網(wǎng)絡(luò)與信息安全：10訪問控制10

訪問控制內(nèi)容訪問控制機(jī)制自主型訪問控制和強(qiáng)制型訪問控制BLP保密模型Biba完整性模型Clark-Wilson完整性模型ChineseWall模型訪問控制機(jī)制訪問控制是信息安全的一個(gè)核心技術(shù)，它提供了保密性和完整性保證：哪個(gè)主體可以以何種方式訪問哪個(gè)客體?依靠認(rèn)證機(jī)制提供主體身份的確認(rèn)依靠授權(quán)機(jī)制實(shí)施控制策略訪問方式可以是：讀、寫、修改、執(zhí)行等舉例文件擁有者可以讀寫本文件兩個(gè)網(wǎng)絡(luò)之間只能允許電子郵件連接上級(jí)領(lǐng)導(dǎo)可以檢查下級(jí)工作律師要么支持被告，要么支持原告訪問控制原則最小特權(quán)原則職責(zé)分離原則訪問控制層次網(wǎng)絡(luò)訪問控制 防火墻等操作系統(tǒng)訪問控制應(yīng)用訪問控制比如數(shù)據(jù)庫(kù)應(yīng)用訪問控制的加密實(shí)現(xiàn)數(shù)據(jù)、VPN等訪問控制類型自主型訪問控制強(qiáng)制型訪問控制基于角色的訪問控制

自主型和強(qiáng)制型訪問控制自主型訪問控制（DiscretionaryAccessControl,DAC）由客體擁有者決定哪個(gè)主體可以以何種方式訪問客體通常用訪問控制列表（ACL）來實(shí)現(xiàn)一般用于非層次化管理系統(tǒng)中，如電子商務(wù)等強(qiáng)制型訪問控制（MandatoryAccessControl,MAC）由第三方（如系統(tǒng)管理者）決定主體可以以何種方式訪問客體一般通過標(biāo)簽（Labeling）來實(shí)現(xiàn)一般用于上下級(jí)層次化管理體系中二者可以并存強(qiáng)制型訪問控制（MAC）主體(用戶、進(jìn)程等)被分配安全標(biāo)簽客體(文件、數(shù)據(jù)）也被分配安全標(biāo)簽通過比較或檢查主體和客體的安全標(biāo)簽，確定主體是否可以以請(qǐng)求方式訪問客體舉例AnoperatingsystemenforcesaMACpolicyAwebserverexecutesat“confidential”clearanceIfcompromised,itcannotelevateitsprivilegesoraccessmoresensitive(“secret”,“topsecret”)data自主型訪問控制（DAC）EachSUBJECThasanameandcanbelongtoagroup(role)EachOBJECThasanaccesscontrollist,whichenumeratessubjects’accesspermissionsforthatobjectAccesscontrolisdonebycheckingtheuser’sidentityagainsttheaccesscontrollistoneveryaccess舉例ApersonalfirewallisanexampleofDAC-basedmechanismTheuserdetermineswhatconnectionsareallowedto/fromthePCSubjectsarelocalapplicationsObjectsareremotehostsandtheirapplications舉例訪問控制矩陣FilelFile2File3File4JohnOwnRWOwnRWAliceROwnRWWRBobRWROwnRWBell-LaPadula

保密模型第一個(gè)多級(jí)安全保密策略模型MACbased-dataisclassifiedwithlabels,usershaveclearances(unclassified,confidential,secret,topsecret)兩個(gè)性質(zhì)NoReadUp–nosubjectmayreaddataatahigherlevelNoWriteDown–nosubjectmaywritedatatoalowerlevelLabels(levels)generallydonotchangeduringsystemoperationBell-LaPadula

保密模型BLPenforces“noreadup”and“nowritedown”policiesI.rmationmayonlyflow“upward”Bell-LaPadula

保密模型SomemodernparallelstotheBLPmodelareAVPNprovidesaccesscontrol,solesstrusteduserscannotreadtransitdatawithahigherlevelofsensitivityAfirewallcouldprovideone-wayconnectivityonly格（Lattice）模型AnextensionofBLP,whichintroducescompartmentalization(multilateralsecurity)Controlsaccessacrosscompartments,notonlymultiplelevelsEachsubjectandobjectbelongtoacompartmentSubjects/objectsindifferentcompartmentsareincomparable,thereforenoinformationcanflowbetweenthemBiba

完整性模型第一個(gè)多級(jí)安全完整性策略模型MACbased-dataisclassifiedwithlabels,usershaveclearances(unclassified,confidential,secret,topsecret)兩個(gè)性質(zhì)NoReadDown–nosubjectmayreaddataatalowerlevel(preventscontaminationbyreadingfromuntrustedobjects)NoWriteUp–nosubjectmaywritedatatoahigherlevel(preventscontaminationbywritingtotrustedobjects)Biba

完整性模型Bibaenforces“noreaddown”and“nowriteup”policiesI.rmationmayonlyflow“downward”Biba

