访问控制和系统审计ppt课件

1、Access and Information Flow Controls第9章：访问控制和系统审计.经典平安模型的雏形.根本组成要素1明确定义的主体和客体；2描画主体如何访问客体的一个授权数据库；3约束主体对客体访问尝试的参考监视器；4识别和验证主体和客体的可信子系统；5审计参考监视器活动的可信子系统。 .三种平安机制的关系.计算机平安等级划分为了加强计算机系统的信息平安，1985年美国国防部发表了缩写为TCSEC，它根据处置的信息等级采取的相应对策，划分了4类7个平安等级。按照各类、级的平安要求从低到高，依次是D、C1、C2、B1、B2、B3和A1级 .计算机平安等级划分D 级：Minima

2、l Protection最低平安维护。没有任何平安性防护。C1级：Discretionary Security Protection自主平安维护。这一级的系统必需对一切的用户进展分组；对于每个用户必需注册后才干运用；系统必需记录每个用户的注册活动；系统对能够破坏本身的操作发出警告。 .计算机平安等级划分C2级：Controled Access Protection可控访问维护。在C1级根底上，添加了以下要求：一切的客体都只需一个主体；对于每个试图访问客体的操作，都必需检验权限；有且仅有主体和主体指定的用户可以更改权限；管理员可以获得客体的一切权，但不能再归还；系统必需保证本身不能被管理员以外的

3、用户改动； 系统必需有才干对一切的操作进展记录，并且只需管理员和由管理员指定的用户可以访问该记录。SCO UNIX 和 Windows NT 属于 C2 级.计算机平安等级划分B1级：Labeled Security Protection标识的平安维护。 添加：不同的组成员不能访问对方创建的客体，但管理员答应的除外；管理员不能获得客体的一切权。Windows NT的定制版本可以到达 B1级。.计算机平安等级划分B2级：Structured Protection构造化维护。 添加：一切的用户都被授予一个平安等级；平安等级较低的用户不能访问高等级用户创建的客体。银行的金融系统通常到达 B2 级。

4、.计算机平安等级划分B3级：Security Domain平安域维护。 添加：系统有本人的执行域，不受外界干扰或篡改。系统进程运转在不同的地址空间从而实现隔离。.计算机平安等级划分A1级：Verified Design可验证设计。在B3的根底上，添加：系统的整体平安战略一经建立便不能修正。 .Access Controlgiven system has identified a user determine what resources they can accessgeneral model is that of access matrix withsubject - active enti

5、ty (user, process) object - passive entity (file or resource) access right way object can be accessedcan decompose bycolumns as access control listsrows as capability tickets.Access Control MatrixObjectSubjectFile1File2File3File4File5printerdiskUser1ReadWriteReadWriteWriteUser2ReadWriteReadListWrite

6、User3ReadWriteExecuteWriteReadWrite.Access ModesReadallows the user to read the file or view the file attributes.Writeallows the user to write to the file,which may include creating,modifying,or appending onto the file.Executethe user may load the file and execute it.Deletethe user may remove this f

7、ile from the system.Listallows the user to view the files attributes.Access Control TechniquesFile PasswordsDiscretionary Access ControlsMandatory Access ControlsRole-Based Access Controls.File PasswordsIn order to gain access to a file,the user must present the system with the files password.Differ

8、ent to password used to gain access to the system.Each file is assigned a(multiple) password(s).Assignment system manager or the owner of the file.For example: one for reading, one for writing.File PasswordsEasy to implement and understand.Problem:1:passwords themselves, a large number of passwords

9、to remember.2:no easy way to keep track of who has access to a file.3:a file requires access to other files.Embed the passwordsSpecify all file passwords up frontSupply the password for each additional file.Discretionary Access Controls自主访问控制恣意访问控制：根据主体身份或者主体所属组的身份或者二者的结合, 对客体访问进展限制的一种方法。最常用的一种方法，这种

10、方法允许用户自主地在系统中规定谁可以存取它的资源实体，即用户包括用户程序和用户进程可选择同其他用户一同共享某个文件。自主：指具有授与某种访问权益的主体可以本人决议能否将访问权限授予其他的主体。平安操作系统需求具备的特征之一就是自主访问控制，它基于对主体或主体所属的主体组的识别来限制对客体的存取。客体：文件，邮箱、通讯信道、终端设备等。 .File permissions.方法1：Directory list为每一个欲实施访问操作的主体，建立一个能被其访问的“客体目录表文件目录表 .Discretionary Access Controls:Access Control ListsObjectS

