网络与信息安全：10访问控制10

访问控制内容访问控制机制自主型访问控制和强制型访问控制BLP保密模型Biba完整性模型Clark-Wilson完整性模型ChineseWall模型访问控制机制访问控制是信息安全的一个核心技术，它提供了保密性和完整性保证：哪个主体可以以何种方式访问哪个客体?依靠认证机制提供主体身份的确认依靠授权机制实施控制策略访问方式可以是：读、写、修改、执行等举例文件拥有者可以读写本文件两个网络之间只能允许电子邮件连接上级领导可以检查下级工作律师要么支持被告，要么支持原告访问控制原则最小特权原则职责分离原则访问控制层次网络访问控制 防火墙等操作系统访问控制应用访问控制比如数据库应用访问控制的加密实现数据、VPN等访问控制类型自主型访问控制强制型访问控制基于角色的访问控制

自主型和强制型访问控制自主型访问控制（DiscretionaryAccessControl,DAC）由客体拥有者决定哪个主体可以以何种方式访问客体通常用访问控制列表（ACL）来实现一般用于非层次化管理系统中，如电子商务等强制型访问控制（MandatoryAccessControl,MAC）由第三方（如系统管理者）决定主体可以以何种方式访问客体一般通过标签（Labeling）来实现一般用于上下级层次化管理体系中二者可以并存强制型访问控制（MAC）主体(用户、进程等)被分配安全标签客体(文件、数据）也被分配安全标签通过比较或检查主体和客体的安全标签，确定主体是否可以以请求方式访问客体举例AnoperatingsystemenforcesaMACpolicyAwebserverexecutesat“confidential”clearanceIfcompromised,itcannotelevateitsprivilegesoraccessmoresensitive(“secret”,“topsecret”)data自主型访问控制（DAC）EachSUBJECThasanameandcanbelongtoagroup(role)EachOBJECThasanaccesscontrollist,whichenumeratessubjects’accesspermissionsforthatobjectAccesscontrolisdonebycheckingtheuser’sidentityagainsttheaccesscontrollistoneveryaccess举例ApersonalfirewallisanexampleofDAC-basedmechanismTheuserdetermineswhatconnectionsareallowedto/fromthePCSubjectsarelocalapplicationsObjectsareremotehostsandtheirapplications举例访问控制矩阵FilelFile2File3File4JohnOwnRWOwnRWAliceROwnRWWRBobRWROwnRWBell-LaPadula

保密模型第一个多级安全保密策略模型MACbased-dataisclassifiedwithlabels,usershaveclearances(unclassified,confidential,secret,topsecret)两个性质NoReadUp–nosubjectmayreaddataatahigherlevelNoWriteDown–nosubjectmaywritedatatoalowerlevelLabels(levels)generallydonotchangeduringsystemoperationBell-LaPadula

保密模型BLPenforces“noreadup”and“nowritedown”policiesI.rmationmayonlyflow“upward”Bell-LaPadula

保密模型SomemodernparallelstotheBLPmodelareAVPNprovidesaccesscontrol,solesstrusteduserscannotreadtransitdatawithahigherlevelofsensitivityAfirewallcouldprovideone-wayconnectivityonly格（Lattice）模型AnextensionofBLP,whichintroducescompartmentalization(multilateralsecurity)Controlsaccessacrosscompartments,notonlymultiplelevelsEachsubjectandobjectbelongtoacompartmentSubjects/objectsindifferentcompartmentsareincomparable,thereforenoinformationcanflowbetweenthemBiba

完整性模型第一个多级安全完整性策略模型MACbased-dataisclassifiedwithlabels,usershaveclearances(unclassified,confidential,secret,topsecret)两个性质NoReadDown–nosubjectmayreaddataatalowerlevel(preventscontaminationbyreadingfromuntrustedobjects)NoWriteUp–nosubjectmaywritedatatoahigherlevel(preventscontaminationbywritingtotrustedobjects)Biba

完整性模型Bibaenforces“noreaddown”and“nowriteup”policiesI.rmationmayonlyflow“downward”Biba

