Loose coupling role authorized-type implementation access control method and system thereof

An access control and loose coupling technology, applied in the field of preventing unauthorized use of memory, instruments, electrical digital data processing, etc. It addresses the complex syntax and semantics of the policy description language, the inability to flexibly adjust security policy configuration, and the complexity of configuration language syntax and rules, achieving universality, improved access control efficiency, and reduced configuration difficulty.

Status: Inactive
Publication Date: 2011-10-19
NAT UNIV OF DEFENSE TECH
1 Cites, 14 Cited by

AI Technical Summary

Problems solved by technology

[0008] However, the combination of RBAC and TE also means that policy analysis must be carried out at two different levels, TE and RBAC. The correctness of the TE policies must be ensured first, and the role authorization policies analyzed on that basis, which greatly increases the complexity of policy analysis.
Moreover, this approach tightly couples TE policies to user roles. When a new role is added to the system, the existing TE security configuration must be checked at the same time. The number of policy rules is huge, and the syntax and semantics of the policy description language are relatively complex. Both formulating and managing rules require great familiarity with the policy language; otherwise it is easy to make mistakes.
Therefore, such security policies are mostly configured by system researchers. The syntax and rules of the configuration language are complex and cannot be changed flexibly, and users cannot flexibly adjust the security policy configuration as roles change.
In addition, as the number of configured control rules increases, system performance is greatly affected.
[0009] According to experience with secure operating systems, the most important user role in the system is the system administrator, who is responsible for the daily management and configuration of the system, touches most system applications, and has the highest authority. Functional roles such as security administrators and audit administrators are mainly responsible for the applications related to their function, so the application types are relatively concentrated. In addition, ordinary users generally use the default role when logging in to the system; if roles are distinguished according to actual usage, the applications involved in each role are relatively narrow.

Embodiment Construction

[0048] The present invention will be further described in detail below with reference to the drawings and specific embodiments of the specification.

[0049] Figure 1 shows the structure of the type implementation (TE) system of the present invention, built on the operating system access control framework. The type implementation control system constructed by the present invention attaches to the operating system's security access control framework as a security module; it receives access control requests from the framework and returns a security decision according to the current access policy configuration. The system mainly includes five sub-modules: policy initialization, subject security type migration, object security type migration, access authority check, and policy rule configuration management. The policy initialization module is mainly responsible for registering the security module with the access contro...


Abstract

The invention discloses a loose coupling role authorized-type implementation access control method and a system thereof. The method comprises the following steps: adding a user role association relation on top of a type implementation access control method; adding definitions of process type transformation rules related to a user role, together with a corresponding type transformation decision mechanism; when a system process type is transformed, judging according to the process type transformation rules and the current role of the user whether to perform a role-related type transformation, which changes the user process execution flow; and entering the specific security domain of the user role. The system comprises a type implementation access control policy module, a policy security configuration module and a policy rule configuration module, wherein the type implementation access control policy module runs in the kernel of the operating system, the policy security configuration module runs in the user layer of the operating system, and the policy rule configuration module is located in a file system. The method and the system have the advantages of reducing the influence of user role configuration changes on the type implementation rule system, reducing the difficulty of security configuration, and facilitating flexible configuration according to actual service conditions.
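A minimal model of the role-related type transformation decision described in the abstract, added here as an illustration and not taken from the patent. The rule layout, the type and role names, and the fallback to the ordinary TE transition when no role rule matches are assumptions.

```python
# Added illustration: rule layout, type names and role names are constructed,
# not taken from the patent text.
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Base TE layer: allowed (source_domain, object_type, permission) triples.
    allow: set = field(default_factory=set)
    # Base TE process transitions: (current_domain, exec_file_type) -> new_domain.
    transitions: dict = field(default_factory=dict)
    # Role-related transitions: (role, current_domain, exec_file_type) -> role domain.
    role_transitions: dict = field(default_factory=dict)

    def domain_after_exec(self, role, domain, exec_type):
        """Decide the process domain after exec, consulting the user's current role."""
        role_domain = self.role_transitions.get((role, domain, exec_type))
        if role_domain is not None:
            return role_domain  # enter the role's specific security domain
        # Assumption: with no role rule, the ordinary TE transition applies,
        # and with no TE transition either the process keeps its domain.
        return self.transitions.get((domain, exec_type), domain)

    def check(self, domain, obj_type, perm):
        """Plain TE access check: it only sees types, never the role."""
        return (domain, obj_type, perm) in self.allow


def build_policy():
    """Constructed sample policy with one default role and one functional role."""
    p = Policy()
    p.allow |= {
        ("user_t", "user_file_t", "read"),
        ("audit_admin_t", "audit_log_t", "read"),
    }
    p.transitions[("login_t", "shell_exec_t")] = "user_t"
    p.role_transitions[("audit_admin_r", "user_t", "audit_tool_exec_t")] = "audit_admin_t"
    return p


def demo():
    """Same program, two roles: only the audit role lands in the audit domain."""
    p = build_policy()
    default = p.domain_after_exec("user_r", "user_t", "audit_tool_exec_t")
    auditor = p.domain_after_exec("audit_admin_r", "user_t", "audit_tool_exec_t")
    return (default, auditor,
            p.check(default, "audit_log_t", "read"),
            p.check(auditor, "audit_log_t", "read"))
```

Adding another role in this model only adds entries to `role_transitions`; the `allow` set of the base TE layer is untouched, which is the loose coupling the abstract claims.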

Description

Technical field

[0001] The present invention mainly relates to the field of operating system security access control, and particularly refers to an operating system security access control strategy and control system implemented by combining role authorization and type.

Background technique

[0002] Currently, with the continuous development and large-scale application of information technology, information security has become an increasingly prominent issue. Among them, operating system security provides a strong guarantee for information system security. Access control effectively controls the behavior of the subject and protects information security by controlling the subject's access authority to the object in the operating system.

[0003] The Type Enforcement security policy divides the objects with the same security attributes in the operating system into one type, and achieves the purpose of access control by specifying the access rights between types, with fine-grained ac...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/00, G06F12/14, G06F21/62
Inventor: 丁滟, 何连跃, 魏立峰, 陈松政, 唐晓东, 戴华东, 吴庆波
Owner: NAT UNIV OF DEFENSE TECH