Modeling a permissions system
How would you model a system that handles permissions for carrying out certain actions inside an application?
Comments (3)
Security models are a large (and open) field of research. There's a huge array of models available to choose from, ranging from the simple:
Lampson's Access control matrix lists every domain object and every principal in the system with the actions that principal is allowed to perform on that object. It is very verbose and if actually implemented in this fashion, very memory intensive.
Access control lists are a simplification of Lampson's matrix: consider it to be something akin to a sparse-matrix implementation that lists objects and principals and allowed actions, and doesn't encode all the "null" entries from Lampson's matrix. Access control lists can include 'groups' as a convenience, and the lists can be stored via object or via principal (sometimes, via program, as in AppArmor or TOMOYO or LIDS).
Capability systems are based on the idea of having a reference or pointer to objects; a process has access to an initial set of capabilities, and can get more capabilities only by receiving them from other objects on the system. This sounds pretty far-out, but think of Unix file descriptors: they are an unforgeable reference to a specific open file, and the file descriptor can be handed to other processes or not. If you give the descriptor to another process, it will have access to that file. Entire operating systems were written around this idea. (The most famous are probably KeyKOS and EROS, but I'm sure this is a debatable point. :)
... to the more complex, which have security labels assigned to objects and principals:
Security Rings, such as those implemented in Multics and x86 CPUs, among others, provide security traps or gates to allow processes to transition between the rings; each ring has a different set of privileges and objects.
Denning's Lattice is a model of which principals are allowed to interact with which security labels in a very hierarchical fashion.
Bell-LaPadula is similar to Denning's Lattice, and provides rules to prevent leaking top-secret data to unclassified levels and common extensions provide further compartmentalization and categorization to better provide military-style 'need to know' support.
The Biba Model is similar to Bell-LaPadula, but 'turned on its head' -- Bell-LaPadula is focused on confidentiality, but does nothing for integrity, and Biba is focused on integrity, but does nothing for confidentiality. (Bell-LaPadula prevents someone from reading The List Of All Spies, but would happily allow anyone to write anything into it. Biba would happily allow anyone to read The List Of All Spies, but forbid nearly everyone to write into it.)
Type Enforcement (and its sibling, Domain Type Enforcement) provides labels on principals and objects, and specifies the allowed object-verb-subject(class) tables. This is the familiar SELinux and SMACK.
.. and then there are some that incorporate the passage of time:
Chinese Wall was developed in business settings to separate employees within an organization that provides services to competitors in a given market: e.g., once Johnson has started working on the Exxon-Mobil account, he is not allowed access to the BP account. If Johnson had started working on BP first, he would be denied access to Exxon-Mobil's data.
LOMAC and high-watermark are two dynamic approaches: LOMAC modifies the privileges of processes as they access progressively-higher levels of data, and forbids writing to lower levels (processes migrate towards "top security"), and high-watermark modifies the labels on data as higher-levels of processes access it (data migrates towards "top security").
Clark-Wilson models are very open-ended; they include invariants and rules to ensure that every state transition does not violate the invariants. (This can be as simple as double-entry accounting or as complex as HIPAA.) Think database transactions and constraints.
Matt Bishop's "Computer security: art and science" is definitely worth reading if you'd like more depth on the published models.
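To make the contrast between the models concrete, here is a small Python sketch, added as an example and not code from the answer above. It implements three of the models the answer lists: a sparse access-control list with groups (the "sparse matrix" view of Lampson's matrix), the Bell-LaPadula and Biba lattice checks written so that each is visibly the dual of the other, and a Brewer-Nash Chinese Wall whose decision depends on what the subject has already accessed. Every principal, label, dataset and conflict class in it is constructed sample data; `LEVELS` is an assumed four-level ordering.

```python
from dataclasses import dataclass

# Constructed sample ordering of levels. Compartments (the 'need to know' extension the
# answer mentions) turn this total order into a proper lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: at least as high a level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if action == "read":
        return subject.dominates(obj)
    if action == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Label, obj: Label, action: str) -> bool:
    """Biba strict integrity, the dual of BLP: no read down, no write up."""
    if action == "read":
        return obj.dominates(subject)
    if action == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown action {action!r}")


class ACL:
    """Sparse access-control matrix: only granted (object, principal, action) cells are stored;
    groups are expanded to their members at check time."""

    def __init__(self):
        self._grants = {}   # object -> {principal or group -> set of actions}
        self._groups = {}   # group -> set of member principals

    def add_member(self, group: str, principal: str) -> None:
        self._groups.setdefault(group, set()).add(principal)

    def grant(self, obj: str, who: str, *actions: str) -> None:
        self._grants.setdefault(obj, {}).setdefault(who, set()).update(actions)

    def allows(self, principal: str, obj: str, action: str) -> bool:
        # The principal's own identity plus every group it belongs to.
        identities = {principal} | {g for g, m in self._groups.items() if principal in m}
        row = self._grants.get(obj, {})
        return any(action in row.get(who, ()) for who in identities)


class ChineseWall:
    """Brewer-Nash: the first dataset a subject touches in a conflict-of-interest class
    locks that subject out of every other dataset in the same class (history matters)."""

    def __init__(self, conflict_class_of: dict):
        self._coi = conflict_class_of   # dataset -> conflict-of-interest class
        self._history = {}              # subject -> datasets already accessed

    def may_read(self, subject: str, dataset: str) -> bool:
        seen = self._history.get(subject, set())
        if dataset in seen:
            return True
        return all(self._coi[d] != self._coi[dataset] for d in seen)

    def read(self, subject: str, dataset: str) -> bool:
        if not self.may_read(subject, dataset):
            return False
        self._history.setdefault(subject, set()).add(dataset)
        return True


def demo() -> dict:
    """Runs the three models on constructed inputs and returns the decisions."""
    acl = ACL()
    acl.add_member("analysts", "alice")
    acl.grant("report.pdf", "analysts", "read")
    acl.grant("report.pdf", "alice", "write")
    analyst = Label("secret", frozenset({"nato"}))   # constructed subject clearance
    memo = Label("confidential")                      # constructed object labels
    plan = Label("top-secret", frozenset({"nato"}))
    wall = ChineseWall({"exxon": "oil", "bp": "oil", "acme": "retail"})
    return {
        "acl_alice_read": acl.allows("alice", "report.pdf", "read"),
        "acl_bob_read": acl.allows("bob", "report.pdf", "read"),
        "blp_read_memo": blp_allows(analyst, memo, "read"),    # read down: allowed
        "blp_write_memo": blp_allows(analyst, memo, "write"),  # write down: denied
        "blp_write_plan": blp_allows(analyst, plan, "write"),  # write up: allowed
        "biba_read_memo": biba_allows(analyst, memo, "read"),  # read down: denied by Biba
        "wall_exxon": wall.read("johnson", "exxon"),
        "wall_bp": wall.read("johnson", "bp"),
        "wall_acme": wall.read("johnson", "acme"),
    }
```

Running `demo()` shows the point the answer makes with "The List Of All Spies": the same subject and object labels give opposite read/write answers under Bell-LaPadula and Biba, while the Chinese Wall denies Johnson the BP dataset only because he opened Exxon first.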
I prefer RBAC. Although you may find it very similar to ACL, they differ semantically.
Go through the following links:
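The semantic difference this answer points to is that an ACL attaches permissions to (object, principal) pairs, whereas RBAC attaches them to roles and gives users roles, so a change of job function is a single role reassignment. The following Python sketch is an added example, not code from the answer or from any RBAC library; the roles, permissions and users are constructed sample data, and permissions are modelled as plain `operation:resource` strings.

```python
class RBAC:
    """Role-based access control with role inheritance: users get roles, roles get
    permissions, and a senior role inherits everything its junior roles can do."""

    def __init__(self):
        self._perms = {}      # role -> set of permissions ("operation:resource" strings)
        self._inherits = {}   # role -> set of junior roles it inherits from
        self._users = {}      # user -> set of directly assigned roles

    def add_role(self, role: str, *, inherits=()) -> None:
        self._perms.setdefault(role, set())
        self._inherits[role] = set(inherits)

    def grant(self, role: str, *perms: str) -> None:
        if role not in self._perms:
            raise KeyError(f"unknown role {role!r}")
        self._perms[role].update(perms)

    def assign(self, user: str, *roles: str) -> None:
        unknown = set(roles) - set(self._perms)
        if unknown:
            raise KeyError(f"unknown roles {sorted(unknown)}")
        self._users.setdefault(user, set()).update(roles)

    def revoke(self, user: str, role: str) -> None:
        self._users.get(user, set()).discard(role)

    def effective_roles(self, user: str) -> set:
        """Direct roles plus every role reachable through inheritance (cycle-safe)."""
        todo, seen = list(self._users.get(user, ())), set()
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self._inherits.get(role, ()))
        return seen

    def permissions(self, user: str) -> set:
        return set().union(*(self._perms[r] for r in self.effective_roles(user)))

    def allows(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)


def demo() -> dict:
    """Constructed role hierarchy: admin > engineer > employee."""
    rbac = RBAC()
    rbac.add_role("employee")
    rbac.add_role("engineer", inherits=["employee"])
    rbac.add_role("admin", inherits=["engineer"])
    rbac.grant("employee", "ticket:read")
    rbac.grant("engineer", "ticket:update")
    rbac.grant("admin", "user:delete")
    rbac.assign("alice", "engineer")
    rbac.assign("bob", "admin")
    result = {
        "alice_read_before": rbac.allows("alice", "ticket:read"),   # inherited via employee
        "alice_delete": rbac.allows("alice", "user:delete"),        # admin-only
        "bob_read": rbac.allows("bob", "ticket:read"),              # two inheritance hops
        "bob_delete": rbac.allows("bob", "user:delete"),
    }
    rbac.revoke("alice", "engineer")   # one role change removes all inherited permissions
    result["alice_read_after_revoke"] = rbac.allows("alice", "ticket:read")
    return result
```

With an ACL the equivalent of revoking Alice's engineer role would be editing every object row that names her; here the permission check never consults the user directly, only the roles she currently holds.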