Information Security - 2: Traditional Access Control

xiaoxiao, 2021-03-06

Lecture 2: traditional access control

First, basic concepts

The basic task of access control is to prevent unauthorized users from entering the system and to prevent authorized users from using system resources in unauthorized ways; it guarantees that every direct access by a subject to an object is authorized.

1. Object

An object is an entity that can receive information from other subjects or objects (files, directories, data blocks, records, programs, memory segments, network nodes, etc.); in other words, an entity that can be accessed and used.

2. Subject

A subject is an entity that causes information to flow between objects, or that accesses or uses objects: a process, job or task (acting on behalf of a user); users themselves are also subjects.

A subject is usually also an object. While a program is stored in memory or on disk it is an object like any other data and can be accessed; once it runs it becomes a subject and can in turn access other objects.

3. Access mode (access right): the specific operations a subject may perform on an object, such as read (r), write (w: the object may be written or modified), append (a), delete (d), execute (e), and so on.

Two special access rights are control (c) and ownership (o).

c: a subject holding c on an object can change other subjects' access rights to that object.

o: if subject S creates object O, then S owns O (each object O has exactly one owner). An owning subject always holds control, but a subject holding control need not be the owner.

4. Discretionary access control

A subject holding ownership (or control) of an object can grant other subjects access rights to that object at its own discretion, and revoke them at any time.

Discretionary access control (DAC) is an effective means of protecting system resources from unauthorized access, but it has a significant shortcoming: the control is discretionary. That gives users a lot of flexibility, but it also creates a serious security problem: any subject that can read an object (including a Trojan horse program running with a legitimate user's rights) can copy its contents into a new object and grant anyone access, so the owner's decisions can be circumvented. For this reason a stronger mechanism was introduced: mandatory access control.

5. Mandatory access control

The system determines a subject's access rights to an object from the subject's level of trust and the sensitivity of the information the object contains; this is usually done by assigning security labels to subjects and objects.

Mandatory access control (MAC) is generally used together with DAC: on top of the discretionary checks it adds stronger restrictions. A subject may access an object only after passing both the discretionary and the mandatory check.

Users use DAC to protect their own objects from other users; MAC provides a stronger security layer that individual users cannot override.

Second, discretionary access control (DAC)

1. The matrix model of discretionary access control

(1) The system state is represented by an ordered triple Q = (S, O, A), where

S - the set of subjects

O - the set of objects

A - the access matrix; rows correspond to subjects and columns to objects. The element A(i, j) = Aij is the set of access rights that subject Si is permitted on object Oj.

Example: let S = {S1, S2} and O = {M1, M2, F1, F2, S1, S2} (the subjects appear among the objects as well). The current state is:

          M1         M2     F1         F2         S1    S2
    S1    {r,w,e}    {r}    {c,r,w}
    S2    {r}        {r}               {c,r,e}

(empty cells are empty sets)

Note: The "ownership" and "control rights" are different in some systems.

A reference monitor is set up to mediate every access by a subject to an object. When subject Si attempts to access object Oj, the monitor looks up Aij to decide whether Si may access Oj at all and in which modes; if the requested mode is not in Aij, the monitor refuses that operation. The monitor may be implemented in hardware, in software, or in a combination of the two.

(2) The system state changes continually as users perform operations, and the access control matrix changes with it. The operations that change the state are basically the following:

1. ENTER p INTO Aij (the owner of Oj grants subject Si the access right p on Oj)

2. DELETE p FROM Aij (the owner of Oj revokes subject Si's access right p on Oj)

3. CREATE SUBJECT S'

4. CREATE OBJECT O'

5. DELETE SUBJECT S'

6. DELETE OBJECT O'

These operations change the access control matrix, and the state moves from Q = (S, O, A) to Q' = (S', O', A').

2. Implementing discretionary access control

To implement DAC, the information in the access control matrix must be stored in the system in some form. Storing the matrix itself is very inefficient, because in practice it is a sparse matrix in which most cells are empty; that wastes both storage space and lookup time.

In fact, the implementation method can be divided into the following categories:

(1) Row-based DAC: capability lists

Each subject Si has a capability list consisting of all non-empty entries of Si's row in the access control matrix; it lists every object Si can access and the modes allowed. In the example above:

    O      P
    M1     {r, w, e}
    M2     {r}
    F1     {c, r, w}

  Capability list of S1

    O      P
    M1     {r}
    M2     {r}
    F2     {c, r, e}

  Capability list of S2

From the capability list of each subject Si it can be determined whether Si may access a given object and in which modes.

(2) Column-based DAC: authorization lists (access control lists)

Each object Oj has an authorization list consisting of all non-empty entries of Oj's column in the access control matrix; it lists every subject that can access Oj and the modes allowed. In the example above:

    S      P
    S1     {r, w, e}
    S2     {r}

  Authorization list (ACL) of M1

    S      P
    S2     {c, r, e}

  Authorization list (ACL) of F2

From the authorization list of each object Oj it can be determined which subjects may access Oj and in which modes.
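The following is an added example (not part of the original lecture notes) that implements the access matrix model above as a sparse map, the six state-changing operations, the reference monitor check, and the capability-list and ACL views derived from the same matrix. The names AccessMatrix, matrix_example and the `by` parameter are this example's own; the rights for M1, M2, F1 and F2 are the lecture's, while the owner of M1 and M2 is not recorded in the notes, so those objects are created without an owner.

```python
from collections import defaultdict


class AccessMatrix:
    """Sparse DAC access matrix Q = (S, O, A) with the six state transitions.

    A cell A[(s, o)] is the set of rights subject s holds on object o; a
    cell absent from the map is empty, so only non-empty cells use space
    (this is what makes the capability-list / ACL views cheap).  Subjects
    are also objects, so creating a subject adds it to both S and O.
    Rights use the lecture's letters: r, w, e, a, d, c (control), o (owner).
    """

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self._cells = defaultdict(set)

    # ---- the six state-changing operations -------------------------------
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)  # a subject can itself be accessed as an object

    def create_object(self, o, owner=None):
        """Create o; the creator (if any) becomes owner and so also holds c."""
        self.objects.add(o)
        if owner is not None:
            self._cells[(owner, o)] |= {"o", "c"}

    def delete_subject(self, s):
        self.subjects.discard(s)
        self.objects.discard(s)
        self._cells = defaultdict(set, {k: v for k, v in self._cells.items() if s not in k})

    def delete_object(self, o):
        self.objects.discard(o)
        self._cells = defaultdict(set, {k: v for k, v in self._cells.items() if k[1] != o})

    def enter(self, s, o, right, by=None):
        """ENTER right INTO A[s, o].

        `by` is the subject performing the grant and must hold c on o; c and o
        are never passed on (centralized management).  `by` is None only
        when the system initialises the matrix.
        """
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject/object: {s}, {o}")
        if by is not None:
            self._require_control(by, o)
            if right in ("c", "o"):
                raise PermissionError("c and o are not transferable")
        self._cells[(s, o)].add(right)

    def delete(self, s, o, right, by=None):
        """DELETE right FROM A[s, o]; same authorisation rule as enter()."""
        if by is not None:
            self._require_control(by, o)
        cell = self._cells.get((s, o))
        if cell:
            cell.discard(right)
            if not cell:
                del self._cells[(s, o)]

    def _require_control(self, subject, o):
        if "c" not in self._cells.get((subject, o), set()):
            raise PermissionError(f"{subject} holds no control right on {o}")

    # ---- the reference monitor check ------------------------------------
    def check(self, s, o, right):
        """Mediate one access: allowed only if right is in A[s, o]."""
        return right in self._cells.get((s, o), set())

    # ---- row and column views of the same matrix -------------------------
    def capability_list(self, s):
        return {o: set(r) for (subj, o), r in self._cells.items() if subj == s}

    def acl(self, o):
        return {s: set(r) for (s, obj), r in self._cells.items() if obj == o}


def matrix_example():
    """Build the lecture's example state (M1, M2 have no recorded owner)."""
    m = AccessMatrix()
    for s in ("S1", "S2"):
        m.create_subject(s)
    m.create_object("M1")
    m.create_object("M2")
    m.create_object("F1", owner="S1")
    m.create_object("F2", owner="S2")
    for s, o, rights in (("S1", "M1", "rwe"), ("S1", "M2", "r"), ("S1", "F1", "rw"),
                         ("S2", "M1", "r"), ("S2", "M2", "r"), ("S2", "F2", "re")):
        for right in rights:
            m.enter(s, o, right)  # system initialisation, no granter
    return m


if __name__ == "__main__":
    m = matrix_example()
    print("S1 capability list:", m.capability_list("S1"))
    print("M1 ACL:", m.acl("M1"))
    print("S2 may write M1?", m.check("S2", "M1", "w"))
```

Because the owner's cell carries o and c, the capability list of S1 for F1 shows {o, c, r, w} rather than the lecture's {c, r, w}; the monitor check and the ACL of M1 match the tables above exactly.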

3. Authorization management

Subjects' access rights are managed in one of two ways: centralized management or decentralized management.

(1) Centralized management

When subject Si creates object Oj, Si obtains the c right and every possible access right on Oj. Holding c, Si can grant any other subject in the system any access right on Oj (except c itself) and can revoke any subject's access rights to Oj. No other subject holds c on Oj, so even subjects that have access rights to Oj cannot pass those rights on to others or revoke anyone's access to Oj. In this mode, for any object Oj, which subjects may access it and in which modes is decided entirely by the owner of Oj. (In this mode "ownership" and "control" coincide.)

(2) Decentralized management

In this mode the owner of object Oj can not only grant other subjects access rights to Oj, but can also grant them the right to pass certain access rights on to others. Access rights to Oj can therefore be granted not only by the owner but also, wholly or partly, by other subjects. For example, the following figure shows the authorization of a relation X in a database:

In the figure A, B, C and D are four subjects; an arrow from A to B means A grants rights to B. The numbers 10, 15, 20 and 30 are the times at which the grants were made. R(y) means the right R was granted together with permission to pass it on; R(n) means R was granted without that permission.

    A --(time 10)--> B : R(y), I(y)
    B --(time 20)--> C : R(y), I(y)
    C --(time 30)--> D : R(y), I(n)
    A --(time 15)--> D : R(n)

  Legend: R(n) - the right R, not allowed to be passed on to other subjects.

From the figure: (1) between time 15 and time 30, D holds the R (read) right on X, granted by A, but cannot pass it on to other subjects; (2) after time 30, C has granted D both R and I; D may now pass R on to other subjects, but not I.

In this mode, when a subject revokes a right it granted, all the grants that derived from that grant must be revoked as well, so that the system state is as if the right had never been granted.

For example, if at some time after 40 A revokes the R right on X it granted to B, then B loses R on X; consequently C loses the R right on X it obtained from B, and the R right that C granted to D is revoked as well. D still holds the R right it received from A, but cannot pass it on.

Decentralized management makes authorization flexible, but it has a defect: once the owner of Oj has granted other subjects the right to pass access rights on, the owner can no longer control which subjects can and cannot access Oj, or which subjects do and do not have the right to grant access to Oj. In the example, A did not want D to be able to pass R on, yet C granted D exactly that. For this reason a method of issuing a "black token" has been proposed: the owner of Oj can issue a black token to subjects that are not allowed to access Oj, and no other subject may then grant those subjects access to Oj. (Of course, some particular kind of access may still be permitted.)

In this mode "ownership" and "control" do not coincide.
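The following is an added example (not part of the original lecture notes) that models decentralized management of one object as a timestamped grant graph: grants carry the R(y)/R(n) transfer flag, revocation cascades so that grants which depended on the revoked one disappear, and the owner can issue black tokens that block any further grant to a subject. It reproduces the A, B, C, D figure and the revocation at time 40 described above. GrantGraph, Grant, relation_x_example and the rule that a grant survives only while its grantor still holds a transferable grant dated no later than it are this example's own choices; the right I is carried through exactly as in the figure without being interpreted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    right: str
    time: int
    transferable: bool  # R(y) = may be passed on, R(n) = may not


class GrantGraph:
    """Decentralized authorization for one object (the figure's relation X).

    The owner may grant anything.  Any other subject may grant a right only
    while it holds a transferable grant of that right made at or before the
    time of its own grant.  Revocation cascades to a fixpoint: a grant is
    dropped when its grantor no longer satisfies that condition.
    """

    def __init__(self, owner):
        self.owner = owner
        self.grants = []
        self.black_tokens = set()  # subjects that nobody may grant access to

    def held(self, subject, right, at):
        """Grants of `right` to `subject` made at or before time `at`."""
        return [g for g in self.grants
                if g.grantee == subject and g.right == right and g.time <= at]

    def can_grant(self, subject, right, at):
        if subject == self.owner:
            return True
        return any(g.transferable for g in self.held(subject, right, at))

    def grant(self, grantor, grantee, right, time, transferable):
        if grantee in self.black_tokens:
            raise PermissionError(f"{grantee} holds a black token for this object")
        if not self.can_grant(grantor, right, time):
            raise PermissionError(f"{grantor} may not pass on {right} at time {time}")
        self.grants.append(Grant(grantor, grantee, right, time, transferable))

    def issue_black_token(self, issuer, subject):
        """Only the owner may forbid all grants to a subject."""
        if issuer != self.owner:
            raise PermissionError("only the owner issues black tokens")
        self.black_tokens.add(subject)

    def revoke(self, grantor, grantee, right):
        """Revoke grantor's grant(s) of `right` to grantee, then cascade."""
        self.grants = [g for g in self.grants
                       if not (g.grantor == grantor and g.grantee == grantee and g.right == right)]
        changed = True
        while changed:  # each pass may orphan further grants down the chain
            changed = False
            for g in list(self.grants):
                if g.grantor != self.owner and not self.can_grant(g.grantor, g.right, g.time):
                    self.grants.remove(g)
                    changed = True


def relation_x_example():
    """The figure's grants on relation X, whose owner is A."""
    x = GrantGraph(owner="A")
    x.grant("A", "B", "R", 10, True)
    x.grant("A", "B", "I", 10, True)
    x.grant("A", "D", "R", 15, False)
    x.grant("B", "C", "R", 20, True)
    x.grant("B", "C", "I", 20, True)
    x.grant("C", "D", "R", 30, True)
    x.grant("C", "D", "I", 30, False)
    return x


if __name__ == "__main__":
    x = relation_x_example()
    print("D can pass on R at time 20?", x.can_grant("D", "R", 20))
    print("D can pass on R at time 30?", x.can_grant("D", "R", 30))
    x.revoke("A", "B", "R")
    print("R grants left after A revokes B:", [g for g in x.grants if g.right == "R"])
```

After the revocation only A's non-transferable grant of R to D survives, which is exactly the state the notes describe: D keeps R but cannot pass it on, while B's and C's I rights are untouched.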

Third, security policies and security models

First, security policy

1. The concept of a security policy

The security policy of a computer system is a complete and rigorous set of rules that constrain user behaviour and describe the security requirements of the system. These rules specify every permitted access in the system and are the basis on which access control is implemented.

A computer system's security policy should be able to state, for every situation the system may be in, which subjects are allowed which kinds of access and which kinds are not allowed.

Relative to the system that implements it, the security policy is an abstract, guiding set of principles; it nevertheless has a strong practical background.

2. Examples of security policies

Take military security policy and commercial security policy as examples. The military is mainly concerned with the confidentiality of data; business is mainly concerned with the integrity of data. Because of this difference in starting point, their security policies differ greatly.

(1) Military security policy:

It has two parts: a discretionary security policy and a mandatory security policy.

· Discretionary security policy: any access by a subject to an object must be authorized by the owner of the object.

Review of mathematical concepts:

1. Cartesian product: A × B.

2. Power set of a set A: P(A) = 2^A = {s | s ⊆ A}.

3. Partial order on a set A: a relation on A that is reflexive, antisymmetric and transitive; Hasse diagram; partially ordered set (poset); total order.

4. Useful conclusion: let (A, ≤) and (B, ≤) be posets and define a relation on A × B by: for any (a1, b1), (a2, b2) ∈ A × B, (a1, b1) ≤ (a2, b2) if and only if a1 ≤ a2 and b1 ≤ b2. It can be proved that (A × B, ≤) is also a poset.

· Mandatory security policy

1. Every subject and every object carries a security label.

The security level of an object represents the sensitivity (confidentiality) of the information it contains;

The security level of a subject represents how far the subject is trusted, i.e. the level of information it may access.

2. A security label consists of two parts: a classification level and a set of departments.

1) Classification levels are generally defined as four: Unclassified (U), Confidential (C), Secret (S) and Top Secret (TS).

They form a total order: Unclassified ≤ Confidential ≤ Secret ≤ Top Secret.

Let A = {U, C, S, TS}; then (A, ≤) is a poset (in fact a totally ordered set).

2) The departments of an organization, for example: {Science and Technology Department, Cadres Department, Production Department, Intelligence Office}.

Let B = {Science and Technology Department, Cadres Department, Production Department, Intelligence Office} and P(B) = 2^B = {s | s ⊆ B}, the set of all subsets of B; for example {Science and Technology Department, Cadres Department} ∈ P(B) and {Science and Technology Department, Production Department, Intelligence Office} ∈ P(B). (P(B), ⊆) is also a poset.

3) Define the Cartesian product A × P(B) = {(a, h) | a ∈ A, h ∈ P(B)}.

For example:

(C, {Science and Technology Department}) = Class(O1) (U can read O1)

(S, {Science and Technology Department, Cadres Department}) = Class(U)

(TS, {Science and Technology Department, Intelligence Office, Cadres Department}) = Class(O2) (U can write O2)

(C, {Intelligence Office}) = Class(O3) (U can neither read nor write O3)

[Figure: subject U reads O1 and writes O2.]

The system defines the security levels of subjects and objects as elements of A × P(B), i.e. as such pairs.

3. Access control principles (the security policy proper)

A subject may only read objects whose security level is lower than or equal to its own: "read down".

A subject may only write objects whose security level is higher than or equal to its own: "write up".

4. How are security levels compared?

(A, ≤) is a poset, and (P(B), ⊆) is also a poset.

Define ≤ on A × P(B) as follows: for (a1, h1), (a2, h2) ∈ A × P(B), (a1, h1) ≤ (a2, h2) if and only if a1 ≤ a2 and h1 ⊆ h2. It can be proved that ≤ is a partial order on A × P(B), i.e. (A × P(B), ≤) is also a poset. If (a1, h1) ≤ (a2, h2) we say that (a1, h1) is lower than (a2, h2). For example:

(C, {Science and Technology Department}) ≤ (S, {Science and Technology Department, Cadres Department});

(S, {Science and Technology Department, Cadres Department}) ≤ (TS, {Science and Technology Department, Intelligence Office, Cadres Department}).

Hence (C, {Science and Technology Department}) ≤ (TS, {Science and Technology Department, Intelligence Office, Cadres Department}).

However, (C, {Intelligence Office}) and (C, {Science and Technology Department}) are not comparable, and (C, {Intelligence Office}) and (S, {Science and Technology Department, Cadres Department}) are not comparable.

The control principles above can now be stated precisely: if the security levels of subject U and object O satisfy

Class(U) ≤ Class(O), then U may "write" O;

Class(O) ≤ Class(U), then U may "read" O.

So in the example above U can read O1 and write O2, but can neither read nor write O3; and if Class(O4) = (TS, {Science and Technology Department}), U can neither read nor write O4, because Class(U) and Class(O4) are not comparable (U's level is lower but its department set is larger).
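The following is an added example (not part of the original lecture notes) that implements the labels (a, h) ∈ A × P(B), the product order, the "read down" and "write up" checks, and a brute-force check that the product order really is a partial order on a finite set of labels (the "useful conclusion" from the mathematics review). The short department names SciTech, Cadres, Production and Intelligence, and the names Label, can_read, can_write, is_partial_order and access_table, are this example's own; U and O1 to O4 are the lecture's labels.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet

# Unclassified < Confidential < Secret < Top Secret (the total order on A)
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
# The organization's departments B (short names stand in for the lecture's full names)
DEPTS = frozenset({"SciTech", "Cadres", "Production", "Intelligence"})


@dataclass(frozen=True)
class Label:
    """An element (a, h) of A x P(B): a classification level and a set of departments."""
    level: str
    depts: FrozenSet[str]

    def __post_init__(self):
        if self.level not in LEVELS or not self.depts <= DEPTS:
            raise ValueError(f"invalid label {self}")

    def __le__(self, other):
        """Product order: (a1, h1) <= (a2, h2) iff a1 <= a2 and h1 is a subset of h2."""
        return LEVELS[self.level] <= LEVELS[other.level] and self.depts <= other.depts


def comparable(x, y):
    return x <= y or y <= x


def can_read(subject, obj):
    """Read down: Class(O) <= Class(U)."""
    return obj <= subject


def can_write(subject, obj):
    """Write up: Class(U) <= Class(O)."""
    return subject <= obj


def is_partial_order(labels):
    """Check reflexivity, antisymmetry and transitivity of <= on a finite set of labels."""
    for x in labels:
        if not x <= x:
            return False
    for x, y in product(labels, repeat=2):
        if x <= y and y <= x and x != y:
            return False
    for x, y, z in product(labels, repeat=3):
        if x <= y and y <= z and not x <= z:
            return False
    return True


def label(level, *depts):
    return Label(level, frozenset(depts))


# The lecture's subject U and objects O1 .. O4
U = label("S", "SciTech", "Cadres")
O1 = label("C", "SciTech")
O2 = label("TS", "SciTech", "Intelligence", "Cadres")
O3 = label("C", "Intelligence")
O4 = label("TS", "SciTech")


def access_table(subject, objects):
    """Map each named object to (readable, writable) for the given subject."""
    return {name: (can_read(subject, o), can_write(subject, o)) for name, o in objects.items()}


if __name__ == "__main__":
    table = access_table(U, {"O1": O1, "O2": O2, "O3": O3, "O4": O4})
    for name, (r, w) in table.items():
        print(name, "read" if r else "-", "write" if w else "-")
```

The point of the incomparable cases (O3 and O4) is that the mandatory check fails in both directions: a label that is neither dominated by nor dominates the subject's label permits neither flow, which is exactly the behaviour required for "need to know" department sets.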

(2) Commercial security policy

Its main purpose is to prevent fraud, errors and tampering, and thereby to protect the integrity of information. It also prevents unauthorized disclosure, but does not need the elaborate controls required by military security. Its security policy rests on the following two principles:

1) Well-formed transactions

Users may not manipulate data arbitrarily; they must do so in a controlled way that guarantees data integrity, that is, data must be processed according to defined constraints.

Examples: keeping a record of every change (including the state of the data before and after the modification);

double-entry bookkeeping, which keeps the books balanced.

2) Separation of duty

An operation is split into several sub-operations, each executed by a different user, so that no single person holds all the permissions needed to complete the task; this minimizes the opportunity for fraud and error.

Of course, this does not rule out fraud entirely, but fraud now requires the collusion of several staff members and is therefore more likely to become apparent.

For example, the process of purchasing raw materials and paying for them can be broken into the following operations:

Purchase order - Record receipt of goods - Record the invoice - Payment

The last step may only be performed after the first three have been completed.
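The following is an added example (not part of the original lecture notes) that enforces both commercial-policy principles on the purchase workflow above: each step must be performed by a different user (separation of duty), every step is logged with the state before and after it, payment is refused until the three preceding steps are complete, and the payment itself is posted as a double entry so the ledger stays balanced. The step names, the Purchase and Ledger classes, run_example, the account names and the stricter rule that every step requires all earlier steps (the notes only state this for payment) are this example's own assumptions.

```python
STEPS = ("purchase_order", "record_goods", "record_invoice", "payment")


class Ledger:
    """Double-entry journal: each posting debits one account and credits another
    by the same amount, so the sum of all account balances is always zero."""

    def __init__(self):
        self.entries = []

    def post(self, debit_account, credit_account, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.entries.append((debit_account, credit_account, amount))

    def balances(self):
        bal = {}
        for debit, credit, amount in self.entries:
            bal[debit] = bal.get(debit, 0) + amount
            bal[credit] = bal.get(credit, 0) - amount
        return bal

    def balanced(self):
        return sum(self.balances().values()) == 0


class Purchase:
    """One purchase processed as a constrained sequence of steps.

    Well-formed transaction: steps only run in order, every step is logged
    with the state before and after it, and payment goes through the
    double-entry ledger.  Separation of duty: no user may perform more
    than one step of the same purchase.
    """

    def __init__(self, purchase_id, amount, ledger):
        self.purchase_id = purchase_id
        self.amount = amount
        self.ledger = ledger
        self.done = {}   # step -> user who performed it
        self.log = []    # (step, user, state before, state after)

    def perform(self, user, step):
        if step not in STEPS:
            raise ValueError(f"unknown step {step}")
        if step in self.done:
            raise PermissionError(f"{step} already performed on {self.purchase_id}")
        missing = [s for s in STEPS[:STEPS.index(step)] if s not in self.done]
        if missing:
            raise PermissionError(f"{step} requires {missing} first")
        if user in self.done.values():
            raise PermissionError(f"separation of duty: {user} already acted on {self.purchase_id}")
        before = dict(self.done)
        self.done[step] = user
        if step == "payment":
            # the only data change that touches money is done through the ledger
            self.ledger.post("purchases", "cash", self.amount)
        self.log.append((step, user, before, dict(self.done)))

    def complete(self):
        return all(s in self.done for s in STEPS)


def run_example():
    """Four different clerks (constructed sample data) take the four steps."""
    ledger = Ledger()
    p = Purchase("PO-1", 1200, ledger)
    for user, step in zip(("alice", "bob", "carol", "dave"), STEPS):
        p.perform(user, step)
    return p, ledger


if __name__ == "__main__":
    p, ledger = run_example()
    print("complete:", p.complete(), "balanced:", ledger.balanced(), ledger.balances())
```

The check that matters for fraud is the one on `user in self.done.values()`: a clerk who raises a purchase order cannot also record the invoice or release the payment, so a fictitious purchase needs at least four colluding people and leaves four names in the log.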

(3) Comparison of military and commercial security policies

Differences:

1. Military security policy - mainly concerned with the confidentiality of data.

Commercial security policy - mainly concerned with the integrity of data.

2. Military security policy - attaches a security level to the data and controls users' access to the data through the security level.

Commercial security policy - attaches to the data the set of programs allowed to operate on it and controls users' access to the data through that set of programs.

3. Military security policy - users are authorized to read or write data.

Commercial security policy - users are authorized to execute the programs associated with the data.

4. Military security policy - once a user has obtained the corresponding access right, he can read or write the data arbitrarily.

Commercial security policy - the user's reads and writes are not arbitrary but are implicit in the programs executed. This makes the former more susceptible to viruses and Trojan horses.

Similarities:

1. The computer system must contain a mechanism that ensures the corresponding security policy is actually enforced;

2. The security mechanism in the system must itself be protected against unauthorized modification.

Second, security model

1. Security model

A security model is a precise, abstract and unambiguous description of the security requirements expressed by the security policy. It provides guidance for the design of secure systems.

A security model should have the following properties:

1) it is precise and unambiguous;

2) it is simple and abstract, and therefore easy to understand;

3) it concerns only security and does not unduly constrain the function or implementation of the system;

4) it is a clear expression of a security policy.

Security models are divided into:

Informal security models: describe the system's security in natural language. They are intuitive and easy to understand, but not rigorous, often ambiguous, and not concise.

Formal security models: describe the system's security properties or rules precisely in mathematical language. They are concise, precise and rigorous, and their properties can be proved; the disadvantage is that they are abstract and hard to understand.

According to TCSEC, class B1 requires both discretionary and mandatory access control; this requires a security policy, i.e. an informal security model, stating how the two kinds of access control are carried out. Class B2 systems require a formal security model, and class A1 additionally requires a formal proof of the security model.

Thus designing and developing a secure computer system of class B or above requires a security model for guidance, and for the higher security classes a formal security model is an indispensable condition.

