Separation of Duty in Privileged Operating Systems

Abstract: In operating systems, privilege controls the most important resources and functions, so the separation of duty (SoD) principle must be enforced to keep privilege safe. Unlike existing work, this paper studies how a privilege mechanism can support SoD from the angle of implicit authorization. The source of privilege is analyzed first, and the definition of privilege is decomposed into restriction rules and execution rules; the execution rules describe the effect of a privilege precisely, something most access control models leave unspecified. Logical deduction between the two kinds of rules then yields deduction relations between authorizations: holding one privilege can implicitly authorize another, and such implicit authorization may violate SoD constraints. An authorization deduction graph is used to show all implicit authorizations of a privilege mechanism accurately and completely. The consistency between high-level SoD requirements and low-level privilege enforcement is examined from two sides: the SoD properties of privileges, and the mechanism requirements that SoD imposes on privileges. Finally, the widely used POSIX capability mechanism is taken as an example and formalized as the BMPS model; its deficiencies in supporting SoD are identified and corrected, and a feasible privilege policy consistent with the SoD requirements is given.
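The following added example (not from the paper, and not the BMPS model) illustrates the abstract's central point: an SoD check that looks only at explicitly granted privileges misses violations that arise through implicit authorization, whereas a check over the closure of the authorization deduction graph catches them. The privilege names and the deduction edges are constructed placeholders, not real POSIX capabilities.

```python
from collections import deque

# Constructed authorization deduction graph: an edge p -> q means that a
# subject holding privilege p can obtain the effect of q (an implicit
# authorization). The edges are illustrative, not the paper's rules.
DEDUCES = {
    "mount_fs": {"read_any_file"},
    "write_any_file": {"modify_audit_log"},
    "override_dac": {"read_any_file", "write_any_file"},
}

# Constructed SoD constraint: these two privileges must never be held together.
CONSTRAINTS = [frozenset({"mount_fs", "modify_audit_log"})]


def implicit_closure(explicit, deduces=DEDUCES):
    """Return every privilege a subject effectively holds: the explicit grants
    plus everything reachable from them in the deduction graph."""
    held = set(explicit)
    queue = deque(explicit)
    while queue:
        p = queue.popleft()
        for q in deduces.get(p, ()):
            if q not in held:
                held.add(q)
                queue.append(q)
    return held


def sod_violations(explicit, constraints=CONSTRAINTS, include_implicit=True):
    """Return the constraints violated by a subject's privileges.

    With include_implicit=False only explicit grants are considered, which is
    the naive check; with include_implicit=True the deduction closure is used.
    """
    held = implicit_closure(explicit) if include_implicit else set(explicit)
    return [c for c in constraints if c <= held]


if __name__ == "__main__":
    subject = {"mount_fs", "write_any_file"}  # constructed grant set
    print("naive check:   ", sod_violations(subject, include_implicit=False))
    print("closure check: ", sod_violations(subject))
```

The naive check reports no violation for the subject, while the closure check reports the constraint, because write_any_file implicitly authorizes modify_audit_log.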