access is granted. In Windows 2000 there is a standard set of access types. For example, in Windows 2000 a user can read the file NTDETECT.COM if the user belongs at least to the Power Users group and has no ACL restriction. Obviously, all the scopes are specified in SPSL.
All three scopes are passed to SPR. SPR first checks the initial system security state against the security criteria, then generates all reachable states and checks each of them against the criteria. The output of SPR is the Safety Verdict, which contains the "Safe/Unsafe" decision.

SPR exports an API to a logical machine call and will provide a convenient interface for starting and stopping the evaluation process, controlling its progress, filling the logical machine with the predicates, and receiving the results.
If SPR produces a system state which makes the security criteria false, the Security Flaws Explorer demonstrates the sequence of events which leads to the security fault, and the Evaluation Reporter produces the final report containing the access control model, the initial state, the access control rules, the security criteria, the evaluation result, and the security flaws trace.

In Windows 2000 the Security Flaws Explorer will generate the fault state report, containing the users, groups, files, ACLs and registry at the moment of the flaw. This is like a snapshot of the system. The report will also include the sequence of states and transitions which move the system from the initial state to the fault state.

The Evaluation Reporter collects the report from the Security Flaws Explorer and the verdict from SPR and forms the Final Report. The Final Report is the documentation which holds the proof of the system's safety or unsafety.
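The SPR procedure described above (check the initial state, generate all reachable states, check each against the criteria, and hand the event sequence to the Security Flaws Explorer on failure) can be illustrated with a small reachability search. This is an added example, not the paper's SPR or SPSL: the users, groups, the deny ACE, the transition rules and the `resolve` function are all constructed for illustration, and the only rule taken from the text is "a user can read NTDETECT.COM if a member of Power Users (or above) with no ACL restriction".

```python
from collections import deque

# Constructed toy model. A state is a frozenset of facts of two kinds:
# ("member", user, group) and ("deny", user, file).
INITIAL = frozenset({
    ("member", "alice", "Administrators"),
    ("member", "bob", "Power Users"),
    ("deny", "guest", "NTDETECT.COM"),   # constructed ACL restriction on guest
})
USERS = {"alice", "bob", "guest"}
PRIVILEGED = {"Power Users", "Administrators"}

def can_read(state, user, file):
    """Access rule from the text: Power Users (or above) with no deny ACE."""
    in_group = any(k == "member" and u == user and g in PRIVILEGED
                   for (k, u, g) in state)
    return in_group and ("deny", user, file) not in state

def transitions(state):
    """Reachable-state generator: yield (event label, successor state).
    Constructed rules: an administrator may enroll any user in Power Users
    and may remove any deny ACE."""
    for (k, u, g) in state:
        if k != "member" or g != "Administrators":
            continue
        for v in USERS:
            fact = ("member", v, "Power Users")
            if fact not in state:
                yield f"{u} adds {v} to Power Users", state | {fact}
        for (k2, v, f) in state:
            if k2 == "deny":
                yield f"{u} removes deny for {v} on {f}", state - {(k2, v, f)}

def resolve(initial, criterion, transitions):
    """SPR-style check: breadth-first over reachable states. Returns
    ("Safe", None, None) or ("Unsafe", trace, fault_state), where trace is the
    shortest event sequence from the initial state to a state violating the
    criterion (the input the Security Flaws Explorer would report)."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        if not criterion(state):
            return "Unsafe", trace, state
        for label, nxt in transitions(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return "Safe", None, None

# Security criterion: the guest account must never be able to read NTDETECT.COM.
CRITERION = lambda s: not can_read(s, "guest", "NTDETECT.COM")
```

The initial state satisfies the criterion, but the search finds a two-event trace (enrolling guest in Power Users and clearing the deny ACE) that makes it false, so the verdict is "Unsafe".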
SEW Applications
The Safety Evaluation Workshop has task-dependent and task-independent components. In Fig. 4 different kinds of systems to be evaluated (Windows, Linux, or a firewall) are presented. This is a sample set of systems for evaluation; the evaluation may be extended to a variety of information systems. It is very important that the kernel of the automated evaluation, SPR, is the task-independent unit. This makes it possible to build evaluation programs for varied targets on top of it.

SEW has at least two variants of security estimation: a static and a dynamic mode of work. In the static mode, gathering the system security state suspends all other load on the system. The State Analyzer collects all system information and forms the inputs for SPR, SPR produces the Safety Verdict, and the Reporter generates the Final Report. In this case the Workshop is a set of routines and applications which the estimator runs. In the dynamic mode the Workshop runs as above but in the background and does not stop the system load. This is convenient for the user but consumes system resources.
Conclusion
This paper investigates new directions for analyzing security policies. We have found the framework of logic useful for this purpose, especially when dealing with security policies which include situations where some norms may be violated. We focused on how to check the consistency of a security policy. The proposed approach has the potential to greatly increase the ease of evaluation and maintenance of secure systems.