    Cai Jiayong, Qing Sihan, Liu Wei. Separation of Duty in Privileged Operating Systems[J]. Journal of Computer Research and Development, 2008, 45(4): 666-676.

    Separation of Duty in Privileged Operating Systems

    Abstract: In operating systems, privilege controls the most important resources and functions, so administrators must enforce separation of duty (SoD) to keep privilege safe. This paper studies how a privilege mechanism can support SoD by analyzing the problem of implicit authorization. It first discusses the source of privilege and decomposes the definition of privilege into restriction rules and execution rules; the execution rules describe the effects of a privilege precisely, something most access control models ignore. Deducing further authorizations from these rules shows that privilege mechanisms carry implicit authorization. Because implicit authorization can violate SoD constraints, all implicit authorizations are displayed in an authorization deduction graph. By examining the properties of SoD and the requirements it places on the mechanism, consistency between SoD constraints and the privilege mechanism can be ensured. Finally, the POSIX capability mechanism is taken as an example and formalized in the BMPS model; its deficiencies in supporting SoD are identified and corrected, and a feasible security policy consistent with the SoD requirements is given.
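    The following program is an added illustration of the idea described in the abstract, not the paper's BMPS model or its formalization. It models a privilege as execution rules (what a capability directly authorizes), restriction rules (a guard that must be held before an authorization is granted at all), and deduction rules (how one authorization lets a subject obtain another), computes the transitive closure of authorizations for each subject, and checks static SoD constraints against both the explicit and the implicit authorization sets. The capability names are real Linux/POSIX ones, but the rule tables, the subjects `operator` and `auditor`, the objects `any_file`, `audit_log` and `privileged_exec`, and the guard `CAP_AUDIT_CONTROL` on the audit log are constructed for this example and deliberately simplified.

```python
"""Implicit-authorization deduction over a toy privilege policy (added example).

An authorization is a pair (operation, object). Rule tables below are a
constructed, simplified subset; they are not the paper's BMPS model.
"""

# Execution rules (assumption): what holding a capability directly authorizes.
EXECUTION_RULES = {
    "CAP_DAC_OVERRIDE": {("read", "any_file"), ("write", "any_file")},
    "CAP_FOWNER":       {("chmod", "any_file")},
    "CAP_CHOWN":        {("chown", "any_file")},
    "CAP_AUDIT_WRITE":  {("append", "audit_log")},
    "CAP_SETUID":       {("setuid", "any_uid")},
}

# Deduction rules (assumption): holding every premise lets a subject obtain the
# conclusion, so the conclusion is implicitly authorized. Each is a chain of
# well-known consequences rather than a rule any OS states explicitly.
DEDUCTION_RULES = [
    ({("chown", "any_file")}, ("chmod", "any_file")),           # take ownership, then chmod
    ({("chmod", "any_file")}, ("write", "any_file")),           # make the file writable to self
    ({("write", "any_file")}, ("write", "audit_log")),          # the audit log is just a file
    ({("write", "any_file")}, ("write", "privileged_exec")),    # e.g. a setuid-root binary
    ({("write", "privileged_exec")}, ("setuid", "any_uid")),    # planted code runs as its owner
]

# Static SoD constraints (assumption): pairs of authorizations that must never be
# held by the same subject. The operator must not be able to tamper with the
# audit trail; the auditor must not be able to act as another user.
SOD_CONSTRAINTS = [
    (("chown", "any_file"), ("write", "audit_log")),
    (("setuid", "any_uid"), ("append", "audit_log")),
]

# Restriction rules (assumption): an authorization that is only granted to a
# subject holding a guard capability, regardless of what could be deduced.
# Here the audit log is modelled as append-only unless the subject holds
# CAP_AUDIT_CONTROL, which is the correction applied below.
RESTRICTIONS = {("write", "audit_log"): "CAP_AUDIT_CONTROL"}


def explicit_auths(caps):
    """Authorizations granted directly by the execution rules."""
    auths = set()
    for cap in caps:
        auths |= EXECUTION_RULES.get(cap, set())
    return auths


def deduce(caps, restrictions=None, transitive=True):
    """Return (closure, edges): every authorization reachable from the subject's
    capabilities, plus the authorization-deduction-graph edges used to reach them.
    With transitive=False only explicit authorizations are considered."""
    restrictions = restrictions or {}

    def allowed(auth):
        guard = restrictions.get(auth)
        return guard is None or guard in caps

    closure = {a for a in explicit_auths(caps) if allowed(a)}
    edges = []
    changed = transitive
    while changed:  # fixed-point iteration over the deduction rules
        changed = False
        for premises, conclusion in DEDUCTION_RULES:
            if conclusion in closure or not premises <= closure or not allowed(conclusion):
                continue
            closure.add(conclusion)
            edges.extend((p, conclusion) for p in premises)
            changed = True
    return closure, edges


def sod_violations(policy, restrictions=None, implicit=True):
    """List (subject, auth_a, auth_b) for every constraint a subject violates."""
    found = []
    for subject, caps in policy.items():
        auths, _ = deduce(caps, restrictions, transitive=implicit)
        for a, b in SOD_CONSTRAINTS:
            if a in auths and b in auths:
                found.append((subject, a, b))
    return found


# Constructed policy: looks SoD-consistent when only explicit authorizations are
# checked, but the operator's CAP_CHOWN chains to writing the audit log.
POLICY = {"operator": {"CAP_CHOWN"}, "auditor": {"CAP_AUDIT_WRITE"}}

if __name__ == "__main__":
    for subject, caps in POLICY.items():
        closure, edges = deduce(caps)
        print(subject, "implicit authorizations:", sorted(closure - explicit_auths(caps)))
        for src, dst in edges:
            print("   ", src, "->", dst)
    print("explicit-only violations:", sod_violations(POLICY, implicit=False))
    print("with implicit auths:     ", sod_violations(POLICY))
    print("after restriction rule:  ", sod_violations(POLICY, RESTRICTIONS))
```

    The point the run makes is the one the abstract states: a check over explicit authorizations alone reports the policy as consistent, the closure over the deduction rules exposes the operator reaching `("write", "audit_log")`, and adding a restriction rule (rather than removing the capability) restores consistency while leaving the deduction graph available for review.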