網(wǎng)絡(luò)與信息安全：10訪問控制10

訪問控制內(nèi)容訪問控制機制自主型訪問控制和強制型訪問控制BLP保密模型Biba完整性模型Clark-Wilson完整性模型ChineseWall模型訪問控制機制訪問控制是信息安全的一個核心技術(shù)，它提供了保密性和完整性保證：哪個主體可以以何種方式訪問哪個客體?依靠認(rèn)證機制提供主體身份的確認(rèn)依靠授權(quán)機制實施控制策略訪問方式可以是：讀、寫、修改、執(zhí)行等舉例文件擁有者可以讀寫本文件兩個網(wǎng)絡(luò)之間只能允許電子郵件連接上級領(lǐng)導(dǎo)可以檢查下級工作律師要么支持被告，要么支持原告訪問控制原則最小特權(quán)原則職責(zé)分離原則訪問控制層次網(wǎng)絡(luò)訪問控制 防火墻等操作系統(tǒng)訪問控制應(yīng)用訪問控制比如數(shù)據(jù)庫應(yīng)用訪問控制的加密實現(xiàn)數(shù)據(jù)、VPN等訪問控制類型自主型訪問控制強制型訪問控制基于角色的訪問控制

自主型和強制型訪問控制自主型訪問控制（DiscretionaryAccessControl,DAC）由客體擁有者決定哪個主體可以以何種方式訪問客體通常用訪問控制列表（ACL）來實現(xiàn)一般用于非層次化管理系統(tǒng)中，如電子商務(wù)等強制型訪問控制（MandatoryAccessControl,MAC）由第三方（如系統(tǒng)管理者）決定主體可以以何種方式訪問客體一般通過標(biāo)簽（Labeling）來實現(xiàn)一般用于上下級層次化管理體系中二者可以并存強制型訪問控制（MAC）主體(用戶、進程等)被分配安全標(biāo)簽客體(文件、數(shù)據(jù)）也被分配安全標(biāo)簽通過比較或檢查主體和客體的安全標(biāo)簽，確定主體是否可以以請求方式訪問客體舉例AnoperatingsystemenforcesaMACpolicyAwebserverexecutesat“confidential”clearanceIfcompromised,itcannotelevateitsprivilegesoraccessmoresensitive(“secret”,“topsecret”)data自主型訪問控制（DAC）EachSUBJECThasanameandcanbelongtoagroup(role)EachOBJECThasanaccesscontrollist,whichenumeratessubjects’accesspermissionsforthatobjectAccesscontrolisdonebycheckingtheuser’sidentityagainsttheaccesscontrollistoneveryaccess舉例ApersonalfirewallisanexampleofDAC-basedmechanismTheuserdetermineswhatconnectionsareallowedto/fromthePCSubjectsarelocalapplicationsObjectsareremotehostsandtheirapplications舉例訪問控制矩陣FilelFile2File3File4JohnOwnRWOwnRWAliceROwnRWWRBobRWROwnRWBell-LaPadula

保密模型第一個多級安全保密策略模型MACbased-dataisclassifiedwithlabels,usershaveclearances(unclassified,confidential,secret,topsecret)兩個性質(zhì)NoReadUp–nosubjectmayreaddataatahigherlevelNoWriteDown–nosubjectmaywritedatatoalowerlevelLabels(levels)generallydonotchangeduringsystemoperationBell-LaPadula

保密模型BLPenforces“noreadup”and“nowritedown”policiesI.rmationmayonlyflow“upward”Bell-LaPadula

保密模型SomemodernparallelstotheBLPmodelareAVPNprovidesaccesscontrol,solesstrusteduserscannotreadtransitdatawithahigherlevelofsensitivityAfirewallcouldprovideone-wayconnectivityonly格（Lattice）模型AnextensionofBLP,whichintroducescompartmentalization(multilateralsecurity)Controlsaccessacrosscompartments,notonlymultiplelevelsEachsubjectandobjectbelongtoacompartmentSubjects/objectsindifferentcompartmentsareincomparable,thereforenoinformationcanflowbetweenthemBiba

完整性模型第一個多級安全完整性策略模型MACbased-dataisclassifiedwithlabels,usershaveclearances(unclassified,confidential,secret,topsecret)兩個性質(zhì)NoReadDown–nosubjectmayreaddataatalowerlevel(preventscontaminationbyreadingfromuntrustedobjects)NoWriteUp–nosubjectmaywritedatatoahigherlevel(preventscontaminationbywritingtotrustedobjects)Biba

完整性模型Bibaenforces“noreaddown”and“nowriteup”policiesI.rmationmayonlyflow“downward”Biba

