RU2583757C2 - System for session-based control of access to created files - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to means of protection from unauthorised access to information. System for session control access to created files comprises a resolver, an automatic file tagging unit for storing file access rules, a unit for selecting session users file attribute storage unit, wherein first input of resolver is connected to first input of system with automatic file tagging unit first input with its second input is connected to third input of system, first output is connected to first input of a file attribute storage unit, output of which is connected to third input of automatic marking files, second output of which is connected with second input of file attribute storage, third output of automatic file tagging is connected to first input of storage file access rules, its second input to second input of system, third input is connected to first output of resolver, its second input to output of storage file access rules second output of resolver is connected to output of system, input/output of session selection by users is connected to input/output of system, input to fourth input of system, output to third input of resolver, to fourth input of automatic file tagging.

EFFECT: technical result consists in providing session access control to files.

1 cl, 2 dwg, 1 tbl

Description

The invention relates to the field of computer technology, and in particular to the field of protection against unauthorized access (unauthorized access) to information created and stored in computer systems (CS).

One of the key tasks of protecting information processed in the CS is the implementation of access control (delimiting access policy) to file objects, which can be designed both for storing information processed on a computer - created files, and for storing system objects - executable files and files OS and application settings - system files.

Analysis of literary sources allows us to note the following. Despite the fact that the most urgent modern task of access control is to implement a delimiting policy of access to information between access entities (the access subject is generally determined by the user’s account information and the process name (the full path name of the process executable file), in practice, the access of subjects to objects is differentiated. .e. the primary object when assigning access rights delimitation in known access control methods is an object, access rights of subjects are delimited to it. The main contradiction in such decisions consists in the following: there are simply no files created when the administrator defines a differentiated access policy, they are created later, during the system’s functioning. these are those objects (primarily files) that, in the first place, need protection against unauthorized access, since it is they that contain the protected information processed in the CS.

In known methods, the implementation of access control to static and to created file objects does not differ. In any case, access control is implemented to static (created prior to the system administration - assigning access rights to subjects 'objects) objects by assigning attributes to an object (subjects' access rights to objects). There are two possibilities for assigning rights. The first consists in solving the task of setting access rights to the created object indirectly, by including in the system at the time of setting the differentiation policy of access the corresponding static inclusive objects - folders (a kind of "containers"), access to which the subjects are differentiated by the administrator, including creating in them new objects. At the same time, the user is “forced” to create new file objects (files) only in those folders (containers) that are specially created for these purposes by appropriate delineations. The created file objects inherit access control from the corresponding inclusive objects.

As you can see, in this case access to the created objects (files) is not carried out as such, the file generally “disappears” as an entity from the delimiting access policy - it uses two entities - the access subject and the specially created container - the access object (folder). This approach implies the additional creation by the administrator of an inclusive object (with the assignment of access rights to subjects for it) for each subject (group of equal subjects) of access, which in itself is a complex administrative task. The task of administration is complicated many times if the subject of access should be not only an account, but also the process (application) itself, without which effective protection cannot be created in modern conditions.

The second possibility is to use the “Ownership” entity in the access control policy provided by modern universal operating systems, the essence of which is that the user who created the object (the “Owner” of the object) is empowered to differentiate access rights to this object for other users. In this case, despite the fact that again access rights in the form of attributes are ultimately assigned to a static object (the file is owned by the owner, after its creation - only after the file is created, the owner can assign access rights to this file), in a certain sense we can say on access control to the created files, since access rights to the created file are assigned by the owner user after the administrator sets the delimiting policy of access to objects. This is achieved due to the fact that the administration scheme itself is being changed, directly the way to set a differentiating policy - continuous administration is being implemented during the functioning of the system.

However, the administration functions are no longer assigned to the administrator, but directly to the user, which is unacceptable when building secure CAs in modern conditions, when an authorized user (insider) carries the most likely threat of unauthorized access to information processed on the CS.

Another opportunity to dramatically increase the level of protection is the implementation of session-based access control, which implies the implementation of a delimiting policy of access to resources between information processing sessions (modes), where the same user can work in different sessions (with different access rights to the same resources) . The rationale for the effectiveness of such access control, based on the developed probabilistic model of access control (the probability of attacks in different information processing sessions is fundamentally different), is presented in the work: Shcheglov K.A., Shcheglov A.Yu. Protection against attacks on application vulnerabilities. Access Control Models // Information Security Issues. - Moscow: VIMI, 2013 .-- Issue 101. - No. 2. - S. 36-43. As we see, for the implementation of session access control, the entity “session” should act as the subject of access — an entity for which access rights to resources are distinguished (in our case, file objects), and the user must be able to choose a session (mode) processing protected information, since in the general case he should be given the opportunity to work in various sessions with different access rights to resources, for example, in open and confidential.

