訪問(wèn)控制和系統(tǒng)審計(jì)ppt課件

1、Access and Information Flow Controls第9章：訪問(wèn)控制和系統(tǒng)審計(jì).經(jīng)典平安模型的雛形.根本組成要素1明確定義的主體和客體；2描畫(huà)主體如何訪問(wèn)客體的一個(gè)授權(quán)數(shù)據(jù)庫(kù)；3約束主體對(duì)客體訪問(wèn)嘗試的參考監(jiān)視器；4識(shí)別和驗(yàn)證主體和客體的可信子系統(tǒng)；5審計(jì)參考監(jiān)視器活動(dòng)的可信子系統(tǒng)。 .三種平安機(jī)制的關(guān)系.計(jì)算機(jī)平安等級(jí)劃分為了加強(qiáng)計(jì)算機(jī)系統(tǒng)的信息平安，1985年美國(guó)國(guó)防部發(fā)表了縮寫(xiě)為T(mén)CSEC，它根據(jù)處置的信息等級(jí)采取的相應(yīng)對(duì)策，劃分了4類(lèi)7個(gè)平安等級(jí)。按照各類(lèi)、級(jí)的平安要求從低到高，依次是D、C1、C2、B1、B2、B3和A1級(jí) .計(jì)算機(jī)平安等級(jí)劃分D 級(jí)：Minima

2、l Protection最低平安維護(hù)。沒(méi)有任何平安性防護(hù)。C1級(jí)：Discretionary Security Protection自主平安維護(hù)。這一級(jí)的系統(tǒng)必需對(duì)一切的用戶進(jìn)展分組；對(duì)于每個(gè)用戶必需注冊(cè)后才干運(yùn)用；系統(tǒng)必需記錄每個(gè)用戶的注冊(cè)活動(dòng)；系統(tǒng)對(duì)能夠破壞本身的操作發(fā)出警告。 .計(jì)算機(jī)平安等級(jí)劃分C2級(jí)：Controled Access Protection可控訪問(wèn)維護(hù)。在C1級(jí)根底上，添加了以下要求：一切的客體都只需一個(gè)主體；對(duì)于每個(gè)試圖訪問(wèn)客體的操作，都必需檢驗(yàn)權(quán)限；有且僅有主體和主體指定的用戶可以更改權(quán)限；管理員可以獲得客體的一切權(quán)，但不能再歸還；系統(tǒng)必需保證本身不能被管理員以外的

3、用戶改動(dòng)； 系統(tǒng)必需有才干對(duì)一切的操作進(jìn)展記錄，并且只需管理員和由管理員指定的用戶可以訪問(wèn)該記錄。SCO UNIX 和 Windows NT 屬于 C2 級(jí).計(jì)算機(jī)平安等級(jí)劃分B1級(jí)：Labeled Security Protection標(biāo)識(shí)的平安維護(hù)。 添加：不同的組成員不能訪問(wèn)對(duì)方創(chuàng)建的客體，但管理員答應(yīng)的除外；管理員不能獲得客體的一切權(quán)。Windows NT的定制版本可以到達(dá) B1級(jí)。.計(jì)算機(jī)平安等級(jí)劃分B2級(jí)：Structured Protection構(gòu)造化維護(hù)。 添加：一切的用戶都被授予一個(gè)平安等級(jí)；平安等級(jí)較低的用戶不能訪問(wèn)高等級(jí)用戶創(chuàng)建的客體。銀行的金融系統(tǒng)通常到達(dá) B2 級(jí)。

4、.計(jì)算機(jī)平安等級(jí)劃分B3級(jí)：Security Domain平安域維護(hù)。 添加：系統(tǒng)有本人的執(zhí)行域，不受外界干擾或篡改。系統(tǒng)進(jìn)程運(yùn)轉(zhuǎn)在不同的地址空間從而實(shí)現(xiàn)隔離。.計(jì)算機(jī)平安等級(jí)劃分A1級(jí)：Verified Design可驗(yàn)證設(shè)計(jì)。在B3的根底上，添加：系統(tǒng)的整體平安戰(zhàn)略一經(jīng)建立便不能修正。 .Access Controlgiven system has identified a user determine what resources they can accessgeneral model is that of access matrix withsubject - active enti

5、ty (user, process) object - passive entity (file or resource) access right way object can be accessedcan decompose bycolumns as access control listsrows as capability tickets.Access Control MatrixObjectSubjectFile1File2File3File4File5printerdiskUser1ReadWriteReadWriteWriteUser2ReadWriteReadListWrite

