Information Technology Reference
In-Depth Information
SYSTEM
(its SID equals to S-1-5-18) and '
Administrators
' group (S-1-5-32-544) are
allowed to do '
Full Access
' to
Normal.dot
. All other cases are considered to be
vulnerable.
In the mentioned style, we can compose a full range of OSCV-criteria. It becomes
able to handle even context-related conditions, such as "The system is vulnerable, if
Administrator
can modify object
X
, provided she is connected to the local console".
Such conditions are indeed part of Microsoft Windows security model. From the point
of security, all kinds of user's activity in the system (such as connection to the local
console, applications running, etc) are mapped to Win32API functions calls operated
with the Windows recourses. List of functions calls and set of resources maintained
by the Windows security (so named as
securable objects
) are defined in MSDN.
Because of monitoring a variety of operations over the securable objects, we can
analyze the user's activity in the system.
We have the VCPU's input with a triple (M3S-scopc, ACR-scope, and SSC-scope)
written in SPSL. Then we have run the resolving program for SVC. The VCPU makes
calculus using our vulnerabilities detection technique. It takes the M3S-scope and
finds the target object mentioned in the SSC-scope. Then it calculates the sets of the
"pure" access rights taking into account all other security settings, e.g. privileges,
ownerships, and etc. To do this VCPU uses the ACR-scope. Then it compares the
rights sets, and makes the result tests for vulnerabilities using the SSC-scope and
ACR-scope (
Test P1
and
Test P2
). After the running procedure, we have got a result
file — the security evaluation
Report
. The following text example shows the report
file for our SVC.
*** SYSTEM SAFETY RESOLUTION ***
CRITERION #1:
Users are not allowed to edit the file Normal.dot
>>
VIOLATION DETECTED
:
subject group <
Users
>
has unauthorized permissions
bits [0, 1]
[
Read Data
,
Write Data
]
for object(s) file
c:\documents and settings\
administrator\
application data\
microsoft\templates\
normal.dot
..........[abbreviation]........
