63:
the file is scanned, otherwise it is ignored. The manual scanner, then, to operate, opens the named event, sets it before scanning (disabling the service), scans the file system and resets the event back when finished. This design is prone to a squatting attack because a malicious program can set the
42:
operating system, which offers named objects as an interprocess synchronization mechanism. With named objects, a process may open a synchronization object as a shared resource by just specifying a name. Subsequent processes may use the same name to open that resource and have a way to synchronize
58:
when a user requests it. Under normal conditions the service should scan the system occasionally. However, if a user requests a manual scan, the service must stop temporarily to let the manual scanner work, otherwise every file would be scanned twice: by the manual scanner and by the service. To
43:
with the first process. The squatting attack is possible because, if the legitimate program does not enforce tight security rules for the resources, processes from arbitrary security contexts may gain access to them and ultimately take control of the system.
59:
solve this problem the vendor chooses to implement an event based synchronization mechanism, where the service keeps a named event opened and checks it whenever a file is opened. If the event is
185:
121:
The example serves just as an illustration. Additional components might be required for it to work properly, as e.g. a
32:
180:
139:
157:
24:
102:
81:
54:, which monitors and scans every file when it is opened, and a manual scanner, which scans the
8:
153:
47:
39:
28:
20:
51:
174:
122:
55:
50:
installed on a
Microsoft Windows machine. The solution has two pieces: a
31:
interferes with another program through the use of shared
140:"PsExec, User Account Control and Security Boundaries"
172:
64:named event and disable the service completely.
137:
35:objects in an unwanted or unexpected way.
173:
100:
79:
13:
14:
197:
138:Russinovich, Mark (2007-02-12).
115:
103:"Whidbey's Security Off Model"
94:
73:
1:
131:
80:Zhang, Junfeng (2006-04-23).
101:Farkas, Shawn (2005-04-28).
38:That attack is known in the
7:
158:Microsoft Developer Network
10:
202:
82:"Private Object Namespace"
186:Denial-of-service attacks
67:
46:Consider, for example,
181:Concurrency control
48:antivirus software
40:Microsoft Windows
193:
167:
165:
164:
149:
147:
146:
126:
119:
113:
112:
110:
109:
98:
92:
91:
89:
88:
77:
21:computer science
17:Squatting attack
201:
200:
196:
195:
194:
192:
191:
190:
171:
170:
162:
160:
152:
144:
142:
134:
129:
120:
116:
107:
105:
99:
95:
86:
84:
78:
74:
70:
33:synchronization
23:, is a kind of
12:
11:
5:
199:
189:
188:
183:
169:
168:
154:"Object Names"
150:
133:
130:
128:
127:
114:
93:
71:
69:
66:
9:
6:
4:
3:
2:
198:
187:
184:
182:
179:
178:
176:
159:
155:
151:
141:
136:
135:
124:
118:
104:
97:
83:
76:
72:
65:
62:
57:
53:
49:
44:
41:
36:
34:
30:
26:
22:
18:
161:. Retrieved
143:. Retrieved
117:
106:. Retrieved
96:
85:. Retrieved
75:
60:
45:
37:
16:
15:
56:file system
175:Categories
163:2007-05-15
145:2007-05-15
132:References
108:2007-05-15
87:2007-05-15
25:DoS attack
27:where a
52:service
29:program
123:driver
68:Notes
61:unset
19:, in
177::
156:.
166:.
148:.
125:.
111:.
90:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.