For its work, VCPU uses:
Safety Problem Specification Language (SPSL): makes it possible to specify the system state,
the access control rules, and the OSCV-criteria, and thus to obtain the formal
model of the evaluated system for further resolving;
Scopes:
Model-related System Security State Scope (M3S-scope): specifies the system
security state in SPSL. For example, the scope for MS Windows 2000 contains
the predicates describing all of the securable objects and their attributes, e.g.
users, files, processes, ACLs, owners, hierarchy, memberships, etc. This scope
is generated automatically by the Security Analyzer, a part of the SEW;
Access Control Rules Scope (ACR-scope): specifies the access control rules in
SPSL. For example, in MS Windows 2000, this scope contains the rules that
regulate access to the securable objects and that are implemented in the
system reference monitor (e.g. MS Windows SRM). The rules take the form of
Prolog clauses and allow the state transactions to be resolved and the
authorized accesses to be computed for any user;
State Security Criteria Scope (SSC-scope): expresses the OSCV-criteria in
SPSL. For example, in MS Windows 2000, this scope allows users to set up
checking of the Microsoft security requirements or the firm's security policy. To
construct this scope we use the Criteria Manager, a part of the SEW facility.
To make the security specification for the VCPU and the OSCV detection
technique easier to understand, we show a Sample Vulnerability Checking (SVC) applied to MS
Windows 2000 Professional.
Like a typical office workstation, our sample computer has MS Office installed. All
of the MS Word templates of the user's documents are located in a given folder, e.g.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates.
Now imagine a situation in which the user named 'Administrator' shares her template
with other users. To do so, she grants read and write access to the template to the
MS Windows built-in group named 'Users'. If a violator who is a member of the 'Users'
group changes the Normal.dot template file in the given folder so that it contains
malicious code (e.g. a macro virus), all new documents of Administrator will be
infected. This is a sample of an OSCV: the user has ignored or forgotten the
recommendations to protect the MS Word templates.
As in any theoretical security model, our security states are collections of all
entities of the system (subjects, objects) and their security attributes (e.g. ACLs). In
our example, we assume that the target of the OSCV-criteria is the C:\Documents and
Settings\Administrator\Application Data\Microsoft\Templates folder. The system
security states may be presented as the M3S-scope.
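The template scenario above can be worked through as an added example in Python; it is not SPSL and not the authors' code. It models a state (M3S-scope analogue), one access rule (ACR-scope analogue) and one criterion (SSC-scope analogue). The sample state, the 'violator' account, the simplified inheritance and deny handling, and the "only the owner may write" criterion are assumptions made for this illustration.

```python
# Added illustration in Python; not SPSL and not the SEW's own scopes.
# The state, the 'violator' account and the criterion are constructed for this example.

TEMPLATES = r"C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates"

# M3S-scope analogue: group memberships and objects with owner and ACL.
STATE = {
    "members": {"users": {"administrator", "violator"}},
    "objects": {
        TEMPLATES: {"owner": "administrator",
                    "acl": [("allow", "administrator", {"read", "write"}),
                            ("allow", "users", {"read", "write"})]},
        # acl None = no explicit ACL, inherit from the parent (simplified model)
        TEMPLATES + r"\Normal.dot": {"owner": "administrator", "acl": None},
    },
}

def principals(state, user):
    """The user plus every group the user is a member of."""
    return {user} | {g for g, m in state["members"].items() if user in m}

def effective_acl(state, path):
    """Walk up the object hierarchy until an explicit ACL is found."""
    while path in state["objects"]:
        acl = state["objects"][path]["acl"]
        if acl is not None:
            return acl
        path, _, _ = path.rpartition("\\")
    return []

def authorized(state, user, path, right):
    """ACR-scope analogue (simplified): a matching deny wins, else any allow grants."""
    who = principals(state, user)
    aces = [a for a in effective_acl(state, path) if a[1] in who and right in a[2]]
    if any(kind == "deny" for kind, _, _ in aces):
        return False
    return any(kind == "allow" for kind, _, _ in aces)

def violations(state, target, right="write"):
    """SSC-scope analogue (assumed criterion): only the owner holds `right` under target."""
    users = set().union(*state["members"].values())
    found = []
    for path, obj in state["objects"].items():
        if path == target or path.startswith(target + "\\"):
            found += [(u, path) for u in sorted(users)
                      if u != obj["owner"] and authorized(state, u, path, right)]
    return found
```

Calling violations(STATE, TEMPLATES) reports the 'violator' account as able to write both the folder and Normal.dot; reducing the 'users' entry to read-only empties the result.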
We have used the State Analyzer component of the SEW [8] to specify the SVC's
security state. The following code example shows the M3S-scope for the SVC.
..........[abbreviation]........
subj ('s-1-5-21-73586283-484763869-854245398-500',
[ type (user), name ('administrator'),