Currently, various file access control systems are known.

So, for example, in application EPO N 0192243 (CL G06F 12/14, 1986) a method for protecting system files is described in which information defining the access rights of system users remains all the time in a secure processor. In the delimiting access policy, there are two entities - the subject and the access object, security labels must be assigned by the administrator and the subjects and access objects. The system does not allow implementing session control of access to file objects.

Patent No. 2134931 (class H04L 9/32, G06F 12/14) describes a method for providing access to objects in the operating system based on the assignment of security labels to subjects and access objects, while for each object of the operating system they are formed in advance and then stored in memory signal label of the object, i.e. access rights to objects assigned as security labels must again be assigned to administrators of static objects (folders). In the delimiting access policy, there are two entities - the subject and the access object, security labels must be assigned by the administrator and the subjects and access objects. The system does not allow implementing session control of access to file objects.

Closest to the technical solution and chosen by the authors for the prototype is a file access control system implemented in Microsoft Windows with the NTFS file system, which uses file attributes (in particular, Security Descriptor - to store file access rights (ACL) - this attribute contains information on file protection: ACL access list and audit field, which determines what kind of operations on this file should be registered) [M. Russinovich, D. Solomon. Microsoft Windows internal device. - St. Petersburg: Peter, 2005 - 992 p. (Chapter 8, Fig. 8.5. An example of checking access rights)].

The system is presented in figure 1. The file access control system contains a deciding unit 1, a file attribute storage unit 2, the first input of the deciding unit being connected to the first input of the system 3, the second input to the output of the file attribute storage unit 2, the first output to the first input of the file attribute storage unit 2 , the second output is with the output of system 4, the second input of the file attribute storage unit 2 is connected to the second input of system 5.

The system works as follows. The administrator or the “Owner” (the user who created the file) from the second input of the system 5 (from the input of setting the file access attributes) to the file attribute storage unit 2 sets the attributes (rights) of access to the files (to objects) of the entities in which for each file It indicates which entities have the right to access and which they are allowed to access the file (read, write, execute, rename, delete, etc.). When requesting access, which contains the name of the subject (the name of the user (account) and the name of the process requesting access, as well as the requested access rights - reading, writing, etc.) to the file, access request from the first input of system 3 ( from the input of the file access request) goes to the decisive block 1. To process the access request, the decisive block from the first output requests the file attributes storage block 2 for the attributes of the file to which access is requested, receives them at the second input and compares the requested file permissions with permitted file permissions specified in the file attributes. As a result of the comparison, the decisive unit issues a control signal to the output of system 4 (to the control output of the access permission / deny), allowing (if the request does not contradict the permissions) or rejecting the access requested from the system from the first input of system 3.

The disadvantage of the prototype is that it allows you to implement a delimiting policy of access to static objects (to objects created by the administrator before assigning access rights to folders), to files created in them only indirectly, through static objects - folders. The entire demarcation policy is implemented for two equal entities - the subject and the access object - access rights to the objects of the subjects are established. The practical ability to assign access rights to the files created by them by the owners does not allow building a secure CS; as a result, it should not be used in modern CSs - the user should be excluded from the administration (assignment of rights) file access rights scheme. All this limits the functionality of the file access control system and significantly complicates its administration. In addition, the prototype does not allow for session control of access to file objects, including created ones. The same user does not have the ability to work in different modes - with different delimitation of access rights to the same file objects in different sessions.

The present invention solves the problem of expanding the functionality of access control to files and simplifying the task of administering an access control system.

To achieve a technical result, a file access control system containing a decision block, a file attribute storage unit, the first input of the decision block is connected to the first input of the system, the second output to the system output, an automatic file markup block, an access rules storage block are added files, a session selection unit by users, the first input of the deciding unit connected to the first input of the automatic file markup unit, the second input of which connected to the third input of the system, the first output to the first input of the file attribute storage unit, the output of which is connected to the third input of the automatic file marking unit, the second input - with the second output of the automatic file marking unit, the third output of which is connected to the first input of the file access rule storage unit, the second input of which is connected to the second input system, the third input is with the first output of the decisive block, the second input of which is with the output of the file access rules storage block, the input / output of the session selection block by users is connected to the input / output of the system, input - with the fourth input of the system, the output - with the third input of the decisive block, with the fourth input of the block for automatic file marking.

New in the present invention is the provision of a file access control system with an automatic file markup unit, a file access rule storage unit, a session selection unit for users and their connections.

