[mdlug] The new "surface" computer

G Balaji gopinathan.balaji at gmail.com
Wed Jul 18 14:31:07 EDT 2007


On 7/18/07, Robert Adkins <radkins at impelind.com> wrote:
> -------- Original Message  --------
> Subject: Re:[mdlug] The new "surface" computer
> From: G Balaji <gopinathan.balaji at gmail.com>
> To: MDLUG's Main discussion list <mdlug at mdlug.org>
> Date: Wednesday, July 18, 2007 1:24:22 PM
> > I don't recall everything, nor do I recall correctly, but I think: -
> >
> > 1. One of the initial reasons for the introduction of ADS was security.
> >
> > 2. Windows 2000 Professional edition was the only commercial OS (does
> > this exclude *BSD/Linux?) to be certified by the US Military that it
> > was compliant for one of their (top) INFOSEC standards, and I think
> > ADS played a big part in it.
> >
> > 3. ADS, in secure environments, is used to increase security by
> > placing additional file attributes - say, a document can be marked as
> > non-printable, even if it is readable and writeable. It can also be
> > used to embed file-application attributes - say, a document can be
> > opened with only Application X. It can also be used to embed
> > file-application-user attributes - say, a document can be printable
> > only by user X and only by using application Y. If these features of
> > ADS are used in the right secure environments, a file cannot be
> > compromised - modified/copied/sent-over-network etc, as long as the
> > (securely hardened) operating system is running.  These are in
> > addition to the security restrictions (ownership, group rights, disk
> > quota restrictions etc..) that are handled by, and stored in the file
> > system manager.
> >
> > Also, ADS is programmer-extensible - any programmer can enhance their
> > security system by embedding their own dreamt-up custom rights using
> > ADS.
> >
> > Of course, this customizable aspect of it was what was used by malware writers.
> >
> > Apologies for not providing references.. some of what I'd read was on
> > real paper (the description of the referred INFOSEC standard was part
> > of a graduate-level Network Security course curriculum*); but most if
> > not all of the above can be looked into, and be either rejected or
> > accepted.
> >
> > [* : somebody else might recognize the actual standard from one of
> > what I thought was its salient features: a user with a certain
> > clearance-level security can read a document at his security clearance
> > level and all lower levels, but can author/write a document only at
> > his clearance-level or higher]
> >
> > -B.
> >
> >
>     All of that is fine and dandy and some of that does make sense...
> except.
>
>     A. Without using an externally available tool, there is no way for a
> user to become aware that ADS has been used on their PC. (User
> includes the System Administrator who may have built the system and
> installed the OS as well.)
>
>     B. Everything I have read shows that there is no logging performed
> regarding the creation, modification or deletion of any ADS elements.
>
>     C. Even with what you wrote about the
> security/government/military/secret "benefits" of this, from what I have
> read pretty much anyone who has RW access to a given file can easily
> strip out anything placed into or inject more into the ADS of a given
> file. The utility is a simple built-in Windows command with no real
> security built into it. The NTFS Driver would have to be customized to
> understand to even look for the extra bits tucked away in the ADS in
> order to be of any real use.
>
>     -Rob
>
>
>

All true. I agree.

If the NTFS driver is not ADS-aware, then, yes, the benefits of ADS wash away.
But, similarly, it is true of almost all non-encrypted file systems -
if the file system is not running, then there is no security for its
files - the intruder can load his own file system manager, disregard
security flags, and steal information.

ADS was intended to be used as a small, but important, measure in
ensuring overall security of an operating system - but this works only
if all other measures are in place and are effective.

If not in the original design decisions, at least from the (harsh)
lessons learnt, ADS should have been severely restricted - if nothing
else, at least in the max size an ADS stream can grow up to.

-B.
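Rob's point A above is that nothing built into Windows tells a user or administrator that a file carries alternate data streams. The script below is an added example (not code from this thread or from either poster) showing how an administrator can audit a directory tree for streams other than the default `:$DATA` and see their sizes, which also illustrates B.'s closing remark that a stream's size is not capped. It assumes PowerShell 3.0 or later on an NTFS volume; the function name `Find-AlternateDataStream`, the `hidden` stream name and the demo file under `$env:TEMP` are constructed for the example.

```powershell
# Added example, not code from the thread: audit a directory tree for NTFS alternate data
# streams. Assumes PowerShell 3.0+ (the -Stream parameter) and an NTFS volume.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Streams that are routinely present and usually benign (Zone.Identifier is written
        # by browsers on downloaded files); listed so they can be filtered from the report.
        [string[]] $Ignore = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the file's ordinary content; every other entry is an alternate stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Demonstration on a constructed file in the temp directory (assumed to be writable NTFS).
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'visible content'
# Write a named stream of 4 KiB; Explorer and a plain directory listing report only the
# size of the main stream, so the extra data is invisible without an enumeration like this.
Set-Content -LiteralPath $demo -Stream 'hidden' -Value ('x' * 4096)

Find-AlternateDataStream -Root $env:TEMP |
    Where-Object File -eq $demo |
    Format-Table -AutoSize

# Read the stream back, then remove the stream and the demo file.
Get-Content -LiteralPath $demo -Stream 'hidden' | Measure-Object -Character
Remove-Item -LiteralPath $demo -Stream 'hidden'
Remove-Item -LiteralPath $demo
```

Run against a user profile or a download directory and sort the output by `Bytes` to surface unusually large streams. The same listing is available from cmd.exe with `dir /r`, which prints each stream's name and size next to its file; the point of wrapping it in a function is to run it on a schedule and keep the output as a baseline, since, as the thread notes, nothing in the OS announces that a stream was added.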


