Thus, Windows uses negative access rights, whereas UNIX does not, generating some differences
in their authorization mechanisms.
Example 4.2. Figure 4.1 shows an example ACL for an object foo. foo's ACL contains three
ACEs. The field principal SID specifies the SID to which the ACE applies. These ACEs apply to
the SIDs Alice, Bob, and Group1. The other two important fields in an ACE are its type (grant
or deny) and the access rights (a bitmask). The Alice and Bob ACEs grant rights, and the Group1
ACE denies access to certain rights. The access rights bitmask is interpreted based on the object type
field in the ACE. We describe how the ACL is used in authorization in the next section.
Figure 4.1: Windows Access Control Lists (ACLs) and process tokens for Examples 4.2 and 4.3.
[Figure content recovered from the page.] Access Control List for foo: Access Control Entry 1 (Principal SID Alice; ACE Type Grant; Access Rights Read, Execute); Access Control Entry 2 (Principal SID Bob; ACE Type Grant; Access Rights Read); Access Control Entry 3 (Principal SID Group1; ACE Type Deny; Access Rights Read, Write). Process P1 token: Principal SID Alice; Group SIDs Group1, Group2; Alias SIDs none. Process P2 token: Principal SID Bob; Group SIDs Group2; Alias SIDs none.
Windows authorization queries are processed by a specific component called the Security Reference
Monitor (SRM). The SRM is a kernel component that takes a process token, an object SID, and a
set of operations, and it returns a boolean result of an authorization query. The SRM uses the object
SID to retrieve its ACL from which it determines the query result.
Because of the negative permissions, the way that the SRM processes authorization queries
is more complicated than in the UNIX case. The main difference is that the ACEs in an ACL are
ordered, and the ACEs are examined in that order. The SRM searches the ACEs until it finds a set
of ACEs that permits the operation or a single ACE that denies the operation. If an ACE grants
the necessary operations, then the request is authorized. However, if a deny ACE is encountered
that includes one of the requested operations, then the entire request is denied.
Example 4.3. Returning to Example 4.2 above, the ACEs of the object's ACL are ordered as shown
in Figure 4.1. Note that the ACE field for access rights is really a bitmap, but we list the operations to
simplify understanding. Further, we specify the process tokens for two processes, P1 and P2. Below,
we show the authorization results for a set of queries by these processes for the target object.
P1, read: ok
P1, read, write: no
P2, read: ok
P2, read, write: no
Both P1 and P2 can read the target object, but neither can write the object. P1 cannot write
the object because the P1 token includes Group1, which matches the deny ACE for writing. P2
cannot write the object because the ACE for Bob does not permit writing.
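The ordered ACE walk described above and the four queries of Example 4.3 can be checked mechanically. The following Python is an added example, not code from the book or from Windows itself: the bit values chosen for the rights, the ACE and Token classes, and the functions authorize, example_4_3 and deny_first are all constructed for this illustration. It implements exactly the rule the text states (matching grant ACEs accumulate rights until the request is covered; the first matching deny ACE that overlaps the request rejects it), treats running off the end of the ACL without full coverage as a deny (an assumption the text leaves implicit), and goes one step further than the example by showing that moving the deny ACE to the front of the ACL changes the answer for P1.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Access rights are bits of a bitmask, as in a real ACE; these bit values are
# constructed for the example, not the actual Windows access-mask layout.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
RIGHT_NAMES = {READ: "read", WRITE: "write", EXECUTE: "execute"}


def rights_to_names(mask: int) -> str:
    """Render a rights bitmask as the operation names the chapter uses."""
    return ", ".join(name for bit, name in RIGHT_NAMES.items() if mask & bit) or "(none)"


@dataclass(frozen=True)
class ACE:
    principal_sid: str
    ace_type: str        # "grant" or "deny"
    access_rights: int   # bitmask of rights this ACE grants or denies


@dataclass(frozen=True)
class Token:
    principal_sid: str
    group_sids: FrozenSet[str] = frozenset()
    alias_sids: FrozenSet[str] = frozenset()

    def sids(self) -> FrozenSet[str]:
        """Every SID an ACE may match for this process token."""
        return frozenset({self.principal_sid}) | self.group_sids | self.alias_sids


def authorize(token: Token, acl: List[ACE], requested: int) -> Tuple[bool, str]:
    """Walk the ACL in order, as the chapter describes the SRM doing.

    Grant ACEs matching one of the token's SIDs accumulate rights until the whole
    request is covered; the first matching deny ACE that overlaps the request
    rejects it outright. Reaching the end of the ACL without full coverage is
    treated as a deny (assumed default; the chapter does not state it).
    """
    remaining = requested
    token_sids = token.sids()
    for idx, ace in enumerate(acl, start=1):
        if ace.principal_sid not in token_sids:
            continue
        if ace.ace_type == "deny":
            if ace.access_rights & requested:
                return False, f"denied by ACE {idx} ({ace.principal_sid})"
        elif ace.ace_type == "grant":
            remaining &= ~ace.access_rights
            if remaining == 0:
                return True, f"granted by ACEs up to ACE {idx} ({ace.principal_sid})"
        else:
            raise ValueError(f"unknown ACE type {ace.ace_type!r}")
    return False, f"no ACE grants {rights_to_names(remaining)}"


# The ACL for object foo and the two process tokens from Figure 4.1.
FOO_ACL = [
    ACE("Alice", "grant", READ | EXECUTE),   # ACE 1
    ACE("Bob", "grant", READ),               # ACE 2
    ACE("Group1", "deny", READ | WRITE),     # ACE 3
]
P1 = Token("Alice", group_sids=frozenset({"Group1", "Group2"}))
P2 = Token("Bob", group_sids=frozenset({"Group2"}))


def example_4_3() -> dict:
    """The four queries of Example 4.3, keyed by (process, requested rights)."""
    queries = [("P1", P1, READ), ("P1", P1, READ | WRITE),
               ("P2", P2, READ), ("P2", P2, READ | WRITE)]
    return {(name, rights_to_names(rights)): authorize(tok, FOO_ACL, rights)[0]
            for name, tok, rights in queries}


def deny_first(acl: List[ACE]) -> List[ACE]:
    """Reorder an ACL so deny ACEs precede grant ACEs (Windows' canonical order)."""
    return [a for a in acl if a.ace_type == "deny"] + [a for a in acl if a.ace_type == "grant"]


if __name__ == "__main__":
    for (proc, rights), ok in example_4_3().items():
        print(f"{proc}, {rights}: {'ok' if ok else 'no'}")
    # Order matters: with the Group1 deny ACE moved to the front, P1 can no longer read.
    print("P1, read, deny ACE first:", authorize(P1, deny_first(FOO_ACL), READ))
```

Running the block prints the same four verdicts the text lists, and the final line shows why the ordering of ACEs is part of the policy: the very same three ACEs, with the Group1 deny placed first, refuse P1's read because the deny is reached before Alice's grant can cover the request.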
Mediation in Windows is determined by a set of object managers. Rather than a monolithic set
of system calls to access homogeneous objects (i.e., files) in UNIX, each object type in Windows has
an object manager that implements the functions of that type. While the Windows object managers
all run in the kernel, the object managers are independent entities. This can be advantageous from
a modularity perspective, but the fact that object managers may extend the system presents some
challenges for mediation. We need to know that each new object manager mediates all operations
and determines the rights for those operations correctly. There is no process for ensuring this in
In Windows, the trusted computing base consists of all system services and processes running
as a trusted user identity, such as Administrator. Windows provides a setuid-like mechanism
for invoking Windows Services that run at a predefined privilege, at least sufficient to support all
clients. Thus, vulnerabilities in such services would lead to system compromise. Further, the ease
of software installation and the complexity of the discretionary Windows access control model often
result in users running as Administrator. In this case, any user program would be able to take
control of the system. This is often a problem on Windows systems. With the release of Windows
Vista, the Windows model is extended to prevent programs downloaded from the Internet from
Footnote (on the ACE that grants the necessary operations): It may take multiple ACEs to grant all the requested operations, so this refers to the ACE that grants whatever remaining operations were requested.
Footnote (on the trusted computing base): In addition, these services and processes may further depend on non-Administrator processes, which would make the system TCB even less secure.