Modeling a permissions system

Published 2024-09-07 20:07:46

How would you model a system that handles permissions for carrying out certain actions inside an application?

静待花开 2024-09-14 20:07:46

Security models are a large (and open) field of research. There's a huge array of models available to choose from, ranging from the simple:

  • Lampson's Access control matrix lists every domain object and every principal in the system with the actions that principal is allowed to perform on that object. It is very verbose and if actually implemented in this fashion, very memory intensive.

  • Access control lists are a simplification of Lampson's matrix: consider it to be something akin to a sparse-matrix implementation that lists objects and principals and allowed actions, and doesn't encode all the "null" entries from Lampson's matrix. Access control lists can include 'groups' as a convenience, and the lists can be stored via object or via principal (sometimes, via program, as in AppArmor or TOMOYO or LIDS).

  • Capability systems are based on the idea of having a reference or pointer to objects; a process has access to an initial set of capabilities, and can get more capabilities only by receiving them from other objects on the system. This sounds pretty far-out, but think of Unix file descriptors: they are an unforgeable reference to a specific open file, and the file descriptor can be handed to other processes or not. If you give the descriptor to another process, it will have access to that file. Entire operating systems were written around this idea. (The most famous are probably KeyKOS and EROS, but I'm sure this is a debatable point. :)

... to the more complex, which have security labels assigned to objects and principals:

  • Security Rings, such as implemented in Multics and x86 CPUs, among others, and provide security traps or gates to allow processes to transition between the rings; each ring has a different set of privileges and objects.

  • Denning's Lattice is a model of which principals are allowed to interact with which security labels in a very hierarchical fashion.

  • Bell-LaPadula is similar to Denning's Lattice, and provides rules to prevent leaking top-secret data to unclassified levels and common extensions provide further compartmentalization and categorization to better provide military-style 'need to know' support.

  • The Biba Model is similar to Bell-LaPadula, but 'turned on its head' -- Bell-LaPadula is focused on confidentiality, but does nothing for integrity, and Biba is focused on integrity, but does nothing for confidentiality. (Bell-LaPadula prevents someone from reading The List Of All Spies, but would happily allow anyone to write anything into it. Biba would happily allow anyone to read The List Of All Spies, but forbid nearly everyone to write into it.)

  • Type Enforcement (and its sibling, Domain Type Enforcement) provides labels on principals and objects, and specifies the allowed object-verb-subject(class) tables. This is the familiar SELinux and SMACK.

.. and then there are some that incorporate the passage of time:

  • Chinese Wall was developed in business settings to separate employees within an organization that provides services to competitors in a given market: e.g., once Johnson has started working on the Exxon-Mobil account, he is not allowed access to the BP account. If Johnson had started working on BP first, he would be denied access to Exxon-Mobil's data.

  • LOMAC and high-watermark are two dynamic approaches: LOMAC modifies the privileges of processes as they access progressively higher levels of data, and forbids writing to lower levels (processes migrate towards "top security"), and high-watermark modifies the labels on data as higher levels of processes access it (data migrates towards "top security").

  • Clark-Wilson models are very open-ended; they include invariants and rules to ensure that every state transition does not violate the invariants. (This can be as simple as double-entry accounting or as complex as HIPAA.) Think database transactions and constraints.

Matt Bishop's "Computer security: art and science" is definitely worth reading if you'd like more depth on the published models.
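The "turned on its head" relationship between Bell-LaPadula and Biba described in the answer above, as an added example that is not part of the original answer: both models are run over the same label lattice (level plus 'need to know' compartments), and the two checks are simply swapped. The level names, compartments and the clerk/analyst labels are constructed for illustration.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) checks over one
label lattice. Added example; levels and compartments are constructed."""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    level: str                              # hierarchical sensitivity level
    compartments: frozenset = frozenset()   # 'need to know' categories

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level AND superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

# Bell-LaPadula: no read-up (simple security), no write-down (*-property).
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)

def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # writing upward is allowed

# Biba: no read-down, no write-up -- the same two tests, swapped.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)

def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)

# Constructed sample: "The List Of All Spies" carries the highest label; an
# unclassified clerk and a cleared analyst try to read and write it.
SPY_LIST = Label("top-secret", frozenset({"humint"}))
CLERK = Label("unclassified")
ANALYST = Label("top-secret", frozenset({"humint", "sigint"}))

def demo() -> dict:
    return {
        "blp": {"clerk_read": blp_can_read(CLERK, SPY_LIST),
                "clerk_write": blp_can_write(CLERK, SPY_LIST),
                "analyst_read": blp_can_read(ANALYST, SPY_LIST)},
        "biba": {"clerk_read": biba_can_read(CLERK, SPY_LIST),
                 "clerk_write": biba_can_write(CLERK, SPY_LIST),
                 "analyst_write": biba_can_write(ANALYST, SPY_LIST)},
    }

if __name__ == "__main__":
    print(demo())
```

Under Bell-LaPadula the clerk cannot read the list but may write into it; under Biba the clerk may read it but cannot write, exactly the contrast the answer draws.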

花开浅夏 2024-09-14 20:07:46

I prefer RBAC. Although you may find it very similar to ACL, they differ semantically.
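The semantic difference the answer above points to, as an added example that is not part of the original answer: an ACL answers "who may do what to this object", so every object carries its own entries, while RBAC answers "what may this role do to objects of this type", so a user's rights follow from role membership (with inheritance) and a new object of a known type needs no per-object entry. Users, roles, objects and permissions are constructed for illustration.

```python
"""ACL versus RBAC for the same question: may user U do action A on object O?
Added example; all principals, roles and objects are constructed."""

# ACL: permissions hang off each object, per principal.
ACL = {"doc-42": {"alice": {"read", "edit"}, "bob": {"read"}}}

def acl_allows(obj: str, user: str, action: str) -> bool:
    return action in ACL.get(obj, {}).get(user, set())

# RBAC: permissions hang off roles (as object-type/action pairs), users are
# assigned roles, and roles may inherit from other roles.
ROLE_PERMS = {"viewer": {("document", "read")},
              "editor": {("document", "edit")}}
ROLE_PARENTS = {"editor": {"viewer"}}          # editor inherits viewer
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}}
OBJECT_TYPE = {"doc-42": "document", "doc-43": "document"}

def effective_roles(user: str) -> set:
    """Roles assigned to the user plus everything they inherit (cycle-safe)."""
    todo, seen = list(USER_ROLES.get(user, ())), set()
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_PARENTS.get(role, ()))
    return seen

def rbac_allows(obj: str, user: str, action: str) -> bool:
    needed = (OBJECT_TYPE[obj], action)
    return any(needed in ROLE_PERMS.get(r, set()) for r in effective_roles(user))

def compare(obj: str, user: str, action: str) -> dict:
    """Both answers side by side for one (object, user, action) triple."""
    return {"acl": acl_allows(obj, user, action),
            "rbac": rbac_allows(obj, user, action)}

if __name__ == "__main__":
    # doc-43 has no ACL entries at all, yet RBAC grants alice edit on it
    # because the permission is attached to the editor role, not the object.
    print(compare("doc-42", "alice", "edit"), compare("doc-43", "alice", "edit"))
```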