11、ubjectFile1File2File3File4File5printerdiskUser1ReadWriteReadWriteWriteUser2ReadWriteReadListWriteUser3ReadWriteExecuteWriteReadWrite.Access Control Lists.Discretionary Access Controls:Access Control Lists.Discretionary Access Controls:Access Control ListsIt is easy to determine a list of all subject

12、s granted access to a specific object.The ease with which access can be revoked.Storage space is saved.Implement fine granularity:time,locationDifficulty in listing all objects a specific subject has access to.Discretionary Access Controls:Capabilities BasedObjectSubjectFile1File2File3File4File5prin

13、terdiskUser1ReadWriteReadWriteWriteUser2ReadWriteReadListWriteUser3ReadWriteExecuteWriteReadWrite.Discretionary Access Controls: Capabilities Based(Ticket)Ticket possessed by the subject which will grant a specified mode of access for a specific object.The system maintains a list of these tickets fo

14、r each subject.Passing copies of the ticket=give access to an object to another user.Revoke access to files by recalling the tickets.Mandatory Access Controls根据客体中信息的敏感标志和访问敏感信息的主体的访问级对客体访问实行限制 用户的权限和客体的平安属性都是固定的 所谓“强迫就是平安属性由系统管理员人为设置，或由操作系统自动地按照严厉的平安战略与规那么进展设置，用户和他们的进程不能修正这些属性。所谓“强迫访问控制是指访问发生前，系统经过

15、比较主体和客体的平安属性来决议主体能否以他所希望的方式访问一个客体。 .Sensitivity LabelSECRET VENUS , TANK , ALPHA Classification categories.Mandatory Access Controls在强迫访问控制中，它将每个用户及文件赋于一个访问级别，如：绝密级Top Secret、级Secret、级Confidential及普通级Unclassified。其级别为T，实现四种访问控制读写关系：下读(read down)：用户级别大于文件级别的读操作；上写(Write up)：用户级别低于文件级别的写操作；下写(Write do

16、wn)：用户级别大于文件级别的写操作；上读(read up)：用户级别低于文件级别的读操作；.Rules 三个要素主体的标签，即他的平安答应TOP SECRET VENUS TANK ALPHA客体的标签，例如文件LOGISTIC的敏感标签如下：SECRET VENUS ALPHA 访问恳求，例如他试图读该文件.examples.Role-Based Access Controls授权给用户的访问权限，通常由用户在一个组织中担当的角色来确定。“角色指一个或一群用户在组织内可执行的操作的集合。角色就充任着主体用户和客体之间的关联的桥梁。这是与传统的访问控制战略的最大的区别所在。 主体角色客体.F

17、EATURES:以角色作为访问控制的主体用户以什么样的角色对资源进展访问，决议了用户拥有的权限以及可执行何种操作。 角色承继 最小权限原那么 一方面给予主体“必不可少的特权；另一方面，它只给予主体“必不可少的特权。.FEATURES职责分别 ?对于某些特定的操作集，某一个角色或用户不能够同时独立地完成一切这些操作。“职责分别可以有静态和动态两种实现方式。静态职责分别：只需当一个角色与用户所属的其它角色彼此不互斥时，这个角色才干授权给该用户。动态职责分别：只需当一个角色与一主体的任何一个当前活泼角色都不互斥时，该角色才干成为该主体的另一个活泼角色。角色容量在创建新的角色时，要指定角色的容量。在一

18、个特定的时间段内，有一些角色只能由一定人数的用户占用。.系统审计.Trusted Computer Systemsinformation security is increasingly important have varying degrees of sensitivity of informationcf military info classifications: confidential, secret etc subjects (people or programs) have varying rights of access to objects (information)wan

19、t to consider ways of increasing confidence in systems to enforce these rightsknown as multilevel securitysubjects have maximum & current security level objects have a fixed security level classification 可信计算机系统.Bell LaPadula (BLP) Modelone of the most famous security modelsimplemented as mandatory

20、policies on system has two key policies: no read up (simple security property)a subject can only read/write an object if the current security level of the subject dominates (=) the classification of the objectno write down (*-property)a subject can only append/write to an object if the current secur

21、ity level of the subject is dominated by (=) the classification of the object.Reference MonitorComplete mediationIsolationVerifiability.The Concept ofTrusted SystemsReference MonitorControlling element in the hardware and operating system of a computer that regulates the access of subjects to object

22、s on basis of security parametersThe monitor has access to a file (security kernel database)The monitor enforces the security rules (no read up, no write down).The Concept ofTrusted SystemsProperties of the Reference MonitorComplete mediation: Security rules are enforced on every accessIsolation: The reference monitor and database are protected from unauthorized modificationVerifiability: The reference monitors correctness must be provable (mathematically).The Concept ofTrusted SystemsA system that can provide such verifications (properties) is referred to as a trusted systemThat is