Security Features and Memory Usage,...
in [Win32 Kernel]
|
Prev: Volume Shadow Copy Service error: Unexpected error calling routineCoCreateInstance. hr = 0x800401f0
Next: Opportunistic Background Processing On Idle Web Server
From: Kerem Gümrükcü on 26 Feb 2010 07:02 Well, this question maybe sounds little od, but how much of memory (percentage) does all this ACL and ACE stuff cover in a running system. Sure, this depends on the ACEs in the ACL and all other extra information, but is there a number, maybe 5% or more, maybe less we can say,... This is something i wonder since the last days i have to deal with lots of security features in windows,...they all need some memory, but how much,...? K. -- ----------------------- Beste Gr�sse / Best regards / Votre bien devoue Kerem G�mr�kc� -----------------------
From: Paul Baker [MVP, Windows Desktop Experience] on 26 Feb 2010 09:33 It sounds like you're trying to guess what is using your memory and, in truth, that is many different things. There are plenty of relatively recent features that are contributing way more than ACLs are. It's smells of a stab in the dark. Sure, security features may result in an increased demand for resources, just as many features may, but I really think ACLs use a tiny amount of memory by today's standards. Remember that ACLs have been a cornerstone of security in Windows for 17 years. Have you been wondering about your memory usage for 17 years? Probably not! To answer your question more directly, as you have noted yourself, it depends on various things. It's going to depend on, well, which ACLs are in memory :D And that's going to depend on each application's needs. Generally, an ACL is not going to be in memory much longer than it needs to be to perform an access check. It's going to spend most of it's time on disk as part of NTFS or the registry. I don't think you'll find large numbers of ACLs floating around eating up all your memory :) Paul "Kerem G�mr�kc�" <kareem114(a)hotmail.com> wrote in message news:ux4tOuttKHA.6140(a)TK2MSFTNGP05.phx.gbl... > Well, this question maybe sounds little od, > but how much of memory (percentage) does > all this ACL and ACE stuff cover in a running > system. Sure, this depends on the ACEs in the > ACL and all other extra information, but is there > a number, maybe 5% or more, maybe less we > can say,... > > This is something i wonder since the last days > i have to deal with lots of security features in > windows,...they all need some memory, but how > much,...? > > K. > > -- > ----------------------- > Beste Gr�sse / Best regards / Votre bien devoue > Kerem G�mr�kc� > -----------------------
From: Stefan Kuhr on 26 Feb 2010 15:18 Kerem, On 2/26/2010 1:02 PM, Kerem G�mr�kc� wrote: > Well, this question maybe sounds little od, > but how much of memory (percentage) does > all this ACL and ACE stuff cover in a running > system. Sure, this depends on the ACEs in the > ACL and all other extra information, but is there > a number, maybe 5% or more, maybe less we > can say,... > > This is something i wonder since the last days > i have to deal with lots of security features in > windows,...they all need some memory, but how > much,...? > > K. > A little anecdote: When I was a pupil, one of my friends was so frustrated during a history exam that he wrote a suggestion to our teacher in his exam: "A suggestion for a problem to be solved by your students in the next exam: Describe the universe and give three suitable examples." Your question sounds a bit to me like this problem. How much all this security stuff adds, has a lot of facets and there is no hard and fast rule or answer. It is not only that secured objects are ACL'd and that ACLs need to be placed at some point somewhere in memory, it is also that accesses to secured objects require additional code to be to run, be it an AccessCheck call in your own code or in the security subsystem, if a secured object in the OS is accessed. Because ACLs can be of arbitrary length and because tokens can theoretically be of arbitrary length (if we neglect the existence of such ugly things as token bloat), it all depends how people actually use NT security. However, you can reduce the amount of required memory, if case you are currently challenged to design a system with private object security, by using ACL inheritance. Hope this helps, -- S
From: Pavel A. on 26 Feb 2010 17:05 Maybe there is some windbg extension for this. ask in windbg newsgroups. -- pa "Kerem G�mr�kc�" <kareem114(a)hotmail.com> wrote in message news:ux4tOuttKHA.6140(a)TK2MSFTNGP05.phx.gbl... > Well, this question maybe sounds little od, > but how much of memory (percentage) does > all this ACL and ACE stuff cover in a running > system. Sure, this depends on the ACEs in the > ACL and all other extra information, but is there > a number, maybe 5% or more, maybe less we > can say,... > > This is something i wonder since the last days > i have to deal with lots of security features in > windows,...they all need some memory, but how > much,...? > > K. > > -- > ----------------------- > Beste Gr�sse / Best regards / Votre bien devoue > Kerem G�mr�kc� > -----------------------
From: Kerem Gümrükcü on 26 Feb 2010 19:36
Hi, thanks for the answers. I Know that my question sounds a little strange and i am aware of the fact, that e.g. a handle is not just a typedef to a new datatype and acls are just some structs in memory and that there is so much of more like describing headers, state information and lots of internal memory and code handling and maintaining this. My question was more like: If we strip all the security stuff from the OS an expect everything to run in one level/security,...ow much of code/memory would we save. I just was wonderung how much of code/ memory all this security features are covering on the OS and when it runs how much of the OS memory does this cover. I KNOW that this is a question that is hard or even nealry cannot not to be answered, but i was wondering what others can tell me about that,... Regards Kerem -- ----------------------- Beste Gr�sse / Best regards / Votre bien devoue Kerem G�mr�kc� ----------------------- |