6、User3ReadWriteExecuteWriteReadWrite.Access ModesReadallows the user to read the file or view the file attributes.Writeallows the user to write to the file,which may include creating,modifying,or appending onto the file.Executethe user may load the file and execute it.Deletethe user may remove this f

7、ile from the system.Listallows the user to view the files attributes.Access Control TechniquesFile PasswordsDiscretionary Access ControlsMandatory Access ControlsRole-Based Access Controls.File PasswordsIn order to gain access to a file,the user must present the system with the files password.Differ

8、ent to password used to gain access to the system.Each file is assigned a(multiple) password(s).Assignment system manager or the owner of the file.For example: one for reading, one for writing.File PasswordsEasy to implement and understand.Problem:1:passwords themselves, a large number of passwords

9、to remember.2:no easy way to keep track of who has access to a file.3:a file requires access to other files.Embed the passwordsSpecify all file passwords up frontSupply the password for each additional file.Discretionary Access Controls自主訪問(wèn)控制恣意訪問(wèn)控制：根據(jù)主體身份或者主體所屬組的身份或者二者的結(jié)合, 對(duì)客體訪問(wèn)進(jìn)展限制的一種方法。最常用的一種方法，這種

10、方法允許用戶自主地在系統(tǒng)中規(guī)定誰(shuí)可以存取它的資源實(shí)體，即用戶包括用戶程序和用戶進(jìn)程可選擇同其他用戶一同共享某個(gè)文件。自主：指具有授與某種訪問(wèn)權(quán)益的主體可以本人決議能否將訪問(wèn)權(quán)限授予其他的主體。平安操作系統(tǒng)需求具備的特征之一就是自主訪問(wèn)控制，它基于對(duì)主體或主體所屬的主體組的識(shí)別來(lái)限制對(duì)客體的存取?？腕w：文件，郵箱、通訊信道、終端設(shè)備等。 .File permissions.方法1：Directory list為每一個(gè)欲實(shí)施訪問(wèn)操作的主體，建立一個(gè)能被其訪問(wèn)的“客體目錄表文件目錄表 .Discretionary Access Controls:Access Control ListsObjectS

11、ubjectFile1File2File3File4File5printerdiskUser1ReadWriteReadWriteWriteUser2ReadWriteReadListWriteUser3ReadWriteExecuteWriteReadWrite.Access Control Lists.Discretionary Access Controls:Access Control Lists.Discretionary Access Controls:Access Control ListsIt is easy to determine a list of all subject

12、s granted access to a specific object.The ease with which access can be revoked.Storage space is saved.Implement fine granularity:time,locationDifficulty in listing all objects a specific subject has access to.Discretionary Access Controls:Capabilities BasedObjectSubjectFile1File2File3File4File5prin

13、terdiskUser1ReadWriteReadWriteWriteUser2ReadWriteReadListWriteUser3ReadWriteExecuteWriteReadWrite.Discretionary Access Controls: Capabilities Based(Ticket)Ticket possessed by the subject which will grant a specified mode of access for a specific object.The system maintains a list of these tickets fo

14、r each subject.Passing copies of the ticket=give access to an object to another user.Revoke access to files by recalling the tickets.Mandatory Access Controls根據(jù)客體中信息的敏感標(biāo)志和訪問(wèn)敏感信息的主體的訪問(wèn)級(jí)對(duì)客體訪問(wèn)實(shí)行限制 用戶的權(quán)限和客體的平安屬性都是固定的 所謂“強(qiáng)迫就是平安屬性由系統(tǒng)管理員人為設(shè)置，或由操作系統(tǒng)自動(dòng)地按照嚴(yán)厲的平安戰(zhàn)略與規(guī)那么進(jìn)展設(shè)置，用戶和他們的進(jìn)程不能修正這些屬性。所謂“強(qiáng)迫訪問(wèn)控制是指訪問(wèn)發(fā)生前，系統(tǒng)經(jīng)過(guò)