As a result of the analysis of the prior art by the applicant, including a search by patent and scientific and technical sources of information and identification of sources containing information about analogues of the claimed technical solution, no source was found characterized by features identical to all the essential features of the claimed technical solution. The determination from the list of identified analogues of the prototype as the closest analogue in terms of the totality of features made it possible to establish the set of distinguishing features essential to the applicant’s technical result of the claimed system of session control of access to the generated files. Therefore, the claimed technical solution meets the criterion of "novelty."

An additional search carried out by the applicant did not reveal known solutions containing features that match the distinctive features of the claimed system of session control of access to generated files that are distinct from the prototype. The claimed technical solution does not follow for the specialist explicitly from the prior art and is not based on a change in quantitative characteristics. Therefore, the claimed technical solution meets the criterion of "inventive step".

The set of essential features in the present invention made it possible to expand the functionality of access control to files, as well as simplify the task of administering the system.

As a result, we can conclude that:

- the proposed technical solution has an inventive step, because it does not explicitly follow from the prior art;

- the invention is new, since the prior art on available sources of information did not reveal analogues with a similar set of features;

- the invention is industrially applicable, as it can be used in all areas where implementation of access control (access rights delimitation) to files is required.

The invention is illustrated by the drawing shown in Fig.2.

The inventive system of session control of access to the generated files contains: a decisive block 1, an automatic file markup unit 2, a file access rule storage unit 3, a session selection unit by users 4, a file attribute storage unit 5, the first input of the deciding unit 1 being connected to the first input system 6, with the first input of the automatic file markup unit 2, the second input of which is connected to the third input of the system 9, the first output is with the first input of the file attribute storage unit 5, the output of which is connected to the third input of the machine file marking 2, the second output of which is with the second input of the file attribute storage unit 5, the third output of the automatic file marking unit 2 is connected to the first input of the file access rule storage unit 3, the second input of which is with the second input of the system 8, the third input is with the first output of the deciding unit 1, the second input of which is with the output of the file access rules storage block 3, the second output of the deciding unit 1 is with the output of system 7, the input / output of the session selection unit by users 4 is connected to the input / output of system 10, the input is with the fourth system input 11, output - with the third input of the decisive unit 1, with the fourth input of the automatic file markup unit 2.

Consider the operation of the session control system for access to created files.

From input 9 to block 2, the administrator sets the access to the files created in which session, by what subjects (under which accounts, by what processes), which should be controlled (delimited) - i.e. the access entity is defined by the following entity: “session, user name (SID), process name (full path name of the process executable file)”. All files created by these entities will be automatically marked out by the system when they are created - the attributes of the subject ("session, user name (SID), process name (full path name of the process executable file") that created file. If these users modify previously created files (not yet marked up) or files created by other entities (created files which are not marked up), they will also be marked in block 2 in the same way. From input 8 to block 3, the administrator sets access rules for marked up (created) files, for example, in the form of a table (or matrix) of access rules having the structure shown in Table. one.

Table 1 An example of the structure of a table (or matrix) of access rules N access rules The subject (session, user, process) that created the file (these files are automatically marked out) The subject (session, user, process) that has the right to access the created (marked up) file Permitted access rights to the created (marked up) file

The access subject in Table 1 is specified by listing the relevant components: name (designation) of the session, user name (SID), process name (full path name of the process executable file). In this case, the subject, when assigning access rules, is defined as follows - access in such and such a session, by such and such a user, by such and such a process.

Comment. In the "default" rules (this rule should be set automatically by the system), it is advisable to prohibit the execution of all files created by interactive users during the operation of the system, which is an effective way to protect against malicious programs.

From the input 11 of the system to block 4, the administrator sets the sessions in which users are allowed to work (for each user, the account sets the set of sessions in which he can work, or the maximum session level - security label (mandate), if the sessions can be ordered by levels of the hierarchy and implemented mandatory access control), as well as identification and authentication (password) user data, for subsequent identification and authentication of the user in the system to set him the current session.

Remark 1. An access subject is generally defined by the following entity: “session, user name (SID), process name (full-path name of the process executable file)”. In particular cases, some elements identifying the subject may not be used, for example, distinctions can be made only between sessions, or only for the subject “session, user”, or only “session, process”, etc.

Remark 2. When defining access subjects, rules can use masks and environment variables, for example, a mask * (All) can be used to set rules for any (all) sessions, any user, and any process.

Remark 3. When using hierarchical or non-hierarchical security labels, the elements of the subject, the session and the user can be assigned security labels - mandates, while the decisive unit 1, when analyzing the correctness of the access request (the consistency of the request to the given rules), performs arithmetic comparison of these labels for equality, more less - mandatory access control is implemented.

