[SAT Homepage]   XSAT Project: Short Description

Keywords

Operating Systems, Network Administration, Security / Protection, Access Control List (ACL), Windows NT / Windows 2000, XSAT (=eXtended Security Analysis Tool)

Basic considerations

Many operating systems (e.g. Microsoft Windows NT / Windows 2000) support an object-oriented view of access control. The Access Matrix [Silberschatz Abraham, Galvin Peter. Operating System Concepts, Addison-Wesley Publishing Company] , which describes who is allowed to execute which operations on an object, is tightly bound with the object and stored in the form of an Access Control List (ACL).

 Object 1   Object 2   Object 3   Object 4   Object 5   Object 6     ...   
 User1  - - change change - - ...
 User2  - - - - read - ...
 ...  ... ... ... ... ... ... ...
 Group1  change change - - change - ...
 Group2  read read exec exec - read ...
 ...  ... ... ... ... ... ... ...
Computer1 Computer2 ...

(Every entry in the Access Matrix typically holds bits that represent special permissions such as Read / Write / Execute / Delete. Information pertaining to denial of permission, such as DenyRead / DenyWrite, is sometimes also included.)

The access matrix is a sparse matrix and is stored as a large set of lists with one dedicated list per object. It is therefore relatively easy to determine whether a user or group has access to a dedicated object. However, due to the effort involved, it is almost impossible to determine the set of objects any particular user has access to. This is a consequence, on the one hand, of the ease with which an administrator can inspect the non-empty entries of a column of the access matrix (=ACL); and, on the other hand, of the uselessness of standard tools in looking at a row of the access matrix.

Compounding the problem is the fact that a user’s effective permissions are derived from multiple rows of the access matrix, since almost every user is a member of a number of (sometimes hierarchically organised) groups and collects permissions by group membership.

To make matters even worse, the access matrix itself is relatively large (in a standard system there exist hundreds of users and groups, and hundreds of thousands of objects such as files, directories, Registry keys, entries in the Active Directory, etc.). Since the objects are distributed amongst multiple computers, the access control information is also distributed. So it is much too time consuming and error prone to inspect all these objects without a special tool.

In addition, in most cases a user/group has access to a large set of objects, so even a simple listing of all objects that a user/group has access to is of no use. The listing would be far too long. Special effort must therefore be invested in order to ensure compact representation of this information.

How operating systems manage objects

In standard operating systems, classes of objects are organised in hierarchical structures (users in groups and groups in groups, files and directories and subdirectories, containers and subcontainers, structure of registry keys, etc.). In many cases, if a new object is created, it inherits the permissions of its parent object. This inheritance is implemented in several ways based on different concepts, e.g.:

Main emphasis of the project

The main goal of the project is to design and evaluate approaches to the problem of how permissions (in particular) of hierarchically structured persistent objects can be visualised in a compact, useful and significant way.

The project will deal with "ad personam" permissions as well as effective permissions (which result from group membership) to ensure that the administrator need not rack his brain too much over group structure. In addition, the different concepts of inheritance (as stated above) shall be covered in the one approach.

The approaches developed will be evaluated in a test implementation based on Windows NT and Windows 2000. Special attention will be given to the NT file system (NTFS), the Registry, the Active Directory and the Metabase of the Internet Information Server (IIS).

Brief example

The following tree-structures correspond to the access matrix above:

  • User1 is a member of Group1, which is itself a member of Group2.
  • User2 is a member of Group2 only.
  • Object1 to Object4 represent the drive E:, a directory dir3 and two files.

This - admittedly oversimplified and specific - example produces the following output when asked about the effective permissions belonging to User1 on Computer1: E:\ [change].

The same query for User2 gives the following result: E:\ [read], demonstrating that the user has read-access to the whole disk. The system then finds the exceptions to this - here given by the single extra line E:\dir3 [exec], which shows that the user has only execute-access on this directory and beneath. (More detailed examples may be found in here.)

General remarks

We believe that the problem of efficiently analysing user-specific permissions belonging to a distributed environment, and visualising them in a concise and meaningful manner, is of fundamental importance to a number of operating systems. In addition, Windows NT / 2000 is a suitable testing ground for checking and verifying our results in a real world environment.

Last modified 2001-09-26 by the SAT-Team.