| 题名 | 安全操作系统最小特权关键技术研究 |
| 作者 | 蔡嘉勇 |
| 学位类别 | 博士 |
| 答辩日期 | 2008-05-30 |
| 授予单位 | 中国科学院研究生院 |
| 授予地点 | 中国科学院软件研究所 |
| 导师 | 卿斯汉 |
| 关键词 | 最小特权 安全模型 隐式授权 职责隔离 聚合 安全操作系统 |
| 其他题名 | Research on Key Technologies of Least Privilege in Secure Operating Systems |
| 学位专业 | 计算机应用技术 |
| 中文摘要 | 随着安全操作系统面临的安全威胁种类越来越多,最小特权原则的有效实施成为降低系统安全风险的必要安全保障。然而从现有研究的成果来看,还存在一些不足:如对最小特权原则研究的权限对象认识比较混乱、缺乏对安全策略或者机制最小特权原则实施能力的分析与比较等等。为此,本论文针对安全操作系统最小特权原则的关键技术展开研究,取得了以下五方面的研究成果:第一、通过分析已有研究,指明了最小特权原则研究的两类权限对象:访问权限与特殊权限。在此基础上,总结了两类最小特权原则研究的一般方法与基本规律,也指出其不足,从而明确了最小特权原则的研究目标,有助于按照权限对象的安全特性,提出适合的研究思路与方案。第二、提出特殊权限的改进建模技术,以正确反映权限对象的安全特性。分析系统的授权空间,可以发现系统可用性是特殊权限的根源,而系统实施的安全策略则是特殊权限产生的基础。通过增加对其他安全策略的描述、灵活的约束规则定义、以及引入执行规则,提出特殊权限的改进建模技术。结合RBAC策略与POSIX权能机制,给出PRIM-CAP模型的定义,并将其实现为RBAC-CAP原型系统,奠定了特殊权限安全性分析的理论与实践基础。第三、提出特殊权限隐式授权的分析与改进技术。特殊权限拥有修改系统安全状态的特殊能力,因而存在隐式授权的可能。利用授权推导分析,以及授权推导关系图构造,给出了快速而全面地搜索所有特殊权限隐式授权的方法。针对PRIM-CAP模型中权能隐式授权可能造成的滥用威胁,给出相应的安全对策,确保特殊权限安全机制对最小特权原则的有效实施。第四、在隐式授权分析的基础上,进一步考察了特殊权限实施职责隔离原则的可行性与可靠性问题。在特殊权限安全环境下,给出职责与职责隔离的解释,并从特殊权限的职责隔离安全属性,与职责隔离对特殊权限安全机制的要求两方面,为安全机制设计与安全策略配置提供指导,以保持底层授权机制与上层安全目标的一致性。第五、针对访问权限的最小特权实施程度问题,提出安全策略的聚合性评估方法。指出所有安全策略的授权粒度参考系——Lampson访问矩阵模型,从而定义了基于聚合的描述性框架GroSeLa,框架基本组件用于解析安全策略因聚合访问矩阵而产生的结构变化,框架扩展则阐明了实现全面动态策略支持安全策略必须实现的七类管理性需求。在此基础上提出的聚合性评估指标,为系统管理员从描述能力、可用性与最小特权原则实施程度三方面分析安全策略提供了重要参考。总而言之,本论文的研究成果解决了安全操作系统最小特权原则实施与分析的一些关键技术,为安全机制建模技术改进、安全机制的设计与安全策略配置、安全策略的动态策略支持与最小特权原则实施改进等进一步研究奠定了理论与实践基础,为高等级安全操作系统的设计与实现提供了丰富而重要的参考。 |
| 英文摘要 | Being challenged by so many threat kinds, secure operating systems need to enforce the Principle of Least Privilege(PoLP) to reduce risks and ensure safety. However, present researches still exist some deficiencies, such as obscure understanding on permissions studied by PoLP, lack of analysis and comparation on PoLP enforcement in security policies and mechanisms, and so on. In this dissertation, research on the key technologies of PoLP in secure operating systems is conducted, and as a result, five principal achievements have been achieved: Firstly, two permission kinds studied in PoLP are identified, namely access permission and exceptive permission. Then present researches are collected and further classified into two categories. By summarizing these researches’ method and technologies, as well as their deficiencies, the goal of PoLP is clarified, which helps to carry out our studies according to the features of permission kinds. Secondly, modeling technologies for exceptive permissions are improved. By analyzing system’s authorization space, we reveal that system’s usability is the source of exceptive permissions, and the dependency between security policies and exceptive permissions. Thus an new modeling scheme is proposed by adding specification on other security policies, flexible constraint rules definition, and introducing execution rules. The PRIM-CAP model for exceptive permissions is defined by combining both RBAC and POSIX Capability mechanism, which is further implemented as a RBAC-CAP security module in NFS-ARK secure operating system. Thus lay a theoretical and practical foundations for safety analysis on exceptive permissions. Thirdly, technologies for analyzing and improving implicit authorizations in exceptive permission is proposed. Due to the specialty of changing security states of a system, exceptive permissions may have implicit authorizations. A scheme for finding out all implicit authorizations in exceptive permissions is proposed basing on authorization deduction. The countermeasures to avoid implicit authorization abusing are also provided. Fourthly, the feasibility and dependability of enforcing Separation of Duty(SoD) in exceptive permissions are analyzed. Duty and SoD to exceptive permissions are explained, then the SoD safety properties of exceptive permissions and mechanism requirements from SoD to exceptive permissions are discussed, so as to guide the job of mechanism design and policy configuration, which helps to maintain consistency between security authorization mechanism and safety goals. Finally, for the issue on how PoLP would be enforced in access permissions, a method for evaluating security policies is proposed. By taking Lampson’s access matrix as the granularity reference to all security policies, a descriptive framework on Groupability by Security Labels(GroSeLa) is defined. Its fundamental components decompose the structure of security policies, and its extension clarifies all seven administrative requirements for completing dynamic policy support. The proposed groupability evaluation dimensions help administrators understand security policies from aspects of descriptiveness, usability and PoLP enforcement. In general, the proposed achievements of this dissertation solve the issue of analyzing and enforcing PoLP in secure operating systems. It is helpful to the further exploration of modeling technologies, security mechanism design, security policies configuration, dynamic policy supporting and PoLP enforcement in both theory and practice, and is useful as a reference for the future development of a high-level secure operating system. |
| 公开日期 | 2011-03-17 |
| 内容类型 | 学位论文 |
| 源URL | [http://124.16.136.157/handle/311060/6390]  |
| 专题 | 软件研究所_基础软件国家工程研究中心_学位论文 |
| 推荐引用方式 GB/T 7714 | 蔡嘉勇. 安全操作系统最小特权关键技术研究[D]. 中国科学院软件研究所. 中国科学院研究生院. 2008. |
| 个性服务 |
| 查看访问统计 |
| 相关权益政策 |
| 暂无数据 |
| 收藏/分享 |
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。
修改评论