Security Reference Monitor (SRM)

  • Most important subsystem in the kernel.

  • Implements the security mechanisms that restrict which users can access different resources.

  • Every process running on the system gets an access token

    • SRM manages the access token and defines the identity of the user associated with a process

  • Responsible for generating audit events whenever a user accesses a resource

    • These audit events can be used to identify malicious behavior on a system and also to diagnose security misconfigurations.

  • Security Identifiers (SIDs) - binary structures representing users and groups

  • Local Security Authority Subsystem (LSASS)

    • Converts user and group names to SIDs

    • Runs inside a privileged process independent from any logged-in users

  • Security Descriptor Definition Language (SDDL)

    • Format used to represent a SID as a string

    • SDDL can represent the entire security descriptor of a resource

  • Output contains the SID in SDDL format

    • S character - indicates that what follows is an SDDL SID

    • Revision of the SID structure in decimal; it has a fixed value of 1

    • The security authority. Authority 5 indicates the built-in NT authority

    • Two relative identifiers (RIDs) in decimal. The RIDs (here 32 and 545) identify the group within the NT authority
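As an added example that is not part of the original notes, the Python below parses an SDDL SID string such as S-1-5-32-545 into the revision, authority and RIDs described above, and converts it to and from the binary SID structure. The binary layout assumed here (revision byte, sub-authority count byte, 48-bit big-endian authority, then little-endian 32-bit sub-authorities, at most 15 of them) is the documented SID structure.

```python
import re
import struct

# SDDL SID string: "S-<revision>-<authority>[-<rid>...]".
# Zero or more sub-authorities are allowed (e.g. S-1-1-0 has one).
SID_PATTERN = re.compile(r"S-(\d+)-(\d+)((?:-\d+)*)")
MAX_SUB_AUTHORITIES = 15          # SID_MAX_SUB_AUTHORITIES


def parse_sddl_sid(text):
    """Split an SDDL SID string into (revision, authority, [rids])."""
    m = SID_PATTERN.fullmatch(text)
    if not m:
        raise ValueError(f"not an SDDL SID: {text!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    rids = [int(r) for r in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("authority does not fit in 48 bits")
    if len(rids) > MAX_SUB_AUTHORITIES or any(r >= 1 << 32 for r in rids):
        raise ValueError("too many or too large sub-authorities")
    return revision, authority, rids


def sid_to_bytes(text):
    """Encode an SDDL SID string in the binary SID layout."""
    revision, authority, rids = parse_sddl_sid(text)
    header = bytes([revision, len(rids)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", r) for r in rids)


def bytes_to_sid(data):
    """Decode a binary SID back to its SDDL string form, validating lengths."""
    if len(data) < 8:
        raise ValueError("SID too short for header")
    revision, count = data[0], data[1]
    if count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    rids = struct.unpack(f"<{count}I", data[8:])
    return "S-" + "-".join(str(v) for v in (revision, authority, *rids))


if __name__ == "__main__":
    print(parse_sddl_sid("S-1-5-32-545"))        # (1, 5, [32, 545])
    print(sid_to_bytes("S-1-5-32-545").hex())
```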
