[cap-talk] ... enforcement - ambient authority -definition correction

marcs marcs at skyhunter.com
Fri Oct 1 13:31:39 EDT 2004

> > user is the owner, for heaven's sake). However, I have since spent a year
> > digging in the heart of WinXP security, and it's just not true. Windows
> > doesn't do POLA at any level of granularity :-)
>
> I'm curious to find out more about the last two sentences above. Of course
> WinXP does allow distinct logons and has some kind of distinct access
> rights for separate logons (e.g. administrative access). It appears to
> label files with a userid and have a notion of groups similar to Unix. Are
> you saying it is all a sham? Can you elaborate a bit (pick a new subject
> if you like)?

POLA requires that you be able to designate fine grain authorities. Forget
about bundling authority with designation, you first have to be able to
designate an authority, some way, somehow.

The limits to what can be designated for control under a Windows ACL (or a
Linux ACL, for that matter) are severe. The one that just leapt out at me
(stabbed me in the back, actually), is the inability to say, "hey, for user
account X, deny access to the network" (not that this would be anywhere near
POLA). I would consider it marginally adequate if I could say, "for user
account X, here is the list of IP addresses and domain names the user may
access." Now, let's be clear. There is a full page of network access controls
on Windows, if you dig around enough for them...and they're all strange and
generally pointless. It looks like they arbitrarily identified everything
that was easy to shut off or turn on at some deep, obscure system level,
slapped checkboxes for 'em in a window, and declared themselves victorious.

Really, there are no (meaningful) controls for any aspect of the system
except files and registry keys. Clocks, clipboards, screens, keyboards,
devices in general, loaded running objects (like background services),
anything else that might be considered an authority, none are covered. And
since ACLs are not composable or extensible (I can't interpose one in front
of the other, or anything like that, as in a capability system), putting a
different authority under the control of the ACL system requires
modification of the kernel. Sheesh.

I actually read a paper from a researcher at Microsoft who modified the
kernel to support the kind of network access controls I needed. In his
concluding paragraph he laments (very gently, of course) that his controls
won't go into the production version of Windows. Sheesh and sheesh again.
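As an added example, not part of the post above or of any cap-talk project: a capability-style network authority where the "deny access to the network" and "here is the list of hosts the user may access" controls are expressed by interposing an attenuating forwarder, and where forwarders compose by wrapping one in another. The class names (NetworkAuthority, Allowlisted, AuthorityDenied) are invented for the example, and no real sockets are opened; a constructed connector only records the destination.

```python
class AuthorityDenied(PermissionError):
    """Raised when an attenuating forwarder refuses a request."""


class NetworkAuthority:
    """The full authority: whoever holds this can 'connect' anywhere.
    A real system would wrap socket.create_connection; here `connector`
    is a constructed stand-in that records the destination and returns a
    string, so the example runs offline."""

    def __init__(self, connector):
        self._connector = connector

    def connect(self, host, port):
        return self._connector(host, port)


class Allowlisted:
    """Attenuating forwarder: same interface as NetworkAuthority, but only
    forwards to hosts in the allowlist. The holder never sees the wrapped
    object, so the restriction cannot be bypassed. Wrapping an Allowlisted
    in another Allowlisted yields the intersection of the two lists."""

    def __init__(self, inner, allowed_hosts):
        self._inner = inner
        self._allowed = frozenset(allowed_hosts)

    def connect(self, host, port):
        if host not in self._allowed:
            raise AuthorityDenied(f"connection to {host!r} not permitted")
        return self._inner.connect(host, port)


def deny_network(inner):
    """'For user account X, deny access to the network': an empty allowlist."""
    return Allowlisted(inner, ())


def demo():
    log = []  # every connection the raw authority actually made
    full = NetworkAuthority(lambda h, p: log.append((h, p)) or f"{h}:{p}")
    # 'User account X' is handed only an attenuated reference, never `full`.
    user_net = Allowlisted(full, {"updates.example", "mail.example"})
    # A program launched by that user gets a further attenuation of user_net.
    mailer_net = Allowlisted(user_net, {"mail.example", "smtp.other"})
    attempts = [("mailer", mailer_net, "mail.example"),      # allowed by both
                ("user", user_net, "evil.example"),          # not in user list
                ("mailer", mailer_net, "updates.example"),   # user ok, mailer not
                ("denied", deny_network(full), "mail.example")]
    results = {}
    for who, net, host in attempts:
        try:
            results[f"{who}->{host}"] = net.connect(host, 25)
        except AuthorityDenied:
            results[f"{who}->{host}"] = "denied"
    return results, log
```

Only the one permitted request ever reaches the raw authority; the others are refused by the forwarder in front of it, which is the interposition an ACL cannot express.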