Automatic Configuration Vulnerability Analysis
We have constructed a logical model of Windows XP access control, in a declarative but executable (Datalog) format. We have built a scanner that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model. We found a surprising result: commercial software from major vendors routinely has user-to-administrator privilege-escalation vulnerabilities that result not from buffer overruns (or other bugs inside the software) but just from misconfigurations of permissions and registry entries. Our scanner and analyzer run efficiently and quickly detect these configuration bugs. Furthermore, our new Windows model can be combined with previous models of Unix, firewalls, and CERT advisories to give a more accurate global picture of the vulnerabilities in a heterogeneous enterprise network. Our tool could be used by software vendors (and system integrators) to improve their installation configurations and by sysadmins for day-to-day vulnerability analysis.
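The following is an added illustration, not the paper's model or scanner, of how Datalog-style rules evaluated over scanned configuration facts can derive a multi-step escalation from permissions alone. The account names, paths, ACL entries, the `svc:` naming, and the three rules are constructed assumptions.

```python
# Illustrative rules and constructed facts; not the paper's model or scanner output.
MEMBER = {("alice", "Users"), ("svc_backup", "BackupSvcs")}   # (account, group)
# (service name, account the service runs as, executable path)
SERVICE = {
    ("UpdaterSvc", "svc_backup", r"C:\Vendor\updater.exe"),
    ("AgentSvc", "LocalSystem", r"C:\Vendor\agent.exe"),
}
# (resource, principal, right); "svc:<name>" stands for the service's own ACL
ACL = {
    (r"C:\Vendor\updater.exe", "Users", "write"),
    (r"C:\Vendor\agent.exe", "Administrators", "write"),
    ("svc:AgentSvc", "BackupSvcs", "change_config"),
}

def holds(principal, resource, right):
    """holds(P,R,X) :- acl(R,P,X).  holds(P,R,X) :- member(P,G), acl(R,G,X)."""
    ids = {principal} | {g for (u, g) in MEMBER if u == principal}
    return any((resource, i, right) in ACL for i in ids)

def escalations():
    """Least fixpoint of can_run_as(P, Account) over the facts above."""
    accounts = {u for (u, _) in MEMBER} | {a for (_, a, _) in SERVICE}
    # can_run_as(P,A) :- service(S,A,Bin), holds(P,Bin,write).
    # can_run_as(P,A) :- service(S,A,_), holds(P,svc:S,change_config).
    derived = {
        (p, acct)
        for p in accounts
        for (name, acct, binary) in SERVICE
        if p != acct and (holds(p, binary, "write")
                          or holds(p, "svc:" + name, "change_config"))
    }
    # can_run_as(P,B) :- can_run_as(P,A), can_run_as(A,B).  Iterate to fixpoint.
    while True:
        step = {(p, b) for (p, a) in derived for (a2, b) in derived
                if a == a2 and p != b}
        if step <= derived:
            return derived
        derived |= step

if __name__ == "__main__":
    for p, acct in sorted(escalations()):
        print(f"{p} can execute code as {acct}")
```

No single ACL entry here grants alice anything on the LocalSystem service; the finding only appears when the two permissions are chained, which is what the declarative model makes cheap to check.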