ACM (Access Control Model), Security Identifiers (SID), security descriptors (Security Descriptor), ACL (Access Control List), access tokens (access token)

The words in Windows core programming cannot dispel doubts. Let's explain it to us in msdn. If you want to give a detailed introduction, go to msdn and take a closer look. I just want to describe it in a language that is easy to understand.

 

Windows ACM and access control mode are composed of two parts. One is access tokens, and the other is Security Identifiers ).

 

An access token is the information used by the process to access the data that indicates its identity and privilege.

The security descriptor is the security information of the security object to be accessed. Such as what kind of user access requests can be allowed, and what kind of user or group access is to be rejected.

• Security Identifiers (SID)

I often hear Sid. What is Sid? According to msdn, Sid is the unique value used to identify the trustful Party, and its length is variable. The trusted party is the user, group, and session. Therefore, we can basically regard Sid as a user name, a group name, and a session name. They are only certified for security and will not be repeated, that is, they are secure and reliable. If we mention the SID of Michael, we can understand it as "Michael (real)".

• Security descriptors (Security Descriptor)

Msdn says the Security Descriptor contains the security information that describes a security object. In fact, this sentence is correct, but it is probably true. Let's take a look at what the security descriptor describes?

 

Security descriptors include:

1. Sid of the owner of the security object associated with the security descriptor and Sid of the main group of the owner

2. a dacl (Discretionary Access Control List)

3. a sacl (system access control list)

4. A set of control bits that match the meaning of the Security Descriptor

 

The first point does not need to be mentioned. The second and third points refer to the following ACL for detailed explanation. DACL and SACL are two types of ACL. The fourth point is unknown.

• ACL (Access Control List, access control list)

When we mention something like an access control list, we will be more afraid. In fact, at first I was very scared. Because I used to have no feelings for those computer theoretical terms. But after understanding it, it is quite good.

The ACL includes two types of access control lists, but the basic format of the List is the same, that is, the List entry (also called the access control entry, Ace, access control entry ). The two security control lists are:

 

1. DACL (Free Access Control List)

Just like its name, DACL is a free (corresponding) access control list that shows everyone else. What does this mean? Let's take a look at what is in DACL. You can see it clearly.

 

 

I believe that I can understand more than half of this image. A dacl is a list, and each list entry (ACE) is an access control instruction for a Sid, which describes whether the SID is denied or allowed. If yes, what permissions are granted to this Sid. Of course, this figure is very vivid, but in reality Ace is not a string. What is the ace like?

Ace actually consists of four parts, but the above picture is too good.

The four parts are:

 

1. Access to a user SID of this ace (corresponding to Andrew)

2. the user's access permission mask (read, write, execute)

3. There are three ace types in total. Access-denied ace, access-allowed ace, system-Audit ace. The first two are DACL and the last is SACL.

4. Can this ace be inherited by other security objects.

 

How does DACL work?

Just like what I want to display, the thread needs to display its own token to access a secure object (it is very user-friendly, in fact, there is an operating system to view the thread access tokens data structure ), compare the access tokens user Sid, group Sid, and permissions with each ace data item in the DACL until an ace is compared to explicitly allow the operations required by this thread, you can also explicitly deny the access request of this thread, or you cannot find any of the above cases to end up, then the default deny. The comparison of the linked list is sequential from start to end. If the order of the linked list changes, the original access request may be the same.

For example, if the order of ace3 and ace1 is changed, the request of thread a is allowed. So the order is very important. So if you want to build a DACL for a security descriptor, the programmer should be cautious when using APIs to add an ace. Note that an ace is always added at the end of a linked list when you add an API function.

 

Ace inheritance has not been fully studied and is currently stranded!

 

2. SACL (system access control list)

 

What is SACL? It is actually an audit center. The list lists the types of access requests that need to be recorded by the system. Once a user accesses a security object, the access permission requested by the user matches an ace in the SACL, the system will record whether the user's request is denied or allowed. In the future, security objects may issue warnings for unauthorized user access, as mentioned in msdn.

• Access tokens (access token)

We can understand the access token in this way, but we should first introduce the complete concept.

The access token contains 12 items:

1. Security ID of the current user (described later ),
2. The Security ID of the group to which the current user belongs.
3. The Security ID of the authorized session.
4. A list of all privileges of a user (including the user itself and the group to which the user belongs ).
5. The Security ID of the token owner.
6. Security ID of the user's main group.
7. Default Free Access Control List (will be introduced later ).
8. Source Access Token
9. Indicates whether the token is a source token or a simulated token.
10. Optional linked list, indicating which Sid is restricted by this token
11. Current simulated token level
12. Other data

When you see so many data items, you should know how much security measures will cost.

An access token describes the Security Information of a process or thread. This information indicates the identifier and privilege of the user associated with the process or thread. When a user logs on to the system, the system compares the user password with the response password in the system database. If the verification succeeds, the system generates an access token for the user. In the future, all the threads opened by this user will inherit from this token. Use this token to access the security object. (The access token obtained by the Administrator after logging on to Windows Vista is different from the token started by the Administrator. The process token is filtered, in other words, to reduce the permission, the process must send an application to obtain the Administrator's access token (or club permission). The system displays a dialog box to check whether the program can be started in this way .)

 

Each process has at least one access token, that is, the master access token. Why is it the master? Because some processes may simulate another user and will or another user's token, and that token is the simulated token. The system reviews the access and security objects of processes and uses the primary access token. The specific information is unknown for the moment.

 

This is basically a preliminary understanding of Windows ACM.