15、比較主體和客體的平安屬性來(lái)決議主體能否以他所希望的方式訪問(wèn)一個(gè)客體。 .Sensitivity LabelSECRET VENUS , TANK , ALPHA Classification categories.Mandatory Access Controls在強(qiáng)迫訪問(wèn)控制中，它將每個(gè)用戶及文件賦于一個(gè)訪問(wèn)級(jí)別，如：絕密級(jí)Top Secret、級(jí)Secret、級(jí)Confidential及普通級(jí)Unclassified。其級(jí)別為T(mén)，實(shí)現(xiàn)四種訪問(wèn)控制讀寫(xiě)關(guān)系：下讀(read down)：用戶級(jí)別大于文件級(jí)別的讀操作；上寫(xiě)(Write up)：用戶級(jí)別低于文件級(jí)別的寫(xiě)操作；下寫(xiě)(Write do

16、wn)：用戶級(jí)別大于文件級(jí)別的寫(xiě)操作；上讀(read up)：用戶級(jí)別低于文件級(jí)別的讀操作；.Rules 三個(gè)要素主體的標(biāo)簽，即他的平安答應(yīng)TOP SECRET VENUS TANK ALPHA客體的標(biāo)簽，例如文件LOGISTIC的敏感標(biāo)簽如下：SECRET VENUS ALPHA 訪問(wèn)懇求，例如他試圖讀該文件.examples.Role-Based Access Controls授權(quán)給用戶的訪問(wèn)權(quán)限，通常由用戶在一個(gè)組織中擔(dān)當(dāng)?shù)慕巧珌?lái)確定?！敖巧敢粋€(gè)或一群用戶在組織內(nèi)可執(zhí)行的操作的集合。角色就充任著主體用戶和客體之間的關(guān)聯(lián)的橋梁。這是與傳統(tǒng)的訪問(wèn)控制戰(zhàn)略的最大的區(qū)別所在。 主體角色客體.F

17、EATURES:以角色作為訪問(wèn)控制的主體用戶以什么樣的角色對(duì)資源進(jìn)展訪問(wèn)，決議了用戶擁有的權(quán)限以及可執(zhí)行何種操作。 角色承繼 最小權(quán)限原那么 一方面給予主體“必不可少的特權(quán)；另一方面，它只給予主體“必不可少的特權(quán)。.FEATURES職責(zé)分別 ?對(duì)于某些特定的操作集，某一個(gè)角色或用戶不能夠同時(shí)獨(dú)立地完成一切這些操作?！奥氊?zé)分別可以有靜態(tài)和動(dòng)態(tài)兩種實(shí)現(xiàn)方式。靜態(tài)職責(zé)分別：只需當(dāng)一個(gè)角色與用戶所屬的其它角色彼此不互斥時(shí)，這個(gè)角色才干授權(quán)給該用戶。動(dòng)態(tài)職責(zé)分別：只需當(dāng)一個(gè)角色與一主體的任何一個(gè)當(dāng)前活潑角色都不互斥時(shí)，該角色才干成為該主體的另一個(gè)活潑角色。角色容量在創(chuàng)建新的角色時(shí)，要指定角色的容量。在一

18、個(gè)特定的時(shí)間段內(nèi)，有一些角色只能由一定人數(shù)的用戶占用。.系統(tǒng)審計(jì).Trusted Computer Systemsinformation security is increasingly important have varying degrees of sensitivity of informationcf military info classifications: confidential, secret etc subjects (people or programs) have varying rights of access to objects (information)wan

19、t to consider ways of increasing confidence in systems to enforce these rightsknown as multilevel securitysubjects have maximum & current security level objects have a fixed security level classification 可信計(jì)算機(jī)系統(tǒng).Bell LaPadula (BLP) Modelone of the most famous security modelsimplemented as mandatory

20、policies on system has two key policies: no read up (simple security property)a subject can only read/write an object if the current security level of the subject dominates (=) the classification of the objectno write down (*-property)a subject can only append/write to an object if the current secur

21、ity level of the subject is dominated by (=) the classification of the object.Reference MonitorComplete mediationIsolationVerifiability.The Concept ofTrusted SystemsReference MonitorControlling element in the hardware and operating system of a computer that regulates the access of subjects to object

22、s on basis of security parametersThe monitor has access to a file (security kernel database)The monitor enforces the security rules (no read up, no write down).The Concept ofTrusted SystemsProperties of the Reference MonitorComplete mediation: Security rules are enforced on every accessIsolation: The reference monitor and database are protected from unauthorized modificationVerifiability: The reference monitors correctness must be provable (mathematically).The Concept ofTrusted SystemsA system that can provide such verifications (properties) is referred to as a trusted systemThat is