Information Technology Reference
In-Depth Information
appID(['{b8c54a54-355e-11d3-83eb-00a0c92a2f2d}'])],
[['s-1-5-32-544',tnn,[0]],['s-1-5-4',tnn,[0]],
['s-1-5-18',tnn,[0]],
['s-1-5-18',tnn,[1]]]).
Access control rules express the restrictions on system behavior. A system state
transition can take place only after the access has been authorized in kernel mode,
within the MS Windows security subsystem, by the system's reference monitor (the
access control mechanism). Using an object's ACL, the reference monitor compares
information about the client with information about the object to determine whether
the user has the desired access rights (for example, read/write permission) to that
object (for example, a file).
Depending on the outcome of this comparison, the security service will respond to the
client, either serving the object or returning an access-denied failure.
To model this mechanism, we investigated the MS Windows internals (e.g.
using the gray-box testing strategy) and looked through innumerable Microsoft Press
publications. This enabled us to reconstruct the MS Windows protection subsystem in
the form of logical clauses.
Such a specification can be called the ACR-scope. The following code example
shows the ACR-scope of SVC. For lack of space, we do not describe the whole
MS Windows ACR-scope in SPSL. We have prepared only a sample of the read access
check, with comments describing how the system reference monitor works:
..........[abbreviation]........
allow_file_read(U, F) :-
    % System security settings allow user U to traverse
    % through containers of file F
    allow_traverse(U, F),
    % EPL is effective permissions list
    % for user U and file F
    effective_permissions(U, F, EPL),
    % Get PL, the list of privileges granted to user U
    privileges_list(U, PL),
    % Privilege "Backup files and directories"
    % is granted to user U
    (   member(backup, PL), !;
        % Permission "Read data" is granted to user U
        member(0, EPL),
        % Permission "Read attributes" is granted to user U
        (   member(7, EPL), !;
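
The excerpt leaves allow_traverse, effective_permissions and privileges_list undefined and breaks off inside the read check. The following is an added example, not the paper's SPSL code: a small SWI-Prolog model with constructed facts that defines those three predicates so the visible part of the rule can be queried. It assumes the numbers are access-mask bit positions (0 read data, 5 traverse, 7 read attributes), uses a hypothetical bypass_traverse privilege atom, and leaves out the alternative to permission 7 that the excerpt cuts off.

```prolog
:- use_module(library(lists)).   % subtract/3, union/3, memberchk/2

% Constructed sample data. token(User, SIDs, Privileges) is the client's token;
% the 's-1-5-21-...' SIDs and the bypass_traverse atom are assumptions.
token(alice,      ['s-1-5-21-0-0-0-1001', 's-1-5-4'], [bypass_traverse]).
token(bob,        ['s-1-5-21-0-0-0-1002', 's-1-5-4'], [bypass_traverse]).
token(carol,      ['s-1-5-21-0-0-0-1003', 's-1-5-4'], []).
token(backup_svc, ['s-1-5-21-0-0-0-1004'], [backup, bypass_traverse]).

% parent(Object, Container) and dacl(Object, ACEs in evaluation order).
% Permissions are bit numbers: 0 read data, 5 traverse, 7 read attributes.
parent('c:/data/report.txt', 'c:/data').
parent('c:/data', 'c:/').
dacl('c:/', [ace(allow, 's-1-5-4', [5])]).
dacl('c:/data', [ace(allow, 's-1-5-21-0-0-0-1001', [5])]).   % alice only
dacl('c:/data/report.txt',
     [ace(deny,  's-1-5-21-0-0-0-1002', [0]),                % bob: no read data
      ace(allow, 's-1-5-4', [0, 7])]).

ancestor(F, C) :- parent(F, C).
ancestor(F, C) :- parent(F, P), ancestor(P, C).
privileges_list(U, PL) :- token(U, _, PL).

% Walk the DACL in order: an allow ACE grants bits not already denied,
% a deny ACE blocks bits not already granted.
effective_permissions(U, F, EPL) :-
    token(U, SIDs, _), dacl(F, ACEs), walk(ACEs, SIDs, [], [], EPL).
walk([], _, Allowed, _, Allowed).
walk([ace(Type, SID, Perms)|T], SIDs, A0, D0, EPL) :-
    (   memberchk(SID, SIDs) -> apply_ace(Type, Perms, A0, D0, A1, D1)
    ;   A1 = A0, D1 = D0 ),
    walk(T, SIDs, A1, D1, EPL).
apply_ace(allow, Ps, A0, D, A, D) :- subtract(Ps, D, New), union(A0, New, A).
apply_ace(deny,  Ps, A, D0, A, D) :- subtract(Ps, A, New), union(D0, New, D).

% Traverse: either the bypass privilege, or bit 5 on every ancestor container.
allow_traverse(U, F) :-
    token(U, _, PL),
    (   memberchk(bypass_traverse, PL) -> true
    ;   forall(ancestor(F, C),
               ( effective_permissions(U, C, EPL), memberchk(5, EPL) )) ).

% Read check limited to the conditions visible in the excerpt.
allow_file_read(U, F) :-
    allow_traverse(U, F),
    effective_permissions(U, F, EPL),
    privileges_list(U, PL),
    (   memberchk(backup, PL) -> true
    ;   memberchk(0, EPL), memberchk(7, EPL) ).
```

Load it in SWI-Prolog and query allow_file_read(User, 'c:/data/report.txt') for each constructed user to see how the deny ACE, the traverse check and the backup privilege each affect the outcome.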