From the input / output of system 10, the user in block 4 sets the current session (after authentication and authentication, selects a session from the list specified for him by the administrator from the input of system 11, or not exceeding the maximum session level allowed for him when implementing mandatory access control), data on the current user session (identification signs of the user and the session selected by him) in the system are transferred to blocks 1 and 2.

At the same time, several users can work in the system (after identification and authentication and session selection, which can be carried out both locally and remotely) both in different and in the same sessions, which allows the task to be set in the system of the subject of access simultaneously by three entities: session, name user name (SID), process name (full path name of the process executable file). In this case, one user can select only one current session.

Upon receipt of input to the file access request system 6 (the request contains the user name, process name and the requested access right - write, read, etc. - this information is received in blocks 1 and 2), upon request from the first output of block 2 to the first input of block 5, from the output of block 5 to the third input of block 2, the attributes of the file to which access is requested are read (the file markup created by block 2 is the accounting information of the person who created this file). This data or information about the absence in the file attributes of the accounting information of the subject (the file was not marked up) that created the file is transferred by block 2 to block 3 - to the first input. If the file to which access is requested was not previously marked (its attributes do not contain the accounting information of the subject that created it) or a new file is created and the access request (to create, write, leading to file modification) comes from the controlled subject, the second output of block 2, the file to which access is requested is automatically marked out - the account information of the person who created / modified the previously unlabeled file is recorded in its attributes from the second input of block 5.

In block 3, the first input from the third output of block 2 receives the name of the access subject defined by block 2, who created the file to which access is made, or information that the file is not marked, i.e. access to it is not controlled. Based on this information, block 3, using the column of the access table (matrix), see Table 1, selects the appropriate access rules for the markup file to which access is requested. Upon request, from the first output of the decision block 1 by block 3, the appropriate access rules selected by it are issued to the second input of block 1, or information that the requested access (access to the requested file) is not controlled.

Comment. There can be several suitable rules in the general case, including due to the possibility of using masks. Suitable rules are determined by the consistency of the identifier of the access subject in the access matrix to the subject requesting access to the file.

An access request is received at the first input of the deciding unit 1 (the request contains the user name, process name and the requested access right - write, read, etc.), at the second input - access rules for the file to which access is requested, at the third input - an identification sign of the current session. The decision block 1, according to a more accurate description of the subject in the access matrix, from the rules transmitted to him by the rule block 3, selects the rule that most closely relates to the request. This rule is selected according to a more exact match of the subject's descriptor specified in the matrix with the identification features of the subject making the access request. For example, a session can be set by level (for example, confidential) or by a mask, for example * (All). If a user access request is carried out confidentially in the session, and there is a rule in the matrix that covers the analyzed access request (which falls under), this rule will be selected, otherwise the system will analyze the rule for the session specified by the mask * (All).

After choosing a rule, the decisive unit 1 analyzes the conformity of the access request to the file specified for it by the selected access rule, and as a result of this analysis it generates a control signal to the system output 7 (from the second output) that allows or denies the access requested from the system.

If it is necessary for the user to change the current session from the input / output of system 10, the user in block 4 sets the new (changes) the current session (after identification and authentication, selects a session from the list specified for him by the administrator from the input of system 11, or not exceeding the maximum level allowed for him) sessions when implementing mandatory access control), data on the current user session in the system (identification signs of the user and the session selected by him) are transferred to blocks 1 and 2, the corresponding The Laws of control (distinction) access - for the newly selected user session. At each moment of time, each user is uniquely compared by the system with the session selected by him.

Comment. Until the user selects the session from the input / output of the system 10 - the identifying attributes of the session are sent to blocks 1 and 2 by block 4, the system has access control rules for the "unselected session" mode. At the same time, the system works similarly to the description above, the access control rules for the “unselected session” mode are appropriately set by the administrator from inputs 8 and 9 of the system (in Table 1, in the rules set by the administrator for the “unselected session” mode in the access subject, the session is identified by the corresponding image - the corresponding identification sign of the absence of a session choice is used).

As you can see, the system administration steps are simple. The administrator sets once (during the installation of the system) rules in the form of a table (matrix) of access, which apply to all files created during the operation, wherever (in which folders) they are not created by users. Those. delimitations are established at the moment of the absence of created files and apply to all files created during the operation of the CS. The access object is excluded from the administration scheme - all distinctions are established exclusively between the subjects.

