CN100401223C - Strategy and method for realizing minimum privilege control in safety operating system - Google Patents

Info

Publication number: CN100401223C
Authority: CN (China)
Prior art keywords: capability, domain, role, privilege
Legal status: Expired - Fee Related
Application number: CNB2005100116456A
Other languages: Chinese (zh)
Other versions: CN1854961A
Inventors: 卿斯汉, 沈晴霓, 李丽萍, 唐柳英, 季庆光
Current assignee: Institute of Software of CAS
Original assignee: Institute of Software of CAS
Events: application filed by Institute of Software of CAS; priority to CNB2005100116456A; publication of CN1854961A; application granted; publication of CN100401223C; status Expired - Fee Related
Abstract

The present invention relates to the technical field of digital computer security information systems, and in particular to a policy and method for realizing least-privilege control in a secure operating system. The method comprises: providing layered mapping relations among users, roles, DTE domains and capabilities; modifying and adding, in the operating system kernel, the privilege-related core functions and system interfaces together with the capability management, capability decision and capability computation functions for processes, roles, domains and program files; providing capability administration commands for the application layer; and modifying the system's initial session (login) program. The invention conforms to the POSIX interface standard and can be implemented in the kernel layer of the operating system; its configuration management is simple and flexible, it supports domain isolation and dynamic adjustment of privilege, it effectively prevents system users or processes holding excessive privilege from harming the system, and it achieves least-privilege control in network and system application environments.

Description

Policy and method for realizing least-privilege control in a secure operating system
Technical field
The present invention relates to the technical field of digital computer security information systems, and more precisely to a policy and method for realizing least-privilege control in a secure operating system.
Background technology
Least privilege is an important design principle of information system security. It is also a key issue that must be solved for a secure system to reach the B2 level or above of the U.S. "Trusted Computer System Evaluation Criteria" (DoD 5200.28-STD-1985), the EAL5 level or above of the international standard "IT Security Evaluation Criteria" (ISO/IEC 15408-1999), the fourth level or above of the Chinese national standard "Classified criteria for security protection of computer information systems" (GB 17859-1999), and the EAL5 level or above of the Chinese national standard "Information technology - Security techniques - Evaluation criteria for IT security" (GB/T 18336-2001).
For historical reasons, current mainstream operating systems (such as UNIX/Linux) have a superuser and a number of privileged programs: the superuser and privileged processes (processes produced by executing privileged programs) hold all privileges, while ordinary users and processes hold none. This privilege management model is convenient for system maintenance and configuration but bad for system security. In practice, this over-concentration of privilege makes them the main targets of network attackers and exposes the system to continuous security risk. The purpose of least-privilege control in a high-assurance system is therefore to guarantee that a system user or process holds only the minimal set of privileges needed to perform its task (rather than all privileges), so that when a superuser password is lost, or in the event of software errors, malware, mis-operation or privilege abuse, the harm done to the system is minimized.
In current research and application of secure operating systems at home and abroad, three kinds of privilege control and management policies and techniques predominate: those based on user/group identity, those based on roles, and those based on programs.
The method based on user/group identity creates specific users or user groups and runs specific programs with the identity and authority of those users or groups, such as the setuid mechanism of Linux. Its advantage is that the implementation is very simple; its shortcoming is that it easily lets the superuser (a specific user holding all authority) do anything. Most current secure systems no longer use it as the main technique and retain it only for compatibility or system maintenance.
The role-based access control (RBAC) model is the policy and method commonly used by current secure operating systems for privilege management. Its main approach is to distribute the privileges originally held by the superuser among different roles and then assign appropriate roles to users. Revoking a user's assignment is thus very easy, and granting or revoking a role's authority does not affect user assignments. Although this method simplifies authorization management and guarantees separation of duty and minimization of user privilege, it has two deficiencies: (1) it is only a static control of user-level granularity: through a role, a subject process created by the user can only be given a fixed privilege set that stays in force for the whole life cycle of the process chain, and the privileges of the subject process cannot change dynamically with its security context; (2) when the same subject runs trusted and untrusted programs, domain isolation is required, and role-based methods cannot solve this problem. For example, if the same user is allowed to run on the system simultaneously with an administrator role (trusted process) and an ordinary user role (untrusted process), the integrity of the protected resources both of them access cannot be guaranteed.
The program-based method assigns an appropriate privilege mode to each program in the system, guaranteeing that each process holds only the privileges appropriate to its task. For example, the Trusted XENIX system gives every program a GPM (general privilege mechanism) vector in which each privilege bit indicates whether a privileged operation is permitted or not. This privilege management model achieves privilege control of program-level granularity and minimizes the current privilege of each process. Its shortcomings are: (1) least-privilege control must be applied to every program, which complicates privilege management; (2) every program must be assigned appropriate privileges, otherwise the system's risk increases accordingly.
These three methods, or combinations of them, can to some extent remedy some shortcomings of traditional privilege control, such as achieving separation of duty and fine-grained control, but they cannot satisfy the requirements of domain isolation and dynamic privilege control. Providing a fine-grained, role-based least-privilege control policy and technique that supports domain isolation and dynamic adjustment is therefore very beneficial for privilege management in high-assurance systems.
Summary of the invention
The objective of the invention is, in view of the above problems of current mainstream operating systems with respect to least-privilege control policy and technique, to provide a least-privilege control policy and technique based on roles, DTE domains and programs that meets the requirements of the POSIX standard, can be implemented in the operating system kernel layer, has simple and flexible configuration management, supports domain isolation and dynamic adjustment of privilege, effectively prevents system users or processes holding excessive privilege from harming the system, and achieves least-privilege control in network and system application environments.
The invention provides a technique and method of least-privilege control that effectively limits the harm that abuse, misuse and network attack can do to the operating system, namely a method for realizing least-privilege control in a secure operating system, comprising:
Step S1: in light of the system's security requirements, divide the superuser's privilege into a fine-grained set of capabilities;
Step S2: find and determine the security-related system calls in the operating system, and perform the necessary capability checks in those system calls;
Step S3: determine the capability state of trusted administrative programs and trusted applications;
Step S4: use the newly provided administration commands to configure the capability attribute values of the default roles and domains and the assignment relations between users, roles and domains;
Step S5: use the new session program to verify the login user's security attributes and set the initial capability state of the process. Specifically: first add a new identification and authentication mechanism, so that the new session program verifies not only the requester's user name and password but also the role the user assumes and the domain the role enters, ensuring that the assigned role is one the user is permitted to assume and the assigned domain is one the role is permitted to enter; then the session program reads the attributes of the assigned role and domain from the corresponding policy configuration files, including the identifiers and capability attribute values of the role and domain; then, according to the capability attribute values of the role and domain and the POSIX definition of process capability state, it sets the initial capability state of the process, comprising its inheritable capability set, maximum permitted capability set and effective capability set; and finally, according to the identifier values of the role and domain, it sets the process's initial role and domain identifiers;
Step S6: determine whether the next operation the process performs is a call to the execve() system call or a request to perform a security-related operation. If it is an execve() call, perform the capability computation or the domain transition; otherwise, if it is a request for a security-related operation, the capability check calls the capability decision function to determine whether the operation is allowed;
Step S7: determine whether the process holds the capability for the requested restricted operation or override access: before a process performs a restricted operation or override access it first passes an authorization check that determines whether it has the corresponding capability; the capability decision module checks whether the requested capability is present in the effective capability set of the executing process, and if so authorizes execution, otherwise stops the action;
Step S8: perform the restricted operation or override access;
Step S9: determine whether the program file to be executed is an entry program that realizes a domain transition; if so, perform the domain transition, otherwise keep the domain unchanged;
Step S10: perform a safe domain transition according to the policy configuration and retrieve the capability state of the new domain;
Step S11: retrieve the capability state of the program file;
Step S12: compute the new process capability state according to the capability computation method provided in the system. Specifically: if no domain transition takes place, the new process capability state is computed from the capability state of the current process, the capability state of the program file, and the capability states of the process's original role and domain; if a successful domain transition takes place, the capability computation involves not only the capability states of the current process and the program file but also the capability state of the new domain, while the role's capability state remains unchanged.
In the above scheme, step S2 comprises: find the security-related system calls in the operating system; determine, according to the security function each performs, the specific capabilities it requires; and perform the necessary capability check before the security function corresponding to the system call is executed.
In the above scheme, step S3 comprises: first determine which trusted administrative programs and trusted applications exist in the system; then, by inspecting the source code of the trusted programs and by trace-debugging the trusted processes, determine the security-related system call sequence of each trusted program; finally, according to the capabilities of the security-related system calls analyzed in step S2 and the POSIX definition of program-file capability state, determine the values of the trusted program's maximum permitted, effective and inheritable capability sets, and create the corresponding configuration file with the program-file capability administration command.
In the above scheme, step S4 comprises: first, according to the principle of least privilege, determine the default roles required to achieve separation of duty in the system and the default domains required to isolate trusted functions from untrusted ones; then, according to the responsibilities of each role, the functions of each domain and the capabilities of the trusted administrative programs or trusted applications they are responsible for, determine the capability attribute values of each role and domain; finally, according to the requirements of separation of duty and functional isolation, determine the assignment relations between users, roles and domains, comprising the user-role (U-R), role-domain (R-D) and domain-transition (D-D) relations, together with two kinds of constraints: mutually exclusive role relations and mutually exclusive domain relations.
In the above scheme, retrieving the capability state of the program file in step S11 comprises: before the process executes the execve() system call, retrieve the program file's capability state from the kernel policy library, i.e. first retrieve its maximum permitted capability set, inheritable capability set and effective capability set.
In the above scheme, the definition of the fine-grained capability set in step S1 is consistent with the requirements of the Portable Operating System Interface (POSIX) standard; the restricted operations or override accesses in step S8 include the operations and accesses used to update the kernel's privilege policy library.
This is a technique that manages system privilege through an extended role-based access control model. It provides the system with layered mapping relations between users, roles, DTE (domain type enforcement) domains and capabilities (a capability denotes the privileged ability to perform a restricted operation or override access); it modifies and adds the privilege-related core functions and system interfaces in the operating system kernel, including capability management, capability decision and capability computation for processes, roles, domains and program files; and it provides application-layer capability administration commands and modifies the system's session program.
Providing layered mapping relations between users, roles, DTE domains and capabilities comprises configuring, administering and maintaining users, roles, domains, capabilities and their associated attributes. For a user, this means configuring and managing the set of roles the user may assume; for a role, configuring and managing the role identifier, the role's capability value, the set of domains the role may enter and the set of mutually exclusive roles; for a DTE domain, configuring and managing the domain identifier, the domain's capability value, the set of domains reachable by automatic (auto) transition, the set of domains reachable by exec transition, and the set of mutually exclusive domains.
The layered mapping relations also include the mapping between roles and DTE domains: for a role, the set of domains it may enter is defined; for a DTE domain, the set of domains it may enter by automatic or exec transition is defined. Combining the two lets subjects of the same role enter different domains through domain transitions and thereby hold different privileges, which achieves dynamic adjustment of privilege and domain isolation.
Modifying and adding privilege-related core functions and system interfaces in the kernel includes capability management for processes, roles, domains and program files. For processes, a current role identifier and a current execution-domain identifier are added to the system process structure, together with the corresponding management functions and interfaces. For roles, domains and program files, corresponding security-attribute storage representations are created in the kernel, comprising the role capability table, the domain capability table and the program-file capability table, with the corresponding management functions and interfaces. For program files, to prevent a malicious user from replacing an original program with a program of the same name in order to obtain its privilege, the time attribute recorded in the configuration file is compared with the time attribute of the program file; if they are inconsistent, the program file is judged to have been replaced and its capability attributes are automatically cleared.
Modifying and adding privilege-related core functions and system interfaces in the kernel also includes the capability decision and capability computation functions for processes. Capability decision determines, according to the effective capability set of the current process, whether it holds the privilege (one capability or a group of capabilities) needed for the function to be executed; if so the operation is allowed, otherwise it is refused. Capability computation is invoked when a subject process executes a program. It is a capability mechanism meeting the POSIX standard requirements and produces the new capability state of the current process from the capability states of the subject's current role, domain and executed program: the new inheritable capability set is the intersection of the program file's inheritable capability set and the inheritable capability set of the subject process executing it; the new permitted capability set is the union of the program's maximum permitted capability set and the current process's inheritable capability set, restricted to a subset of the capabilities of the subject's role and domain; the new effective capability set is the intersection of the program file's effective capability set and the maximum permitted capability set of the current process.
Providing application-layer capability administration commands and modifying the application-layer initial session program: the capability administration commands comprise a function that sets process capabilities by calling the original security interface, and commands that set the role and DTE domain attributes of a process through the newly added system interfaces; in the session program, the system function calls that set the initial capability state of system processes are added and modified.
The privilege management technique described above first defines an appropriate set of capabilities according to the system's security requirements and the POSIX (Portable Operating System Interface) standard, and implements the kernel representation and the application-layer representation of capabilities, the translation functions between the two, and the interfaces.
An identification and authentication mechanism consistent with this method is provided, including the management of users, roles, domains, capabilities and their associated attributes and the administration and maintenance of the corresponding configuration files, to support the configuration, management and maintenance of the layered mapping relations between users, roles, DTE domains and capabilities. The new user attributes include the set of roles a user may assume; role attributes include the role identifier, the role's capability value, the set of domains the role may enter and the set of mutually exclusive roles; domain attributes include the domain identifier, the domain's capability value, the set of domains reachable by automatic (AUTO) transition, the set of domains reachable by exec (EXEC) transition, and the set of mutually exclusive domains.
Kernel-layer data structure representations consistent with this method are provided to support getting and setting process capabilities, including adding a current role identifier and a current execution-domain identifier to each subject process and creating the following security-attribute storage representations in the kernel: the role capability table, the domain capability table and the program-file capability table.
Kernel functions and interfaces consistent with this method are provided, including the kernel management functions and interfaces for security attributes (the identifiers and capability states of roles, domains and program files), the capability decision function (which determines whether the current process holds a given privilege needed for the function to be executed), and the capability computation function, which implements a capability mechanism meeting POSIX requirements and relates the capability states of the subject's current role, domain and executed program.
Application-layer capability management consistent with this method, together with the functions and programs that modify the capability state of the initial session process, is provided, including the function that sets process capabilities by calling the original security system interface, the functions that set the role and DTE domain attributes of a process and the kernel's role, domain and program-file capability tables through the newly added capability-related system interfaces, and the support library of functions called by the added and modified session program.
The advantages of the invention are: (1) by assigning the DTE domains a role may enter, users of the same role run in different DTE domains, achieving domain isolation; (2) by configuring automatic or exec transition relations between domains, the capability state of a system process changes with the DTE domain it executes in, forming different privileges for different functions and achieving dynamic adjustment of privilege; (3) by assigning the required capability attributes to program files according to program function, the capability state of every process in the system can be controlled at program-level granularity; (4) by providing a new capability inheritance mechanism in the kernel layer, the system can effectively support the implementation of the above privilege control measures.
Description of drawings
Fig. 1 shows the mapping relations between the authorization entities involved in the privilege control policy of the invention.
Fig. 2 shows the architecture of the privilege control module in a secure operating system implementing the invention.
Fig. 3 is a flow chart of the method for realizing least-privilege control in a secure operating system according to the invention.
Embodiment
According to the above technical scheme, the invention is described below through an example implementation in a Linux-based secure operating system.
Fig. 1 shows the mapping relations between the authorization entities involved in the privilege control policy. The concrete technical steps for implementing these relations in the secure Linux system are as follows:
1. Define the capability set C, i.e. divide the original system superuser privilege into a number of fine-grained capabilities. The current design supports the definition of 64 capabilities (the original Linux system only supports 32). When defining capabilities, the design requires that the system's security requirements be made explicit: based on the security mechanisms the system is to enforce, such as discretionary access control (DAC), mandatory access control (MAC) and domain type enforcement (DTE), identify all security-related access/operation functions, then define capabilities by the following principles: (1) a capability exempts a system process from one particular security restriction, e.g. the CAP_MAC_READ capability allows overriding the restriction "the subject's security level must dominate the object's security level", ensuring that a capability grants only the minimum authority to perform one specific event; (2) the definition of a capability must be definite and unique, i.e. no capability or combination of capabilities may grant the authority that another capability grants; for example, if CAP_DAC_OVERRIDE permits overriding the DAC read, write and execute checks, then CAP_DAC_READ need not be defined; (3) on the basis of principles (1) and (2), the fewer capabilities the better, since over-fine and too numerous capabilities cause misunderstanding, confusion and errors in management and use. Finally, implement in the system the kernel representation and application-layer representation of capabilities and the translation functions and system interfaces between the two representations.
2. Implement the system functions that configure, administer and maintain users U, roles R, domains D and the mapping relations between them. The current design handles this within the system's identification and authentication mechanism: (1) the data structure representing a user U is modified to include the set of roles the user may assume (the U-R mapping), and the corresponding user management commands USERADD, USERMOD and USERDEL are modified so that they administer and maintain the configuration files related to user attributes; (2) a data structure identifying a role R is added, together with its configuration file and administration commands; role attributes include the role identifier, the role's capability value (R-C mapping), the set of domains the role may enter (R-D mapping) and the set of mutually exclusive roles, and the role management commands are ROLEADD, ROLEMOD and ROLEDEL; (3) a data structure identifying a DTE domain is added, together with its configuration file and administration commands; domain attributes include the domain identifier, the domain's capability value (D-C mapping), the sets of domains reachable by automatic (AUTO) or exec (EXEC) transition (D-D mapping) and the set of mutually exclusive domains, and the domain administration commands are DOMAINADD, DOMAINMOD and DOMAINDEL.
3. Implement the system functions that configure, administer and maintain the capabilities of program files F (the F-C mapping). The design solves this by adding a command and a configuration file for assigning capability attributes to program files. Following the POSIX standard, the capability attributes assigned to each program file comprise three sets: the maximum permitted capability set, the inheritable capability set and the effective capability set. To prevent a malicious user from replacing an original program with a program of the same name in order to obtain its privilege, the design automatically clears a program file's capability attributes once the file has been replaced; a file is judged to have been replaced when the time recorded for it in the configuration file is inconsistent with the time of the program about to be executed.
4. Implement the system functions that configure, administer and maintain the capability-related attributes of system processes P (the dynamic P-C, P-R and P-D mappings). Following the POSIX standard, the process capability state already supported by Linux comprises three sets: the maximum permitted set, the inheritable set and the effective set. To represent the relation between a process's capability state and its role and domain, three further measures are needed: (1) the session program is modified to initialize the capability state and the role and domain attributes of user processes; (2) the kernel process data structure is modified to add the role identifier the current process assumes and the DTE domain identifier it has entered; (3) a new capability inheritance mechanism related to the current process's role, DTE domain and executed program is provided in the kernel (the concrete implementation is explained with Fig. 2): when a subject process calls exec to execute a program, this new inheritance mechanism first computes the capability state of the resulting process, which determines the process's current privileged abilities.
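As an added illustration (not the patent's own code or any kernel implementation), the following Python model plays through step S5 and steps S9 to S12 above together with the Fig. 1 mappings: the login check on the U-R and R-D assignments, the exec-time capability computation with an optional domain transition, the modification-time replacement check on program files, and the capability decision. All policy values, user, role, domain and file names, the initial-state rule and the rule for refusing a transition are constructed assumptions, and where the text's "current process" is ambiguous for the effective set, the newly computed permitted set is used.

```python
# Toy model of the role / DTE-domain / program-file capability scheme: an added
# illustration, not the patent's code; all policy values are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed capability bits of a 64-bit mask; the first two names appear in the text.
CAP_DAC_OVERRIDE = 1 << 0
CAP_MAC_READ = 1 << 1
CAP_NET_ADMIN = 1 << 2


@dataclass
class Role:
    caps: int                    # role capability value (R-C mapping)
    domains: FrozenSet[str]      # domains the role may enter (R-D mapping)


@dataclass
class Domain:
    caps: int                    # domain capability value (D-C mapping)
    exec_to: FrozenSet[str]      # domains reachable by EXEC transition (D-D mapping)


@dataclass
class ProgramFile:
    permitted: int               # maximum permitted set (F-C mapping)
    inheritable: int
    effective: int
    entry_domain: Optional[str]  # set when the file is a domain's entry program


@dataclass
class Process:
    role: str
    domain: str
    permitted: int
    inheritable: int
    effective: int


# Constructed policy tables; each file entry also carries the modification
# time recorded for that file in the configuration file.
USERS = {"alice": frozenset({"netadmin"}), "bob": frozenset({"user"})}
ROLES = {
    "netadmin": Role(CAP_NET_ADMIN | CAP_DAC_OVERRIDE | CAP_MAC_READ,
                     frozenset({"user_d", "net_d"})),
    "user": Role(0, frozenset({"user_d"})),
}
DOMAINS = {
    "user_d": Domain(0, frozenset({"net_d"})),
    "net_d": Domain(CAP_NET_ADMIN | CAP_DAC_OVERRIDE, frozenset()),
}
FILECAPS = {
    "/sbin/ifconfig": (ProgramFile(CAP_NET_ADMIN | CAP_DAC_OVERRIDE,
                                   CAP_NET_ADMIN | CAP_MAC_READ,
                                   CAP_NET_ADMIN, "net_d"), 1000),
    "/bin/sh": (ProgramFile(0, (1 << 64) - 1, 0, None), 500),
}


def session_allowed(user: str, role: str, domain: str) -> bool:
    """Step S5 check: the role must be one the user may assume and the
    domain one that role may enter."""
    return role in USERS.get(user, frozenset()) and domain in ROLES[role].domains


def login(user: str, role: str, domain: str) -> Process:
    """Session program: verify the assignment, then set the initial state.
    Assumption: all three sets start as role caps AND domain caps."""
    if not session_allowed(user, role, domain):
        raise PermissionError(f"{user}/{role}/{domain} is not an allowed assignment")
    initial = ROLES[role].caps & DOMAINS[domain].caps
    return Process(role, domain, initial, initial, initial)


def load_program(path: str, actual_mtime: int) -> ProgramFile:
    """Step S11: fetch the file's capability state; a modification time that
    disagrees with the configured one means the file was replaced, so its
    capability attributes are cleared."""
    prog, configured_mtime = FILECAPS[path]
    if actual_mtime != configured_mtime:
        return ProgramFile(0, 0, 0, prog.entry_domain)
    return prog


def exec_program(proc: Process, path: str, actual_mtime: int) -> Process:
    """Steps S9-S12: optional domain transition, then the capability
    computation: inheritable = F_i & P_i; permitted = (F_p | P_i) limited to
    role and domain caps; effective = F_e & new permitted."""
    prog = load_program(path, actual_mtime)
    domain = proc.domain
    # Transition only via an entry program, along a configured D-D edge, and
    # into a domain the role may enter (assumed rule); otherwise stay put.
    if (prog.entry_domain is not None
            and prog.entry_domain in DOMAINS[proc.domain].exec_to
            and prog.entry_domain in ROLES[proc.role].domains):
        domain = prog.entry_domain
    bound = ROLES[proc.role].caps & DOMAINS[domain].caps
    inheritable = prog.inheritable & proc.inheritable
    permitted = (prog.permitted | proc.inheritable) & bound
    effective = prog.effective & permitted   # assumes "current" means the new state
    return Process(proc.role, domain, permitted, inheritable, effective)


def check(proc: Process, wanted: int) -> bool:
    """Capability decision (K21): allow a restricted operation or override
    access only when every requested capability is in the effective set."""
    return (proc.effective & wanted) == wanted
```

Running the model shows the least-privilege effect: an administrator's shell starts with no capabilities, the network entry program gains only CAP_NET_ADMIN after transitioning into its domain, a shell spawned from it drops back to nothing, and a replaced binary gets no capabilities at all.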
Fig. 2 shows the architecture of the privilege control module in the secure LINUX operating system. The concrete implementation steps of the technical scheme are as follows:
1. Implement the module architecture. The design adopts the general access control framework (LSM), which supports dynamically loaded security modules, and adds a privilege control module. The module supports the new extended security system interfaces K11 (the management interfaces for process, role, domain and program capabilities), modifies the system's original security system interfaces K12 (such as the READ and WRITE operations) and the execute-type system interfaces K13 (such as EXEC and EXECL), and invokes the security HOOK functions, so that the least-privilege policy decision of the invention is separated from policy enforcement.
2. Implement several key functions of least-privilege control in the kernel layer:
(1) Implement the capability decision function K21 in the privilege control module. It decides, from the effective capability set of the current process, whether the requested privilege is allowed or denied; before every override access or restricted operation performed in the system, this decision function must be called to rule on the requested privileged behaviour.
(2) Implement a new capability calculation function K22 in the privilege control module. Each time a subject executes (EXEC) a program, calling this function yields the appropriate privilege needed to complete the program's function. The capability calculation that LINUX itself supports for a subject process grants it all privileges or none, depending on whether its effective user ID is 0 or non-0; the design instead implements an improved calculation that does not depend on the user ID of the subject process but combines the capability attributes of the executed program file, the subject role and the subject domain:
The new inheritable capability set is the intersection of the program file's inheritable capability set and the inheritable capability set of the subject process executing it;
The new permitted capability set is the union of the program file's maximum permitted capability set and the current process's inheritable capability set, further restricted to a subset of the capabilities of the subject role and the subject domain;
The new effective capability set is the intersection of the program file's effective capability set and the maximum permitted capability set of the current process.
(3) Besides the maintenance and management interfaces and functions for process capability attributes that LINUX itself supports (SYS_CAPSET and SYS_CAPGET), the design also implements in the privilege control module, through the kernel security system call, the system functions and interfaces for managing and maintaining the process capability-related attributes K0, the program file capability table K31, the role capability table K32 and the DTE domain capability table K33.
3. Implement application-layer management. The management commands A12 in the figure cover user management, role management, DTE domain management and program file authorization management; they are used to create and maintain the configuration files A11 related to the system privilege policy, and to dynamically configure and maintain the kernel-layer capability tables K31, K32 and K33.
4. Implement system initialization and privilege access control. A13 in the figure includes the session program, such as the LOGIN program in the LINUX system, which must ensure that only a legal user logs in, and only with a role and subject domain permitted by the system; in the process it assigns the initial process its security attributes, such as the appropriate role, domain and initial capabilities, so that the process can perform effective capability decisions and capability calculations during its lifetime. A13 also includes the applications in the system that need to call the security interfaces; before each of their executions the capability calculation is performed first, so that they obtain the appropriate privilege to carry out the relevant override access or restricted operation.
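The following Python model is added here as an illustration and is not code from the patent or from its LINUX implementation. It carries the three K22 rules above through on constructed inputs, using integer bitmasks for the capability sets (as the kernel does, so & and | are set intersection and union), and adds the timestamp check described for replaced program files in the F-C table. The names (Cap, CapState, FileCaps, lookup_file_caps, exec_caps) and the capability values are assumptions. One reading choice is labelled in the code: the page says the new effective set is the file's effective set intersected with "the maximum permitted set of the current process"; the example takes that as the newly computed permitted set, which is the POSIX 1003.1e draft form pE' = fE & pP'.

```python
"""Exec-time capability calculation (K22) and the F-C table lookup with the
file-replacement check.  Added example, not code from the patent; Cap, CapState,
FileCaps and the function names are assumptions.  Capability sets are integer
bitmasks, as the kernel stores them, so & and | are set intersection/union."""
from dataclasses import dataclass
from enum import IntFlag


class Cap(IntFlag):
    """A small illustrative fine-grained split of root's privilege (step S1);
    the values are not the kernel's CAP_* numbers."""
    DAC_OVERRIDE = 1 << 0   # bypass DAC read/write/execute checks
    MAC_OVERRIDE = 1 << 1   # bypass MAC policy (hypothetical name)
    CHOWN = 1 << 2
    NET_ADMIN = 1 << 3
    SYS_MODULE = 1 << 4
    SYS_BOOT = 1 << 5


NONE = Cap(0)


@dataclass(frozen=True)
class CapState:
    """POSIX-style capability state: inheritable, permitted, effective."""
    inheritable: Cap
    permitted: Cap
    effective: Cap


@dataclass(frozen=True)
class FileCaps:
    """One entry of the program-file capability table (F-C mapping); mtime is
    the file timestamp recorded when the entry was configured."""
    state: CapState
    mtime: int


EMPTY = CapState(NONE, NONE, NONE)


def lookup_file_caps(table, path, current_mtime):
    """Return the program file's capability state, or an empty state when the
    file has no entry or its timestamp no longer matches the configured one:
    a program swapped in under the same name contributes nothing."""
    entry = table.get(path)
    if entry is None or entry.mtime != current_mtime:
        return EMPTY
    return entry.state


def exec_caps(proc, prog, role_caps, domain_caps):
    """Capability state of the process after exec, following the three rules
    given for K22.  Assumption: the 'permitted set of the current process' in
    the effective rule is read as the newly computed permitted set, i.e. the
    POSIX 1003.1e draft form pE' = fE & pP'."""
    new_i = prog.inheritable & proc.inheritable
    new_p = (prog.permitted | proc.inheritable) & role_caps & domain_caps
    new_e = prog.effective & new_p
    return CapState(new_i, new_p, new_e)


def demo():
    """Constructed scenario: a shell with NET_ADMIN inheritable runs passwd,
    whose file entry grants CHOWN and DAC_OVERRIDE, under a role that allows
    only CHOWN and NET_ADMIN.  Returns the result for the genuine file and for
    a replaced file (mismatched mtime)."""
    table = {
        "/usr/bin/passwd": FileCaps(
            CapState(inheritable=NONE,
                     permitted=Cap.CHOWN | Cap.DAC_OVERRIDE,
                     effective=Cap.CHOWN | Cap.DAC_OVERRIDE),
            mtime=1114646400),
    }
    shell = CapState(inheritable=Cap.NET_ADMIN,
                     permitted=Cap.NET_ADMIN, effective=NONE)
    role_caps = Cap.CHOWN | Cap.NET_ADMIN
    domain_caps = Cap.CHOWN | Cap.DAC_OVERRIDE | Cap.NET_ADMIN
    genuine = lookup_file_caps(table, "/usr/bin/passwd", 1114646400)
    replaced = lookup_file_caps(table, "/usr/bin/passwd", 1114650000)
    return (exec_caps(shell, genuine, role_caps, domain_caps),
            exec_caps(shell, replaced, role_caps, domain_caps))


if __name__ == "__main__":
    for label, state in zip(("genuine", "replaced"), demo()):
        print(label, state)
```

Running it shows DAC_OVERRIDE, although granted by the passwd entry, being dropped because the role does not hold it, and a file whose timestamp differs from the configured one contributing nothing, so the process keeps only what it inherited. A modification time is a weak integrity check: anyone who can write the file can also reset its timestamp with utime(2), so a practitioner would pair this rule with a content hash or keep the configured programs on an immutable, root-owned file system.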
Fig. 3 shows the flow of the concrete privilege control policy and method implemented in the secure LINUX operating system. The steps are as follows:
Step S1: Against the security requirements of the system, divide the superuser's privilege into a fine-grained set of capabilities. Capabilities are the concrete expression of privileged abilities; for example, when the system implements discretionary access control (DAC) and mandatory access control (MAC), the read, write and execute permissions that override DAC and MAC policy control are defined and represented by corresponding capabilities. The capability set supported by the invention is defined consistently with the POSIX standard requirements.
Step S2: Find and determine the security-related system calls, and perform the necessary capability checks within them. The invention first identifies the security-related system calls in the operating system, including those that perform restricted operations and override accesses, such as the SYS_MOUNT and SYS_READ system calls in LINUX; then determines, from the security function each such system call performs, which concrete capabilities it requires; finally, adds the necessary capability check before the corresponding security function executes within that system call: when the access control policy denies the access, it checks whether the executing subject holds the designated capability, allowing if so and denying otherwise.
Step S3: Determine the capability state of trusted management programs and trusted applications. The invention first determines which trusted management programs and trusted applications exist in the system: trusted management programs are programs and commands run on the administrator's responsibility, such as the reboot and insmod commands in LINUX; trusted applications are programs available to users that bear on system security, such as the passwd command. Then, by inspecting the source code of the trusted programs and by trace-debugging the trusted processes, it determines the sequence of security-related system calls each trusted program makes. Finally, from the capabilities of the security system calls analysed in step S2 and the POSIX definition of program file capability state, it determines the values of each trusted program's maximum permitted capability set, effective capability set and inheritable capability set, and creates the corresponding configuration file with the program file capability management command.
Step S4: Use the newly provided management commands to configure the capability attribute values of the default roles and domains and the assignment relations among users, roles and domains. The invention first determines, according to the principle of least privilege, the roles that must be configured by default to achieve separation of duty in the system and the domains that must be configured by default to isolate trusted from untrusted functions; then determines the capability attribute value of each role and domain from the role's duties and the domain's function and from the capabilities of the trusted management programs or trusted applications they are responsible for; finally, from the requirements of duty separation and function isolation, determines the assignment relations among users, roles and domains, comprising user-role (U-R), role-domain (R-D) and domain transition (D-D) relations, together with two kinds of constraint: mutually exclusive roles and mutually exclusive domains.
Step S5: Use the new session program to verify the login user's security attributes and set the initial capability state of the process. The invention first adds a new identification and authentication scheme so that the new session program (such as the LOGIN program) verifies not only the session requester's username and password but also the security attributes defined by the invention, namely role and domain: it ensures that the designated role is one the user is allowed to assume and that the designated domain is one the role is allowed to enter. Then the session program reads the attributes of the designated role and domain from the corresponding policy configuration files, including the identifiers and capability attribute values of the role and domain. Next, from the capability attribute values of the role and domain and the POSIX definition of process capability state, it sets the initial capability state of the process, comprising its inheritable capability set, maximum permitted capability set and effective capability set; and from the identifier values of the role and domain, it sets the initial role and domain identifiers of the process.
Step S6: Determine whether the next operation the process performs is a call to the execve() system call or a request to perform a security-related operation. In the invention, when the process calls execve() it performs the capability calculation or a domain transition; otherwise it calls the capability decision function through the capability checks analysed in step S2 to determine whether it is allowed to perform the security-related operation.
Step S7: Determine whether the process holds the capability for the requested restricted operation or override access. Before a process performs a security-related operation (a restricted operation or an override access), it first passes an authorization check, that is, it asks the capability decision module for a decision on whether it has the corresponding ability. The capability decision module checks whether the capability for the requested behaviour is present in the executing process's effective capability set: if so, it authorizes the execution; if not, it stops the behaviour.
Step S8: Perform the restricted operation or override access. A process begins a restricted operation or override access, including operations on and accesses to the kernel's privilege policy library, only when step S7 has determined that it is authorized.
Step S9: Determine whether the program file about to be executed is an entry program that realizes a domain transition. The invention decides whether the program executed by the execve() system call is the entry program of a new domain; if so, a domain transition is performed according to the domain transition relations permitted by the policy configuration; if not, the domain is kept unchanged.
Step S10: Perform a secure domain transition against the policy configuration and retrieve the capability state of the new domain. Before performing a secure domain transition, the system first determines whether the entry program identified in step S9 performs an automatic (auto) domain transition or an execute (exec) domain transition. For an exec domain transition, the user must explicitly name the new domain to switch into, and the system verifies that the transition from the current domain to the named domain conforms to the policy rules. If the domain transition succeeds, the capability value of the new domain is retrieved from the kernel policy library and takes part in the capability calculation of step S12.
Step S11: Retrieve the capability state of the program file. Before a process completes the execve() system call, it first retrieves the program file's capability state from the kernel policy library, comprising the three capability sets determined for it in step S3: the maximum permitted capability set, the inheritable capability set and the effective capability set, which take part in the capability calculation of step S12.
Step S12: Compute the new process capability state value according to the capability calculation method given in Fig. 2. If no domain transition took place, the system computes the new process capability state from the capability state of the current process, that of the program file, and the capability states of the process's original role and domain; if a domain transition succeeded, then besides the capability states of the current process and the program file, the capability state of the new domain takes part in the calculation, while the role's capability state remains unchanged.
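The policy side of steps S4, S5, S7, S9 and S10 is modelled below in Python as an added example; it is not the patent's code, and every name in it is an assumption. It holds the U-R, R-D and D-D relations with the two mutual-exclusion constraints, performs the role/domain check the session program makes after password verification, implements the K21 decision against the effective set, and distinguishes auto from exec domain transitions. Capability sets are frozensets of names here; the exec-time set arithmetic of step S12 is a separate concern and is not repeated.

```python
"""Policy model for steps S4, S5, S7, S9 and S10.  Added example, not the
patent's code; all names are assumptions.  Capability sets are frozensets of
capability names."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    user_roles: dict       # U-R: user -> roles the user may assume
    role_domains: dict     # R-D: role -> domains the role may enter
    role_caps: dict        # role -> capability set
    domain_caps: dict      # domain -> capability set
    transitions: dict      # D-D: (from_domain, entry_program) -> (to_domain, "auto" | "exec")
    mutex_roles: set = field(default_factory=set)    # pairs of roles that exclude each other
    mutex_domains: set = field(default_factory=set)  # pairs of domains that exclude each other

    def validate(self):
        """Reject a configuration that gives one user two mutually exclusive
        roles, or one role two mutually exclusive domains (step S4 constraints)."""
        for user, roles in self.user_roles.items():
            if any(a in roles and b in roles for a, b in self.mutex_roles):
                raise ValueError(f"user {user}: mutually exclusive roles")
        for role, doms in self.role_domains.items():
            if any(a in doms and b in doms for a, b in self.mutex_domains):
                raise ValueError(f"role {role}: mutually exclusive domains")


@dataclass
class Subject:
    user: str
    role: str
    domain: str
    effective: frozenset


def login(policy, user, role, domain):
    """Step S5, after the password check: the role must be one the user may
    assume and the domain one the role may enter.  The initial effective set
    is what both the role and the domain grant."""
    if role not in policy.user_roles.get(user, ()):
        raise PermissionError(f"{user} may not assume role {role}")
    if domain not in policy.role_domains.get(role, ()):
        raise PermissionError(f"role {role} may not enter domain {domain}")
    return Subject(user, role, domain, policy.role_caps[role] & policy.domain_caps[domain])


def decide(subject, required_cap):
    """Step S7 (K21): an override access or restricted operation is allowed
    only if its capability is in the subject's effective set."""
    return required_cap in subject.effective


def domain_transition(policy, subject, program, requested=None):
    """Steps S9/S10.  If program is an entry program for the current domain,
    return (new_domain, its capability set); otherwise the domain is unchanged.
    An 'exec' transition requires the caller to name the target domain and it
    must match the D-D rule; an 'auto' transition needs no request.  The role
    is never changed here (step S12)."""
    rule = policy.transitions.get((subject.domain, program))
    if rule is None:
        return subject.domain, policy.domain_caps[subject.domain]
    target, kind = rule
    if kind == "exec" and requested != target:
        raise PermissionError(f"transition {subject.domain} -> {requested!r} not permitted")
    return target, policy.domain_caps[target]


def demo():
    """Constructed policy with an administrator (alice) and an ordinary user (bob)."""
    policy = Policy(
        user_roles={"alice": {"sysadm_r"}, "bob": {"user_r"}},
        role_domains={"sysadm_r": {"sysadm_d", "insmod_d"}, "user_r": {"user_d", "passwd_d"}},
        role_caps={"sysadm_r": frozenset({"SYS_MODULE", "SYS_BOOT", "DAC_OVERRIDE"}),
                   "user_r": frozenset({"CHOWN"})},
        domain_caps={"sysadm_d": frozenset({"SYS_BOOT", "DAC_OVERRIDE"}),
                     "insmod_d": frozenset({"SYS_MODULE"}),
                     "user_d": frozenset(),
                     "passwd_d": frozenset({"CHOWN", "DAC_OVERRIDE"})},
        transitions={("sysadm_d", "/sbin/insmod"): ("insmod_d", "auto"),
                     ("user_d", "/usr/bin/passwd"): ("passwd_d", "exec")},
        mutex_roles={("sysadm_r", "secadm_r")},
        mutex_domains={("sysadm_d", "user_d")},
    )
    policy.validate()
    alice = login(policy, "alice", "sysadm_r", "sysadm_d")
    bob = login(policy, "bob", "user_r", "user_d")
    out = {
        "alice_reboot": decide(alice, "SYS_BOOT"),     # role and domain both grant it
        "alice_insmod": decide(alice, "SYS_MODULE"),   # role grants it, sysadm_d withholds it
        "alice_auto": domain_transition(policy, alice, "/sbin/insmod")[0],
        "bob_named": domain_transition(policy, bob, "/usr/bin/passwd", "passwd_d")[0],
        "bob_stay": domain_transition(policy, bob, "/bin/ls")[0],
    }
    attempts = (("bob_unnamed", lambda: domain_transition(policy, bob, "/usr/bin/passwd")),
                ("bob_as_sysadm", lambda: login(policy, "bob", "sysadm_r", "sysadm_d")))
    for key, call in attempts:
        try:
            call()
            out[key] = "allowed"
        except PermissionError:
            out[key] = "denied"
    return out
```

The point the model makes is that a capability the role holds (SYS_MODULE for sysadm_r) is still unusable until the process enters a domain that also grants it, which in this policy happens only through the insmod entry program; the exec-style transition into passwd_d is refused unless the caller names that exact target, so an entry program cannot be used to drift into an unintended domain.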

Claims (6)

1. A method for realizing least-privilege control in a secure operating system, characterized in that the method comprises:
Step S1: against the security requirements of the system, dividing the superuser's privilege into a fine-grained set of capabilities;
Step S2: finding and determining the security-related system calls in the operating system, and performing the necessary capability checks within the system calls;
Step S3: determining the capability state of trusted management programs and trusted applications;
Step S4: using the newly provided management commands to configure the capability attribute values of default roles and domains and the assignment relations among users, roles and domains;
Step S5: verifying the login user's security attributes and setting the initial capability state of the process by means of a new session program, specifically comprising: first adding a new identification and authentication scheme so that the new session program verifies not only the session requester's username and password but also the role the user belongs to and the domain the role belongs to, ensuring that the designated role is one the user is allowed to assume and the designated domain is one the role is allowed to enter; then having the session program read the attributes of the designated role and domain from the corresponding policy configuration files, including the identifiers and capability attribute values of the role and domain; then, from the capability attribute values of the role and domain and the POSIX definition of process capability state, setting the initial capability state of the process, comprising its inheritable capability set, maximum permitted capability set and effective capability set; and from the identifier values of the role and domain, setting the initial role and domain identifier values of the process;
Step S6: determining whether the next operation the process performs is a call to the execve() system call or a request to perform a security-related operation; if it calls the execve() system call, performing the capability calculation or performing a domain transition; otherwise, if it requests a security-related operation, calling the capability decision function through the capability check to determine whether it is allowed to perform the security-related operation;
Step S7: determining whether the process holds the capability for the requested restricted operation or override access: before the process performs a restricted operation or override access, it first passes an authorization check to determine whether it has the corresponding ability; the capability decision module checks whether the capability for the requested behaviour is present in the executing process's effective capability set; if so, it authorizes the execution; otherwise, it stops the behaviour;
Step S8: performing the restricted operation or override access;
Step S9: determining whether the program file about to be executed is an entry program that realizes a domain transition; if so, performing the domain transition; otherwise, keeping the domain unchanged;
Step S10: performing the secure domain transition against the policy configuration and retrieving the capability state of the new domain;
Step S11: retrieving the capability state of the program file;
Step S12: computing the new process capability state value according to the capability calculation method provided in the system, specifically comprising: if no domain transition took place, computing the new process capability state from the capability state of the current process, that of the program file, and the capability states of the process's original role and domain; if a domain transition succeeded, then besides the capability states of the current process and the program file, also including the capability state of the new domain in the capability calculation, while the role's capability state remains unchanged.
2. The method for realizing least-privilege control in a secure operating system according to claim 1, characterized in that step S2 comprises:
finding the security-related system calls in the operating system, determining from the security function each such system call performs the concrete capabilities it requires, and performing the necessary capability check before the security function corresponding to the system call is executed.
3. The method for realizing least-privilege control in a secure operating system according to claim 1, characterized in that step S3 comprises:
first determining which trusted management programs and trusted applications exist in the system; then, by inspecting the source code of the trusted management programs or trusted applications and by trace-debugging the trusted processes, determining the sequence of security-related system calls each trusted program makes; finally, from the capabilities of the security system calls analysed in step S2 and the POSIX definition of program file capability state, determining the values of the trusted program's maximum permitted capability set, effective capability set and inheritable capability set, and creating the corresponding configuration file with the program file capability management command.
4. The method for realizing least-privilege control in a secure operating system according to claim 1, characterized in that step S4 comprises:
first determining, according to the principle of least privilege, the roles that must be configured by default to achieve separation of duty in the system and the domains that must be configured by default to isolate trusted from untrusted functions; then determining the capability attribute value of each role and domain from the role's duties and the domain's function and from the capabilities of the trusted management programs or trusted applications they are responsible for; finally, from the requirements of duty separation and function isolation, determining the assignment relations among users, roles and domains, comprising the user-role relation U-R, the role-domain relation R-D and the domain transition relation D-D, together with two kinds of constraint: mutually exclusive roles and mutually exclusive domains.
5. The method for realizing least-privilege control in a secure operating system according to claim 1, characterized in that the retrieval of the program file's capability state in step S11 comprises:
the process first retrieving the program file's capability state from the kernel policy library before executing the execve() system call function, the retrieved capability state comprising the maximum permitted capability set, the inheritable capability set and the effective capability set.
6. The method for realizing least-privilege control in a secure operating system according to claim 1, characterized in that
the division into a fine-grained set of capabilities in step S1 is defined consistently with the requirements of the portable operating system interface (POSIX) standard;
the restricted operation or override access in step S8 includes operations on and accesses to the kernel's privilege policy library for the purpose of updating it.
Application CNB2005100116456A, priority and filing date 2005-04-28: Strategy and method for realizing minimum privilege control in safety operating system. Granted as CN100401223C. Status: Expired - Fee Related.

Publications (2)

Publication Number, Publication Date
CN1854961A (application), 2006-11-01
CN100401223C (granted patent), 2008-07-09

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101615236B (en) * 2009-07-24 2011-07-20 北京工业大学 Constructing method for trusted application environment based on mandatory access control technology
CN102034052B (en) * 2010-12-03 2014-04-16 北京工业大学 Operation system architecture based on separation of permissions and implementation method thereof
CN102043927B (en) * 2010-12-29 2013-04-10 北京深思洛克软件技术股份有限公司 Data divulgence protection method for computer system
CN102592076B (en) * 2011-12-20 2015-01-07 北京神州绿盟信息安全科技股份有限公司 Data tamper-proof method and device
CN103020512B (en) * 2012-11-26 2015-03-04 清华大学 Realization method and control system for safe control flow of system
CN104484594B (en) * 2014-11-06 2017-10-31 中国科学院信息工程研究所 A kind of franchise distribution method of the Linux system based on capability mechanism
CN106295319B (en) * 2016-08-02 2019-07-19 中标软件有限公司 Operating system safety protecting method
CN107871077B (en) * 2016-09-27 2021-06-15 斑马智行网络(香港)有限公司 Capability management method and device for system service and capability management method and device
CN106557699A (en) * 2016-11-11 2017-04-05 大唐高鸿信安(浙江)信息科技有限公司 Operating system security strengthening system based on powers and functions module
CN107103230A (en) * 2017-04-24 2017-08-29 深信服科技股份有限公司 A kind of authority control method and system
CN107315950B (en) * 2017-05-03 2020-10-09 北京大学 Automatic division method for minimizing authority of cloud computing platform administrator and access control method
CN107643982A (en) * 2017-09-13 2018-01-30 北京元心科技有限公司 The ability detection method and device of program process
CN110598393B (en) * 2018-06-12 2022-02-08 杨力祥 Safe user architecture and authority control method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH1115549A (en) * 1997-06-26 1999-01-22 Hitachi Ltd Security check system with operator operation
EP1035462A1 (en) * 1999-03-08 2000-09-13 Software Ag Method for checking user access
CN1493995A (en) * 2002-11-02 2004-05-05 华为技术有限公司 Method of control system safety management

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
* Wang Yu (王瑜). Design and implementation of identification and authentication and access control mechanisms for a secure operating system. Master's thesis, Graduate School of the Chinese Academy of Sciences, 2004.
* Ji Qingguang (季庆光). Research on the formal design of high-security-level operating systems. Doctoral thesis, Graduate School of the Chinese Academy of Sciences, 2004.

Legal Events

Code, Event
C06, Publication
PB01, Publication
C10, Entry into substantive examination
SE01, Entry into force of request for substantive examination
C14, Grant of patent or utility model
GR01, Patent grant
C17, Cessation of patent right
CF01, Termination of patent right due to non-payment of annual fee

Granted publication date: 20080709

Termination date: 20140428