Construction method for access control policy and system thereof

An access control policy construction method and system, applied in the field of access control policy construction. It addresses the lack of structure in existing policy languages, the complexity of policy rules, and the inability to provide semantic analysis, so that policies can be written and managed in a unified way and are more readable and easier to understand and use.

Inactive Publication Date: 2010-07-14
苏州国华科技有限公司

AI Technical Summary

Problems solved by technology

[0003] More recently developed policy languages include the SELinux reference policy language and Ponder. Although they were designed for new requirements, they have certain deficiencies: (1) The reference policy language developed for SELinux supports multiple security models, such as DTE and RBAC. However, the language lacks structure, and every policy rule must be explicitly declared and written out, which makes its policy rules very complex and voluminous and hard for users to understand and use. (2) SELinux uses the m4 macro compiler to write external interfaces in an attempt at simplification, but because the m4 macro compiler cannot provide semantic analysis (such as type checking), the robustness of the language is reduced and the probability of policy conflicts is increased. (3) Ponder is a declarative, structured policy language. However, Ponder only provides support for discretionary access control, and cannot fully describe other security models such as MAC and RBAC.
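The kind of semantic analysis that deficiency (2) says a text-substituting macro processor cannot provide, as an added example that is not taken from the patent or from SELinux. The rule syntax (`type`, `allow`, `deny`), the function name `check_policy` and the sample policy are all assumptions made for illustration.

```python
# Added example: a toy policy language, not SELinux syntax and not the patent's language.
from collections import defaultdict

# Constructed sample policy. Lines 3 and 4 allow and deny the same access;
# line 5 refers to a type that was never declared.
SAMPLE_POLICY = """\
type httpd_t
type web_content_t
allow httpd_t web_content_t read
deny httpd_t web_content_t read
allow httpd_t shadow_t read
"""

def check_policy(text):
    """Return a list of (line_number, message) errors found in the policy text."""
    declared = set()
    decisions = defaultdict(dict)  # (subject, object, permission) -> {effect: line}
    errors = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "type" and len(fields) == 2:
            if fields[1] in declared:
                errors.append((lineno, f"type {fields[1]} declared twice"))
            declared.add(fields[1])
        elif fields[0] in ("allow", "deny") and len(fields) == 4:
            effect, subject, obj, perm = fields
            # Type check: every name used in a rule must already be declared.
            for name in (subject, obj):
                if name not in declared:
                    errors.append((lineno, f"undeclared type {name}"))
            # Conflict check: the same access both allowed and denied.
            seen = decisions[(subject, obj, perm)]
            other = "deny" if effect == "allow" else "allow"
            if other in seen:
                errors.append((lineno, f"{effect} conflicts with {other} on line {seen[other]}"))
            seen.setdefault(effect, lineno)
        else:
            errors.append((lineno, f"syntax error: {line.strip()}"))
    return errors

if __name__ == "__main__":
    for lineno, message in check_policy(SAMPLE_POLICY):
        print(f"line {lineno}: {message}")
```

A macro expander would emit all five lines unchanged; the checker rejects the policy before it reaches a back end.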


Examples


Embodiment 1

[0023] Based on a study of existing access control technologies and security models, such as the BLP, DTE and RBAC models, this embodiment comprehensively analyzes the security principles of these models, extracts their common and unique security features, abstracts and summarizes the models, and refines the design requirements for a general access control policy.

[0024] The access control policy is the basis on which a security model is implemented: it is the concrete description of the abstract security model and the object that an access control policy language actually describes. Generally speaking, an access control policy has three basic elements: policy subjects, policy objects and policy rules. In the system security domain these correspond to three basic concepts: system subjects, system objects and security rules. The system subject can be a policy subject or a policy object, which means a system object that can active...


Abstract

The invention relates to a method for constructing an access control policy, and a system thereof, applied in the field of secure operating systems, and in particular to a policy compiler that implements the method. Based on analysis and research of classical security models, the invention provides a method, covering both common and model-specific security rules, for constructing a universal access control policy. By taking this method as the design objective of the policy compiler's language, adopting an object-oriented design concept, and defining the lexical and syntax specifications of the language, it provides a policy compiler that performs syntax checking, semantic analysis and similar functions, includes a retargetable back end, and is applicable to multiple operating system environments. The prominent advantage of the invention is that a universal description of policy elements and security rules is used to support multiple security models.

Description

Technical field

[0001] The invention relates to a method for constructing an access control policy of a security model and a system thereof.

Background

[0002] At present, some research institutions at home and abroad have developed and designed a number of policy description languages; the traditional ones are ASL and PDL. ASL is a logic-based policy language with strong computing power; it allows reasoning and handles consistency checking and conflict resolution of security policies well, but it targets only a particular access control model, and because it uses predicate logic to describe policy, the language is hard to read, understand and write. PDL is an event-based policy language. The basic format of PDL is event-conditions-action, meaning that the occurrence of an event triggers the execution of an action if the conditions are met. It is mainly used in policy-based network management and does not su...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/56
Inventor 周学海李曦许宏琪杨峰李星舒龙昊
Owner 苏州国华科技有限公司