完整性模型UsageexamplesWebservers,whichonlyservedata(nopostsallowed)Networkmanagement,whichonlyreadsSNMPstatistics,butcannotchangeconfigurationClarkWilson完整性模型主要用于銀行應(yīng)用，保證數(shù)據(jù)完整性Basedonallowingonlywell-formedtransactionsAsystemacceptsunconstraineddataitems(UDI)andconvertsthemtoconstraineddataitems(CDI)CDIscanonlybechangedbytransformationprocedures(TP)Atransformationprocedure(TP)maintainsaCDI’sintegrityEachCDIhasaintegrityverificationprocedure(IVP)Accesscontrolisdefinedbytriples(subject,TP,CDI)ClarkWilson完整性模型AClark-Wilsonpolicymightbeusedinane-commercesystemtoprovideintegrityofdataChineseWall模型Amultilateralsecuritymodeltoprovideconfidentialitybetweenconflict-of-interestareas(usedmostlyininvestmentbanking)TheuserchoosesaclientcompanytoworkwithTheuserisautomaticallydisallowedtoaccessanydataofthecompany’scompetitorsDACelements:TheuserfreelychoosestheareaMACelements:Oncechosen,thesystemforcestheusertostaywithinthatarea(aChineseWalliscreatedaroundthearea)ChineseWall模型舉例AserverinsideafirewallshouldnotbeusedtorelaydatafrominsidetooutsideInternetandinsidenetworkarein“conflictofinterest”Servercanonlytalktooneside,andnevertotheotherChineseWall模型舉例DonotallowsplittunnelinginaremoteaccessVPNAremoteusereithertalkstotheInternet,ortothecorporatenetworkDeparturefromclassicChineseWall:theseparationisnotpermanent,butisdecidedwitheachconnection基于角色的訪問控制（RBAC）用戶根據(jù)其被分配角色而獲得對客體的訪問權(quán)限角色依據(jù)工作職能定義權(quán)限依據(jù)工作權(quán)力和責(zé)任定義客體只關(guān)心用戶角色而不關(guān)心其本身基于角色的訪問控制（RBAC）個人角色客體Role1Role2Role3Server1Server3Server2User’schangefrequently,Rolesdon’t特權(quán) Rolesareengineeredbasedontheprincipleofleastprivileged .Arolecontainstheminimumamountofpermissionstoinstantiateanobject.Auserisassignedtoarolethatallowshimorhertoperformonlywhat’srequiredforthatrole.Nosingleroleisgivenmorepermissionthanthesameroleforanotheruser.基于角色的訪問控制（RABC）CoreComponentsConstrainingComponentsHierarchicalRBACGeneralLimitedSeparationofDutyRelationsStaticDynamicCoreComponentsDefines:USERSROLESOPERATIONS(ops)OBJECTS(obs)UserAssignments(ua)assigned_usersnotesCoreRABCRequiresthatusersbeassignedtoroles(jobfunctions),rolesbeassignedwithpermissions(approvaltoperformanoperationonanobject)andusersacquirepermissionsbybeingassignedtoroles.Auserestablishesasessionduringwhichheactivatesasubsetofrolesassignedtohim.Eachusercanactivatemultiplesessions;howevereachsessionisassociatedwithonlyoneuser.TheoperationthatausercanperforminasessiondependsontherolesactivatedinthatsessionandpermissionsassociatedwiththoserolesnotesStaticSeparationofDuty(SSD)relationsarenecessarytopreventconflictofintereststhatarisewhenausergainspermissionsassociatedwithconflictingroles(rolesthatcannotbeassignedtothesameuser).SSDrelationsarespecifiedforanypairofrolesthatconflict.TheSSDrelationplacesaconstraintontheassignmentofuserstoroles,thatis,assignmenttoarolethattakespartinanSSDrelationpreventstheuserfrombeingassignedtotherelatedconflictingrole.TheSSDrelationshipissymmetric,butitisneitherreflexivenortransitive.SSDmayexistintheabsenceofrolehierarchies(referredtoasSSDRBAC),orinthepresenceofrolehierarchies(referredtoashierarchicalSSDRBAC).ThepresenceofrolehierarchiescomplicatestheenforcementoftheSSDrelations:beforeassigninguserstorolesnotonlyshouldonecheckthedirectuserassignmentsbutalsotheindirectuserassignmentsthatoccurduetothepresenceoftherolehierarchies.DynamicSeparationofDuty(DSD)relationsaimtopreventconflictofinterestsaswell.TheDSDrelationsplaceconstraintsontherolesthatcanbeactivatedinauser’ssession.IfonerolethattakespartinaDSDrelationisactivated,theusercannotactivatetherelated(conflicting)roleinthesamesession.Role-BasedAccessControluser_sessions(RH)RoleHierarchysession_roles(UA)UserAssign-ment(PA)PermissionAssignmentUSERSOBSOPSSESSIONSROLESPRMSSSDDSDnotesFigurebackconsistsof:1)asetofusers(USERS)whereauserisanintelligentautonomousagent,2)asetofroles(ROLES)wherearoleisajobfunction,3)asetofob