Message-ID: <d87b02ad0601312100i68783b56w@mail.gmail.com>
Date: Wed Feb  1 05:00:28 2006
From: lucianobellou at gmail.com (Luciano Faletti)
Subject: Windows Access Control Demystified.

Interesting, very interesting. I'll take a look

regards,
Luciano
(new in the list)

2006/1/31, sudhakar+fulldisclosure@...princeton.edu <
sudhakar+fulldisclosure@...princeton.edu>:
>
>
> Hello everybody,
>
> We have constructed a logical model of Windows XP access control, in a
> declarative but executable (Datalog) format.  We have built a scanner
> that reads access-control configuration information from the Windows
> registry, file system, and service control manager database, and feeds
> raw configuration data to the model.  Therefore we can reason about
> such things as the existence of privilege-escalation attacks, and
> indeed we have found several user-to-administrator vulnerabilities
> caused by misconfigurations of the access-control lists of commercial
> software from several major vendors.  We propose tools such as ours as
> a vehicle for software developers and system administrators to model
> and debug the complex interactions of access control on installations
> under Windows.
>
>
> The full version of the paper can be found at:
>
> http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
>
>
> All the vendors and CERT are aware of this paper. The bugs are *not*
> remotely exploitable. The CERT id is VU#953860.
>
>
> regards,
> Sudhakar Govindavajhala and Andrew Appel.
>
> Bio:
>
> Sudhakar Govindavajhala is a finishing PhD student at Computer Science
> department, Princeton University. His interests are computer security,
> operating systems and networks. Sudhakar is looking for employment
> opportunities.
>
>
> Andrew Appel is a Professor of Computer Science at Princeton University.
> He is currently on sabbatical at INRIA Rocquencourt. His interests are
> computer security, compilers, programming languages, type theory, and
> functional programming.
>
>
>
>
>
>
> Sudhakar Govindavajhala                   Department of Computer Science
> Graduate Student,                         Princeton University
> Ph : +1 609 258 1763
>                 http://www.cs.princeton.edu/~sudhakar
>
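
The approach described in the quoted announcement (configuration facts fed to declarative rules that derive privilege-escalation paths) can be sketched as a naive Datalog-style fixpoint in Python. This is an added example, not part of the thread and not the authors' tool; every fact, principal name and resource name, and both rules, are constructed assumptions.

```python
# Constructed facts standing in for scanner output; every name is hypothetical.
# member(Principal, Group)
MEMBER = {("alice", "Users"), ("bob", "Users"), ("bob", "Backup Operators"),
          ("carol", "Guests"), ("LocalSystem", "Administrators")}
# write(Principal, Resource): an ACL entry granting write access
WRITE_ACL = {("Users", "file:updater.exe"), ("Users", "file:notes.txt"),
             ("NetworkService", "file:plugin.dll"),
             ("Backup Operators", "svc-config:ReportSvc"),
             ("Administrators", "file:core.exe")}
# runs_as(Resource, Account): the resource is executed, or decides what is
# executed, under Account
RUNS_AS = {("file:updater.exe", "NetworkService"),
           ("file:plugin.dll", "LocalSystem"),
           ("svc-config:ReportSvc", "LocalSystem"),
           ("file:core.exe", "LocalSystem")}

def can_write(principal, member, write_acl):
    """Resources writable by principal directly or through a group."""
    holders = {principal} | {g for p, g in member if p == principal}
    return {res for p, res in write_acl if p in holders}

def derive_acts_as(member, write_acl, runs_as):
    """Least fixpoint of:
         acts_as(U, U).
         acts_as(U, A) :- acts_as(U, B), can_write(B, X), runs_as(X, A).
    Returns {(U, A): [resources modified along the way]}."""
    principals = {p for p, _ in member} | {a for _, a in runs_as}
    acts_as = {(p, p): [] for p in principals}
    changed = True
    while changed:
        changed = False
        for (u, b), chain in list(acts_as.items()):
            for x in can_write(b, member, write_acl):
                for res, a in runs_as:
                    if res == x and (u, a) not in acts_as:
                        acts_as[(u, a)] = chain + [x]
                        changed = True
    return acts_as

def admin_paths(member, write_acl, runs_as, admin_group="Administrators"):
    """Non-admin principals that can reach an account in admin_group."""
    admins = {p for p, g in member if g == admin_group}
    derived = derive_acts_as(member, write_acl, runs_as)
    return {u: chain for (u, a), chain in derived.items()
            if a in admins and u not in admins}

if __name__ == "__main__":
    for user, chain in sorted(admin_paths(MEMBER, WRITE_ACL, RUNS_AS).items()):
        print(user, "->", " -> ".join(chain))
```

Each reported chain lists the ACL entries to tighten; removing one write grant and re-running shows whether the derived path disappears.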