VMS Extended Access Control Facility
by General Cybernetic Engineering

Executive Summary:

Managing access to data critical to your business using ACL facilities in native VMS can be cumbersome and still is vulnerable to intruders or people acting in excess of their authority. Want to be sure your critical records can't be accessed save at authorized places, times, and with the programs that are supposed to access them (instead of, say, COPY.EXE)? Want to have protection against privileged users bypassing access controls? Want to be able to password protect individual files? Want to be able to invisibly hide selected files from unauthorized intruders? EACF builds in facilities permitting all of these, and is not vulnerable to intruders who disable the AUDIT facility, as all other commercial packages which purport to monitor access are.

Discussion:

When your business depends on critical files, or when you are obliged by law or contract to maintain confidentiality of data on your system, in most cases the options provided by VMS for securing this data can be cumbersome and far too coarse-grained. The problem is that certain kinds of access to data are often needed by people in a shop, but other access should be prevented and audited. Moreover, the wide system access that can come as a result of having system privileges often does not mean that it should be used to browse or disclose data stored on the system. A system manager will in general not, for example, have any valid reason to browse the customer contact file, the payroll database, or a contract negotiation file, save in a few cases where these files need to be repaired or reloaded from backups. Likewise, a payroll clerk may need read and write access to the payroll file, but not in general with the COPY utility, nor from a modem, nor in most cases at 4AM. Finally, a person who must have privileges to design a driver and test it should ordinarily not have the run of the file system as well.
Given examples like these, it is easy to see that simple authorization of user access to files is inadequate. While it is possible to build systems that grant identifiers to attempt some extra control, these can be circumvented by privilege, and create very long ACLs which become impossible to administer over a long period as users come and go. What is needed is a mechanism that is secure, cannot be circumvented by turning on privileges, and which provides a simple-to-administer and fine-grained control that lets you specify who can get at your critical files, with what images, when, from where, and with what privileges. It is also desirable to be able to control what privileges the images ever see, and to be able to check critical command files or images for tampering before use, so that they cannot be used as back doors to your system. It should be possible to demand extra authentication for particular files as well, and to prevent a malicious user from even seeing a particularly critical file unless he can be permitted access.

All these functions, and more, are supported by EACF, which when installed acts as a part of the VMS file system to add a fine-grained access control which works in addition to the normal VMS protections. Access is controlled when either OPEN or DELETE is attempted on a file, giving protection both against access and destruction.

Features:

EACF provides the following features:

* You can tag a file for maximum privileges, and EACF will deny access to the file to anyone with more privileges than are permitted. The default checks inhibit access via the READALL, BYPASS, or SYSPRV privileges. These checks apply for open or delete, so can be used to prevent both disclosure and damage to valuable files.

* You can install a file with a privilege mask that replaces all user privilege masks when the file is open. This can be used to keep Trojan code from ever seeing privileges, even where you have no source access to the code.
  (The max priv tag checks above apply to the process privileges before these modifications are made, by the way.) This is designed to make it possible to have more- or less-privileged executables or command files. The ability to install a file with fixed privileges gives the first active Trojan code inhibitor in the industry.

* EACF can grant identifiers to a process when a file is open and revoke them automatically when it closes the file.

* EACF can reset the process' base priority when a particular file is opened. This can be used with selected images to either ensure CPU access or to prevent some "denial of service" attacks.

  NOTE: The tokens used to alter identifiers, privileges, or base priority are protected by cryptographic authenticator tags so they can neither be forged nor moved.

* EACF can check file integrity (comparing a cryptographic checksum of the file before it may be accessed) and refuse to allow the file to be accessed if it has been tampered with. Any sort of file (not just executables) can be protected in this way.

* EACF can attach passwords to files. The passwords must be entered via a utility prior to file access, and are stored in memory in a way which depends on UIC as well as the file password and identity, so that privileged users cannot simply copy the password information and use it for their own access from their accounts.

* EACF can check that the image being used to open (or delete) a file is permitted and/or not forbidden. Thus, for example, a person can be given access (from selected places and at selected times) to PAYROLL.DAT if using the PAYROLL.EXE application, but not using COPY.EXE.

* EACF can check access based on terminal location, time of day (to one hour granularity), and user name. Access can be permitted or denied based on any or all of these criteria. Each file has its own security profile. A profile editor is part of the package, permitting easy maintenance of all security related file profile information.
* EACF can "hide" files. If file access is to be denied, in addition to generating security alarms, EACF can either deny access (for open or delete) or it can invisibly open another file, so the user who is illicitly accessing a file can be made to see some other file instead of the one he is trying to access. (This can be used to hide SYSUAF.DAT, the real payroll file, or anything else deemed important, without alerting an intruder. It can be vital for gathering evidence of attempted tampering while protecting the real files from danger.)

* A backup account can be set up to allow file access, and can be, like other accounts, permitted read-only access if desired.

Best of all, EACF does not depend on the audit facility, which intruders generally disable. It prevents file access before it happens, instead of merely attempting to stop a process or force an image exit after the file is open and damage possibly already done. It can generate security alerts, but even if the audit facility is disabled, EACF remains functional. The security profiles EACF maintains are simple to administer or extend and can be readily understood. The protection is kernel-based and can be selected per disk and per file via simple configuration options.

EACF is brought to you by General Cybernetic Engineering,
Glenn C. Everhart, Pres.
25 Sleigh Ride Rd.
Glen Mills PA 19342-1440
610 358 5875
Everhart@Arisia.GCE.Com
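The per-file checks the feature list above describes (maximum-privilege tag, permitted and forbidden images, user name, hour of day, terminal, integrity checksum, privilege-mask replacement on open, and the "hide" decoy) combined into one open-time decision, as an added illustrative model. This is constructed here and is not EACF's code or its profile format; the profile fields, the sample PAYROLL profile, the terminal names, the privilege names chosen for the sample and the decoy path are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Illustrative model of an EACF-style per-file profile; constructed here, not EACF's own code.
DEFAULT_DENIED_PRIVS = frozenset({"READALL", "BYPASS", "SYSPRV"})

@dataclass(frozen=True)
class FileProfile:
    denied_privs: frozenset = DEFAULT_DENIED_PRIVS   # opener may hold none of these
    allowed_images: frozenset = frozenset()          # empty = any image
    forbidden_images: frozenset = frozenset()
    allowed_users: frozenset = frozenset()           # empty = any user
    allowed_hours: frozenset = frozenset(range(24))  # one-hour granularity
    allowed_terminals: frozenset = frozenset()       # empty = any location
    expected_sha256: Optional[str] = None            # integrity check before access
    install_privs: Optional[frozenset] = None        # replaces the process mask while open
    decoy: Optional[str] = None                      # "hide": serve this file instead of denying

@dataclass(frozen=True)
class OpenRequest:
    user: str; image: str; hour: int; terminal: str; privs: frozenset; content: bytes

def check_open(p: FileProfile, r: OpenRequest):
    """('allow', effective privs) | ('deny', reasons) | ('redirect', decoy path).
    Privilege checks run against the process mask before any install_privs replacement."""
    # A tampered file is refused outright: never served, never replaced by a decoy.
    if p.expected_sha256 and hashlib.sha256(r.content).hexdigest() != p.expected_sha256:
        return "deny", ["integrity check failed"]
    reasons = []
    if r.privs & p.denied_privs:
        reasons.append("excess privilege: " + ",".join(sorted(r.privs & p.denied_privs)))
    if (p.allowed_images and r.image not in p.allowed_images) or r.image in p.forbidden_images:
        reasons.append("image not permitted: " + r.image)
    if p.allowed_users and r.user not in p.allowed_users:
        reasons.append("user not permitted: " + r.user)
    if r.hour not in p.allowed_hours:
        reasons.append("outside permitted hours: %02d00" % r.hour)
    if p.allowed_terminals and r.terminal not in p.allowed_terminals:
        reasons.append("terminal not permitted: " + r.terminal)
    if reasons:  # the "hide" option redirects silently; otherwise deny (and raise an alarm)
        return ("redirect", p.decoy) if p.decoy else ("deny", reasons)
    return "allow", (p.install_privs if p.install_privs is not None else r.privs)

# Constructed sample: payroll data usable only by CLERK via PAYROLL.EXE, local terminals, 08-18h.
PAYROLL_DATA = b"constructed payroll records\n"
PAYROLL_PROFILE = FileProfile(
    allowed_images=frozenset({"PAYROLL.EXE"}), forbidden_images=frozenset({"COPY.EXE"}),
    allowed_users=frozenset({"CLERK"}), allowed_hours=frozenset(range(8, 19)),
    allowed_terminals=frozenset({"TTA0:", "TTA1:"}), expected_sha256=hashlib.sha256(PAYROLL_DATA).hexdigest(),
    install_privs=frozenset({"TMPMBX", "NETMBX"}), decoy="SYS$SYSTEM:DECOY_PAYROLL.DAT")
```

Note that the privilege check sees the caller's real mask even though a successful open hands the image the fixed install mask, matching the ordering the feature list gives.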