In addition, as we see, session control of access to the created files is implemented, in which the same user registered in the system, as well as the same process, can work in the CS in different modes (sessions) with different access rights to one and the same files created during the operation of the system, moreover, one or several users can work in the system at the same time, both in different and in the same sessions (the user cannot work simultaneously in several sessions).

Thus, the description of the system operation illustrates the achievement of the goal - the solution to the problem of expanding the functionality of access control to files, as well as simplifying the task of administering the system.

The invention is industrially applicable in terms of the possibility of technical implementation included in the system block automatic markup files and block storage rules for accessing files.

The technical implementation of the storage block for file access rules and the session selection block by users is a fairly standard solution for storing and processing data (access table (matrix)), user identification and authentication.

The technical implementation of the automatic file markup block depends on which file system and how the claimed solution interacts. Consider an example of a technical implementation when the system works with the Microsoft Windows NTFS file system (other technical implementations are possible here).

This decision was tested by the applicant when building a prototype of a means of information protection.

In order for the claimed system not to conflict with the delimitation policy implemented by the OS, the system does not directly use the attributes used by the OS to store data for automatic file marking. To store the file attributes created by the system that are used by the system to implement access control (for automatically writing / reading file markup credentials), the so-called "alternative data streams" are used.

An alternative stream is a memory area that is “rigidly” attached to a specific file and into which you can write, respectively, from which information can be read. An alternative stream can be deleted and deleted when the file for which it is created is deleted.

NTFS implemented and documented (described the native OS feature) support for alternative data streams (Alternate Data Streams) - it was added to NTFS for compatibility with the Macintosh HFS file system, which used a resource stream to store icons and other file information. Using alternative streams allows you to store data about the file discreetly from the user and not accessible by conventional means. Explorer and other applications work with a standard stream (file) and cannot read data from alternative streams.

Creating alternative threads is a documented opportunity. You can create them, for example, as follows from the command line. First you need to create a base file to which the stream will be attached.

Create a file: C: \> echo Just a plan text file> sample.txt

Next, using the colon as the operator, create an alternative stream:

C: \> echo You can’t see me> sample.txt: secret.txt

You can use the following commands to view the contents:

C: \ more <sample.txt: secret.txt

or

C: \ notepad sample.txt: secret.txt

If everything is done correctly, then we will see the text: You can’t see me, when you open it from the explorer this text will not be visible.

An alternative stream allows you to write an unlimited amount of information into it, while it is "rigidly" connected to the base file (to which the stream is attached) - it can be deleted and will be deleted only when the file is deleted.

Comment. Alternative data streams can be attached not only to a file, but also to a folder.

Thus, an alternative stream is a memory area that is “rigidly” connected with a specific file and can be written to, from which information can be read (by known, described methods), while data recorded in an alternative stream is stored secretly from the user and is not available by conventional means.

As a result, this documented feature - the described ability to create an alternative stream (protected from users) for a file, with the ability to store service information in it (for the claimed system - for storing file markup data), is described, technically feasible and can be used to implement the claimed technical solution that was tested by the applicant when creating a prototype of a means of information protection.

All used blocks are technically feasible and their implementation is achieved by standard means.

Thus, in the present invention solved the problem of expanding the functionality of access control to files and simplifying the task of administering an access control system. Given the current level of development of computer technology, it is technically feasible.

Claims (1)

A system for session control of access to the created files, containing a deciding unit that analyzes the correctness of the access request (consistency of the request with the given rules) to enable / disable the requested access request, a file storage unit, the first input of the deciding unit that analyzes the correctness of the access request (consistency of the request with the given the rules) in order to allow / prohibit the requested access request, connected to the first input of the system, the second output - to the output of the system, characterized in what is additionally introduced into it: a block for automatic file marking, a block for storing file access rules, a block for users to select a session, and the first input of the deciding block that analyzes the correctness of the access request (consistency of the request to the given rules) in order to allow / deny the requested access request is connected to the first input of the automatic file markup unit, the second input of which is connected to the third input of the system, the first output - with the first input of the file attribute storage unit, the output of which is connected to the input of the automatic file markup unit, the second input is with the second output of the automatic file markup unit, the third output of which is connected to the first input of the file access rule storage unit, the second input of which is connected to the second input of the system, the third input - with the first output of the decision unit, analyzing the correctness of the access request (consistency of the request to the given rules) in order to allow / prohibit the requested access request, the second input of which is with the output of the file access rules storage block, input / you the session selection block is connected by users to the input / output of the system, input - to the fourth input of the system, output - to the third input of the decision block, which analyzes the correctness of the access request (consistency of the request to the specified rules) in order to allow / deny the requested access request, with the fourth input of the block automatic file markup.

Images