Fig. 3. Privilege States Transition of Wuftpd (CPF)
For the system test we chose Washington University's wu-ftpd as the example
(Fig. 3). At start-up, all user ids of the wu-ftpd daemon process are 0 (root);
this corresponds to State1 in Fig. 3. When a connect request arrives, a new
service process is created. After the user's identity has been authenticated,
the new process's effective user id (euid) is set to the login user's id and the
process transits to State3 in Fig. 3. When root privilege is needed, the process
transits to State2. Finally, State4 is the sensitive state for the execve system
call: in this state the process is granted the privilege to call execve, but
privilege parameters constrain the programs it can execute.
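The following is an added illustrative model of the CPF privilege-state machine described for wu-ftpd above; it is not SECIMOS or wu-ftpd code. The state names follow the text, but the exact set of permitted transitions (State1 to State3 after authentication, State3 to State2 and back, State3 to State4 for execve) and the execve allow-list used as the State4 privilege parameter are assumptions made for the example.

```c
/* Added example: a small model of the CPF privilege-state machine for a
 * wu-ftpd service process (Fig. 3). The transition relation and the execve
 * allow-list below are assumptions, not taken from the paper. */
#include <stdio.h>
#include <string.h>

typedef enum {
    STATE1_ROOT_DAEMON,  /* daemon start: all user ids are 0 (root) */
    STATE2_ROOT_NEEDED,  /* service process temporarily holding root privilege */
    STATE3_USER_SERVICE, /* euid set to the authenticated login user's id */
    STATE4_EXECVE        /* sensitive state: execve permitted only for constrained programs */
} cpf_state;

typedef struct {
    cpf_state state;
    unsigned ruid, euid;
    unsigned login_uid;  /* id of the authenticated user, 0 before authentication */
} cpf_process;

/* Assumed privilege parameter for State4: the only programs the service may execute. */
static const char *const execve_allowlist[] = { "/bin/ls", "/bin/gzip" };
static const size_t execve_allowlist_len = sizeof(execve_allowlist) / sizeof(execve_allowlist[0]);

/* Assumed transition relation derived from the prose; returns 1 if the move is permitted. */
static int transition_allowed(cpf_state from, cpf_state to) {
    switch (from) {
    case STATE1_ROOT_DAEMON:  return to == STATE3_USER_SERVICE; /* only after authentication */
    case STATE3_USER_SERVICE: return to == STATE2_ROOT_NEEDED || to == STATE4_EXECVE;
    case STATE2_ROOT_NEEDED:  return to == STATE3_USER_SERVICE; /* drop root again */
    case STATE4_EXECVE:       return to == STATE3_USER_SERVICE;
    }
    return 0;
}

/* Daemon start-up: State1, every user id is root. */
void cpf_init_daemon(cpf_process *p) {
    p->state = STATE1_ROOT_DAEMON;
    p->ruid = p->euid = p->login_uid = 0;
}

/* Authentication succeeded: euid becomes the login user's id, State1 -> State3. */
int cpf_authenticated(cpf_process *p, unsigned login_uid) {
    if (!transition_allowed(p->state, STATE3_USER_SERVICE)) return -1;
    p->login_uid = login_uid;
    p->euid = login_uid;
    p->state = STATE3_USER_SERVICE;
    return 0;
}

/* A privileged operation is needed: State3 -> State2 (euid back to 0). */
int cpf_need_root(cpf_process *p) {
    if (!transition_allowed(p->state, STATE2_ROOT_NEEDED)) return -1;
    p->euid = 0;
    p->state = STATE2_ROOT_NEEDED;
    return 0;
}

/* Privileged operation finished: State2 -> State3 (euid back to the login user). */
int cpf_drop_root(cpf_process *p) {
    if (!transition_allowed(p->state, STATE3_USER_SERVICE)) return -1;
    p->euid = p->login_uid;
    p->state = STATE3_USER_SERVICE;
    return 0;
}

/* Request execve: enters State4 only if the target is listed in the privilege
 * parameter. Returns 0 on success, -1 if the state forbids execve at all,
 * -2 if the program is denied by the privilege parameter. */
int cpf_execve(cpf_process *p, const char *path) {
    if (!transition_allowed(p->state, STATE4_EXECVE)) return -1;
    for (size_t i = 0; i < execve_allowlist_len; i++) {
        if (strcmp(execve_allowlist[i], path) == 0) {
            p->state = STATE4_EXECVE;
            return 0;
        }
    }
    return -2;
}

int main(void) {
    cpf_process p;
    cpf_init_daemon(&p);
    cpf_authenticated(&p, 1000);
    printf("execve /bin/sh from State3: %d\n", cpf_execve(&p, "/bin/sh"));  /* denied by parameter */
    printf("execve /bin/ls from State3: %d\n", cpf_execve(&p, "/bin/ls"));  /* permitted */
    return 0;
}
```

The model makes the security-relevant point of the paragraph concrete: even when a process is allowed into the sensitive execve state, the privilege parameter (here the allow-list) decides which programs it may run, and execve is refused outright from states where the figure does not grant it.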
2.4 Power User Security Module
In a traditional Linux operating system there are two kinds of users: the ordinary
user and the super user, root. An ordinary user has limited privilege, while root
has sovereign power: root can perform any operation on any object in the system
and use any resource in it. This contradicts a basic security principle, the
principle of minimal privilege. SECIMOS divides the root privilege into 10
fine-grained privilege user roles. Each privilege role can only perform its allowed
operations within a predefined scope. We do not formalize the Power User Security Module.
3 Formal Description of Secure Policy Models
We chose the Z specification language [12] to describe our secure policy models:
MAC, DAC and CPF. Because the full specification is very lengthy, we describe
only the most instructive parts.
3.1 Formal Description of MAC Secure Policy Model
As mentioned in Section 2, our MAC secure policy model uses the TMACH
modification of the original BLP model. According to TMACH, the set of subjects
is made up of the disjoint sets of trusted subjects and untrusted subjects: