Bugtraq mailing list archives

Windows Access Control Demystified


From: sudhakar+bugtraq () cs princeton edu
Date: 31 Jan 2006 23:08:18 -0000


Hello everybody,

We have constructed a logical model of Windows XP access control, in a declarative but executable (Datalog) format. We
have built a scanner that reads access-control configuration information from the Windows registry, file system, and
service control manager database, and feeds raw configuration data to the model. Therefore we can reason about such
things as the existence of privilege-escalation attacks, and indeed we have found several user-to-administrator
vulnerabilities caused by misconfigurations of the access-control lists of commercial software from several major
vendors. We propose tools such as ours as a vehicle for software developers and system administrators to model and
debug the complex interactions of access control on installations under Windows.


The full version of the paper can be found at:

http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf


All the vendors and CERT are aware of this paper. The bugs are *not* 
remotely exploitable. The CERT id is VU#953860.


regards,
Sudhakar Govindavajhala and Andrew Appel.

Bio:

Sudhakar Govindavajhala is a finishing PhD student at the Computer Science department, Princeton University. His interests
are computer security, operating systems and networks. Sudhakar is looking for employment opportunities.


Andrew Appel is a Professor of Computer Science at Princeton University. He is currently on sabbatical at INRIA
Rocquencourt. His interests are computer security, compilers, programming languages, type theory, and functional
programming.
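
Added example, not part of the original post and not the authors' model: a minimal Datalog-style fixpoint in Python that shows how ACL facts from a scanner can be audited for unintended paths to a privileged identity. The three rules, the fact layout and every name (alice, ExampleUpdater, ExampleAgent.exe) are assumptions made up for illustration.

```python
# Added illustration; the rules and all names are assumptions, not the paper's model.
# Constructed facts of the kind a configuration scanner would emit.
MEMBER = [("alice", "Users"), ("admin1", "Administrators")]
# (trustee, resource): an ACL entry gives trustee write access to resource
CAN_WRITE = [("Users", "service:ExampleUpdater"),
             ("Administrators", "file:ExampleAgent.exe")]
# (resource, account): the resource's content is executed as account
RUNS_AS = [("service:ExampleUpdater", "LocalSystem"),
           ("file:ExampleAgent.exe", "LocalSystem")]
PRIVILEGED = {"Administrators", "LocalSystem"}

def derive(member, can_write, runs_as):
    """Bottom-up evaluation to a fixpoint of:
         acts_as(P, P).
         acts_as(P, G) :- acts_as(P, X), member(X, G).
         acts_as(P, A) :- acts_as(P, X), can_write(X, R), runs_as(R, A).
       Returns {(P, identity): the fact that justified the derivation}."""
    names = {n for pair in member for n in pair} | {t for t, _ in can_write}
    acts_as = {(n, n): "self" for n in names}
    changed = True
    while changed:
        changed = False
        for p, x in list(acts_as):
            new = [(g, f"{x} is a member of {g}") for m, g in member if m == x]
            new += [(a, f"{x} may write {r}, which runs as {a}")
                    for t, r in can_write if t == x
                    for r2, a in runs_as if r2 == r]
            for ident, why in new:
                if (p, ident) not in acts_as:
                    acts_as[(p, ident)] = why
                    changed = True
    return acts_as

def escalations(member, can_write, runs_as, privileged=PRIVILEGED):
    """Privileged identities a principal reaches only through ACL write edges."""
    intended = derive(member, [], runs_as)        # group membership alone
    actual = derive(member, can_write, runs_as)   # membership plus ACLs
    already = set(privileged) | {p for p, i in intended if i in privileged}
    return sorted((p, i, why) for (p, i), why in actual.items()
                  if i in privileged and p not in already)

if __name__ == "__main__":
    for p, i, why in escalations(MEMBER, CAN_WRITE, RUNS_AS):
        print(f"{p} -> {i}: {why}")
```

Each finding carries the ACL fact that justified it, which is the entry an administrator would tighten; rerunning the check after removing that entry should return no findings.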