完整性模型UsageexamplesWebservers,whichonlyservedata(nopostsallowed)Networkmanagement,whichonlyreadsSNMPstatistics,butcannotchangeconfigurationClarkWilson完整性模型主要用于銀行應(yīng)用，保證數(shù)據(jù)完整性Basedonallowingonlywell-formedtransactionsAsystemacceptsunconstraineddataitems(UDI)andconvertsthemtoconstraineddataitems(CDI)CDIscanonlybechangedbytransformationprocedures(TP)Atransformationprocedure(TP)maintainsaCDI’sintegrityEachCDIhasaintegrityverificationprocedure(IVP)Accesscontrolisdefinedbytriples(subject,TP,CDI)ClarkWilson完整性模型AClark-Wilsonpolicymightbeusedinane-commercesystemtoprovideintegrityofdataChineseWall模型Amultilateralsecuritymodeltoprovideconfidentialitybetweenconflict-of-interestareas(usedmostlyininvestmentbanking)TheuserchoosesaclientcompanytoworkwithTheuserisautomaticallydisallowedtoaccessanydataofthecompany’scompetitorsDACelements:TheuserfreelychoosestheareaMACelements:Oncechosen,thesystemforcestheusertostaywithinthatarea(aChineseWalliscreatedaroundthearea)ChineseWall模型舉例AserverinsideafirewallshouldnotbeusedtorelaydatafrominsidetooutsideInternetandinsidenetworkarein“conflictofinterest”Servercanonlytalktooneside,andnevertotheotherChineseWall模型舉例DonotallowsplittunnelinginaremoteaccessVPNAremoteusereithertalkstotheInternet,ortothecorporatenetworkDeparturefromclassicChineseWall:theseparationisnotpermanent,butisdecidedwitheachconnection基于角色的訪問控制（RBAC）用戶根據(jù)其被分配角色而獲得對(duì)客體的訪問權(quán)限角色依據(jù)工作職能定義權(quán)限依據(jù)工作權(quán)力和責(zé)任定義客體只關(guān)心用戶角色而不關(guān)心其本身基于角色的訪問控制（RBAC）個(gè)人角色客體Role1Role2Role3Server1Server3Server2User’schangefrequently,Rolesdon’t特權(quán) Rolesareengineeredbasedontheprincipleofleastprivileged .Arolecontainstheminimumamountofpermissionstoinstantiateanobject.Auserisassignedtoarolethatallowshimorhertoperformonlywhat’srequiredforthatrole.Nosingleroleisgivenmorepermissionthanthesameroleforanotheruser.基于角色的訪問控制（RABC）CoreComponentsConstrainingComponentsHierarchicalRBACGeneralLimitedSeparationofDutyRelationsStaticDynamicCoreComponentsDefines:USERSROLESOPERATIONS(ops)OBJECTS(obs)UserAssignments(ua)assigned_usersnotesCoreRABCRequiresthatusersbeassignedtoroles(jobfunctions),rolesbeassignedwithpermissions(approvaltoperformanoperationonanobject)andusersacquirepermissionsbybeingassignedtoroles.Auserestablishesasessionduringwhichheactivatesasubsetofrolesassignedtohim.Eachusercanactivatemultiplesessions;howevereachsessionisassociatedwithonlyoneuser.TheoperationthatausercanperforminasessiondependsontherolesactivatedinthatsessionandpermissionsassociatedwiththoserolesnotesStaticSeparationofDuty(SSD)relationsarenecessarytopreventconflictofintereststhatarisewhenausergainspermissionsassociatedwithconflictingroles(rolesthatcannotbeassignedtothesameuser).SSDrelationsarespecifiedforanypairofrolesthatconflict.TheSSDrelationplacesaconstraintontheassignmentofuserstoroles,thatis,assignmenttoarolethattakespartinanSSDrelationpreventstheuserfrombeingassignedtotherelatedconflictingrole.TheSSDrelationshipissymmetric,butitisneitherreflexivenortransitive.SSDmayexistintheabsenceofrolehierarchies(referredtoasSSDRBAC),orinthepresenceofrolehierarchies(referredtoashierarchicalSSDRBAC).ThepresenceofrolehierarchiescomplicatestheenforcementoftheSSDrelations:beforeassigninguserstorolesnotonlyshouldonecheckthedirectuserassignmentsbutalsotheindirectuserassignmentsthatoccurduetothepresenceoftherolehierarchies.DynamicSeparationofDuty(DSD)relationsaimtopreventconflictofinterestsaswell.TheDSDrelationsplaceconstraintsontherolesthatcanbeactivatedinauser’ssession.IfonerolethattakespartinaDSDrelationisactivated,theusercannotactivatetherelated(conflicting)roleinthesamesession.Role-BasedAccessControluser_sessions(RH)RoleHierarchysession_roles(UA)UserAssign-ment(PA)PermissionAssignmentUSERSOBSOPSSESSIONSROLESPRMSSSDDSDnotesFigurebackconsistsof:1)asetofusers(USERS)whereauserisanintelligentautonomousagent,2)asetofroles(ROLES)wherearoleisajobfunction,3)asetofob