because of the order of the Mills in this access control list,
`
`the third ACE. is ignored in this case. (This is a somewhat artificial example
`because the system generally planes ACEs that deny access at the beginning of
`the list.)
`It would not be eflicient for the security system to make this check every
`time a process uses a handle. An ACL can have many entries. as process can
`access many objects during its lifetime. and numerous processes can be active
`at any time. Therefore, the check takes place only when a handle is opened.
`
`Facebook's Exhibit No. 1008
`Page 9
`
`

`
`The Object Manager and Otficl Seculty
`
`not each time the handle is used. (Note that since kernel-mode code uses
`pointers rather than handles to access objects. the access checlt is not per.
`formed when the operating system usesobjects. In other words, the NT execu-
`tive “trusts" itself in a security sense.)
`The next time LEES uses the event handle, the object manager simply
`compares the granted aocess (synchronize) stored in the handle with the type
`of access implied by the service she has called. If she calls a wait service, the
`call will succeed. If she calls set event. however. the service will fail. In order to
`
`call set event, either she must have opened the first handle requeaing both
`synchronize and modify-state access or she must now open a new handle and
`request modify-state access.
`Note that once a process successfully opens a handle, the access rights
`that have been granted cannot be revoked by the security system. even if the
`object's ACL changes. The old handle is essentially grandfathered in because
`the developers decided efficicnt security checks were more important than
`the ability to revoke granted access rights. The latter capability would have
`required a completesecurity check each time a handle is used. rather than
`only when the handle is originally created as the current design specifies. The
`performance improvement achieved by storing granted access rights directly
`in handles is significant, especially for objects with long ACLs attached.
`
`In Coneluslon
`
`NT executive objects represent a unifying theme in Windows NT. They pro-
`vide a basis for managing system resources uniformly. They also serve as a fo-
`cal point for important tasks such as naming, sharing, and protecting
`resources. in addition. they supply a set ofprimitiva that environment subsys-
`tems use to implement their versions of objects and object—1ilu: resources.
`Each environment subsystem uses executive objects to provide the facilities
`and resources that its client applications expect.
`The user—modc objects presented in this chapter are based on a set of
`more primitive objects implemented by the NT kernel. The discussion of
`kernel objects and their capabilities is deferred until Chapter 7. “The
`Kernel." ln the next chapter, we'll examine two special objects that are in-
`tegral to Windows N'I"s functioning: processes and threads.
`
`Facebook's Exhibit No. 1008
`Page 10
`
`

`
`-.-- — '7/S"-'1".'v».'
`
`Glossary of Terms and Acronyms
`
`ure call
`3 and a
`
`muspm"
`
`be exe-
`hread ’s
`
`request
`; condi-
`
`Win32 server only when
`
`See also batching.
`
`auditing The ability to detect and record impor
`particularly any attempt to create,
`
`authentication package in c
`system See also autlzentication package.
`
`Facebook's Exhibit No. 1008
`Page 11