完整性模型UsageexamplesWebservers,whichonlyservedata(nopostsallowed)Networkmanagement,whichonlyreadsSNMPstatistics,butcannotchangeconfigurationClarkWilson完整性模型主要用于银行应用，保证数据完整性Basedonallowingonlywell-formedtransactionsAsystemacceptsunconstraineddataitems(UDI)andconvertsthemtoconstraineddataitems(CDI)CDIscanonlybechangedbytransformationprocedures(TP)Atransformationprocedure(TP)maintainsaCDI’sintegrityEachCDIhasaintegrityverificationprocedure(IVP)Accesscontrolisdefinedbytriples(subject,TP,CDI)ClarkWilson完整性模型AClark-Wilsonpolicymightbeusedinane-commercesystemtoprovideintegrityofdataChineseWall模型Amultilateralsecuritymodeltoprovideconfidentialitybetweenconflict-of-interestareas(usedmostlyininvestmentbanking)TheuserchoosesaclientcompanytoworkwithTheuserisautomaticallydisallowedtoaccessanydataofthecompany’scompetitorsDACelements:TheuserfreelychoosestheareaMACelements:Oncechosen,thesystemforcestheusertostaywithinthatarea(aChineseWalliscreatedaroundthearea)ChineseWall模型举例AserverinsideafirewallshouldnotbeusedtorelaydatafrominsidetooutsideInternetandinsidenetworkarein“conflictofinterest”Servercanonlytalktooneside,andnevertotheotherChineseWall模型举例DonotallowsplittunnelinginaremoteaccessVPNAremoteusereithertalkstotheInternet,ortothecorporatenetworkDeparturefromclassicChineseWall:theseparationisnotpermanent,butisdecidedwitheachconnection基于角色的访问控制（RBAC）用户根据其被分配角色而获得对客体的访问权限角色依据工作职能定义权限依据工作权力和责任定义客体只关心用户角色而不关心其本身基于角色的访问控制（RBAC）个人角色客体Role1Role2Role3Server1Server3Server2User’schangefrequently,Rolesdon’t特权 Rolesareengineeredbasedontheprincipleofleastprivileged .Arolecontainstheminimumamountofpermissionstoinstantiateanobject.Auserisassignedtoarolethatallowshimorhertoperformonlywhat’srequiredforthatrole.Nosingleroleisgivenmorepermissionthanthesameroleforanotheruser.基于角色的访问控制（RABC）CoreComponentsConstrainingComponentsHierarchicalRBACGeneralLimitedSeparationofDutyRelationsStaticDynamicCoreComponentsDefines:USERSROLESOPERATIONS(ops)OBJECTS(obs)UserAssignments(ua)assigned_usersnotesCoreRABCRequiresthatusersbeassignedtoroles(jobfunctions),rolesbeassignedwithpermissions(approvaltoperformanoperationonanobject)andusersacquirepermissionsbybeingassignedtoroles.Auserestablishesasessionduringwhichheactivatesasubsetofrolesassignedtohim.Eachusercanactivatemultiplesessions;howevereachsessionisassociatedwithonlyoneuser.TheoperationthatausercanperforminasessiondependsontherolesactivatedinthatsessionandpermissionsassociatedwiththoserolesnotesStaticSeparationofDuty(SSD)relationsarenecessarytopreventconflictofintereststhatarisewhenausergainspermissionsassociatedwithconflictingroles(rolesthatcannotbeassignedtothesameuser).SSDrelationsarespecifiedforanypairofrolesthatconflict.TheSSDrelationplacesaconstraintontheassignmentofuserstoroles,thatis,assignmenttoarolethattakespartinanSSDrelationpreventstheuserfrombeingassignedtotherelatedconflictingrole.TheSSDrelationshipissymmetric,butitisneitherreflexivenortransitive.SSDmayexistintheabsenceofrolehierarchies(referredtoasSSDRBAC),orinthepresenceofrolehierarchies(referredtoashierarchicalSSDRBAC).ThepresenceofrolehierarchiescomplicatestheenforcementoftheSSDrelations:beforeassigninguserstorolesnotonlyshouldonecheckthedirectuserassignmentsbutalsotheindirectuserassignmentsthatoccurduetothepresenceoftherolehierarchies.DynamicSeparationofDuty(DSD)relationsaimtopreventconflictofinterestsaswell.TheDSDrelationsplaceconstraintsontherolesthatcanbeactivatedinauser’ssession.IfonerolethattakespartinaDSDrelationisactivated,theusercannotactivatetherelated(conflicting)roleinthesamesession.Role-BasedAccessControluser_sessions(RH)RoleHierarchysession_roles(UA)UserAssign-ment(PA)PermissionAssignmentUSERSOBSOPSSESSIONSROLESPRMSSSDDSDnotesFigurebackconsistsof:1)asetofusers(USERS)whereauserisanintelligentautonomousagent,2)asetofroles(ROLES)wherearoleisajobfunction,3)asetofob