Re: KAuth Analog for Windows
Re: KAuth Analog for Windows
- Subject: Re: KAuth Analog for Windows
- From: Terry Lambert <email@hidden>
- Date: Fri, 27 Feb 2009 15:31:10 -0800
On Feb 27, 2009, at 6:09 AM, brian mcgann wrote
Does anyone know of any analog of any kind to KAuth for Windows?
I've had great success with it on the Mac and I'm looking to extend
my functionality in whole or in part to Windows.
It depends on what you intend to do with it.
The kauth KPI set has a number of intended functions, and you could
always add your own by knowing the semantics of an event point and
acting however you want based on perceived state. The intended ones
are:
(1) Notification only -- "This happened - deal with it"
There are not necessarily corollary events for Windows for all of the
notifications in Mac OS X; to be fair, the same is true going the
other way. But as far as I am aware, there is no central clearing-
house mechanism in Windows.
(2) Authorization of operations -- answering the question "Can actor A
perform action B on object C?"
This is probably best described as "light-weight Mandatory Access
Controls", and it predates them. It also doesn't have the highest
overhead and most problematic part of MAC, which is revocation.
To implement this, we had to go through and change every single place
that computed and applied effective rights to ask that question,
instead. It was a significant architectural change, and exposing the
internals like kauth does to allow third parties to plug in their own
policy modules required a lot of additional architectural changes.
As far as I am aware, Windows doesn't support anything like mandatory
access controls as a centralized architectural mechanism. Windows NT
3.5.1 did pass both common criteria auditing and orange book B1
security certification on specific hardware, which is the stuff that
predates the NSAs and DARPAs work on mandatory access controls, but
I'm not sure how it was carried through architecturally, or if they
supported policy modules. More recent versions of Windows have CC
certified to IEL4.
As far as I'm aware, Mac OS X is the first commercial OS to support
this sort of thing (pluggable policy modules) at all in an off-the-
shelf product (see <http://www.trustedbsd.com/> for more information
on the project that MAC in BSD sources came from).
Newer versions of Windows (specifically, Vista and Windows Server
2008) support a concept called "Mandatory Integrity Control", but the
granularity is pretty low, and I'm pretty sure it doesn't support
pluggable modules; see also:
<http://www.securityfocus.com/infocus/1887>
<http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx>
(3) Management of credentials and common criteria auditing information
Credentials identify the actor and, in some cases, the object being
acted upon, when the object is another actor, rather than something
that has access as a property rather than a right (example: a file
with an ACL on it).
I'm pretty sure the Windows implementation uses user-space
authentication plugins to establish authority, and then uses common
code not under the user's control to set up the credentials, and audit
labels (if any), that the OS uses internally.
-
You would probably be better off asking the BSD/PAM/MAC and CC/ITSEC
people for information, or asking on a Microsft-related mailing list
instead of a Mac OS X one, since the kauth stuff is all original work
by Apple, and most of the MAC stuff was derived from work done under
contract from us, the NSA, and DARPA, among others.
-- Terry
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden