an example technique based on the formal logic language for security specification.
Although it provides support for role-based access control, the language does not
scale well to real systems because there is no way of modeling real access control
rules: there is no specification of delegation and no way of modeling the rules for
groups of identities.
LaSCO [2] is a graphical approach for evaluating the security constraints on objects,
in which the policy consists of two parts: the domain (the system abstraction) and
the requirements (authorization rules). The scope of this approach is good for
demonstration, but far from implementation.
The Ponder [3] language is a specification language with an object-oriented basis. It is
the closest to our safety evaluation purposes. It has a Java implementation, but it is not
prepared for automated evaluation. The Ponder-based system does not support state
modification and state transitions.
However, to our knowledge, the general problem of evaluating security policy
enforcement, including weakness detection, has never been addressed by any
author.
A General Security Model
Over the years several security models have been proposed in the literature. The main
goal of a security model is the definition of the security relationship between system
agents (subjects) which can perform some actions on some passive components (objects).
Analysis of commonly used state-based security models [4-7] leads to the conclusion
that any such model usually comprises three components (Fig. 1): a security state,
access control rules, and state security criteria.
The Security State Component. It is an abstraction of the system state with respect to
the security model. Examples of system entities producing the system security state are
user accounts, running programs, files, access rights, etc. So, the system security
state is the collection of all entities of the system (active entities, called subjects, and
passive entities, called objects) together with their security attributes (access rights,
access control lists, and so on). Therefore, the system security state may be presented
as a point in the system state space.
The Access Control Rules Component. It expresses the restrictions on the system's
behavior. A transformation of the system state becomes possible only after the access
control has authorized the corresponding access to the system subject. All the system
activities initiated by a subject are caught by the reference monitor. The reference
monitor checks whether the access can be authorized against the security policy
requirements, which are formulated in the form of access control rules.
The State Security Criteria Component. This component allows us to distinguish
secure states from insecure ones. The criteria take the form of constraints which state
the necessary conditions of a secure state.
The relations between the described components are depicted in Fig. 2.
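To make the three components concrete, the following Python program is an added example (not the paper's formalism and not taken from any of the cited systems) that encodes a toy state-based model in exactly this shape: a security state (subjects, objects and an access matrix), access control rules enforced by a reference monitor function, and state security criteria expressed as a constraint check. On top of that it performs the kind of automated evaluation the paper argues for: a breadth-first search over the states reachable through authorized transitions, which reports the first reachable insecure state together with the action sequence leading to it, i.e. a weakness of the policy. All names, rules and sample data (alice, bob, secret.txt, the "cleared" set, the two rule variants) are constructed for the illustration.

```python
"""Toy state-based security model with a security state, access control
rules (reference monitor) and state security criteria, plus a search for
reachable insecure states. Added example; names and data are constructed."""
from collections import deque
from dataclasses import dataclass
from itertools import product
from typing import Callable, FrozenSet, List, Optional, Tuple

Triple = Tuple[str, str, str]   # (subject, object, right)
Action = Tuple[str, ...]        # ("access", s, o, r) or ("grant", s, t, o, r)
RIGHTS = ("read", "write")


@dataclass(frozen=True)
class State:
    """Security state: subjects, objects and their security attributes (a
    discretionary access matrix stored as triples). Frozen so that states
    can be hashed and compared during exploration."""
    subjects: FrozenSet[str]
    objects: FrozenSet[str]
    acl: FrozenSet[Triple]


def permissive_rules(state: State, action: Action) -> bool:
    """Access control rules (constructed): an access needs the matching
    right; any holder of a right may grant it to any other subject."""
    if action[0] == "access":
        _, s, o, r = action
        return (s, o, r) in state.acl
    _, s, t, o, r = action
    return (s, o, r) in state.acl and t in state.subjects and t != s


def restricted_rules(state: State, action: Action) -> bool:
    """Tighter variant (constructed): a right may only be granted to a
    subject that already holds some right on that object."""
    if action[0] == "grant":
        _, s, t, o, r = action
        if not any(x == t and y == o for (x, y, _r) in state.acl):
            return False
    return permissive_rules(state, action)


def transition(state: State, action: Action) -> State:
    """State transformation applied once the reference monitor has
    authorized the action; plain accesses leave the security state unchanged."""
    if action[0] == "grant":
        _, s, t, o, r = action
        return State(state.subjects, state.objects, state.acl | {(t, o, r)})
    return state


def violations(state: State, confidential: FrozenSet[str],
               cleared: FrozenSet[str]) -> List[str]:
    """State security criteria: rights on confidential objects may only be
    held by cleared subjects. Returns the violated constraints; an empty
    list means the state is secure."""
    return sorted(f"{s} holds {r} on confidential object {o}"
                  for (s, o, r) in state.acl
                  if o in confidential and s not in cleared)


def candidate_actions(state: State):
    """Every request a subject could submit to the reference monitor."""
    for s, o, r in product(sorted(state.subjects), sorted(state.objects), RIGHTS):
        yield ("access", s, o, r)
        for t in sorted(state.subjects):
            yield ("grant", s, t, o, r)


def find_weakness(initial: State, rules: Callable[[State, Action], bool],
                  confidential: FrozenSet[str], cleared: FrozenSet[str],
                  max_states: int = 10_000) -> Optional[List[Action]]:
    """Breadth-first exploration of the states reachable through authorized
    transitions. Returns the action sequence to the first insecure state, or
    None if every explored state satisfies the criteria."""
    if violations(initial, confidential, cleared):
        return []
    seen = {initial}
    queue = deque([(initial, [])])
    while queue and len(seen) < max_states:
        state, trace = queue.popleft()
        for action in candidate_actions(state):
            if not rules(state, action):
                continue          # the reference monitor refuses the request
            nxt = transition(state, action)
            if nxt in seen:
                continue
            seen.add(nxt)
            if violations(nxt, confidential, cleared):
                return trace + [action]
            queue.append((nxt, trace + [action]))
    return None


# Constructed sample: alice is cleared for secret.txt, bob is not.
INITIAL = State(
    subjects=frozenset({"alice", "bob"}),
    objects=frozenset({"secret.txt", "notes.txt"}),
    acl=frozenset({("alice", "secret.txt", "read"), ("bob", "notes.txt", "read")}),
)
CONFIDENTIAL = frozenset({"secret.txt"})
CLEARED = frozenset({"alice"})

if __name__ == "__main__":
    print("permissive rules:", find_weakness(INITIAL, permissive_rules, CONFIDENTIAL, CLEARED))
    print("restricted rules:", find_weakness(INITIAL, restricted_rules, CONFIDENTIAL, CLEARED))
```

The initial state satisfies the criteria under both rule sets; the difference only appears once state transitions are explored. With the permissive rules the search finds that a single authorized grant by alice moves the system into a state where bob, who is not cleared, holds read on the confidential object, so the criteria alone cannot detect the weakness without the transition analysis. With the restricted rules no reachable state violates the criteria and the search returns None. The separation of state, rules and criteria into three functions is what makes the evaluation automatic: the same search runs unchanged over any rule set or criterion.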