Improving the granularity of access control in Windows NT

Swift, Michael M.; Brundrett, Peter; Dyke, Cliff Van; Garg, Praerit; Hopkins, Anne; Chan, Shannon; Goertzel, Mario; Jensenworth, Gregory

doi:10.1145/373256.373271

Cited by 14 publications

(10 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Although Windows has a richer access control model than Linux users and groups [42], Windows adopts similar practices for some resources, such as requiring Administrator privilege to create a raw socket [34].…”

Section: Related Workmentioning

confidence: 99%

Practical techniques to obviate setuid-to-root binaries

Jain

Tsai

John

et al. 2014

Proceedings of the Ninth European Conference on Computer Systems

View full text Add to dashboard Cite

Trusted, setuid-to-root binaries have been a substantial, long-lived source of privilege escalation vulnerabilities on Unix systems. Prior work on limiting privilege escalation has only considered privilege from the perspective of the administrator, neglecting the perspective of regular users-the primary reason for having setuid-to-root binaries.The paper presents a study of the current state of setuidto-root binaries on Linux, focusing on the 28 most commonly deployed setuid binaries in the Debian and Ubuntu distributions. This study reveals several points where Linux kernel policies and abstractions are a poor fit for the policies desired by the administrator, and root privilege is used to create point solutions. The majority of these point solutions address 8 system calls that require administrator privilege, but also export functionality required by unprivileged users. This paper demonstrates how least privilege can be achieved on modern systems for non-administrator users. We identify the policies currently encoded in setuid-to-root binaries, and present a framework for expressing and enforcing these policy categories in the kernel. Our prototype, called Protego, deprivileges over 10,000 lines of code by changing only 715 lines of Linux kernel code. Protego also adds additional utilities to keep the kernel policy synchronized with legacy, policy-relevant configuration files, such as /etc/sudoers. Although some previously-privileged binaries may require changes, Protego provides users with the same functionality as Linux and introduces acceptable performance overheads. For instance, a Linux kernel compile incurs less than 2% overhead on Protego.

show abstract

Section: Related Workmentioning

confidence: 99%

Practical techniques to obviate setuid-to-root binaries

Jain

Tsai

John

et al. 2014

Proceedings of the Ninth European Conference on Computer Systems

View full text Add to dashboard Cite

show abstract

“…One is that resources that are protected in filesystems are different, and have different relationships with one another than in VCSes. The second is that typically, such schemes, such as the ones in POSIX-compliant systems [27] and Windows ACLs [29,30], have only two levels of administrators: a superuser ("root") and the owner of a file or directory. The owner has full discretion in handing out rights to resources that he owns.…”

Section: Related Workmentioning

confidence: 99%

An authorization scheme for version control systems

Chamarty

Patel

Tripunitara

2011

Proceedings of the 16th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

We present gitolite, an authorization scheme for Version Control Systems (VCSes). We have implemented it for the Git VCS. A VCS enables versioning, distributed collaboration and several other features, and is an important context for authorization and access control. Our main consideration behind the design of gitolite is the balance between expressive power, correctness and usability in realistic settings. We discuss our design of gitolite, and in particular the four user-classes in its delegation model, and the administrative actions a user at each class performs. We discuss also our ongoing work on expressing gitolite precisely in first-order logic, to thereby give it a precise semantics and establish correctness properties. gitolite has been adopted in open-source software development, university and industry settings. We discuss our experience with these deployments, and present some performance results related to access enforcement from a real deployment.

show abstract

“…Many authors, including some of the present ones, have proposed authentication schemes that try to support a more complex notion of principal than merely "the logged-in user" [6,16,29,33]. Most commonly, such schemes allow a principal to adopt a "role" or "restricted context" with the intention of reducing or enhancing the principal's privileges.…”

Section: Related Workmentioning

confidence: 99%

Authorizing applications in singularity

Wobber

Yumerefendi

Abadi

et al. 2007

Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007

View full text Add to dashboard Cite

We describe a new design for authorization in operating systems in which applications are first-class entities. In this design, principals reflect application identities. Access control lists are patterns that recognize principals. We present a security model that embodies this design in an experimental operating system, and we describe the implementation of our design and its performance in the context of this operating system.

show abstract

Improving the granularity of access control in Windows NT

Cited by 14 publications

References 9 publications

Practical techniques to obviate setuid-to-root binaries

Practical techniques to obviate setuid-to-root binaries

An authorization scheme for version control systems

Authorizing applications in singularity

Contact Info

Product

Resources

About