CN109753819B - Method and device for processing access control policy - Google Patents

Info

Publication number: CN109753819B
Application number: CN201811653828.1A
Authority: CN (China)
Prior art keywords: access control, expression, rule, policy, object information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109753819A
Inventor: 周国华
Current assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd


Abstract

The invention discloses a method and a device for processing an access control policy. The method comprises the following steps: defining the object information that participates in operations in the access control policy; constructing an access control policy for the object information according to a predetermined construction rule, where the policy comprises a policy declaration part, a policy decision expression, an access control rule list and a policy disposition expression, each access control rule in the rule list comprises a rule decision expression and a rule disposition expression, a decision expression is a logical expression, and a disposition expression is a code command; performing predetermined processing on the access control policy to convert it into a data format that the executor of the access control policy can recognize, and storing the converted policy in an access control policy list; and, when an access is received, traversing the access control policy list according to the received object information so as to execute the operation corresponding to the matching disposition expression or the default disposition expression.

Description

Method and device for processing access control policy
Technical Field
The present invention relates to the field of data processing, and in particular, to a method and an apparatus for processing an access control policy.
Background
Access control is a commonly used technique in the field of information security and is also a theoretical basis of computer and network security; its main purpose is to determine, according to rules, the access rights of a subject to an object.
Access control mainly comprises three elements: a subject, an object and a control policy. Subject: the initiator of an access action, e.g. a user, process or service; a subject is typically an entity that has been authenticated. Object: the thing being accessed, e.g. files, data objects, processes, devices and operating system objects. Control policy: the set of rules applied when a subject accesses an object, which describes the authorization mechanism.
In addition, the enforcer of the access control policy in a computer information security system is typically a low-level system core component, or one of various third-party filters.
Existing descriptions of access control policy rules generally take one of the following three forms:
(1) Access Control Matrix (ACM): the conceptual model with which access control mechanisms were first implemented. It defines the access rights between subjects and objects in a two-dimensional matrix: one dimension describes the subjects, the other describes the objects, and each cell holds the access authorization (permission or denial) of a subject to an object. It is rarely used in practice because of its large memory consumption and difficulty of maintenance.
(2) Access Control List (ACL): a list of access control rules is established with the object as the centre, and each rule grants a different subject access authorization to the object. The method is simple and practical, permissions are easy to revoke (the ACL is deleted along with the object), and it suits scenarios with a limited number of subjects and a huge number of objects; it is widely applied in computer operating systems, for example Windows uses ACLs to restrict users' access rights to files.
(3) Access Control Capability List (ACCL): a list of the objects a subject may access is established with the subject as the centre. Its advantage is that rights are easily transferred between users (by transferring the ACCL); its disadvantage is that it is only suitable for systems with a large number of subjects and a limited number of objects, because the ACCLs of all subjects must be modified whenever objects change (e.g. when objects are added or deleted).
However, the above access control methods are only suitable for conventional operating systems. In systems related to computer information security (e.g. host protection systems, network protection systems) the network environment is complex, access is not simply between a single user and an object, and the above methods cannot meet the complex access control requirements.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for processing an access control policy, so as to solve the following problem in the prior art: in a system related to computer information security, the network environment is complex and the existing access control methods cannot meet the complex access control requirements.
In one aspect, an embodiment of the present invention provides a method for processing an access control policy, the method comprising: defining the object information that participates in operations in the access control policy, where the object information at least comprises subject information, object information, action information and their related attribute information; constructing an access control policy for the object information according to a predetermined construction rule, where the policy comprises a policy declaration part, a policy decision expression, an access control rule list and a policy disposition expression, each access control rule in the rule list comprises a rule decision expression and a rule disposition expression, a decision expression is a logical expression, and a disposition expression is a code command; performing predetermined processing on the access control policy to convert it into a data format that the executor of the access control policy can recognize, and storing the converted policy in an access control policy list; and, when an access is received, traversing the access control policy list according to the received object information so as to execute the operation corresponding to the matching disposition expression or the default disposition expression.
In some embodiments, the decision expression is a logical expression consisting of a field part, an operator part, a constant part and combinations thereof; the disposition expression is a multi-line code command composed of operation commands and a predetermined separator symbol.
In some embodiments, performing the predetermined processing on the access control policy to convert it into a data format recognizable by the executor comprises: converting each decision expression into a form made up of operators and operands and converting that form into an expression tree; and converting each disposition expression into an operation linked list.
In some embodiments, traversing the access control policy list according to the received object information when an access is received, so as to execute the operation corresponding to the disposition expression or the default disposition expression, comprises: when an access is received, extracting the object information of the access and traversing the expression tree corresponding to each policy according to that information, to detect whether the access control policy list contains a policy matching the object information; if a matching policy exists, traversing the expression tree corresponding to each rule to detect whether that policy's rule list contains an access control rule matching the object information; if a matching rule exists, executing the commands in the operation linked list corresponding to the rule; and if no matching rule exists, executing the commands in the operation linked list corresponding to the policy.
In some embodiments, before performing the predetermined processing on the access control policy, the method further comprises: detecting whether any decision expression or disposition expression in the access control policy contains an error, and sending a prompt message when an error exists.
In another aspect, an embodiment of the present invention provides an apparatus for processing an access control policy, comprising: a definition module, configured to define the object information that participates in operations in the access control policy, where the object information at least comprises subject information, object information, action information and their related attribute information; a construction module, configured to construct an access control policy for the object information according to a predetermined construction rule, where the policy comprises a policy declaration part, a policy decision expression, an access control rule list and a policy disposition expression, each access control rule in the rule list comprises a rule decision expression and a rule disposition expression, a decision expression is a logical expression, and a disposition expression is a code command; a preprocessing module, configured to perform predetermined processing on the access control policy to convert it into a data format that the executor of the access control policy can recognize, and to store the converted policy in an access control policy list; and an execution module, configured to traverse the access control policy list according to the received object information when an access is received, so as to execute the operation corresponding to the matching disposition expression or the default disposition expression.
In some embodiments, the decision expression is a logical expression consisting of a field part, an operator part, a constant part and combinations thereof; the disposition expression is a multi-line code command composed of operation commands and a predetermined separator symbol.
In some embodiments, the preprocessing module is specifically configured to convert each decision expression into a form made up of operators and operands and to convert that form into an expression tree, and to convert each disposition expression into an operation linked list.
In some embodiments, the execution module is specifically configured to: when an access is received, extract the object information of the access and traverse the expression tree corresponding to each policy according to that information, to detect whether the access control policy list contains a policy matching the object information; if a matching policy exists, traverse the expression tree corresponding to each rule to detect whether that policy's rule list contains an access control rule matching the object information; if a matching rule exists, execute the commands in the operation linked list corresponding to the rule; and if no matching rule exists, execute the commands in the operation linked list corresponding to the policy.
In some embodiments, the apparatus further comprises an error detection module, configured to detect whether any decision expression or disposition expression in the access control policy contains an error, and to send a prompt message when an error exists.
When the access control policy is constructed, the access control policy is redefined and a decision expression and a disposition expression are added: the decision expression evaluates the policy's condition, and the disposition expression executes the code command associated with that decision expression when it evaluates to true. This enriches the access control policy, allows complex processing relationships to be expressed, and makes access control achievable even when the network environment is complex.
Drawings
Fig. 1 is a flowchart of a method for processing an access control policy according to a first embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an apparatus for processing an access control policy according to a second embodiment of the present invention;
Fig. 3 is a schematic diagram of an expression tree according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention without any inventive step, are within the scope of protection of the invention.
Unless defined otherwise, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this invention belongs. The use of "first," "second," and similar terms in the present application do not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
To keep the following description of the embodiments of the present invention clear and concise, detailed descriptions of known functions and known components have been omitted.
A first embodiment of the present invention provides a method for processing an access control policy; the flow of the method is shown in Fig. 1 and comprises steps S101 to S104:
S101: define the object information that participates in operations in the access control policy, where the object information at least comprises subject information, object information, action information and their attribute information.
In a specific implementation, the object information may include further information as needed.
S102: construct an access control policy for the object information according to a predetermined construction rule, where the policy comprises a policy declaration part, a policy decision expression, an access control rule list and a policy disposition expression; each access control rule in the rule list comprises a rule decision expression and a rule disposition expression; a decision expression is a logical expression and a disposition expression is a code command.
The decision expression is a logical expression composed of a field part, an operator part and a constant part, and combinations thereof, for example A > 1, or A > 1 && B < 1; the disposition expression is a multi-line code command composed of operation commands and a predetermined separator symbol.
The embodiment adds two parts, the decision expression and the disposition expression, when constructing the access control policy: the decision expression is a logical expression with which different conditions can be evaluated, and the disposition expression is a code command that is executed when the decision expression evaluates to true.
To avoid erroneous rules in the constructed access control policy, each decision expression and each disposition expression in the policy can be checked for errors; a prompt message is sent if an error exists, and subsequent processing proceeds if none does.
S103: perform predetermined processing on the access control policy to convert it into a data format that the executor of the access control policy can recognize, and store the converted policy in an access control policy list.
The decision expression is a logical expression and the disposition expression is a code command, while the entity that executes access control is usually a computer program; neither expression is in a data format that a computer can recognize directly, so both must undergo predetermined processing to be converted into such a format.
Specifically, each decision expression may be converted into a form made up of operators and operands and then into an expression tree, and each disposition expression may be converted into an operation linked list. This is only the basic conversion; to further optimize processing, expressions that contain a common attribute part may be moved ahead so that this shared judgment is evaluated first.
S104: when an access is received, traverse the access control policy list according to the received object information so as to execute the operation corresponding to the matching disposition expression or the default disposition expression.
In a specific implementation, the object information of the access is extracted and the expression tree corresponding to each policy is traversed according to that information, to detect whether the access control policy list contains a policy matching the object information. If a matching policy exists, the expression tree corresponding to each rule is traversed to detect whether the rule list contains an access control rule matching the object information; if a matching rule exists, the commands in the operation linked list corresponding to the rule are executed; and if no matching rule exists, the commands in the operation linked list corresponding to the policy are executed.
When the access control policy is constructed, the access control policy is redefined and a decision expression and a disposition expression are added: the decision expression evaluates the policy's condition, and the disposition expression executes the code command associated with that decision expression when it evaluates to true. This enriches the access control policy, allows complex processing relationships to be expressed, and makes access control achievable even when the network environment is complex.
A second embodiment of the present invention provides an apparatus for processing an access control policy, whose schematic structure is shown in Fig. 2, comprising:
a definition module 10, configured to define the object information that participates in operations in the access control policy, where the object information at least comprises subject information, object information, action information and their related attribute information; a construction module 20, coupled to the definition module 10 and configured to construct an access control policy for the object information according to a predetermined construction rule, where the policy comprises a policy declaration part, a policy decision expression, an access control rule list and a policy disposition expression, each access control rule in the rule list comprises a rule decision expression and a rule disposition expression, a decision expression is a logical expression, and a disposition expression is a code command; a preprocessing module 30, coupled to the construction module 20 and configured to perform predetermined processing on the access control policy to convert it into a data format that the executor of the access control policy can recognize, and to store the converted policy in an access control policy list; and an execution module 40, coupled to the preprocessing module 30 and configured to traverse the access control policy list according to the received object information when an access is received, so as to execute the operation corresponding to the matching disposition expression or the default disposition expression.
In a specific implementation, the object information may include further information as needed.
The decision expression is a logical expression composed of a field part, an operator part and a constant part, and combinations thereof, for example A > 1, or A > 1 && B < 1; the disposition expression is a multi-line code command composed of operation commands and a predetermined separator symbol.
The embodiment adds two parts, the decision expression and the disposition expression, when constructing the access control policy: the decision expression is a logical expression with which different conditions can be evaluated, and the disposition expression is a code command that is executed when the decision expression evaluates to true.
The decision expression is a logical expression and the disposition expression is a code command, while the entity that executes access control is usually a computer program; neither expression is in a data format that a computer can recognize directly, so both must undergo predetermined processing to be converted into such a format. The preprocessing module may be specifically configured to convert each decision expression into a form made up of operators and operands and then into an expression tree, and to convert each disposition expression into an operation linked list. This is only the basic conversion; to further optimize processing, expressions that contain a common attribute part may be moved ahead so that this shared judgment is evaluated first.
The execution module may be specifically configured to: when an access is received, extract the object information of the access and traverse the expression tree corresponding to each policy according to that information, to detect whether the access control policy list contains a policy matching the object information; if a matching policy exists, traverse the expression tree corresponding to each rule to detect whether the rule list contains an access control rule matching the object information; if a matching rule exists, execute the commands in the operation linked list corresponding to the rule; and if no matching rule exists, execute the commands in the operation linked list corresponding to the policy.
To avoid erroneous rules in the constructed access control policy, the apparatus may further comprise an error detection module, configured to detect whether any decision expression or disposition expression in the access control policy contains an error, to send a prompt message when an error exists, and to trigger the preprocessing module when no error exists.
When the access control policy is constructed, the access control policy is redefined and a decision expression and a disposition expression are added: the decision expression evaluates the policy's condition, and the disposition expression executes the code command associated with that decision expression when it evaluates to true. This enriches the access control policy, allows complex processing relationships to be expressed, and makes access control achievable even when the network environment is complex.
A third embodiment of the present invention provides a method for processing an access control policy that describes the access control policy with expressions. By applying this method, dynamic attributes of the subject and the object can be introduced into the decision calculation during access control processing, meeting the requirement for accurate, efficient and flexible implementation of access control in a computer security system.
The existing methods for describing access control rules have the following limitations:
In access control applications of information security systems, the range of subjects and objects is relatively wide. Unlike a conventional operating system, where access control is applied mainly between a user and an object (such as user -> file), in an information security system the subject may be a user, a process, a service or a network address, and the object may be a file, a configuration item, an account, a process, a thread, a device instance object, a network address, a table or row in a database, an API, or any other system object that needs protection, giving relations such as process -> network address, network address -> network address and process -> process.
When access control rules are applied in an information security system, attributes of the subject are generally used as decision conditions, and these attributes may change dynamically; the methods above can hardly describe such subject attributes in an access control rule. For example, for a process subject, the relatively stable attributes may include the process path, the process name, the session the process belongs to, the launching account and the parent process, while the variable attributes may include the thread count, CPU usage, memory usage and IO count; a rule such as "the subject process is prohibited from accessing the target resource when its memory usage exceeds a specified threshold" cannot be described with the conventional methods.
In an information security system the number of objects involved is large and access control decisions occur frequently, so the description method for access control rules must consume as little storage as possible and the decision process must execute as efficiently as possible; the conventional description methods cannot meet these requirements.
The existing description methods have a single basis for decisions and can hardly express complex logical relations (AND, OR, NOT).
When the embodiment of the invention constructs an access control policy, each access control policy mainly comprises the following four parts:
(1) The declaration part of the policy: specifies information such as the policy's identifier, the type of object it applies to, and its priority.
(2) The trigger decision expression (i.e. the policy's decision expression): a logical expression that may include calculations over subject, object, action and environment parameters. It determines under what conditions the policy applies and the subsequent decision process is entered.
(3) The access rule list: each rule in the list contains the following two parts:
A decision expression (i.e. the rule's decision expression): a logical expression describing the conditions under which the rule's disposition applies. It may include calculations over subject, object and environment parameters.
A disposition expression (i.e. the rule's disposition expression): one or more lines of commands specifying the disposition to perform when the decision expression evaluates to true. Dispositions may include (but are not limited to) permitting or denying the access, auditing, and operating on a particular object.
During the access decision, the rules' decision expressions and disposition expressions are processed in order.
(4) The default disposition expression (i.e. the policy's disposition expression): one or more lines of commands, which may also be empty. It specifies the default handling of an access when none of the above access rules is hit.
The decision expression has the following properties:
1) It is a logical expression, i.e. its computed result is either true or false.
2) A decision expression may be combined from a number of components, between which the logical operators and, or and not may be applied.
3) Each component consists of <field> + <operator> + <constant>, specifically:
Field: a predefined subject attribute identifier, object attribute identifier, another identifier representing a particular environment variable, or a predefined function. Each field's value has a definite type (e.g. integer, string, binary data).
Operator: in addition to the conventional comparison operators (equal to, greater than, less than, not equal to), extended operators such as "include" and "match" may be defined.
Constant: may be an integer, a character string or binary data.
The types of the field and the constant must match, and the availability of an operator also depends on the type; for example, the size comparison operators do not apply to non-numeric fields or constants.
4) An expression may be bracketed and used as a component of another expression.
As for the treatment expression:
1) The content of a treatment expression may consist of multiple lines of operation commands, separated by a particular symbol (e.g. a Western semicolon).
2) The commands of a treatment expression may be of the following three kinds:
Access control operations: commands that block or release the access, such as "deny" and "permit".
Audit operations: a command, in command-line form, that generates an audit event, for example: audit("process", subject.name, action, object.type, object.name).
Operation commands on the related objects, which may include subject operations, e.g. set_trust_flag(); object operations, e.g. delete(); and operations on environment parameters, e.g. inc().
In a specific implementation, the access control policy of the embodiment of the invention mainly involves the following steps:
(I) Define the objects (subjects and objects together with their related attributes and operations), actions and environment parameters that may take part in operations inside the access control policy executor. For each object and its related attributes and operations, a textual identifier must be established together with a constant identifier recognizable inside the executor (typically represented by an enumerated value). Specifically:
Define all operators that may take part in operations, including the logical operators (and, or, not) and the comparison operators, together with the data types they apply to.
Define the classification identifiers of subjects, actions and objects.
Define the textual identifier and constant identifier of each object type (e.g. a process: "proc", 1).
Define the textual identifier and constant identifier of the generic properties of objects (e.g. "name", "time").
Define the textual identifier, constant identifier and type identifier of each attribute of an object.
Define the textual identifier and constant identifier of each operation of an object, and the parameter value types involved in the operation.
(II) Before an access control policy described by the method of the invention is issued to an executor, it must be converted from text to binary. Specifically:
(1) The decision expressions in the policy are converted into expression trees that the executor can parse. Specifically:
The expression tree is a binary tree.
Each non-leaf node of the expression tree holds the constant identifier corresponding to an operator.
Each left leaf node of the expression tree holds the constant identifier of a field.
Each right leaf node of the expression tree holds a constant.
The expression tree can be converted into a binary data storage format.
(2) To improve the efficiency with which the executor computes the expression, the following optimizations can be applied to the decision expression:
Convert the expression into "NAND" form, i.e. remove the "or" operators by rewriting the expression into an equivalent one that uses only "and" and "not".
Among the expressions joined by an "and" operation, place the ones with the smaller computation cost first.
(3) The treatment expressions in the policy are converted into an operation linked list that the executor can parse: each operation is converted from its descriptive text into a predefined data structure holding the operation's constant identifier and its parameters, and the operations are stored in order in a binary array.
(III) For the access policy executor, the general processing flow comprises the following steps:
(1) Policy processing: after receiving a policy in the binary format converted by the upper layer, parse it and organize it into a policy list ordered by policy priority.
(2) Access control processing: when an access occurs, extract the information of the subject, object and action, traverse the policy list, and process each policy as follows:
a. Trigger decision: traverse and compute the policy's trigger decision expression tree depth-first. If the return value is true, continue processing; if it is false, ignore the current policy and move on to the next policy.
b. If the trigger decision is hit, traverse the access control rule list in order:
1. Decision: traverse and compute the decision expression tree of the access control rule depth-first. If the return value is true, perform the rule's treatment; if it is false, ignore the current rule and move on to the next rule.
2. Treatment: once an access control rule is hit, execute the commands of its operation list one by one. If the treatment contains an explicit blocking or releasing operation, access control processing ends; otherwise continue with the policy's subsequent access control rules and then with subsequent policies.
c. Default treatment: when none of a policy's access control rules is hit, execute the operations of its default treatment operation list. Likewise, if that treatment contains an explicit blocking or releasing action, access control processing ends; otherwise continue with subsequent policies.
The above process of the embodiment of the invention is described in detail below with reference to a specific example: a network access control implementation on Windows.
The Windows Filtering Platform (WFP) component introduced with Windows Vista and later operating systems provides network filtering support. Besides conventional host firewall implementations, WFP also allows a developer to perform more complex filtering of network traffic by writing a WFP Callout driver.
This embodiment sets out a method and steps for constructing a network access control system for the TCP protocol on top of WFP, using the access control policy description method proposed in the present invention.
The system consists of a user program and a WFP Callout driver (Callout driver for short), where:
1. The user program is mainly responsible for:
Parsing the access control policy text entered by the user, including checking the syntax of the related expressions.
Converting the access control policy into the binary format required by the Callout driver.
Creating the WFP filter and issuing the filter rule to the Callout driver.
2. The Callout driver works in the Windows kernel layer and is the access control policy executor of this embodiment. It is specifically responsible for:
a) Creating filter instances at the specified network layers. The filter rules of this embodiment work at the Application Layer Enforcement (ALE) layer defined by WFP; a filter at the ALE layer can capture TCP/IP network traffic such as listening, connecting and data transfer, including the process information related to the operation.
b) Receiving the access control policies in binary format issued by the user program and maintaining an access control policy list.
c) Computing the decision expression trees and treatment expressions, which mainly means replacing each operator and command with the corresponding function pointer in the driver.
d) When the filter intercepts network traffic, traversing the access control policy list, deciding whether a policy and its related rules are hit, and carrying out the related treatment.
The specific method of this example is as follows:
First, following the method in the detailed description of the invention, this embodiment defines the related objects, attributes and operations (the related constant value definitions are not spelled out in this embodiment, as they do not affect the principle):
(1) Operators:
The logical operators include: and (&&), or (||), not (!).
The comparison operators include:
greater than (>), less than (<), greater than or equal to (>=), less than or equal to (<=); these operators apply only to integer comparisons;
equal to (==), not equal to (!=); these apply to data of integer, string and binary types;
matching (match); this operator is suited to fuzzy matching of strings, and its right-hand operand may be a string containing wildcards;
contains (@); this operator applies to binary data, and its right-hand operand is binary data represented in Base16 or Base64.
(2) Classification and identification of subjects, objects and actions:
Subject: subject. The object types that can act as a subject are: process: proc; remote network address: remote_addr; local network address: local_addr.
Object: object. The object types that can act as an object are: remote network address: remote_addr; local network address: local_addr; data: data.
Action: action. The action types defined are: listening: listen; connecting: connect; disconnecting: disconnect; sending: send; receiving: receive.
(3) Generic properties of objects:
Name: name.
(4) Attributes of objects:
The attributes of the process object include: the full path of the process: proc.path; the ID of the process: proc.id.
The attributes of the remote network address include: IP address: remote_addr.ip; port: remote_addr.port.
The attributes of the local network address include: IP address: local_addr.ip; port: local_addr.port.
The attributes of the data include: length: data.length.
Operations of objects include:
Blocking: block();
Releasing: permit();
Auditing: audit(desc, …), where the first parameter is text entered by the user and may be followed by any fields, such as the subject type, subject name, action, object type, object name, etc.;
The operations of the process object include: marking the process as not allowed to communicate: set_blocked().
The operations of the data object include:
extracting specified data from the data: get(offset, length), whose parameters are integers and whose return value is binary data;
replacing content in the data: replace(data0, data1), whose parameters are binary data expressed in Base16 or Base64 and whose return value is binary data.
Second, in the user program, the main flow is as follows:
(1) Accept the user's input of a policy through a command line or a graphical interface, including:
a. The ID and priority of the policy.
b. The trigger decision expression of the policy, for example:
subject.type == proc && action == listen, i.e. when a process starts listening for a network connection, the decision flow is entered.
c. The access control rule list of the policy, for example:
decision expression: local_addr.port == 8010 && proc.name == "myapp.exe";
treatment expression: block(); audit("disable open 8010 port", subject.name).
The meaning of this rule is: when the process myapp.exe tries to listen for TCP connections on port 8010, block the operation and send a corresponding alarm.
d. The default treatment operation, for example: audit("open 8010 port", subject.name); its meaning is to generate an audit message and continue with subsequent policy matching.
(2) Parse each expression entered by the user and give a corresponding prompt if the input contains errors. Possible errors include:
erroneous fields, erroneous operators, erroneous constant entries, mismatched data types, erroneous parenthesis nesting, etc.
(3) Convert the policy into binary format, which specifically includes:
a. Converting the decision expression into an expression tree; for example, for local_addr.port == 8010 && proc.name == "myapp.exe", a representation of its expression tree is shown in fig. 3.
b. The decision expression can be optimized to improve decision efficiency, specifically:
Conversion to NAND form: i.e. converting a logical expression made up of and, or and not into an equivalent expression containing only the and and not operators.
For example: (proc.name == "myapp.exe" || proc.name == "ieapp.exe") && local_addr.port == 8010 may be converted to !(proc.name != "myapp.exe" && proc.name != "ieapp.exe") && local_addr.port == 8010.
Moving the expression components involving common attributes to the front so that they are evaluated first. For example, the expression above may be converted to local_addr.port == 8010 && !(proc.name != "myapp.exe" && proc.name != "ieapp.exe") (because a numeric comparison of ports is cheaper than string matching of process names).
c. Converting the treatment expressions into an operation linked list.
d. Converting the corresponding numeric values, expression trees and linked lists into policy data in binary data format.
(4) Pass the policy data as the parameter of a filter and issue it to the underlying WFP engine through the WFP-related APIs (FwpmFilterAdd, etc.), from where it reaches the Callout driver.
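To make the error classes of step (2) concrete, here is an added example, in C, of a validator for the decision expression grammar described on this page; it is not code from the patent or from the applicant's product. It recognises a subset of the embodiment's fields (the field table and the enumerated names below are assumptions drawn from the definitions above, and the match and contains operators are left out) and reports the first error it finds as one of the page's categories: erroneous field, erroneous operator, erroneous constant, mismatched data types or erroneous parenthesis nesting.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Error classes the user program reports, matching the page's list. */
typedef enum { E_OK, E_FIELD, E_OPERATOR, E_CONSTANT, E_TYPE, E_PAREN } verr;
typedef enum { T_INT, T_STR, T_ENUM, T_NONE } vtype;

/* Field table: textual identifier -> value type (assumed subset of the embodiment's
   fields; subject.type and action take the enumerated names the embodiment defines). */
static const struct { const char *name; vtype type; } fields[] = {
    { "subject.type", T_ENUM }, { "action", T_ENUM }, { "proc.name", T_STR },
    { "proc.path", T_STR }, { "proc.id", T_INT }, { "local_addr.port", T_INT },
    { "remote_addr.port", T_INT }, { "data.length", T_INT },
};
static const char *const enums[] = { "proc", "remote_addr", "local_addr", "data",
    "listen", "connect", "disconnect", "send", "receive" };

typedef struct { const char *s; verr err; } parser;

static void skip_ws(parser *p) { while (isspace((unsigned char)*p->s)) p->s++; }
static void fail(parser *p, verr e) { if (p->err == E_OK) p->err = e; }
static bool eat(parser *p, const char *tok) {            /* consume a literal token if present */
    skip_ws(p);
    size_t n = strlen(tok);
    if (strncmp(p->s, tok, n) != 0) return false;
    p->s += n;
    return true;
}
static size_t ident(parser *p) {                         /* length of the identifier at the cursor */
    const char *start = p->s;
    while (isalnum((unsigned char)*p->s) || *p->s == '_' || *p->s == '.') p->s++;
    return (size_t)(p->s - start);
}

/* component := <field> <operator> <constant>, with the page's type rules:
   field and constant types must match; size comparisons are for integers only. */
static void component(parser *p) {
    skip_ws(p);
    const char *name = p->s;
    size_t len = ident(p);
    vtype ft = T_NONE;
    for (size_t i = 0; i < sizeof fields / sizeof *fields; i++)
        if (strlen(fields[i].name) == len && !strncmp(fields[i].name, name, len)) ft = fields[i].type;
    if (ft == T_NONE) { fail(p, E_FIELD); return; }

    bool ordering;                                       /* true for > < >= <= */
    if (eat(p, "==") || eat(p, "!=")) ordering = false;
    else if (eat(p, ">=") || eat(p, "<=") || eat(p, ">") || eat(p, "<")) ordering = true;
    else { fail(p, E_OPERATOR); return; }

    skip_ws(p);
    vtype ct = T_NONE;
    if (*p->s == '"') {                                  /* string constant */
        p->s++;
        while (*p->s && *p->s != '"') p->s++;
        if (*p->s != '"') { fail(p, E_CONSTANT); return; }
        p->s++; ct = T_STR;
    } else if (isdigit((unsigned char)*p->s)) {          /* integer constant */
        while (isdigit((unsigned char)*p->s)) p->s++;
        ct = T_INT;
    } else {                                             /* enumerated name such as proc or listen */
        const char *c = p->s; size_t n = ident(p);
        for (size_t i = 0; i < sizeof enums / sizeof *enums; i++)
            if (strlen(enums[i]) == n && !strncmp(enums[i], c, n)) ct = T_ENUM;
        if (ct == T_NONE) { fail(p, E_CONSTANT); return; }
    }
    if (ct != ft) { fail(p, E_TYPE); return; }
    if (ordering && ft != T_INT) fail(p, E_OPERATOR);    /* size comparison on a non-integer type */
}

/* expr := term ('||' term)*   term := factor ('&&' factor)*
   factor := '!' factor | '(' expr ')' | component */
static void expr(parser *p);
static void factor(parser *p) {
    if (p->err) return;
    if (eat(p, "!")) { factor(p); return; }
    if (eat(p, "(")) { expr(p); if (!eat(p, ")")) fail(p, E_PAREN); return; }
    component(p);
}
static void term(parser *p) { factor(p); while (!p->err && eat(p, "&&")) factor(p); }
static void expr(parser *p) { term(p); while (!p->err && eat(p, "||")) term(p); }

/* Validate one decision expression and classify the first error found. */
verr validate(const char *text) {
    parser p = { text, E_OK };
    expr(&p);
    skip_ws(&p);
    if (p.err != E_OK) return p.err;
    if (*p.s == ')') return E_PAREN;                     /* closing bracket without an opening one */
    return *p.s == '\0' ? E_OK : E_OPERATOR;             /* leftover text where && or || was expected */
}
```

The validator only reports the first problem, which is what a prompt to the user needs; because the type check runs on each component as it is parsed, a mismatched constant is reported even when the parenthesis nesting around it is also wrong.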
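As an added illustration of steps (3)a and (3)b above (and of steps (II)(1) and (II)(2) of the general method), which is not code from the patent or from the applicant's product, the following C program builds the expression tree for the rule decision of this example, evaluates it depth-first against extracted attribute values, rewrites it into the and/not form and reorders the operands of each "and" by an estimated cost. The field set, the numeric codes used for proc and listen, the cost heuristic (string matching 10, integer comparison 1) and the way the negation is pushed into comparisons (== becomes !=) are assumptions of the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constant identifiers standing in for textual names (page step (I)); the field
   set and the codes 1 = "proc" and 1 = "listen" are assumptions of this example. */
typedef enum { F_SUBJECT_TYPE, F_ACTION, F_PROC_NAME, F_LOCAL_PORT } field_id;
typedef enum { OP_AND, OP_OR, OP_NOT, OP_EQ, OP_NE, OP_GT, OP_LT, OP_GE, OP_LE } op_id;
typedef enum { N_OP, N_FIELD, N_INT, N_STR } node_kind;

/* Binary expression tree, page step (II)(1): operator in non-leaf nodes, the
   field's constant identifier in the left leaf, the constant in the right leaf. */
typedef struct node {
    node_kind kind;
    op_id op; field_id field; long ival; const char *sval;   /* one of these is used per kind */
    struct node *left, *right;
} node;

/* Attribute values extracted from one access (subject, action, object). */
typedef struct { long subject_type, action; const char *proc_name; long local_port; } access_ctx;

static node *mk(node_kind k) { node *n = calloc(1, sizeof *n); n->kind = k; return n; }  /* never freed (example) */
node *mkop(op_id o, node *l, node *r) { node *n = mk(N_OP); n->op = o; n->left = l; n->right = r; return n; }
node *mkfield(field_id f) { node *n = mk(N_FIELD); n->field = f; return n; }
node *mkint(long v) { node *n = mk(N_INT); n->ival = v; return n; }
node *mkstr(const char *s) { node *n = mk(N_STR); n->sval = s; return n; }

/* One <field> <operator> <constant> component. Size comparisons exist for integers
   only, and a field/constant type mismatch simply evaluates to false. */
static bool compare(op_id o, field_id f, const node *c, const access_ctx *ctx) {
    if (f == F_PROC_NAME) {
        if (c->kind != N_STR) return false;
        int r = strcmp(ctx->proc_name, c->sval);
        return o == OP_EQ ? r == 0 : o == OP_NE ? r != 0 : false;
    }
    if (c->kind != N_INT) return false;
    long v = f == F_SUBJECT_TYPE ? ctx->subject_type : f == F_ACTION ? ctx->action : ctx->local_port;
    long k = c->ival;
    return o == OP_EQ ? v == k : o == OP_NE ? v != k : o == OP_GT ? v > k
         : o == OP_LT ? v < k : o == OP_GE ? v >= k : v <= k;
}

/* Depth-first evaluation, as the executor does for trigger and rule decisions. */
bool eval(const node *n, const access_ctx *ctx) {
    if (n->kind != N_OP) return false;
    switch (n->op) {
    case OP_AND: return eval(n->left, ctx) && eval(n->right, ctx);
    case OP_OR:  return eval(n->left, ctx) || eval(n->right, ctx);
    case OP_NOT: return !eval(n->left, ctx);
    default:     return compare(n->op, n->left->field, n->right, ctx);
    }
}

/* Rough cost of a subtree: string matching is dearer than integer comparison. */
static int cost(const node *n) {
    if (n->kind != N_OP) return 0;
    if (n->op == OP_NOT) return cost(n->left);
    if (n->op <= OP_OR) return cost(n->left) + cost(n->right);
    return n->right->kind == N_STR ? 10 : 1;
}

/* Negate a subtree, pushing "not" into comparisons (== <-> !=, > <-> <=, < <-> >=). */
static node *negate(node *n) {
    static const op_id flip[] = { OP_AND, OP_OR, OP_NOT, OP_NE, OP_EQ, OP_LE, OP_GE, OP_LT, OP_GT };
    if (n->kind == N_OP && n->op == OP_NOT) return n->left;
    if (n->kind == N_OP && n->op >= OP_EQ) { n->op = flip[n->op]; return n; }
    return mkop(OP_NOT, n, NULL);
}

/* Page step (II)(2): rewrite a || b as !(!a && !b) so that only and/not remain,
   then put the cheaper operand of every "and" first. */
node *optimize(node *n) {
    if (n->kind != N_OP || n->op >= OP_EQ) return n;   /* leaf or comparison: nothing to rewrite */
    n->left = optimize(n->left);
    if (n->op == OP_NOT) return n;
    n->right = optimize(n->right);
    if (n->op == OP_OR) {
        node *conj = mkop(OP_AND, negate(n->left), negate(n->right));
        n->op = OP_NOT; n->left = optimize(conj); n->right = NULL;
    } else if (cost(n->left) > cost(n->right)) {
        node *t = n->left; n->left = n->right; n->right = t;
    }
    return n;
}

int count_or(const node *n) {
    if (n->kind != N_OP) return 0;
    return (n->op == OP_OR) + count_or(n->left) + (n->right ? count_or(n->right) : 0);
}

/* The example's rule decision: (proc.name == "myapp.exe" || proc.name == "ieapp.exe") && local_addr.port == 8010 */
node *page_example(void) {
    node *either = mkop(OP_OR, mkop(OP_EQ, mkfield(F_PROC_NAME), mkstr("myapp.exe")),
                               mkop(OP_EQ, mkfield(F_PROC_NAME), mkstr("ieapp.exe")));
    return mkop(OP_AND, either, mkop(OP_EQ, mkfield(F_LOCAL_PORT), mkint(8010)));
}

/* Evaluate a tree for a process (subject type 1) that starts listening (action 1). */
bool decide(const node *t, const char *proc_name, long port) {
    access_ctx c = { 1, 1, proc_name, port };
    return eval(t, &c);
}

/* True once the port comparison has been moved in front of the string matching. */
bool port_first(const node *t) {
    return t->op == OP_AND && t->left->op == OP_EQ && t->left->left->field == F_LOCAL_PORT;
}
```

Running optimize() on page_example() yields exactly the rewritten form given above, local_addr.port == 8010 && !(proc.name != "myapp.exe" && proc.name != "ieapp.exe"), and the tree evaluates identically before and after the rewrite; the difference is that a non-matching port now short-circuits the "and" before any string comparison is performed.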
Third, the Callout driver is the executor of the access control policies in this system. Its main flow is:
(1) Register callouts for the various operations at the ALE layer (listen, connect, data transfer, etc.) using the FwpsCalloutRegister API, specifying the associated layer ID, the notify callback function and the filter callback function.
(2) In the notify callback function, in response to the notification that the upper-layer API has created a new filter, extract the policy data from the parameters and convert it into the driver's internal data structures. Specifically:
Replace the operator nodes of the policy expression tree with the corresponding function pointers. For example, the equality operator (==) is replaced with a function pointer of type bool match(expr op1, expr op2).
Convert the related treatment operations into the corresponding function pointers. For example, the block() operation is converted into a function pointer of type bool block(void *context).
Place the converted data structures into the filter's context for use by the filter callback functions.
(3) In each filter callback function of the ALE layer:
Extract the attribute values of the subject and object that need to take part in the expression computation.
Compute the trigger decision expression; when the result is true, continue with the subsequent access control rule matching; otherwise return.
Match the access control rules: when the decision expression of an access control rule evaluates to true, execute the corresponding treatment operations, and if the treatment contains an explicit blocking or releasing operation, return the filtering result; otherwise continue matching the subsequent access control rules.
When no access control rule is hit, perform the default treatment operation.
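The executor flow of step (III) and of the Callout driver above, as an added example in C that is not the patent's or the applicant's code: decision expressions and treatment commands are represented by function pointers, which is what the driver holds after replacing operator nodes and commands, and the policy list is walked in priority order with trigger decision, rule matching and default treatment. The example policy of this page is used; the second, higher-priority policy that explicitly permits listening on port 80, the audit log buffer, and the rule that an access no policy decides is permitted are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of a treatment command: CONTINUE keeps matching (e.g. after an audit);
   BLOCK and PERMIT are the explicit verdicts that end access control processing. */
typedef enum { V_CONTINUE, V_BLOCK, V_PERMIT } verdict;

/* Attribute values the filter callback extracts for one access (constructed). */
typedef struct { const char *subject_type, *proc_name, *action; long local_port; } access_ctx;

/* Decision expressions and treatment commands as function pointers, the
   substitution the Callout driver performs on operator nodes and commands. */
typedef bool (*decision_fn)(const access_ctx *);
typedef verdict (*command_fn)(const access_ctx *, const char *arg);

typedef struct { command_fn fn; const char *arg; } command;          /* entry of an operation list */
typedef struct { decision_fn decide; const command *cmds; int ncmds; } rule;
typedef struct {
    int id, priority;
    decision_fn trigger;
    const rule *rules; int nrules;
    const command *defaults; int ndefaults;
} policy;

static int audit_count;                           /* audit events generated so far (assumed log) */
static char last_audit[96];
static verdict cmd_block(const access_ctx *c, const char *a)  { (void)c; (void)a; return V_BLOCK; }
static verdict cmd_permit(const access_ctx *c, const char *a) { (void)c; (void)a; return V_PERMIT; }
static verdict cmd_audit(const access_ctx *c, const char *a) {
    audit_count++;
    snprintf(last_audit, sizeof last_audit, "%s subject=%s", a, c->proc_name);
    return V_CONTINUE;
}

/* Run every command of an operation list; report the first explicit verdict, if any. */
static verdict run_commands(const command *cmds, int n, const access_ctx *c) {
    verdict out = V_CONTINUE;
    for (int i = 0; i < n; i++) {
        verdict v = cmds[i].fn(c, cmds[i].arg);
        if (out == V_CONTINUE) out = v;
    }
    return out;
}

static int by_priority(const void *a, const void *b) {
    return ((const policy *)b)->priority - ((const policy *)a)->priority;   /* descending */
}

/* Page step (III): policies in priority order; trigger decision; rules in order;
   default treatment when no rule of the policy hits. Falling through every policy
   without an explicit verdict permits the access, an assumption of this example. */
verdict evaluate_access(policy *list, int n, const access_ctx *c) {
    qsort(list, n, sizeof *list, by_priority);
    for (int i = 0; i < n; i++) {
        const policy *p = &list[i];
        if (!p->trigger(c)) continue;                         /* a. trigger miss: next policy */
        bool hit = false;
        for (int r = 0; r < p->nrules; r++) {                 /* b. access control rule list */
            if (!p->rules[r].decide(c)) continue;
            hit = true;
            verdict v = run_commands(p->rules[r].cmds, p->rules[r].ncmds, c);
            if (v != V_CONTINUE) return v;
        }
        if (!hit) {                                            /* c. default treatment */
            verdict v = run_commands(p->defaults, p->ndefaults, c);
            if (v != V_CONTINUE) return v;
        }
    }
    return V_PERMIT;
}

/* The page's policy (trigger: a process starts listening; rule: myapp.exe on port
   8010 is blocked and audited; default: audit only) plus a constructed
   higher-priority policy that explicitly permits listening on port 80. */
static bool trig_proc_listen(const access_ctx *c) { return !strcmp(c->subject_type, "proc") && !strcmp(c->action, "listen"); }
static bool rule_myapp_8010(const access_ctx *c) { return c->local_port == 8010 && !strcmp(c->proc_name, "myapp.exe"); }
static bool rule_port_80(const access_ctx *c)    { return c->local_port == 80; }
static const command block_audit[] = { { cmd_block, NULL }, { cmd_audit, "disable open 8010 port" } };
static const command audit_only[]  = { { cmd_audit, "open 8010 port" } };
static const command permit_only[] = { { cmd_permit, NULL } };
static const rule page_rules[] = { { rule_myapp_8010, block_audit, 2 } };
static const rule web_rules[]  = { { rule_port_80, permit_only, 1 } };

verdict decide(const char *subject_type, const char *proc_name, const char *action, long port) {
    policy list[] = {
        { 1, 10, trig_proc_listen, page_rules, 1, audit_only, 1 },   /* lower priority, listed first */
        { 2, 20, trig_proc_listen, web_rules, 1, NULL, 0 },
    };
    access_ctx c = { subject_type, proc_name, action, port };
    return evaluate_access(list, 2, &c);
}
int audits(void) { return audit_count; }
const char *last_audit_line(void) { return last_audit; }
```

Note that run_commands() executes the whole operation list before the verdict takes effect, so block(); audit(...) both blocks and writes the audit event, as the rule's treatment expression requires; a policy whose trigger misses leaves no audit trace at all, which is worth remembering when a missing audit line is being investigated.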
By applying the access control description method provided by the invention, a flexible and efficient access control system can be built. Specifically:
Complex logical expressions are supported: using logical expressions for decisions can handle a variety of complex access control requirements, compared with conventional access control lists. High efficiency: when computing an expression, traversing an expression tree costs less than the sequential matching of a conventional access control list. Low resource usage: with decision conditions described by expressions, only the relevant inputs are referenced, so memory usage is low compared with conventional methods that describe access control rules with fixed-length data structures.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the present invention with equivalent elements, modifications, omissions, combinations (e.g., of various embodiments across), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more versions thereof) may be used in combination with each other. For example, other embodiments may be used by those of ordinary skill in the art upon reading the above description. In addition, in the above-described embodiments, various features may be grouped together to streamline the disclosure. This should not be interpreted as an intention that a disclosed feature not claimed is essential to any claim. Rather, inventive subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with each other in various combinations or permutations. The scope of the invention should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
While the embodiments of the present invention have been described in detail, the present invention is not limited to these specific embodiments, and those skilled in the art can make various modifications and variations of the embodiments based on the concept of the present invention, which fall within the scope of the present invention as claimed.

Claims (6)

1. A processing method of an access control policy is characterized by comprising the following steps:
defining object information participating in operation in an access control policy, wherein the object information at least comprises: subject information, object information, action information and related attribute information;
and constructing an access control strategy for the object information according to a preset construction rule, wherein the strategy comprises the following steps: the access control method comprises a policy declaration part, a policy judgment expression, an access control rule list and a policy disposal expression, wherein each access control rule in the access control rule list comprises a rule judgment expression and a rule disposal expression, the judgment expression is a logic expression, and the disposal expression is a code command;
performing predetermined processing on the access control strategy to convert the access control strategy into a data format which can be identified by an executor of the access control strategy, and storing the access control strategy in the data format into an access control strategy list;
when receiving access, traversing the access control strategy list according to the received object information to execute the operation corresponding to the disposal expression or the default disposal expression;
wherein the performing of the predetermined processing on the access control policy to convert into a data format recognizable by an executor of the access control policy includes: converting the judgment expression into a judgment expression formed by an operator and a non-operator, and converting the converted judgment expression into an expression tree; converting the treatment expression into an operation linked list;
traversing the access control policy list according to the received object information to execute an operation corresponding to the handling expression or the default handling expression, including: when receiving access, extracting accessed object information, traversing an expression tree corresponding to a policy according to the object information to detect whether an access control policy matched with the object information exists in the access control policy list or not; under the condition that the matched access control strategy exists, traversing an expression tree corresponding to a rule to detect whether an access control rule matched with the object information exists in the access control rule list or not; under the condition that the matched access control rule exists, executing a command in an operation linked list corresponding to the rule; and executing the command in the operation linked list corresponding to the strategy under the condition that the matched access control rule does not exist.
2. The process of claim 1, wherein a predicate expression is a logical expression consisting of a field part, an operator part, a constant part, and combinations thereof; the treatment expression is a multi-line code command composed of an operation command and a predetermined symbol.
3. The processing method according to claim 1 or 2, wherein before subjecting the access control policy to predetermined processing, further comprising:
detecting whether each judgment expression and each handling expression in the access control strategy have errors or not;
and sending prompt information when the error exists.
4. An apparatus for processing an access control policy, comprising:
a definition module, configured to define object information participating in operation in an access control policy, where the object information at least includes: subject information, object information, action information and related attribute information;
a construction module, configured to construct an access control policy for the object information according to a predetermined construction rule, where the policy includes: the access control method comprises a policy declaration part, a policy judgment expression, an access control rule list and a policy disposal expression, wherein each access control rule in the access control rule list comprises a rule judgment expression and a rule disposal expression, the judgment expression is a logic expression, and the disposal expression is a code command;
the preprocessing module is used for carrying out preset processing on the access control strategy so as to convert the access control strategy into a data format which can be identified by an executor of the access control strategy and storing the access control strategy in the data format into an access control strategy list;
the execution module is used for traversing the access control strategy list according to the received object information when receiving access so as to execute the operation corresponding to the handling expression or the default handling expression;
the preprocessing module is specifically configured to: converting the judgment expression into a judgment expression formed by an operator and a non-operator, and converting the converted judgment expression into an expression tree; converting the treatment expression into an operation linked list;
the execution module is specifically configured to: when receiving access, extracting accessed object information, traversing an expression tree corresponding to a policy according to the object information to detect whether an access control policy matched with the object information exists in the access control policy list or not; under the condition that the matched access control strategy exists, traversing an expression tree corresponding to a rule to detect whether an access control rule matched with the object information exists in the access control rule list or not; under the condition that the matched access control rule exists, executing a command in an operation linked list corresponding to the rule; and executing the command in the operation linked list corresponding to the strategy under the condition that the matched access control rule does not exist.
5. The processing apparatus according to claim 4, wherein the predicate expression is a logical expression composed of a field part, an operator part, a constant part, and combinations thereof; the treatment expression is a multi-line code command composed of an operation command and a predetermined symbol.
6. The processing apparatus as in claim 4 or further comprising:
the error detection module is used for detecting whether errors exist in each judgment expression and each handling expression in the access control strategy; and sending prompt information when the error exists.
CN201811653828.1A 2018-12-26 2018-12-26 Method and device for processing access control policy Active CN109753819B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811653828.1A CN109753819B (en) 2018-12-26 2018-12-26 Method and device for processing access control policy

Publications (2)

Publication Number Publication Date
CN109753819A CN109753819A (en) 2019-05-14
CN109753819B true CN109753819B (en) 2021-08-24

Family

ID=66405043

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811653828.1A Active CN109753819B (en) 2018-12-26 2018-12-26 Method and device for processing access control policy

Country Status (1)

Country Link
CN (1) CN109753819B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111063230B (en) * 2019-12-13 2021-09-10 中国人民解放军空军工程大学 Motion filter of simulation training simulation system
CN113949664B (en) * 2020-07-15 2023-04-07 瑞昱半导体股份有限公司 Circuit for network device and packet processing method
CN111913594B (en) * 2020-08-19 2023-09-29 成都锋卫科技有限公司 Intelligent prompting and completing method for flow analysis expression

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101778109A (en) * 2010-01-13 2010-07-14 苏州国华科技有限公司 Construction method for access control policy and system thereof
CN102307185A (en) * 2011-06-27 2012-01-04 北京大学 Data isolation method used in storage cloud
CN102341808A (en) * 2009-03-04 2012-02-01 皇家飞利浦电子股份有限公司 Specifying an access control policy
CN102932328A (en) * 2012-09-26 2013-02-13 上海交通大学 Access control policy synthesis method based on BSset (binary string set)
CN103853986A (en) * 2014-01-03 2014-06-11 李凤华 Access control method and device
CN104506514A (en) * 2014-12-18 2015-04-08 华东师范大学 Cloud storage access control method based on HDFS (Hadoop Distributed File System)
CN104683348A (en) * 2015-03-13 2015-06-03 河南理工大学 Access control strategy composition method based on attribute

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8966576B2 (en) * 2012-02-27 2015-02-24 Axiomatics Ab Provisioning access control using SDDL on the basis of a XACML policy
US10609044B2 (en) * 2017-06-12 2020-03-31 International Business Machines Corporation Enforcing access control in trigger-action programming using taint analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant