Separation of duty in privileged operating systems

CORC > 北京大学 > 软件与微电子学院

	Separation of duty in privileged operating systems
	Cai, Jiayong ; Qing, Sihan ; Liu, Wei
刊名	jisuanji yanjiu yu fazhancomputer research and development
	2008
英文摘要	In operating systems, privilege is used to control the most important resources and functions, so administrators must enforce separation of duty (SoD) to ensure privilege safety. In this paper, how privilege would support SoD is studied by analyzing the issue of implicit authorization. The source of privilege is first discussed, and the definition of privilege is decomposed into restriction rules and execution rules. The execution rules explain the effects of privilege precisely, which are ignored by most access control models. Then by logically deducing rules, authorization is further deduced, which indicates that there is implicit authorization in privilege mechanisms. Implicit authorization may cause violation of SoD constraints, so all implicit authorizations are displayed in an authorization deduction graph. By exploring the properties and the mechanism requirements of SoD, the consistency between SoD constraints and the privilege mechanism can be ensured. Finally, the POSIX capability mechanism is taken as an example, and formalized into the BMPS model. Its deficiencies in supporting SoD are found and corrected, and a feasible security policy consistent with the SoD requirements is provided.; EI; 0; 4; 666-676; 45
语种	英语
内容类型	期刊论文
源URL	[http://ir.pku.edu.cn/handle/20.500.11897/408772]
专题	软件与微电子学院
推荐引用方式 GB/T 7714	Cai, Jiayong,Qing, Sihan,Liu, Wei. Separation of duty in privileged operating systems[J]. jisuanji yanjiu yu fazhancomputer research and development,2008.
APA	Cai, Jiayong,Qing, Sihan,&Liu, Wei.(2008).Separation of duty in privileged operating systems.jisuanji yanjiu yu fazhancomputer research and development.
MLA	Cai, Jiayong,et al."Separation of duty in privileged operating systems".jisuanji yanjiu yu fazhancomputer research and development (2008).