GeSWall
  NT framework

The Windows NT security framework provides a foundation for implementing different kinds of security policies based on object access control. The framework is implemented as a kernel-mode driver that intercepts object operations and provides other services to the security policies. Policy rules run in the kernel as part of the kernel-mode driver. The framework supports several security policies working at the same time. The effective result of all policies is the minimal granted access.

The main architecture of the Windows NT framework corresponds to GFAC (Generalized Framework for Access Control).

The interception module is based on advanced technology that has the following advantages:

  • Intercepts operations on any type of object (no matter which system service calls are used to access them), including files, named pipes, mailslots, devices, registry keys, LPC ports, processes, jobs, sections, synchronization objects (events, semaphores), network access through TDI, and GUI window messages.
  • Doesn't suffer from vulnerabilities typical of such systems, e.g. the TOCTOU (Time-Of-Check-to-Time-Of-Use) problem
  • Provides many options for handling intercepted operations
  • Provides several options for identifying objects and processes (executables)

The attribute module assigns and retrieves security policy object attributes. Several security policies are supported at the same time, as well as several sets of attributes.
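
The combination rule described above (several policies active at once, each with its own attribute set, and the effective result being the minimal granted access) can be sketched as follows. This is an added example, not GeSWall code: the two policies, the access bits and the sample attributes are hypothetical, and it runs in user mode rather than in a driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access bits are constructed for this example, not Windows ACCESS_MASK values. */
enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4, ACC_ALL = 7 };
#define NUM_POLICIES 2

/* Attribute module stand-in: one attribute slot per policy on every subject/object. */
typedef struct { uint32_t attr[NUM_POLICIES]; } attr_set;

/* A policy maps its own (subject, object) attributes to the mask it grants. */
typedef uint32_t (*policy_fn)(uint32_t subj, uint32_t obj);

/* Hypothetical policy 0: integrity levels, lower-integrity subjects cannot modify. */
static uint32_t integrity_policy(uint32_t subj, uint32_t obj) {
    return subj >= obj ? ACC_ALL : (ACC_READ | ACC_EXEC);
}

/* Hypothetical policy 1: confidentiality levels, lower-clearance subjects cannot read. */
static uint32_t confidentiality_policy(uint32_t subj, uint32_t obj) {
    return subj >= obj ? ACC_ALL : ACC_WRITE;
}

static const policy_fn POLICIES[NUM_POLICIES] = { integrity_policy, confidentiality_policy };

/* Effective access: intersection of what every policy grants. */
static uint32_t effective_access(const attr_set *subj, const attr_set *obj) {
    uint32_t mask = ACC_ALL;
    if (subj == NULL || obj == NULL) return 0;   /* fail closed on missing attributes */
    for (size_t i = 0; i < NUM_POLICIES; i++)
        mask &= POLICIES[i](subj->attr[i], obj->attr[i]);
    return mask;
}

/* Decision: allow only if every requested bit survived all policies. */
static int access_allowed(const attr_set *subj, const attr_set *obj, uint32_t requested) {
    return (requested & ~effective_access(subj, obj)) == 0;
}

/* Constructed sample attributes: {integrity level, confidentiality level}. */
static const attr_set SANDBOXED_APP = {{1, 2}};
static const attr_set SYSTEM_FILE   = {{3, 1}};
static const attr_set SECRET_DOC    = {{3, 3}};

int main(void) {
    printf("system file mask: %u\n", (unsigned)effective_access(&SANDBOXED_APP, &SYSTEM_FILE));
    printf("secret doc mask:  %u\n", (unsigned)effective_access(&SANDBOXED_APP, &SECRET_DOC));
    printf("write system file allowed: %d\n", access_allowed(&SANDBOXED_APP, &SYSTEM_FILE, ACC_WRITE));
    return 0;
}
```

For the secret document each policy on its own still grants something (read and execute from one, write from the other), but the intersection is empty, so every request is denied.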

The security framework is ideally suited for security products implementing any kind of mandatory security policy. It also has the functionality to implement more traditional security products, such as on-access antivirus scanners, personal firewalls and others.

As the framework covers a comprehensive set of objects, it may provide unique security features that are not currently available, e.g. blocking advanced shatter attacks.

 
© 2003-2008 Andrey Kolishchak